All Products
Search

This Product

    Object Storage Service:Overview

    Document Center

    Object Storage Service:Overview

    Last Updated:Nov 22, 2023

    Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your resources in Object Storage Service (OSS).

    Background information

    • Syntax and structure of RAM policies

      A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

      You can use the Version element, Statement element, and Effect element in RAM policies of OSS in the same manner as you use the elements in policies of RAM. For more information about how to use the Action, Resource, and Condition elements in RAM policies for OSS, see the following sections in this topic:

    • Common RAM policies for OSS

      • AliyunOSSFullAccess: grants a RAM user the full permissions on OSS resources.

      • AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.

    • Access control

      For more information about the access control methods supported by OSS, see Overview.

    Action element in RAM policies for OSS

    RAM policies for OSS support service-level operations, bucket-level operations, and object-level operations.

    • Service-level operations

      API

      Action

      Operation

      ListBuckets(GetService)

      oss:ListBuckets

      Lists all buckets owned by the requester.

    • Bucket-level operations

      API

      Action

      Operation

      PutBucket

      oss:PutBucket

      Creates a bucket.

      ListObjects (GetBucket)

      oss:ListObjects

      Lists all objects in a bucket.

      GetBucketInfo

      oss:GetBucketInfo

      Queries information about a bucket.

      GetBucketLocation

      oss:GetBucketLocation

      Queries the location information about a bucket.

      PutBucketVersioning

      oss:PutBucketVersioning

      Sets the versioning status of a bucket.

      GetBucketVersioning

      oss:GetBucketVersioning

      Queries the versioning status of a bucket.

      ListObjectVersions (GetBucketVersions)

      oss:ListObjectVersions

      Lists the versions of all objects in a bucket, including delete markers.

      PutBucketAcl

      oss:PutBucketAcl

      Configures or modifies the access control list (ACL) of a bucket.

      GetBucketAcl

      oss:GetBucketAcl

      Queries the ACL of a bucket.

      DeleteBucket

      oss:DeleteBucket

      Deletes a bucket.

      InitiateBucketWorm

      oss:InitiateBucketWorm

      Creates a retention policy.

      AbortBucketWorm

      oss:AbortBucketWorm

      Deletes an unlocked retention policy.

      CompleteBucketWorm

      oss:CompleteBucketWorm

      Locks a retention policy.

      ExtendBucketWorm

      oss:ExtendBucketWorm

      Extends the retention period (days) of objects in a bucket for which a retention policy is locked.

      GetBucketWorm

      oss:GetBucketWorm

      Queries the retention policy of a bucket.

      PutBucketLogging

      oss:PutBucketLogging

      Enables logging for a bucket.

      GetBucketLogging

      oss:GetBucketLogging

      Queries the logging configurations of a bucket.

      DeleteBucketLogging

      oss:DeleteBucketLogging

      Disables logging for a bucket.

      PutBucketWebsite

      oss:PutBucketWebsite

      Enables static website hosting for a bucket and configures redirection rules for the bucket.

      GetBucketWebsite

      oss:GetBucketWebsite

      Queries the static website hosting status of a bucket and the redirection rules of the bucket.

      DeleteBucketWebsite

      oss:DeleteBucketWebsite

      Disables static website hosting for a bucket and deletes the redirection rules of the bucket.

      PutBucketReferer

      oss:PutBucketReferer

      Configures hotlink protection for a bucket.

      GetBucketReferer

      oss:GetBucketReferer

      Queries the hotlink protection configurations of a bucket.

      PutBucketLifecycle

      oss:PutBucketLifecycle

      Configures lifecycle rules for a bucket.

      GetBucketLifecycle

      oss:GetBucketLifecycle

      Queries the lifecycle rules that are configured for a bucket.

      DeleteBucketLifecycle

      oss:DeleteBucketLifecycle

      Deletes the lifecycle rules of a bucket.

      PutBucketTransferAcceleration

      oss:PutBucketTransferAcceleration

      Enables transfer acceleration for a bucket.

      GetBucketTransferAcceleration

      oss:GetBucketTransferAcceleration

      Queries the transfer acceleration configurations of a bucket.

      ListMultipartUploads

      oss:ListMultipartUploads

      Lists all ongoing multipart upload tasks, which include tasks that have been initiated but are not completed or canceled.

      PutBucketCors

      oss:PutBucketCors

      Configures cross-origin resource sharing (CORS) rules for a bucket.

      GetBucketCors

      oss:GetBucketCors

      Queries the CORS rules of a bucket.

      DeleteBucketCors

      oss:DeleteBucketCors

      Disables CORS and deletes all CORS rules of a bucket.

      PutBucketPolicy

      oss:PutBucketPolicy

      Configures bucket policies for a bucket.

      GetBucketPolicy

      oss:GetBucketPolicy

      Queries the policies of a bucket.

      DeleteBucketPolicy

      oss:DeleteBucketPolicy

      Deletes the policies of a bucket.

      PutBucketTags

      oss:PutBucketTagging

      Adds tags to or modifies the tags of a bucket.

      GetBucketTags

      oss:GetBucketTagging

      Queries the tags of a bucket.

      DeleteBucketTags

      oss:DeleteBucketTagging

      Deletes the tags of a bucket.

      PutBucketEncryption

      oss:PutBucketEncryption

      Configures encryption rules for a bucket.

      GetBucketEncryption

      oss:GetBucketEncryption

      Queries the encryption rules of a bucket.

      DeleteBucketEncryption

      oss:DeleteBucketEncryption

      Deletes the encryption rules of a bucket.

      PutBucketRequestPayment

      oss:PutBucketRequestPayment

      Enables pay-by-requester for a bucket.

      GetBucketRequestPayment

      oss:GetBucketRequestPayment

      Queries the pay-by-requester configurations of a bucket.

      PutBucketReplication

      oss:PutBucketReplication

      Configures a data replication rule for a bucket.

      PutBucketRTC

      oss:PutBucketRTC

      Enables or disables Replication Time Control (RTC) for existing cross-region replication (CRR) rules.

      GetBucketReplication

      oss:GetBucketReplication

      Queries the data replication rules of a bucket.

      DeleteBucketReplication

      oss:DeleteBucketReplication

      Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket.

      GetBucketReplicationLocation

      oss:GetBucketReplicationLocation

      Queries the regions in which the destination bucket can be located.

      GetBucketReplicationProgress

      oss:GetBucketReplicationProgress

      Queries the data replication progress of a bucket.

      PutBucketInventory

      oss:PutBucketInventory

      Configures inventories for a bucket.

      GetBucketInventory

      oss:GetBucketInventory

      Queries specific inventories of a bucket.

      ListBucketInventory

      oss:GetBucketInventory

      Queries all inventories of a bucket.

      DeleteBucketInventory

      oss:DeleteBucketInventory

      Deletes a specific inventory of a bucket.

      PutBucketAccessMonitor

      oss:PutBucketAccessMonitor

      Configures the access tracking status of a bucket.

      GetBucketAccessMonitor

      oss:GetBucketAccessMonitor

      Queries the access tracking status of a bucket.

      OpenMetaQuery

      oss:OpenMetaQuery

      Enables metadata management for a bucket.

      GetMetaQueryStatus

      oss:GetMetaQueryStatus

      Queries the metadata index library of a bucket.

      DoMetaQuery

      oss:DoMetaQuery

      Queries objects that meet specific conditions and lists the object information based on specific fields and sorting methods.

      CloseMetaQuery

      oss:CloseMetaQuery

      Disables metadata management for a bucket.

      InitUserAntiDDosInfo

      oss:InitUserAntiDDosInfo

      Creates Anti-DDoS instances.

      UpdateUserAntiDDosInfo

      oss:UpdateUserAntiDDosInfo

      Changes the status of an Anti-DDoS instance.

      GetUserAntiDDosInfo

      oss:GetUserAntiDDosInfo

      Queries information about Anti-DDoS instances that belong to an Alibaba Cloud account.

      InitBucketAntiDDosInfo

      oss:InitBucketAntiDDosInfo

      Initializes Anti-DDoS instances for a bucket.

      UpdateBucketAntiDDosInfo

      oss:UpdateBucketAntiDDosInfo

      Updates the status of Anti-DDoS instances of a bucket.

      ListBucketAntiDDosInfo

      oss:ListBucketAntiDDosInfo

      Queries the protection list of an Anti-DDoS instance of a bucket.

      PutBucketResourceGroup

      oss:PutBucketResourceGroup

      Configures a resource group to which a bucket belongs.

      GetBucketResourceGroup

      oss:GetBucketResourceGroup

      Queries the ID of the resource group to which a bucket belongs.

      CreateCnameToken

      oss:CreateCnameToken

      Creates a CNAME token used to verify the ownership of a domain name.

      GetCnameToken

      oss:GetCnameToken

      Queries the created CNAME tokens.

      PutCname

      oss:PutCname

      Maps a custom domain name to a bucket.

      ListCname

      oss:ListCname

      Queries all custom domain names that are mapped to a bucket.

      DeleteCname

      oss:DeleteCname

      Deletes a CNAME record that maps a custom domain name to a bucket.

      PutStyle

      oss:PutStyle

      Configures image styles.

      GetStyle

      oss:GetStyle

      Queries image styles.

      ListStyle

      oss:ListStyle

      Lists image styles.

      DeleteStyle

      oss:DeleteStyle

      Deletes image styles.

      CreateBucketDataRedundancyTransition

      oss:CreateBucketDataRedundancyTransition

      Creates a task to change the storage redundancy type of a bucket.

      GetBucketDataRedundancyTransition

      oss:GetBucketDataRedundancyTransition

      Queries the tasks that change the redundancy type of a bucket.

      ListBucketDataRedundancyTransition

      oss:ListBucketDataRedundancyTransition

      Lists all redundancy type conversion tasks of a bucket.

      DeleteBucketDataRedundancyTransition

      oss:DeleteBucketDataRedundancyTransition

      Deletes a redundancy type conversion task.

      PutArchiveDirectRead

      oss:PutBucketArchiveDirectRead

      Enables or disables real-time access of Archive objects for a bucket.

      GetArchiveDirectRead

      oss:GetBucketArchiveDirectRead

      Queries whether real-time access of Archive objects is enabled for a bucket.

      CreateAccessPoint

      oss:CreateAccessPoint

      Creates an access point.

      GetAccessPoint

      oss:GetAccessPoint

      Queries information about an access point.

      DeleteAccessPoint

      oss:DeleteAccessPoint

      Deletes an access point.

      ListAccessPoints

      oss:ListAccessPoints

      Queries user-level or bucket-level access points.

      PutAccessPointPolicy

      oss:PutAccessPointPolicy

      Configures an access point policy.

      GetAccessPointPolicy

      oss:GetAccessPointPolicy

      Obtains information about an access point policy.

      DeleteAccessPointPolicy

      oss:DeleteAccessPointPolicy

      Deletes an access point policy.

      PutBucketHttpsConfig

      oss:PutBucketHttpsConfig

      Enables or disables Transport Layer Security (TLS) version management for a bucket.

      GetBucketHttpsConfig

      oss:GetBucketHttpsConfig

      Queries the configurations of TLS version management of a bucket.

      ReplicateList

      oss:ReplicateList

      Lists the historical data in the source bucket and then replicates the historical data to the destination bucket.

      CreateAccessPointForObjectProcess

      oss:CreateAccessPointForObjectProcess

      Creates an Object FC Access Point.

      GetAccessPointForObjectProcess

      oss:GetAccessPointForObjectProcess

      Queries basic information about an Object FC Access Point.

      DeleteAccessPointForObjectProcess

      oss:DeleteAccessPointForObjectProcess

      Deletes an Object FC Access Point.

      ListAccessPointsForObjectProcess

      oss:ListAccessPointsForObjectProcess

      Queries information about user-level Object FC Access Points.

      PutAccessPointConfigForObjectProcess

      oss:PutAccessPointConfigForObjectProcess

      Changes the configurations of an Object FC Access Point.

      GetAccessPointConfigForObjectProcess

      oss:GetAccessPointConfigForObjectProcess

      Queries the configurations of an Object FC Access Point.

      PutAccessPointPolicyForObjectProcess

      oss:PutAccessPointPolicyForObjectProcess

      Configures permission policies for an Object FC Access Point.

      GetAccessPointPolicyForObjectProcess

      oss:GetAccessPointPolicyForObjectProcess

      Queries the permission policies of an Object FC Access Point.

      DeleteAccessPointPolicyForObjectProcess

      oss:DeleteAccessPointPolicyForObjectProcess

      Deletes the permission policies of an Object FC Access Point.

      WriteGetObjectResponse

      oss:WriteGetObjectResponse

      Specifies the return data and response headers for a GetObject request.

    • Object-level operations

      API

      Action

      Operation

      PutObject

      oss:PutObject

      Uploads an object.

      PostObject

      oss:PutObject

      Uploads an object to a bucket by using HTML form upload.

      AppendObject

      oss:PutObject

      Uploads an object by using append upload.

      InitiateMultipartUpload

      oss:PutObject

      Initiates a multipart upload task.

      UploadPart

      oss:PutObject

      Uploads an object by part based on the object name and upload ID.

      CompleteMultipartUpload

      oss:PutObject

      Completes a multipart upload task.

      AbortMultipartUpload

      oss:AbortMultipartUpload

      Cancels a multipart upload task and deletes the uploaded parts.

      PutSymlink

      oss:PutObject

      Creates a symbolic link for an object.

      GetObject

      oss:GetObject

      Queries an object.

      HeadObject

      oss:GetObject

      Queries the metadata of an object.

      GetObjectMeta

      oss:GetObject

      Queries the metadata of an object, including the ETag, object size, and last modified time.

      SelectObject

      oss:GetObject

      Executes SQL statements on an object and queries the execution results.

      GetSymlink

      oss:GetObject

      Queries the symbolic link of an object.

      DeleteObject

      oss:DeleteObject

      Deletes an object.

      DeleteMultipleObjects

      oss:DeleteObject

      Deletes multiple objects from a bucket at a time.

      CopyObject

      oss:GetObject,oss:PutObject

      Copies objects to the same bucket or to a different bucket in the same region.

      UploadPartCopy

      oss:GetObject,oss:PutObject

      Copies data from an existing object to upload a part by adding the x-oss-copy-source request header to an UploadPart request to call the UploadPartCopy operation.

      ListParts

      oss:ListParts

      Lists all parts that are uploaded by using an upload ID.

      PutObjectACL

      oss:PutObjectAcl

      Modifies the ACL of an object in a bucket.

      GetObjectACL

      oss:GetObjectAcl

      Queries the ACL of an object in a bucket.

      RestoreObject

      oss:RestoreObject

      Restores Archive, Cold Archive, or Deep Cold Archive objects.

      PutObjectTagging

      oss:PutObjectTagging

      Adds tags to or modifies the tags of an object.

      GetObjectTagging

      oss:GetObjectTagging

      Queries the tags of an object.

      DeleteObjectTagging

      oss:DeleteObjectTagging

      Deletes the tags of an object.

      GetObject (with versionId specified in the request)

      oss:GetObjectVersion

      Downloads a specific version of an object.

      PutObjectACL (with versionId specified in the request)

      oss:PutObjectVersionAcl

      Modifies the ACL of a specific version of an object.

      GetObjectACL (with versionId specified in the request)

      oss:GetObjectVersionAcl

      Queries the ACL of a specific version of an object.

      RestoreObject (with versionId specified in the request)

      oss:RestoreObjectVersion

      Restores a specific version of an Archive object, a Cold Archive, or a Deep Cold Archive object.

      DeleteObject (with versionId specified in the request)

      oss:DeleteObjectVersion

      Deletes a specific version of an object.

      PutObjectTagging (with versionId specified in the request)

      oss:PutObjectVersionTagging

      Adds tags to or modifies the tags of a specific version of an object.

      GetObjectTagging (with versionId specified in the request)

      oss:GetObjectVersionTagging

      Queries the tags of a specific version of an object.

      DeleteObjectTagging (with versionId specified in the request)

      oss:DeleteObjectVersionTagging

      Deletes the tags of a specific version of an object.

      PutLiveChannel

      oss:PutLiveChannel

      Creates a LiveChannel.

      ListLiveChannel

      oss:ListLiveChannel

      Lists the specified LiveChannels.

      DeleteLiveChannel

      oss:DeleteLiveChannel

      Deletes a LiveChannel.

      PutLiveChannelStatus

      oss:PutLiveChannelStatus

      Switches the status of a LiveChannel between enabled and disabled.

      GetLiveChannelInfo

      oss:GetLiveChannel

      Queries the configurations of a LiveChannel.

      GetLiveChannelStat

      oss:GetLiveChannelStat

      Queries the stream ingest status of a LiveChannel.

      GetLiveChannelHistory

      oss:GetLiveChannelHistory

      Queries the stream ingest records of a LiveChannel.

      PostVodPlaylist

      oss:PostVodPlaylist

      Generates a video on demand (VOD) playlist for a LiveChannel.

      GetVodPlaylist

      oss:GetVodPlaylist

      Queries the playlist that is generated by the streams ingested to a LiveChannel within a specific time range.

      PublishRtmpStream

      oss:PublishRtmpStream

      Push audio and video streams over Real-Time Messaging Protocol (RTMP).

      ImgSaveAs

      oss:PostProcessTask

      Saves processed images to a bucket.

      ReplicateGet

      oss:ReplicateGet

      Allows OSS to read data and metadata from the source and destination buckets in a data replication task, such as objects, parts, and multipart upload tasks.

      ReplicatePut

      oss:ReplicatePut

      Allows OSS to perform write operations on the destination bucket in a data replication task, such as writing objects, multipart upload tasks, parts, and symbolic links, and modifying object metadata.

      ReplicateDelete

      oss:ReplicateDelete

      Allows OSS to perform delete operations on the destination bucket in a data replication task, such as DeleteObject, AbortMultipartUpload, and DeleteMarker.

      Important

      This action is required only if you set Replication Policy to Add/Delete/Change.

    Resource element in RAM policies for OSS

    In RAM policies for OSS, the Resource element specifies one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.

    Category

    Format

    Example

    Bucket-level resource

    acs:oss:{region}:{bucket_owner}:{bucket_name}

    acs:oss:*:*:mybucket

    Object-level resource

    acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}

    acs:oss:*:*:mybucket/abc.txt

    Note

    The region field can be set only to an asterisk (*) wildcard character.

    Condition element in RAM policies for OSS

    The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see Condition.

    The following table describes the categories of conditional operators and condition keys.

    • Conditional operators

      Category

      Conditional operator

      String

      • StringEquals

      • StringNotEquals

      • StringEqualsIgnoreCase

      • StringNotEqualsIgnoreCase

      • StringLike

      • StringNotLike

      Number

      • NumericEquals

      • NumericNotEquals

      • NumericLessThan

      • NumericLessThanEquals

      • NumericGreaterThan

      • NumericGreaterThanEquals

      Date and time

      • DateEquals

      • DateNotEquals

      • DateLessThan

      • DateLessThanEquals

      • DateGreaterThan

      • DateGreaterThanEquals

      Boolean

      Bool

      IP address

      • IpAddress

      • NotIpAddress

    • Condition keys

      Condition

      Description

      acs:SourceIp

      The CIDR block from which the requests are sent. This condition supports the asterisk (*) wildcard character.

      acs:UserAgent

      The User-Agent header in the HTTP request.

      Type: string.

      acs:CurrentTime

      The point in time when the request is received by the OSS server.

      Standard: ISO 8601.

      acs:SecureTransport

      Specifies whether to use HTTPS for secure data transfers. Valid values:

      • true: Only HTTPS requests are allowed.

      • false: Only HTTP requests are allowed.

      If the acs:SecureTransport condition is not specified, both HTTPS and HTTP requests are allowed.

      oss:Prefix

      The prefix in the names of the objects that you want to list by calling the ListObjects operation.

      oss:Delimiter

      The character that is used to group the names of the objects that you want to list by calling the ListObjects operation.

      acs:AccessId

      The AccessKey ID provided in the request.

      oss:BucketTag

      The tag of the bucket.

      A single bucket tag can be used as a condition. To configure multiple bucket tags as multiple conditions, you must add oss:BucketTag/ before each bucket tag.

      acs:MFAPresent

      Specifies whether to enable multi-factor authentication (MFA).

      Valid values:

      • true

      • false

      oss:ExistingObjectTag

      Specifies that the requested object has tags.

      A single object tag can be used as a condition. To configure multiple object tags as multiple conditions, you must add oss:ExistingObjectTag/ before each object tag.

      This condition applies to operations that are called to read objects, such as GetObject and HeadObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.

      oss:RequestObjectTag

      The object tags in the request.

      A single object tag can be used as a condition. To configure multiple object tags as multiple conditions, you must add oss:RequestObjectTag/ before each object tag.

      This condition applies to operations that are called to write objects, such as PutObject and PostObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.

    Examples

    You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.