Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your resources in Object Storage Service (OSS).
Background information
Syntax and structure of RAM policies
A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
You can use the Version element, Statement element, and Effect element in RAM policies for OSS in the same manner as you use them in other RAM policies. For more information about how to use the Action, Resource, and Condition elements in RAM policies for OSS, see the following sections in this topic: Action element in RAM policies for OSS, Resource element in RAM policies for OSS, and Condition element in RAM policies for OSS.
Common RAM policies for OSS
AliyunOSSFullAccess: grants a RAM user full permissions on OSS resources.
AliyunOSSReadOnlyAccess: grants a RAM user read-only permissions on OSS resources.
Access control
For more information about the access control methods supported by OSS, see Overview.
Action element in RAM policies for OSS
RAM policies for OSS support service-level operations, bucket-level operations, and object-level operations.
Service-level operations

| API | Action | Operation |
| --- | --- | --- |
| | oss:ListBuckets | Lists all buckets owned by the requester. |
Bucket-level operations

| API | Action | Operation |
| --- | --- | --- |
| | oss:PutBucket | Creates a bucket. |
| | oss:ListObjects | Lists all objects in a bucket. |
| | oss:GetBucketInfo | Queries information about a bucket. |
| | oss:GetBucketLocation | Queries the location information about a bucket. |
| | oss:PutBucketVersioning | Sets the versioning status of a bucket. |
| | oss:GetBucketVersioning | Queries the versioning status of a bucket. |
| | oss:ListObjectVersions | Lists the versions of all objects in a bucket, including delete markers. |
| | oss:PutBucketAcl | Configures or modifies the access control list (ACL) of a bucket. |
| | oss:GetBucketAcl | Queries the ACL of a bucket. |
| | oss:DeleteBucket | Deletes a bucket. |
| | oss:InitiateBucketWorm | Creates a retention policy. |
| | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
| | oss:CompleteBucketWorm | Locks a retention policy. |
| | oss:ExtendBucketWorm | Extends the retention period (days) of objects in a bucket for which a retention policy is locked. |
| | oss:GetBucketWorm | Queries the retention policy of a bucket. |
| | oss:PutBucketLogging | Enables logging for a bucket. |
| | oss:GetBucketLogging | Queries the logging configurations of a bucket. |
| | oss:DeleteBucketLogging | Disables logging for a bucket. |
| | oss:PutBucketWebsite | Enables static website hosting for a bucket and configures redirection rules for the bucket. |
| | oss:GetBucketWebsite | Queries the static website hosting status of a bucket and the redirection rules of the bucket. |
| | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and deletes the redirection rules of the bucket. |
| | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
| | oss:GetBucketReferer | Queries the hotlink protection configurations of a bucket. |
| | oss:PutBucketLifecycle | Configures lifecycle rules for a bucket. |
| | oss:GetBucketLifecycle | Queries the lifecycle rules that are configured for a bucket. |
| | oss:DeleteBucketLifecycle | Deletes the lifecycle rules of a bucket. |
| | oss:PutBucketTransferAcceleration | Enables transfer acceleration for a bucket. |
| | oss:GetBucketTransferAcceleration | Queries the transfer acceleration configurations of a bucket. |
| | oss:ListMultipartUploads | Lists all ongoing multipart upload tasks, which include tasks that have been initiated but are not completed or canceled. |
| | oss:PutBucketCors | Configures cross-origin resource sharing (CORS) rules for a bucket. |
| | oss:GetBucketCors | Queries the CORS rules of a bucket. |
| | oss:DeleteBucketCors | Disables CORS and deletes all CORS rules of a bucket. |
| | oss:PutBucketPolicy | Configures bucket policies for a bucket. |
| | oss:GetBucketPolicy | Queries the policies of a bucket. |
| | oss:DeleteBucketPolicy | Deletes the policies of a bucket. |
| | oss:PutBucketTagging | Adds tags to or modifies the tags of a bucket. |
| | oss:GetBucketTagging | Queries the tags of a bucket. |
| | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
| | oss:PutBucketEncryption | Configures encryption rules for a bucket. |
| | oss:GetBucketEncryption | Queries the encryption rules of a bucket. |
| | oss:DeleteBucketEncryption | Deletes the encryption rules of a bucket. |
| | oss:PutBucketRequestPayment | Enables pay-by-requester for a bucket. |
| | oss:GetBucketRequestPayment | Queries the pay-by-requester configurations of a bucket. |
| | oss:PutBucketReplication | Configures a data replication rule for a bucket. |
| | oss:PutBucketRTC | Enables or disables Replication Time Control (RTC) for existing cross-region replication (CRR) rules. |
| | oss:GetBucketReplication | Queries the data replication rules of a bucket. |
| | oss:DeleteBucketReplication | Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket. |
| | oss:GetBucketReplicationLocation | Queries the regions in which the destination bucket can be located. |
| | oss:GetBucketReplicationProgress | Queries the data replication progress of a bucket. |
| | oss:PutBucketInventory | Configures inventories for a bucket. |
| | oss:GetBucketInventory | Queries specific inventories of a bucket. |
| | oss:GetBucketInventory | Queries all inventories of a bucket. |
| | oss:DeleteBucketInventory | Deletes a specific inventory of a bucket. |
| | oss:PutBucketAccessMonitor | Configures the access tracking status of a bucket. |
| | oss:GetBucketAccessMonitor | Queries the access tracking status of a bucket. |
| | oss:OpenMetaQuery | Enables metadata management for a bucket. |
| | oss:GetMetaQueryStatus | Queries the metadata index library of a bucket. |
| | oss:DoMetaQuery | Queries objects that meet specific conditions and lists the object information based on specific fields and sorting methods. |
| | oss:CloseMetaQuery | Disables metadata management for a bucket. |
| | oss:InitUserAntiDDosInfo | Creates Anti-DDoS instances. |
| | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS instance. |
| | oss:GetUserAntiDDosInfo | Queries information about Anti-DDoS instances that belong to an Alibaba Cloud account. |
| | oss:InitBucketAntiDDosInfo | Initializes Anti-DDoS instances for a bucket. |
| | oss:UpdateBucketAntiDDosInfo | Updates the status of Anti-DDoS instances of a bucket. |
| | oss:ListBucketAntiDDosInfo | Queries the protection list of an Anti-DDoS instance of a bucket. |
| | oss:PutBucketResourceGroup | Configures a resource group to which a bucket belongs. |
| | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
| | oss:CreateCnameToken | Creates a CNAME token used to verify the ownership of a domain name. |
| | oss:GetCnameToken | Queries the created CNAME tokens. |
| | oss:PutCname | Maps a custom domain name to a bucket. |
| | oss:ListCname | Queries all custom domain names that are mapped to a bucket. |
| | oss:DeleteCname | Deletes a CNAME record that maps a custom domain name to a bucket. |
| | oss:PutStyle | Configures image styles. |
| | oss:GetStyle | Queries image styles. |
| | oss:ListStyle | Lists image styles. |
| | oss:DeleteStyle | Deletes image styles. |
| CreateBucketDataRedundancyTransition | oss:CreateBucketDataRedundancyTransition | Creates a task to change the storage redundancy type of a bucket. |
| GetBucketDataRedundancyTransition | oss:GetBucketDataRedundancyTransition | Queries the tasks that change the redundancy type of a bucket. |
| ListBucketDataRedundancyTransition | oss:ListBucketDataRedundancyTransition | Lists all redundancy type conversion tasks of a bucket. |
| DeleteBucketDataRedundancyTransition | oss:DeleteBucketDataRedundancyTransition | Deletes a redundancy type conversion task. |
| | oss:PutBucketArchiveDirectRead | Enables or disables real-time access of Archive objects for a bucket. |
| | oss:GetBucketArchiveDirectRead | Queries whether real-time access of Archive objects is enabled for a bucket. |
| | oss:CreateAccessPoint | Creates an access point. |
| | oss:GetAccessPoint | Queries information about an access point. |
| | oss:DeleteAccessPoint | Deletes an access point. |
| | oss:ListAccessPoints | Queries user-level or bucket-level access points. |
| | oss:PutAccessPointPolicy | Configures an access point policy. |
| | oss:GetAccessPointPolicy | Obtains information about an access point policy. |
| | oss:DeleteAccessPointPolicy | Deletes an access point policy. |
| | oss:PutBucketHttpsConfig | Enables or disables Transport Layer Security (TLS) version management for a bucket. |
| | oss:GetBucketHttpsConfig | Queries the configurations of TLS version management of a bucket. |
| ReplicateList | oss:ReplicateList | Lists the historical data in the source bucket and then replicates the historical data to the destination bucket. |
| | oss:CreateAccessPointForObjectProcess | Creates an Object FC Access Point. |
| | oss:GetAccessPointForObjectProcess | Queries basic information about an Object FC Access Point. |
| | oss:DeleteAccessPointForObjectProcess | Deletes an Object FC Access Point. |
| | oss:ListAccessPointsForObjectProcess | Queries information about user-level Object FC Access Points. |
| | oss:PutAccessPointConfigForObjectProcess | Changes the configurations of an Object FC Access Point. |
| | oss:GetAccessPointConfigForObjectProcess | Queries the configurations of an Object FC Access Point. |
| | oss:PutAccessPointPolicyForObjectProcess | Configures permission policies for an Object FC Access Point. |
| | oss:GetAccessPointPolicyForObjectProcess | Queries the permission policies of an Object FC Access Point. |
| | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the permission policies of an Object FC Access Point. |
| | oss:WriteGetObjectResponse | Specifies the return data and response headers for a GetObject request. |
Object-level operations

| API | Action | Operation |
| --- | --- | --- |
| | oss:PutObject | Uploads an object. |
| | oss:PutObject | Uploads an object to a bucket by using HTML form upload. |
| | oss:PutObject | Uploads an object by using append upload. |
| | oss:PutObject | Initiates a multipart upload task. |
| | oss:PutObject | Uploads an object by part based on the object name and upload ID. |
| | oss:PutObject | Completes a multipart upload task. |
| | oss:AbortMultipartUpload | Cancels a multipart upload task and deletes the uploaded parts. |
| | oss:PutObject | Creates a symbolic link for an object. |
| | oss:GetObject | Queries an object. |
| | oss:GetObject | Queries the metadata of an object. |
| | oss:GetObject | Queries the metadata of an object, including the ETag, object size, and last modified time. |
| | oss:GetObject | Executes SQL statements on an object and queries the execution results. |
| | oss:GetObject | Queries the symbolic link of an object. |
| | oss:DeleteObject | Deletes an object. |
| | oss:DeleteObject | Deletes multiple objects from a bucket at a time. |
| | oss:GetObject, oss:PutObject | Copies objects to the same bucket or to a different bucket in the same region. |
| | oss:GetObject, oss:PutObject | Copies data from an existing object to upload a part by adding the x-oss-copy-source request header to an UploadPart request to call the UploadPartCopy operation. |
| | oss:ListParts | Lists all parts that are uploaded by using an upload ID. |
| | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
| | oss:GetObjectAcl | Queries the ACL of an object in a bucket. |
| | oss:RestoreObject | Restores Archive, Cold Archive, or Deep Cold Archive objects. |
| | oss:PutObjectTagging | Adds tags to or modifies the tags of an object. |
| | oss:GetObjectTagging | Queries the tags of an object. |
| | oss:DeleteObjectTagging | Deletes the tags of an object. |
| GetObject (with versionId specified in the request) | oss:GetObjectVersion | Downloads a specific version of an object. |
| PutObjectACL (with versionId specified in the request) | oss:PutObjectVersionAcl | Modifies the ACL of a specific version of an object. |
| GetObjectACL (with versionId specified in the request) | oss:GetObjectVersionAcl | Queries the ACL of a specific version of an object. |
| RestoreObject (with versionId specified in the request) | oss:RestoreObjectVersion | Restores a specific version of an Archive, Cold Archive, or Deep Cold Archive object. |
| DeleteObject (with versionId specified in the request) | oss:DeleteObjectVersion | Deletes a specific version of an object. |
| PutObjectTagging (with versionId specified in the request) | oss:PutObjectVersionTagging | Adds tags to or modifies the tags of a specific version of an object. |
| GetObjectTagging (with versionId specified in the request) | oss:GetObjectVersionTagging | Queries the tags of a specific version of an object. |
| DeleteObjectTagging (with versionId specified in the request) | oss:DeleteObjectVersionTagging | Deletes the tags of a specific version of an object. |
| | oss:PutLiveChannel | Creates a LiveChannel. |
| | oss:ListLiveChannel | Lists the specified LiveChannels. |
| | oss:DeleteLiveChannel | Deletes a LiveChannel. |
| | oss:PutLiveChannelStatus | Switches the status of a LiveChannel between enabled and disabled. |
| | oss:GetLiveChannel | Queries the configurations of a LiveChannel. |
| | oss:GetLiveChannelStat | Queries the stream ingest status of a LiveChannel. |
| | oss:GetLiveChannelHistory | Queries the stream ingest records of a LiveChannel. |
| | oss:PostVodPlaylist | Generates a video on demand (VOD) playlist for a LiveChannel. |
| | oss:GetVodPlaylist | Queries the playlist that is generated by the streams ingested to a LiveChannel within a specific time range. |
| PublishRtmpStream | oss:PublishRtmpStream | Pushes audio and video streams over Real-Time Messaging Protocol (RTMP). |
| | oss:PostProcessTask | Saves processed images to a bucket. |
| ReplicateGet | oss:ReplicateGet | Allows OSS to read data and metadata from the source and destination buckets in a data replication task, such as objects, parts, and multipart upload tasks. |
| ReplicatePut | oss:ReplicatePut | Allows OSS to perform write operations on the destination bucket in a data replication task, such as writing objects, multipart upload tasks, parts, and symbolic links, and modifying object metadata. |
| ReplicateDelete | oss:ReplicateDelete | Allows OSS to perform delete operations on the destination bucket in a data replication task, such as DeleteObject, AbortMultipartUpload, and DeleteMarker. Important: This action is required only if you set Replication Policy to Add/Delete/Change. |
Resource element in RAM policies for OSS
In RAM policies for OSS, the Resource element specifies one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.
| Category | Format | Example |
| --- | --- | --- |
| Bucket-level resource | | |
| Object-level resource | | |
The region field can be set only to an asterisk (*) wildcard character.
Condition element in RAM policies for OSS
The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see Condition.
The following tables describe the categories of conditional operators and the supported condition keys.
Conditional operators

| Category | Conditional operator |
| --- | --- |
| String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
| Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
| Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
| Boolean | Bool |
| IP address | IpAddress, NotIpAddress |
Condition keys

| Condition key | Description |
| --- | --- |
| acs:SourceIp | The CIDR block from which the requests are sent. This condition supports the asterisk (*) wildcard character. |
| acs:UserAgent | The User-Agent header in the HTTP request. Type: string. |
| acs:CurrentTime | The point in time when the request is received by the OSS server. Standard: ISO 8601. |
| acs:SecureTransport | Specifies whether HTTPS must be used for secure data transfers. Valid values: true (only HTTPS requests are allowed) and false (only HTTP requests are allowed). If the acs:SecureTransport condition is not specified, both HTTPS and HTTP requests are allowed. |
| oss:Prefix | The prefix in the names of the objects that you want to list by calling the ListObjects operation. |
| oss:Delimiter | The character that is used to group the names of the objects that you want to list by calling the ListObjects operation. |
| acs:AccessId | The AccessKey ID provided in the request. |
| oss:BucketTag | The tag of the bucket. A single bucket tag can be used as a condition. To configure multiple bucket tags as multiple conditions, you must add oss:BucketTag/ before each bucket tag. |
| acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is enabled. Valid values: true and false. |
| oss:ExistingObjectTag | Specifies that the requested object has tags. A single object tag can be used as a condition. To configure multiple object tags as multiple conditions, you must add oss:ExistingObjectTag/ before each object tag. This condition applies to operations that are called to read objects, such as GetObject and HeadObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging. |
| oss:RequestObjectTag | The object tags in the request. A single object tag can be used as a condition. To configure multiple object tags as multiple conditions, you must add oss:RequestObjectTag/ before each object tag. This condition applies to operations that are called to write objects, such as PutObject and PostObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging. |
Examples
You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.
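As an added, runnable illustration of how the Action, Resource, and Condition elements described in this topic fit together (this is not code from this page or from Alibaba Cloud), the following Python script builds a least-privilege policy from actions in the tables above, uses the asterisk (*) wildcard in Resource, applies StringLike, Bool, and IpAddress conditions to oss:Prefix, acs:SecureTransport, and acs:SourceIp, and then evaluates constructed requests against it with a toy evaluator. Assumptions: the resource format acs:oss:<region>:<account-id>:<bucket>[/<object>] is taken from OSS documentation outside this page, because the Resource table above lost its Format and Example cells; the combination rules modelled (operators within a statement are ANDed, values within a key are ORed, an explicit Deny overrides Allow, and no matching statement means Deny) follow the general RAM model, but the evaluator is a simplification and not the service's own logic; examplebucket, the cn-hangzhou region, the account ID 123456789012, and all IP ranges are constructed sample values.

```python
"""Toy evaluator for OSS-style RAM policies: an added illustration of the
Effect/Action/Resource/Condition elements described on this page, not Alibaba
Cloud's evaluation code. Resource format, combination rules, bucket names,
IP ranges and the account ID are assumptions or constructed sample values."""
import fnmatch
import ipaddress
import json

# Constructed least-privilege policy: list only the "logs/" prefix of
# examplebucket and read objects under it, only over HTTPS and only from the
# 192.0.2.0/24 block; deleting anything in the bucket is explicitly denied.
POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:examplebucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["logs/*"]},
                   "Bool": {"acs:SecureTransport": ["true"]},
                   "IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject"],
     "Resource": ["acs:oss:*:*:examplebucket/logs/*"],
     "Condition": {"Bool": {"acs:SecureTransport": ["true"]},
                   "IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}},
    {"Effect": "Deny", "Action": ["oss:DeleteObject", "oss:DeleteObjectVersion"],
     "Resource": ["acs:oss:*:*:examplebucket/*"]}
  ]
}""")


def _glob_any(patterns, value):
    """'*' in Action and Resource is a wildcard; matching is case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(operator, expected, actual):
    """Apply one conditional operator from the table above to a context value.
    Values within one key are ORed; a key missing from the request never matches."""
    if actual is None:
        return False
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in expected
    elif operator in ("StringLike", "StringNotLike"):
        hit = _glob_any(expected, actual)
    elif operator == "Bool":
        hit = str(actual).lower() in [e.lower() for e in expected]
    elif operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e)
                  for e in expected)
    else:
        raise ValueError(f"operator {operator} is not modelled here")
    return not hit if operator.startswith(("StringNot", "NotIp")) else hit


def _statement_applies(stmt, action, resource, context):
    """Action, Resource and every operator/key pair (ANDed) must match."""
    if not (_glob_any(stmt["Action"], action)
            and _glob_any(stmt["Resource"], resource)):
        return False
    return all(_condition_holds(op, expected, context.get(key))
               for op, keys in stmt.get("Condition", {}).items()
               for key, expected in keys.items())


def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny": no matching statement means Deny, and a
    matching Deny statement overrides any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


# Requests name the concrete region and account ID (constructed here); the
# '*' fields in the policy's Resource patterns match them.
BUCKET = "acs:oss:cn-hangzhou:123456789012:examplebucket"
OFFICE = {"acs:SecureTransport": "true", "acs:SourceIp": "192.0.2.17"}


def run_sample_requests(policy=POLICY):
    """Evaluate constructed requests; returns {label: decision}."""
    cases = {
        "list logs/ over https from office":
            ("oss:ListObjects", BUCKET, {**OFFICE, "oss:Prefix": "logs/2024/"}),
        "list bucket without a prefix": ("oss:ListObjects", BUCKET, OFFICE),
        "get log object over https from office":
            ("oss:GetObject", BUCKET + "/logs/a.log", OFFICE),
        "get log object over plain http":
            ("oss:GetObject", BUCKET + "/logs/a.log",
             {**OFFICE, "acs:SecureTransport": "false"}),
        "get log object from outside the office block":
            ("oss:GetObject", BUCKET + "/logs/a.log",
             {**OFFICE, "acs:SourceIp": "198.51.100.9"}),
        "get object outside logs/": ("oss:GetObject", BUCKET + "/secrets/k.pem", OFFICE),
        "delete log object": ("oss:DeleteObject", BUCKET + "/logs/a.log", OFFICE),
    }
    return {label: evaluate(policy, *args) for label, args in cases.items()}


if __name__ == "__main__":
    for label, decision in run_sample_requests().items():
        print(f"{decision:5}  {label}")
```

Two points the run makes visible: a ListObjects request that omits oss:Prefix is denied, because a condition key that is absent from the request can never satisfy the StringLike operator, so the listing cannot silently widen to the whole bucket; and the object-level Allow on examplebucket/logs/* never matches a bucket-level resource, so bucket and object permissions have to be granted separately, as the Resource table above distinguishes them.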