This topic describes the conditions that must be met by the access point policy, RAM policy, and bucket policy when you perform operations on Object Storage Service (OSS) by using an access point.
Relationships among the access point policy, bucket policy, and RAM policy
The following table shows that you can use an access point to perform operations on OSS only if both of the following conditions are met:
The merged result of the RAM policy and bucket policy is determined as Allow.
The access point policy is determined as Allow.
Input result (Merged result of the RAM policy and bucket policy) | Access point policy result | Output result |
Allow | Allow | Allow |
Allow | Deny | Deny |
Allow | Ignore | Ignore |
Deny | Allow | Deny |
Deny | Deny | Deny |
Deny | Ignore | Deny |
Ignore | Allow | Ignore |
Ignore | Deny | Deny |
Ignore | Ignore | Ignore |
The following table describes the output results in the preceding table.
Output result | Description |
Allow | If a request hits an Allow statement and no Deny statement in a policy, the request is allowed and the output result is determined as Allow. |
Deny (explicit deny) | If a request hits a Deny statement in a policy, the request is denied and the output result is determined as Deny. If a request hits both a Deny statement and an Allow statement in a policy, the Deny statement takes precedence over the Allow statement. In this case, the request is denied and the output result is determined as Deny (explicit deny). |
Ignore (implicit deny) | If a request hits neither a Deny statement nor an Allow statement in a policy, the request is denied and the output result is determined as Ignore (implicit deny). By default, all requests initiated by a RAM user are implicitly denied. |
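To make the merge rules concrete, the following Python example (added here; it is not the OSS evaluator or Alibaba Cloud code) reduces a policy document to Allow, Deny or Ignore and then combines the RAM/bucket result with the access point result exactly as the first table does. It encodes the access point policy used in the examples below and assumes a simplified matcher: shell-style wildcards for Action and Resource, exact match for Principal, and StringLike conditions only.

```python
import fnmatch

# Added example (not Alibaba Cloud's evaluator): a simplified, offline model of the
# Allow / Deny / Ignore logic in the tables above. It matches Action, Principal and
# Resource with shell-style wildcards and checks StringLike conditions only.
AP = "acs:oss:cn-hangzhou:137xxxx:accesspoint/example-ap-001"

# The access point policy used in Example 1 and Example 2 of this topic, as a dict.
ACCESS_POINT_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"], "Principal": ["205xxxx"],
     "Resource": [AP + "/object/finance/*"]},
    {"Effect": "Allow", "Action": ["oss:ListObjects", "oss:GetObject"],
     "Principal": ["205xxxx"], "Resource": [AP],
     "Condition": {"StringLike": {"oss:Prefix": ["finance/*"]}}},
]}

def _hit(stmt, req):
    """True when every element of the statement matches the request."""
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in stmt["Action"]):
        return False
    if req["principal"] not in stmt["Principal"]:
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in stmt["Resource"]):
        return False
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        value = req.get("context", {}).get(key)
        if value is None or not any(fnmatch.fnmatchcase(value, p) for p in patterns):
            return False
    return True

def evaluate(policy, req):
    """Result of one policy document: explicit Deny wins, then Allow, else Ignore."""
    effects = {s["Effect"] for s in policy["Statement"] if _hit(s, req)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "Ignore"

def combine(input_result, ap_result):
    """Merge the RAM/bucket result with the access point result, per the first table."""
    if "Deny" in (input_result, ap_result):
        return "Deny"
    return "Allow" if input_result == ap_result == "Allow" else "Ignore"

def put_request(uid, key):
    """Constructed PutObject request through the access point for object key `key`."""
    return {"action": "oss:PutObject", "principal": uid, "resource": AP + "/object/" + key}

if __name__ == "__main__":
    for uid in ("205xxxx", "266xxxx"):  # Example 1 and Example 2 on this page
        ap = evaluate(ACCESS_POINT_POLICY, put_request(uid, "finance/exampleobject.txt"))
        print(uid, "access point:", ap, "-> final:", combine("Allow", ap))
```

Running it reproduces the two examples: the UID 205xxxx upload resolves to Allow, while the UID 266xxxx upload resolves to Ignore even though the merged RAM and bucket policies allow it.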
Examples
Example 1
Input result (Merged result of the RAM policy and bucket policy) | Access point policy result | Output result |
Allow | Allow | Allow |
RAM policy and bucket policy
Policy | Example | Input result |
RAM policy | Empty | Allow. The RAM user whose UID is 205xxxx of the Alibaba Cloud account whose UID is 137xxxx has the permissions to perform all operations on the resources in the |
Bucket policy | The following bucket policy allows the RAM user whose UID is 205xxxx of the Alibaba Cloud account whose UID is 137xxxx to perform all operations on the resources in the |
Access point policy
The following access point policy allows the RAM user whose UID is 205xxxx to perform all operations on the resources in the finance/ directory of the bucket with which the access point is associated.
{
"Version":"1",
"Statement":[
{
"Effect":"Allow",
"Action":[
"oss:*"
],
"Principal":[
"205xxxx"
],
"Resource":[
"acs:oss:cn-hangzhou:137xxxx:accesspoint/example-ap-001/object/finance/*"
]
},
{
"Effect":"Allow",
"Action":[
"oss:ListObjects",
"oss:GetObject"
],
"Principal":[
"205xxxx"
],
"Resource":[
"acs:oss:cn-hangzhou:137xxxx:accesspoint/example-ap-001"
],
"Condition":{
"StringLike":{
"oss:Prefix":[
"finance/*"
]
}
}
}
]
}
Use a RAM user authorized by the access point policy to upload a local file by using an access point
The following sample code provides an example on how to use the authorized RAM user whose UID is 205xxxx to upload a local file to the finance/ directory by using an access point.
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
# Obtain access credentials from environment variables. Before you run the sample code, make sure that the AccessKey pair of the RAM user is specified by using the environment variables.
auth = oss2.ProviderAuthV4(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
endpoint = "https://oss-cn-hangzhou.aliyuncs.com"
# Specify the access point alias.
bucket_name = "example-ap-001-14****-ossalias"
# Specify the region in which the bucket is located. Example: cn-hangzhou.
region = "cn-hangzhou"
bucket = oss2.Bucket(auth, endpoint, bucket_name, region=region)
# Upload an object to the finance/ directory specified by the access point policy. The sample uploads the string 'Hello OSS'; pass a file object or use put_object_from_file to upload a local file.
result = bucket.put_object('finance/exampleobject.txt', 'Hello OSS')
# Display the returned HTTP status code.
print('http status: {0}'.format(result.status))
# Display the request ID. A request ID uniquely identifies the request. We recommend that you add this parameter to the logs.
print('request_id: {0}'.format(result.request_id))
# Display the ETag value returned by the put_object method. The ETag value of an object is used to identify the object content.
print('ETag: {0}'.format(result.etag))
# Display the HTTP response headers.
print('date: {0}'.format(result.headers['date']))
The following returned results indicate that the RAM user authorized by the access point policy can upload a file to the directory specified by the access point policy by using an access point.
http status: 200
request_id: 673AACB3478AB335343C****
ETag: F0F18C2C66AE1DD512BDCD4366F7****
date: Mon, 18 Nov 2024 02:55:47 GMT
Example 2
Input result (Merged result of the RAM policy and bucket policy) | Access point policy result | Output result |
Allow | Ignore | Ignore |
RAM policy and bucket policy
Policy | Example | Input result |
RAM policy | The following RAM policy grants the | Allow. The RAM user whose UID is 266xxxx of the Alibaba Cloud account whose UID is 137xxxx has the permissions to perform all operations on the resources in the |
Bucket policy | The following bucket policy allows all RAM users of the Alibaba Cloud account whose UID is 137xxxx to perform all operations on the resources in the |
Access point policy
The following access point policy allows only the RAM user whose UID is 205xxxx to perform all operations on the resources in the finance/ directory of the bucket with which the access point is associated. The RAM user whose UID is 266xxxx is not mentioned in any statement.
{
"Version":"1",
"Statement":[
{
"Effect":"Allow",
"Action":[
"oss:*"
],
"Principal":[
"205xxxx"
],
"Resource":[
"acs:oss:cn-hangzhou:137xxxx:accesspoint/example-ap-001/object/finance/*"
]
},
{
"Effect":"Allow",
"Action":[
"oss:ListObjects",
"oss:GetObject"
],
"Principal":[
"205xxxx"
],
"Resource":[
"acs:oss:cn-hangzhou:137xxxx:accesspoint/example-ap-001"
],
"Condition":{
"StringLike":{
"oss:Prefix":[
"finance/*"
]
}
}
}
]
}
Use a RAM user that is not authorized by the access point policy to upload a local file by using an access point
The following sample code provides an example on how to use the unauthorized RAM user whose UID is 266xxxx to upload a local file to the finance/ directory by using an access point.
# -*- coding: utf-8 -*-
import oss2
from oss2.credentials import EnvironmentVariableCredentialsProvider
# Obtain access credentials from environment variables. Before you run the sample code, make sure that the AccessKey pair of the RAM user is specified by using the environment variables.
auth = oss2.ProviderAuthV4(EnvironmentVariableCredentialsProvider())
# Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
endpoint = "https://oss-cn-hangzhou.aliyuncs.com"
# Specify the access point alias.
bucket_name = "example-ap-001-14****-ossalias"
# Specify the region in which the bucket is located. Example: cn-hangzhou.
region = "cn-hangzhou"
bucket = oss2.Bucket(auth, endpoint, bucket_name, region=region)
# Attempt to upload an object to the finance/ directory specified by the access point policy. The sample uploads the string 'Hello OSS'; pass a file object or use put_object_from_file to upload a local file.
result = bucket.put_object('finance/exampleobject.txt', 'Hello OSS')
# Display the returned HTTP status code.
print('http status: {0}'.format(result.status))
# Display the request ID. A request ID uniquely identifies the request. We recommend that you add this parameter to the logs.
print('request_id: {0}'.format(result.request_id))
# Display the ETag value returned by the put_object method. The ETag value of an object is used to identify the object content.
print('ETag: {0}'.format(result.etag))
# Display the HTTP response headers.
print('date: {0}'.format(result.headers['date']))
The following error indicates that the RAM user that is not authorized by the access point policy cannot upload a file to the directory specified by the access point policy by using an access point. The merged RAM and bucket policies allow the request, but the access point policy result is Ignore (implicit deny), so the output result is Ignore and OSS returns 403 AccessDenied.
oss2.exceptions.AccessDenied: {'status': 403, 'x-oss-request-id': '673C375AECB4DB373307****',
'details': {'Code': 'AccessDenied',
'Message': 'You have no right to access this object because of bucket acl.',
'RequestId': '673C375AECB4DB373307****',
'HostId': 'example-ap-001-14****-ossalias.oss-cn-hangzhou.aliyuncs.com',
'EC': '0003-00000001', 'RecommendDoc': 'https://api.aliyun.com/troubleshoot?q=0003-00000001'}}