A RAM policy is a user-based authorization policy that controls access to your resources. This topic describes how to use RAM policies to manage user permissions.
Background information
RAM policy syntax and structure
A RAM policy consists of a version (Version) and one or more statements (Statement). Each statement consists of an effect (Effect), an operation (Action), a resource (Resource), and an optional condition (Condition). For more information about the syntax and structure of an access policy, see Syntax and structure of an access policy.
In OSS, the rules for Version, Statement, and Effect are the same as those in RAM. For information about Action, Resource, and Condition, see the following sections:
Common OSS access policies
AliyunOSSFullAccess: Grants RAM users full management permissions for OSS.
AliyunOSSReadOnlyAccess: Grants RAM users read-only access permissions for OSS.
OSS access control methods
For more information about the access control methods that OSS provides, see Overview of access control.
OSS Action classification
Actions are classified into service-level operations, bucket-level operations, and object-level operations.
Service-level

| API | Action | Description |
|  | oss:ListBuckets | Lists all buckets that the requester owns. |
|  | oss:ListUserDataRedundancyTransition | Lists all storage redundancy transition tasks of the requester. |
| None | oss:ActivateProduct | Activates OSS and Content Moderation services. |
| None | oss:CreateOrder | Creates orders for OSS resource plans. |
|  | oss:PutPublicAccessBlock | Enables Block Public Access for all of OSS. |
|  | oss:GetPublicAccessBlock | Obtains the configuration information of Block Public Access for all of OSS. |
|  | oss:DeletePublicAccessBlock | Deletes the configuration information of Block Public Access for all of OSS. |
Bucket-level

| API | Action | Description |
|  | oss:PutBucket | Creates a bucket. |
|  | oss:ListObjects | Lists information about all objects in a bucket. |
|  | oss:GetBucketInfo | Views information about a bucket. |
|  | oss:GetBucketLocation | Views the location information of a bucket. |
|  | oss:GetBucketStat | Obtains the storage capacity and the number of objects in a bucket. |
|  | oss:PutBucketVersioning | Sets the versioning state for a specified bucket. |
|  | oss:GetBucketVersioning | Obtains the versioning state of a specified bucket. |
|  | oss:ListObjectVersions | Lists the version information of all objects, including delete markers, in a bucket. |
|  | oss:PutBucketAcl | Sets or modifies the ACL of a bucket. |
|  | oss:GetBucketAcl | Obtains the ACL of a bucket. |
|  | oss:DeleteBucket | Deletes a bucket. |
|  | oss:InitiateBucketWorm | Creates a retention policy. |
|  | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
|  | oss:CompleteBucketWorm | Locks a retention policy. |
|  | oss:ExtendBucketWorm | Extends the retention period of objects in the bucket that corresponds to a locked retention policy. |
|  | oss:GetBucketWorm | Obtains information about a retention policy. |
|  | oss:PutBucketLogging | Enables the log storage feature for a bucket. |
|  | oss:PutObject | When log storage is enabled for a source bucket, this action sets the logs of the source bucket to be written to a destination bucket. |
|  | oss:GetBucketLogging | Views the log storage configuration of a bucket. |
|  | oss:DeleteBucketLogging | Disables the log storage feature for a bucket. |
|  | oss:PutBucketWebsite | Configures a bucket for static website hosting and sets its redirection rules (RoutingRule). |
|  | oss:GetBucketWebsite | Views the static website hosting status and redirection rules of a bucket. |
|  | oss:DeleteBucketWebsite | Disables the static website hosting mode and redirection rules for a bucket. |
|  | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
|  | oss:GetBucketReferer | Views the hotlink protection (Referer) configuration of a bucket. |
|  | oss:PutBucketLifecycle | Sets the lifecycle rule for a bucket. |
|  | oss:GetBucketLifecycle | Views the lifecycle rule of a bucket. |
|  | oss:DeleteBucketLifecycle | Deletes the lifecycle rule of a bucket. |
|  | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
|  | oss:GetBucketTransferAcceleration | Views the transfer acceleration configuration of a bucket. |
|  | oss:ListMultipartUploads | Lists all multipart upload events that are in progress. In-progress multipart upload events are multipart upload events that have been initiated but not yet completed or aborted. |
|  | oss:PutBucketCors | Sets cross-origin resource sharing (CORS) rules for a specified bucket. |
|  | oss:GetBucketCors | Obtains the current CORS rules of a specified bucket. |
|  | oss:DeleteBucketCors | Disables the CORS feature for a specified bucket and clears all CORS rules. |
|  | oss:PutBucketPolicy | Sets the authorization policy for a specified bucket. |
|  | oss:GetBucketPolicy | Obtains the authorization policy of a specified bucket. |
|  | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified bucket. |
|  | oss:PutBucketTagging | Adds or modifies the tags of a specified bucket. |
|  | oss:GetBucketTagging | Obtains the tags of a bucket. |
|  | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
|  | oss:PutBucketEncryption | Configures the encryption rule for a bucket. |
|  | oss:GetBucketEncryption | Obtains the encryption rule of a bucket. |
|  | oss:DeleteBucketEncryption | Deletes the encryption rule of a bucket. |
|  | oss:PutBucketRequestPayment | Configures the pay-by-requester mode. |
|  | oss:GetBucketRequestPayment | Obtains the configuration information of the pay-by-requester mode. |
|  | oss:PutBucketReplication | Sets the data replication rule for a bucket. |
|  | oss:ReplicateGet | Sets cross-account data replication rules for a bucket or specifies a RAM role for replication. |
|  | oss:PutBucketRTC | Enables or disables replication time control (RTC) for an existing cross-region replication rule. |
|  | oss:GetBucketReplication | Obtains the configured data replication rule of a bucket. |
|  | oss:DeleteBucketReplication | Stops data replication for a bucket and deletes the replication configuration of the bucket. |
|  | oss:GetBucketReplicationLocation | Obtains the regions where destination buckets for replication can be located. |
|  | oss:GetBucketReplicationProgress | Obtains the data replication progress of a bucket. |
|  | oss:PutBucketInventory | Configures an inventory rule for a bucket. |
|  | oss:GetBucketInventory | Views a specified inventory task in a bucket. |
|  | oss:GetBucketInventory | Obtains all inventory tasks in a bucket in batches. |
|  | oss:DeleteBucketInventory | Deletes a specified inventory task from a bucket. |
|  | oss:PutBucketAccessMonitor | Configures the access tracking state of a bucket. |
|  | oss:GetBucketAccessMonitor | Obtains the access tracking state of a bucket. |
|  | oss:OpenMetaQuery | Enables the metadata management feature for a bucket. |
|  | oss:GetMetaQueryStatus | Obtains the metadata index information of a bucket. |
|  | oss:DoMetaQuery | Queries for objects that meet specified conditions and lists object information based on the specified fields and sorting order. |
|  | oss:CloseMetaQuery | Disables the metadata management feature for a bucket. |
|  | oss:InitUserAntiDDosInfo | Creates an Anti-DDoS for OSS instance. |
|  | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS for OSS instance. |
|  | oss:GetUserAntiDDosInfo | Queries for information about the Anti-DDoS for OSS instances under a specified account. |
|  | oss:InitBucketAntiDDosInfo | Initializes protection for a bucket. |
|  | oss:UpdateBucketAntiDDosInfo | Updates the protection status of a bucket. |
|  | oss:ListBucketAntiDDosInfo | Obtains a list of protection information for a bucket. |
|  | oss:PutBucketResourceGroup | Sets the resource group to which a bucket belongs. |
|  | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
|  | oss:CreateCnameToken | Creates a CnameToken required for domain name ownership verification. |
|  | oss:GetCnameToken | Obtains a created CnameToken. |
|  | oss:PutCname | Attaches a custom domain name to a bucket. |
|  | yundun-cert:DescribeSSLCertificatePrivateKey, yundun-cert:DescribeSSLCertificatePublicKeyDetail, yundun-cert:CreateSSLCertificate | When you attach a custom domain name to a bucket, this action attaches a certificate. |
|  | oss:ListCname | Obtains a list of all custom domain names (Cnames) attached to a bucket. |
|  | oss:DeleteCname | Deletes a Cname that is attached to a bucket. |
|  | oss:PutStyle | Sets an image style. |
|  | oss:GetStyle | Obtains an image style. |
|  | oss:ListStyle | Lists image styles. |
|  | oss:DeleteStyle | Deletes an image style. |
|  | oss:PutBucketArchiveDirectRead | Enables or disables real-time access of Archive objects for a bucket. |
|  | oss:GetBucketArchiveDirectRead | Checks whether real-time access of Archive objects is enabled for a bucket. |
|  | oss:CreateAccessPoint | Creates an access point. |
|  | oss:GetAccessPoint | Obtains information about a single access point. |
|  | oss:DeleteAccessPoint | Deletes an access point. |
|  | oss:ListAccessPoints | Obtains information about user-level and bucket-level access points. |
|  | oss:PutAccessPointPolicy | Configures an access point policy. |
|  | oss:GetAccessPointPolicy | Obtains information about an access point policy. |
|  | oss:DeleteAccessPointPolicy | Deletes an access point policy. |
|  | oss:PutBucketHttpsConfig | Enables or disables TLS version settings for a bucket. |
|  | oss:GetBucketHttpsConfig | Views the TLS version settings of a bucket. |
| None | oss:ReplicateList | The list permission required for replication. This allows OSS to first list the historical data in the source bucket and then replicate the historical data one by one. |
|  | oss:CreateAccessPointForObjectProcess | Creates an object FC access point. |
|  | oss:GetAccessPointForObjectProcess | Obtains the basic information of an object FC access point. |
|  | oss:DeleteAccessPointForObjectProcess | Deletes an object FC access point. |
|  | oss:ListAccessPointsForObjectProcess | Obtains information about user-level object FC access points. |
|  | oss:PutAccessPointConfigForObjectProcess | Modifies the configuration of an object FC access point. |
|  | oss:GetAccessPointConfigForObjectProcess | Obtains the configuration information of an object FC access point. |
|  | oss:PutAccessPointPolicyForObjectProcess | Configures an access policy for an object FC access point. |
|  | oss:GetAccessPointPolicyForObjectProcess | Obtains the access policy configuration of an object FC access point. |
|  | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the access policy of an object FC access point. |
|  | oss:WriteGetObjectResponse | Customizes the returned data and response headers. |
|  | oss:CreateBucketDataRedundancyTransition | Creates a storage redundancy transition task. |
|  | oss:GetBucketDataRedundancyTransition | Obtains a storage redundancy transition task. |
|  | oss:DeleteBucketDataRedundancyTransition | Deletes a storage redundancy transition task. |
|  | oss:ListBucketDataRedundancyTransition | Lists all storage redundancy transition tasks in a bucket. |
|  | oss:PutBucketPublicAccessBlock | Enables Block Public Access for a bucket. |
|  | oss:GetBucketPublicAccessBlock | Obtains the Block Public Access configuration of a bucket. |
|  | oss:DeleteBucketPublicAccessBlock | Deletes the Block Public Access configuration of a bucket. |
|  | oss:PutAccessPointPublicAccessBlock | Enables Block Public Access for an access point. |
|  | oss:GetAccessPointPublicAccessBlock | Obtains the Block Public Access configuration of an access point. |
|  | oss:DeleteAccessPointPublicAccessBlock | Deletes the Block Public Access configuration of an access point. |
|  | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access. |
Object-level

| API | Action | Description |
|  | oss:PutObject | Uploads an object. |
|  | oss:PutObjectTagging | When you upload an object, this action specifies the tags of the object using x-oss-tagging. |
|  | kms:GenerateDataKey, kms:Decrypt | When you upload an object, this action specifies that the metadata of the object contains X-Oss-Server-Side-Encryption: KMS. |
|  | oss:PutObject | Uploads an object to a specified bucket using an HTML form. |
|  | oss:PutObject | Uploads an object in append mode. |
|  | oss:PutObjectTagging | When you upload an object in append mode, this action specifies the object tags using x-oss-tagging. |
|  | oss:PutObject | Initializes a multipart upload task. |
|  | oss:PutObjectTagging | When you initialize a multipart upload task, this action specifies the object tags using x-oss-tagging. |
|  | kms:GenerateDataKey, kms:Decrypt | When you initialize a multipart upload task, this action specifies that the metadata of the object contains X-Oss-Server-Side-Encryption: KMS. |
|  | oss:PutObject | Uploads data in parts based on the specified object name and upload ID. |
|  | oss:PutObject | After all data parts are uploaded, call this operation to complete the multipart upload of the object. |
|  | oss:PutObjectTagging | After all data parts are uploaded, call this operation to complete the multipart upload of the object and specify the tags of the object. |
|  | oss:AbortMultipartUpload | Aborts a multipart upload event and deletes the corresponding part data. |
|  | oss:PutObject | Creates a symbolic link for a target object in OSS. |
|  | oss:PutObjectTagging | Creates a symbolic link with specified object tags for a target object in OSS. |
|  | oss:GetObject | Obtains an object. |
|  | kms:Decrypt | Downloads an object that is encrypted using a specified KMS key. |
|  | oss:GetObjectVersion | Downloads a specified version of an object. |
|  | oss:GetObject | Obtains the metadata of an object. |
|  | oss:GetObject | Obtains the metadata of an object, including its ETag, Size, and LastModified information. |
|  | oss:GetObject | Executes an SQL statement on a target object and returns the execution result. |
|  | oss:GetObject | Obtains the symbolic link of a target object. |
|  | oss:DeleteObject | Deletes an object. |
|  | oss:DeleteObjectVersion | Deletes a specified version of an object. |
|  | oss:DeleteObject | Deletes multiple objects from the same bucket. |
|  | oss:GetObject, oss:PutObject | Copies an object between the same or different buckets in the same region. |
|  | oss:GetObjectVersion | Copies a specified version of an object between the same or different buckets in the same region. |
|  | oss:GetObjectTagging, oss:PutObjectTagging | Copies an object with specified tags between the same or different buckets in the same region. |
|  | kms:GenerateDataKey, kms:Decrypt | When you copy an object, this action specifies that the metadata of the destination object contains X-Oss-Server-Side-Encryption: KMS. |
|  | oss:GetObjectVersionTagging | Copies a specified version of an object with specified tags between the same or different buckets in the same region. |
|  | oss:GetObject, oss:PutObject | Calls the UploadPartCopy operation by adding the x-oss-copy-source request header to an UploadPart request. This lets you copy data from an existing object to upload a part. |
|  | oss:GetObjectVersion | Calls the UploadPartCopy operation by adding the x-oss-copy-source request header to an UploadPart request. This lets you copy data from a specified version of an existing object to upload a part. |
|  | oss:ListParts | Lists all successfully uploaded parts that belong to a specified upload ID. |
|  | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
|  | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object in a bucket. |
|  | oss:GetObjectAcl | Obtains the ACL of an object in a bucket. |
|  | oss:GetObjectVersionAcl | Obtains the ACL of a specified version of an object in a bucket. |
|  | oss:RestoreObject | Restores an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
|  | oss:RestoreObjectVersion | Restores a specified version of an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
|  | oss:PutObjectTagging | Sets or updates the tagging information of an object. |
|  | oss:PutObjectVersionTagging | Sets or updates the tagging information of a specified version of an object. |
|  | oss:GetObjectTagging | Obtains the tag information of an object. |
|  | oss:GetObjectVersionTagging | Obtains the tag information of a specified version of an object. |
|  | oss:DeleteObjectTagging | Deletes the tag information of a specified object. |
|  | oss:DeleteObjectVersionTagging | Deletes the tag information of a specified version of an object. |
|  | oss:PutLiveChannel | Before you can upload audio and video data using RTMP, you must call this operation to create a LiveChannel. |
|  | oss:ListLiveChannel | Lists specified LiveChannels. |
|  | oss:DeleteLiveChannel | Deletes a specified LiveChannel. |
|  | oss:PutLiveChannelStatus | Switches a LiveChannel between the enabled and disabled states. |
|  | oss:GetLiveChannel | Obtains the configuration information of a specified LiveChannel. |
|  | oss:GetLiveChannelStat | Obtains the stream ingest status of a specified LiveChannel. |
|  | oss:GetLiveChannelHistory | Obtains the stream ingest records of a specified LiveChannel. |
|  | oss:PostVodPlaylist | Generates a video-on-demand (VOD) playlist for a specified LiveChannel. |
|  | oss:GetVodPlaylist | Views the playlist generated by stream ingest to a specified LiveChannel within a specified time range. |
| None | oss:PublishRtmpStream | Pushes audio and video data streams to RTMP. |
| None | oss:ProcessImm | The permission to process data using IMM through OSS. |
|  | oss:GetObject | The permission to process data using IMM through a POST request. |
|  | oss:PutObject | The permission to process data using IMM with the Saveas parameter. |
|  | oss:PostProcessTask | Saves a processed image to a specified bucket. |
|  | imm:CreateOfficeConversionTask | The permission to perform document conversion or take snapshots using IMM. |
|  | imm:GenerateWebofficeToken | Used to obtain a Weboffice credential. |
|  | imm:RefreshWebofficeToken | Used to refresh a Weboffice credential. |
| None | oss:ReplicateGet | The read permission required for replication. This allows OSS to read data and metadata from the source and destination buckets, including objects, parts, and multipart uploads. |
| None | oss:ReplicatePut | The write permission required for replication. This allows OSS to perform write operations related to replication on the destination bucket, including writing objects, multipart uploads, parts, and symbolic links, and modifying metadata. |
| None | oss:ReplicateDelete | The delete permission required for replication. This allows OSS to perform delete operations related to replication on the destination bucket, such as DeleteObject, AbortMultipartUpload, and DeleteMarker. Important: You need to grant this action to the RAM role only when the data replication method is set to Sync Create, Delete, And Update. |
Resource pool QoS

| API | Action | Description |
|  | oss:PutBucketQoSInfo | Sets throttling for a bucket in a resource pool. |
|  | oss:GetBucketQoSInfo | Obtains the throttling configuration of a bucket in a resource pool. |
|  | oss:DeleteBucketQoSInfo | Deletes the throttling configuration of a specified bucket in a resource pool. |
|  | oss:PutBucketRequesterQoSInfo | Sets bucket-level throttling for a requester. |
|  | oss:GetBucketRequesterQoSInfo | Obtains the bucket-level throttling configuration for a specified requester. |
|  | oss:ListBucketRequesterQoSInfo | Obtains the bucket-level throttling configurations for all requesters. |
|  | oss:DeleteBucketRequesterQoSInfo | Deletes the throttling configuration of a requester for a bucket. |
|  | oss:ListResourcePools | Obtains information about all resource pools under the current account. |
|  | oss:GetResourcePoolInfo | Obtains the throttling configuration of a specified resource pool. |
|  | oss:ListResourcePoolBuckets | Obtains the list of buckets included in a specified resource pool. |
|  | oss:PutResourcePoolRequesterQoSInfo | Configures throttling for a requester of a resource pool. |
|  | oss:GetResourcePoolRequesterQoSInfo | Obtains the throttling configuration of a specified requester in a resource pool. |
|  | oss:ListResourcePoolRequesterQoSInfos | Obtains the throttling configurations of all requesters in a resource pool. |
|  | oss:DeleteResourcePoolRequesterQoSInfo | Deletes the throttling configuration of a specified requester in a resource pool. |
Vector bucket

| API | Action | Description |
|  | oss:PutVectorBucket | Creates a vector bucket. |
|  | oss:GetVectorBucket | Obtains the details of a vector bucket. |
|  | oss:ListVectorBuckets | Lists all vector buckets that the requester owns. |
|  | oss:DeleteVectorBucket | Deletes a vector bucket. |
|  | oss:PutBucketLogging | Enables the log storage feature for a vector bucket. |
|  | oss:PutObject | When log storage is enabled for a source vector bucket, this action sets the logs of the source vector bucket to be written to a destination bucket. |
|  | oss:GetBucketLogging | Views the log storage configuration of a vector bucket. |
|  | oss:DeleteBucketLogging | Disables the log storage feature for a vector bucket. |
|  | oss:PutBucketPolicy | Sets the authorization policy for a specified vector bucket. |
|  | oss:GetBucketPolicy | Obtains the authorization policy of a specified vector bucket. |
|  | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified vector bucket. |
|  | oss:PutVectorIndex | Creates a vector index. |
|  | oss:GetVectorIndex | Obtains the details of a vector index. |
|  | oss:ListVectorIndexes | Lists all vector indexes in a vector bucket. |
|  | oss:DeleteVectorIndex | Deletes a vector index. |
|  | oss:PutVectors | Writes vector data. |
|  | oss:GetVectors | Obtains specified vector data. |
|  | oss:ListVectors | Lists all vector data in a vector index. |
|  | oss:QueryVectors | Performs a vector similarity search. |
|  | oss:DeleteVectors | Deletes specified vector data from a vector index. |
OSS Resource description
In OSS, a Resource specifies one or more resources and supports the asterisk (*) wildcard character. A single RAM policy can contain multiple Resources.
Bucket

| Classification | Format | Example |
| Bucket-level |  |  |
| Object-level |  |  |
| Resource pool-level |  |  |

Vector bucket

| Resource level | Format | Example |
| All vector resources |  |  |
| Vector bucket |  |  |
| Vector index |  |  |
| Vector data |  |  |
The region field can only be set to the asterisk (*) wildcard character.
OSS Condition description
An OSS Condition specifies the conditions under which an authorization is granted. It consists of a condition operator type, a condition key, and a condition value.
The condition operator types and condition keys in an OSS Condition are as follows:
Condition operator types

| Condition operator type | Supported types |
| String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
| Numeric | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
| Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
| Boolean | Bool |
| IP address | IpAddress, NotIpAddress, IpAddressIncludeBorder |
Condition keys

| Condition key | Description |
| acs:SourceIp | Specifies a normal IP address range. The asterisk (*) wildcard character is supported. |
| acs:SourceVpc | Specifies a VPC. You can set this to a specific VPC ID or vpc-*. Important: When you use acs:SourceVpc to restrict access from a VPC, make sure that the region of the selected VPC matches a region where OSS gateway endpoints are supported. Otherwise, authentication requests cannot be associated with the corresponding VPC, which causes authentication to fail. For more information about the regions where OSS gateway endpoints are supported, see Regions that support gateway endpoints for OSS. |
| acs:UserAgent | Specifies the HTTP User-Agent header. Type: string. |
| acs:CurrentTime | The time when the request arrives at the OSS server. Format: ISO8601. |
| acs:SecureTransport | The protocol type of the request. Valid values: true (only HTTPS requests are allowed) and false (only HTTP requests are allowed). If acs:SecureTransport is not set, both HTTP and HTTPS requests are allowed. |
| oss:x-oss-acl | Restricts the type of bucket ACL. Valid values: private, public-read, and public-read-write. For more information, see Bucket ACL. |
| oss:x-oss-object-acl | Restricts the type of object ACL. Valid values: private, public-read, public-read-write, and default (inherits the bucket ACL). For more information, see Object ACL. |
| oss:Prefix | Used in a ListObjects request to list objects with a specified prefix. |
| oss:Delimiter | Used in a ListObjects request as the character to group object names. |
| acs:AccessId | The AccessId included in the request. |
| oss:BucketTag | Bucket tag. A single bucket tag can be used as a condition. If you specify multiple bucket tags, you must add oss:BucketTag/ before each bucket tag to form multiple conditions. |
| acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is enabled. Valid values: true (MFA is enabled) and false (MFA is not enabled). |
| oss:ExistingObjectTag | The tag that exists on the requested object. A single object tag can be used as a condition. If you specify multiple object tags, you must add oss:ExistingObjectTag/ before each tag. This key is mainly used for operations that read objects, such as GetObject and HeadObject, and for object tagging operations, such as PutObjectTagging and GetObjectTagging. |
| oss:RequestObjectTag | The object tag included in the request. A single object tag can be used as a condition. If you specify multiple object tags, you must add oss:RequestObjectTag/ before each tag. This key is mainly used for operations that write objects, such as PutObject and PostObject, and for object tagging operations, such as PutObjectTagging and GetObjectTagging. |
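The following is an added example, not code from the OSS documentation: it puts the Version/Statement/Effect/Action/Resource/Condition structure described above into a constructed least-privilege policy and evaluates requests against it using a subset of the condition operators and condition keys listed in this section (Bool, IpAddress, StringEquals/StringNotEquals/StringLike, acs:SecureTransport, acs:SourceIp, oss:x-oss-object-acl). The bucket name, CIDR and the evaluation helper are this example's own assumptions; the treatment of a condition key missing from the request is a simplification of RAM's evaluation, not a statement about it.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed example policy (not from the page): read-only access to one prefix,
# only over HTTPS from one office CIDR; the Deny stops objects being made non-private.
POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Resource": ["acs:oss:*:*:example-bucket",
                         "acs:oss:*:*:example-bucket/reports/*"],
            "Condition": {
                "Bool": {"acs:SecureTransport": "true"},
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
            },
        },
        {
            "Effect": "Deny",
            "Action": "oss:PutObjectAcl",
            "Resource": "acs:oss:*:*:example-bucket/*",
            "Condition": {"StringNotEquals": {"oss:x-oss-object-acl": "private"}},
        },
    ],
}

def _in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

# Subset of the operator types listed above; Numeric* and Date* are omitted.
OPERATORS = {
    "StringEquals": lambda got, want: got == want,
    "StringNotEquals": lambda got, want: got != want,
    "StringLike": lambda got, want: fnmatchcase(got, want),
    "Bool": lambda got, want: got.lower() == want.lower(),
    "IpAddress": lambda got, want: _in_net(got, want),
    "NotIpAddress": lambda got, want: not _in_net(got, want),
}
# A negated operator must hold against every listed value, the others against any one.
NEGATED = {"StringNotEquals", "NotIpAddress"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def condition_holds(condition, ctx):
    """True when every operator/key pair is satisfied by the request context.
    A key absent from the request fails the condition (this example's simplification)."""
    for op, pairs in condition.items():
        test = OPERATORS[op]  # KeyError for an operator this example does not model
        for key, wanted in pairs.items():
            if key not in ctx:
                return False
            hits = [test(str(ctx[key]), str(w)) for w in _as_list(wanted)]
            if not (all(hits) if op in NEGATED else any(hits)):
                return False
    return True

def statement_applies(stmt, action, resource, ctx):
    # Action and Resource both support the * wildcard, so glob-match them.
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), ctx))

def evaluate(policy, action, resource, ctx):
    """Deny-overrides: a matching Deny wins, then a matching Allow grants,
    otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

Call `evaluate(POLICY, "oss:GetObject", "acs:oss:*:*:example-bucket/reports/q1.csv", {"acs:SecureTransport": True, "acs:SourceIp": "203.0.113.7"})` to see the Allow path; drop HTTPS, move the source IP, or change the ACL on a PutObjectAcl request to see the implicit and explicit denies.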