This topic uses two example policies to demonstrate how to allow a RAM user to access Object Storage Service (OSS) only from specified IP addresses (CIDR blocks).
- The following policy allows the authorized RAM user to list buckets and read bucket metadata from any IP address, and to list and read data in the myphotos directory only from an IP address in the 192.168.0.0/16 or 172.12.0.0/16 CIDR block. Note that the IpAddress condition is attached only to the second statement: the bucket-level actions in the first statement are not restricted by source IP, and a request from any other address for the myphotos data is simply not allowed (implicit deny) rather than explicitly denied.

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListBuckets",
          "oss:GetBucketStat",
          "oss:GetBucketInfo",
          "oss:GetBucketTagging",
          "oss:GetBucketAcl"
        ],
        "Resource": [
          "acs:oss:*:*:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListObjects",
          "oss:GetObject"
        ],
        "Resource": [
          "acs:oss:*:*:myphotos",
          "acs:oss:*:*:myphotos/*"
        ],
        "Condition": {
          "IpAddress": {
            "acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"]
          }
        }
      }
    ]
  }
- The following policy grants the same permissions but adds a Deny statement that covers all OSS actions (oss:*) on all resources and applies when the source IP is not in the 192.168.0.0/16 CIDR block. As a result, the authorized RAM user cannot access OSS at all unless the request comes from an IP address in the 192.168.0.0/16 CIDR block.

  Note: An explicit Deny statement takes precedence over an Allow statement. When the RAM user attempts to read data from the myphotos directory from an IP address outside the 192.168.0.0/16 CIDR block, the Deny statement matches and OSS returns an error indicating that the RAM user does not have the required permissions.

  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListBuckets",
          "oss:GetBucketStat",
          "oss:GetBucketInfo",
          "oss:GetBucketTagging",
          "oss:GetBucketAcl"
        ],
        "Resource": [
          "acs:oss:*:*:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListObjects",
          "oss:GetObject"
        ],
        "Resource": [
          "acs:oss:*:*:myphotos",
          "acs:oss:*:*:myphotos/*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": "oss:*",
        "Resource": [
          "acs:oss:*:*:*"
        ],
        "Condition": {
          "NotIpAddress": {
            "acs:SourceIp": ["192.168.0.0/16"]
          }
        }
      }
    ]
  }
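The following Python evaluator is an added example; it is not part of this page and is not Alibaba Cloud's RAM policy engine. It models only the subset of the policy language the two example policies use (Allow and Deny effects, "*" wildcards in Action and Resource, and the IpAddress / NotIpAddress operators on the acs:SourceIp condition key) together with the explicit-Deny-wins rule from the Note, so that you can check which decision each policy yields for a given action, resource and source IP before attaching it to a user. The region, account ID, object key and client IP addresses used in the sample requests are constructed placeholders.

```python
import fnmatch
import ipaddress
import json

# Added example: a minimal evaluator for the two policies on this page.
# It is NOT Alibaba Cloud's RAM engine; it covers only what these policies use:
# Allow/Deny, '*' wildcards in Action and Resource, and the IpAddress /
# NotIpAddress operators on the acs:SourceIp condition key.

POLICY_ALLOW_ONLY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo",
              "oss:GetBucketTagging", "oss:GetBucketAcl"],
   "Resource": ["acs:oss:*:*:*"]},
  {"Effect": "Allow",
   "Action": ["oss:ListObjects", "oss:GetObject"],
   "Resource": ["acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*"],
   "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/16", "172.12.0.0/16"]}}}
]}
""")

POLICY_WITH_DENY = json.loads("""
{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo",
              "oss:GetBucketTagging", "oss:GetBucketAcl"],
   "Resource": ["acs:oss:*:*:*"]},
  {"Effect": "Allow",
   "Action": ["oss:ListObjects", "oss:GetObject"],
   "Resource": ["acs:oss:*:*:myphotos", "acs:oss:*:*:myphotos/*"]},
  {"Effect": "Deny", "Action": "oss:*", "Resource": ["acs:oss:*:*:*"],
   "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}}
]}
""")


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """A '*' in an Action or Resource pattern matches any run of characters."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _in_cidrs(source_ip, cidrs):
    """True if source_ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, source_ip):
    """Every operator in a Condition block must hold; no Condition always holds."""
    for operator, keys in (condition or {}).items():
        cidrs = keys.get("acs:SourceIp", [])
        if operator == "IpAddress" and not _in_cidrs(source_ip, cidrs):
            return False
        if operator == "NotIpAddress" and _in_cidrs(source_ip, cidrs):
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator not modelled in this example: {operator}")
    return True


def evaluate(policy, action, resource, source_ip):
    """Return 'Deny' if any matching statement denies, else 'Allow' if any
    matching statement allows, else 'ImplicitDeny' when no statement applies.
    This is the explicit-Deny-wins rule described in the Note above."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation immediately
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request parameters: region, account ID and object key are placeholders.
    obj = "acs:oss:cn-hangzhou:1234567890:myphotos/2024/a.jpg"
    buckets = "acs:oss:cn-hangzhou:1234567890:*"
    for name, policy in (("allow-only", POLICY_ALLOW_ONLY), ("with-deny", POLICY_WITH_DENY)):
        for ip in ("192.168.1.10", "172.12.3.4", "10.0.0.5"):
            print(name, ip,
                  "GetObject ->", evaluate(policy, "oss:GetObject", obj, ip),
                  "| ListBuckets ->", evaluate(policy, "oss:ListBuckets", buckets, ip))
```

Running the script shows the difference a practitioner cares about: with the allow-only policy, a read of the myphotos data from 10.0.0.5 falls through to ImplicitDeny, but oss:ListBuckets from the same address is still allowed because the IP condition covers only the second statement; with the Deny policy, both requests from 10.0.0.5 are explicitly denied, and so is a read from 172.12.3.4, which the first policy permitted. A Deny statement with a NotIpAddress condition is therefore the construct to use when the intent is that no OSS access at all is possible from outside the approved range.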