This topic provides sample policies that allow access to Object Storage Service (OSS) from a specified IP address.
- In the following policy, an IP address condition is added to the statement whose effect is Allow. This way, a RAM user can read data from the myphotos bucket only from an IP address in the 192.168.0.0/16 or 172.16.0.0/12 CIDR block. The first statement, which grants bucket listing and bucket metadata reads on all buckets, carries no condition, so those operations remain allowed from any IP address.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListBuckets",
          "oss:GetBucketStat",
          "oss:GetBucketInfo",
          "oss:GetBucketTagging",
          "oss:GetBucketAcl"
        ],
        "Resource": [
          "acs:oss:*:*:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListObjects",
          "oss:GetObject"
        ],
        "Resource": [
          "acs:oss:*:*:myphotos",
          "acs:oss:*:*:myphotos/*"
        ],
        "Condition": {
          "IpAddress": {
            "acs:SourceIp": ["192.168.0.0/16", "172.16.0.0/12"]
          }
        }
      }
    ]
  }
  ```
- In the following policy, an IP address condition is added to a statement whose effect is Deny. This way, a RAM user cannot access OSS at all if the request does not originate from an IP address in the 192.168.0.0/16 CIDR block.

  Note: A statement with the Deny effect takes precedence over a statement with the Allow effect. When a RAM user attempts to read data from the myphotos bucket from an IP address outside the 192.168.0.0/16 CIDR block, OSS returns an error indicating that the RAM user does not have the required permissions. Because the Deny statement covers oss:* on all resources, it also overrides the unconditional Allow statements (for example, oss:ListBuckets) for requests from outside that range. The acs:SourceIp value is the source address of the request as seen by OSS, so requests that pass through a NAT gateway or proxy are judged by the translated address.

  ```json
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListBuckets",
          "oss:GetBucketStat",
          "oss:GetBucketInfo",
          "oss:GetBucketTagging",
          "oss:GetBucketAcl"
        ],
        "Resource": [
          "acs:oss:*:*:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "oss:ListObjects",
          "oss:GetObject"
        ],
        "Resource": [
          "acs:oss:*:*:myphotos",
          "acs:oss:*:*:myphotos/*"
        ]
      },
      {
        "Effect": "Deny",
        "Action": "oss:*",
        "Resource": [
          "acs:oss:*:*:*"
        ],
        "Condition": {
          "NotIpAddress": {
            "acs:SourceIp": ["192.168.0.0/16"]
          }
        }
      }
    ]
  }
  ```