You can use Resource Access Management (RAM) to control access to your Object Storage Service (OSS) resources. This topic describes how to create custom RAM policies to grant fine-grained permissions to users for accessing OSS buckets and objects.
Background information
RAM provides the following system policies for OSS:
AliyunOSSFullAccess: Grants permissions to perform all actions on all OSS resources.
AliyunOSSReadOnlyAccess: Grants read-only permissions for all OSS resources.
If these system policies do not meet your requirements, you can create custom policies to implement the principle of least privilege and achieve fine-grained access control. For more information about OSS actions and resources, see RAM policies for OSS.
Procedure
For examples, see the "Policy examples" section in this topic.
Attach the custom policy to the RAM user.
When you attach the policy, specify one of the following authorization scopes:
Account: The permissions apply to all resources within your Alibaba Cloud account.
Resource Group: The permissions apply only to the resources within a specified resource group.
Policy examples
Example 1: Grant full access to a specific bucket
The following example policy grants a user permissions to perform all actions on the bucket myphotos and all objects within it.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*"
      ]
    }
  ]
}
Example 2: Grant read-only access to a specific bucket
The required permissions vary depending on whether the user accesses OSS through the console or programmatically.
For programmatic access (SDK or CLI)
This policy allows a user to list objects in the myphotos bucket and download objects from it.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:myphotos"
    },
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Resource": "acs:oss:*:*:myphotos/*"
    }
  ]
}
For console access
To use the OSS console, a user needs additional permissions to list all buckets and retrieve bucket information, which are required for the console to render correctly.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:myphotos"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:myphotos/*"
    }
  ]
}
Example 3: Restrict access by source IP address
You can use a condition block to control access based on the user's IP address.
Allow access only from specific IP ranges
This policy allows a user to read data from the myphotos bucket only if their IP address is in the 192.168.0.0/16 or 172.16.1.0/16 CIDR block.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["192.168.0.0/16", "172.16.1.0/16"]
        }
      }
    }
  ]
}
Deny access from outside a specific IP range
This policy explicitly denies all OSS actions if the user's IP address is not in the 192.168.0.0/16 CIDR block. An explicit Deny statement always overrides an Allow statement.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos",
        "acs:oss:*:*:myphotos/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:*"
      ],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": ["192.168.0.0/16"]
        }
      }
    }
  ]
}
Example 4: Grant read-only access to a specific directory
Assume you have a bucket named myphotos with a folder structure organized by location and year. You want to grant a user read-only access to the hangzhou/2015/ directory.
myphotos/
├── beijing/
│   ├── 2014/
│   └── 2015/
├── hangzhou/
│   ├── 2013/
│   ├── 2014/
│   └── 2015/   <-- Grant read-only access to this directory
└── qingdao/
    ├── 2014/
    └── 2015/
The required policy varies based on the access method.
For application access (get objects only)
This policy allows an application to download objects from the specified directory if it knows the full object path. It does not allow listing the objects in the directory.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Resource": "acs:oss:*:*:myphotos/hangzhou/2015/*"
    }
  ]
}
For programmatic access (list and get objects)
This policy allows a developer using an SDK or CLI to list and download objects in the myphotos/hangzhou/2015/ directory. The oss:ListObjects action is restricted by a prefix condition to limit the listing scope.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Resource": "acs:oss:*:*:myphotos/hangzhou/2015/*"
    },
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:myphotos",
      "Condition": {
        "StringLike": {
          "oss:Prefix": "hangzhou/2015/*"
        }
      }
    }
  ]
}
For console access
This policy allows a RAM user to navigate the folder structure in the OSS console and access the target directory. It grants permissions to list buckets and then progressively list objects within prefixes, using a delimiter to simulate a folder hierarchy. This is the most complex scenario.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:myphotos"
      ],
      "Condition": {
        "StringLike": {
          "oss:Delimiter": "/",
          "oss:Prefix": [
            "",
            "hangzhou/",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ]
}
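To check how the policies in Example 3 (IP-based Deny) and Example 4 (prefix-restricted listing) evaluate before attaching them, the following added example (not Alibaba Cloud's code) models the subset of RAM policy evaluation those examples rely on: wildcard Action and Resource matching, the IpAddress, NotIpAddress and StringLike conditions, and an explicit Deny overriding every Allow. Request attributes such as acs:SourceIp and oss:Prefix are passed in as a plain dict here; the real service derives them from the request.

```python
# Added example (not Alibaba Cloud's own evaluator): models the subset of RAM
# policy semantics used on this page: Allow/Deny, wildcard Action/Resource,
# IpAddress / NotIpAddress / StringLike conditions, explicit Deny over Allow.
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_any(ip, cidrs):
    # strict=False accepts non-canonical CIDRs such as 172.16.1.0/16
    return any(ip_address(ip) in ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, context):
    """True only if every operator/key in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # request lacks the key: condition cannot match
                return False
            expected = _as_list(expected)
            if operator == "IpAddress":
                hit = _in_any(actual, expected)
            elif operator == "NotIpAddress":
                hit = not _in_any(actual, expected)
            elif operator == "StringLike":  # '*' wildcard, case-sensitive
                hit = any(fnmatchcase(actual, pat) for pat in expected)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not hit:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request evaluated against one policy."""
    context = context or {}
    decision = "Deny"  # implicit deny when no statement matches
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision
```

Feeding the deny policy from Example 3 a request from 10.0.0.1 returns Deny even though an Allow statement also matches, which is the override behaviour the text describes.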