All Products
Search

This Product

    Object Storage Service:Configure RAM policies to authorize user access to OSS

    Document Center

    Object Storage Service:Configure RAM policies to authorize user access to OSS

    Last Updated:Sep 13, 2024

    Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your resources in Object Storage Service (OSS).

    Background information

    • Syntax and structure of RAM policies

      A RAM policy contains a version number and a list of statements. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

      You can use the Version, Statement, and Effect elements in the RAM policies for OSS in the same manner as you use the elements in the policies for RAM. For more information about how to use the Action, Resource, and Condition elements in RAM policies for OSS, see the following sections in this topic:

    • Common RAM policies for OSS

      • AliyunOSSFullAccess: grants a RAM user the full permissions on OSS resources.

      • AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.

    • Access control

      For more information about the access control methods supported by OSS, see Overview.

    Action element in RAM policies for OSS

    RAM policies for OSS support service-level, bucket-level, and object-level operations.

    • Service-level operations

      API

      Action

      Description

      ListBuckets (GetService)

      oss:ListBuckets

      Lists all buckets owned by the requester.

      ListUserDataRedundancyTransition

      oss:ListUserDataRedundancyTransition

      Lists all redundancy type change tasks of the requester.

      N/A

      oss:ActivateProduct

      Activates OSS and enables Content Risk Detection.

      N/A

      oss:CreateOrder

      Places an order for an OSS resource plan.

      PutPublicAccessBlock

      oss:PutPublicAccessBlock

      Enables Block Public Access for OSS resources.

      GetPublicAccessBlock

      oss:GetPublicAccessBlock

      Queries the Block Public Access configurations of OSS resources.

      DeletePublicAccessBlock

      oss:DeletePublicAccessBlock

      Deletes the Block Public Access configurations of OSS resources.

    • Bucket-level operations

      API

      Action

      Description

      PutBucket

      oss:PutBucket

      Creates a bucket.

      ListObjects (GetBucket)

      oss:ListObjects

      Lists all objects in a bucket.

      GetBucketInfo

      oss:GetBucketInfo

      Queries information about a bucket.

      GetBucketLocation

      oss:GetBucketLocation

      Queries the location information about a bucket.

      PutBucketVersioning

      oss:PutBucketVersioning

      Configures the versioning state for a bucket.

      GetBucketVersioning

      oss:GetBucketVersioning

      Queries the versioning state of a bucket.

      ListObjectVersions (GetBucketVersions)

      oss:ListObjectVersions

      Lists the versions of all objects in a bucket, including delete markers.

      PutBucketAcl

      oss:PutBucketAcl

      Configures or modifies the access control list (ACL) of a bucket.

      GetBucketAcl

      oss:GetBucketAcl

      Queries the ACL of a bucket.

      DeleteBucket

      oss:DeleteBucket

      Deletes a bucket.

      InitiateBucketWorm

      oss:InitiateBucketWorm

      Creates a retention policy.

      AbortBucketWorm

      oss:AbortBucketWorm

      Deletes an unlocked retention policy.

      CompleteBucketWorm

      oss:CompleteBucketWorm

      Locks a retention policy.

      ExtendBucketWorm

      oss:ExtendBucketWorm

      Extends the retention period (days) of objects in a bucket for which a retention policy is locked.

      GetBucketWorm

      oss:GetBucketWorm

      Queries the retention policies of a bucket.

      PutBucketLogging

      oss:PutBucketLogging

      Enables logging for a bucket.

      GetBucketLogging

      oss:GetBucketLogging

      Queries the logging configurations of a bucket.

      DeleteBucketLogging

      oss:DeleteBucketLogging

      Disables logging for a bucket.

      PutBucketWebsite

      oss:PutBucketWebsite

      Enables static website hosting for a bucket and configures redirection rules for the bucket.

      GetBucketWebsite

      oss:GetBucketWebsite

      Queries the static website hosting status and the redirection rules of a bucket.

      DeleteBucketWebsite

      oss:DeleteBucketWebsite

      Disables static website hosting for a bucket and deletes the redirection rules of the bucket.

      PutBucketReferer

      oss:PutBucketReferer

      Configures hotlink protection for a bucket.

      GetBucketReferer

      oss:GetBucketReferer

      Queries the hotlink protection configurations of a bucket.

      PutBucketLifecycle

      oss:PutBucketLifecycle

      Configures lifecycle rules for a bucket.

      GetBucketLifecycle

      oss:GetBucketLifecycle

      Queries the lifecycle rules of a bucket.

      DeleteBucketLifecycle

      oss:DeleteBucketLifecycle

      Deletes the lifecycle rules of a bucket.

      PutBucketTransferAcceleration

      oss:PutBucketTransferAcceleration

      Configures transfer acceleration for a bucket.

      GetBucketTransferAcceleration

      oss:GetBucketTransferAcceleration

      Queries the transfer acceleration configurations of a bucket.

      ListMultipartUploads

      oss:ListMultipartUploads

      Lists all ongoing multipart upload tasks, which include tasks that are initiated but are not completed or canceled.

      PutBucketCors

      oss:PutBucketCors

      Configures cross-origin resource sharing (CORS) rules for a bucket.

      GetBucketCors

      oss:GetBucketCors

      Queries the CORS rules of a bucket.

      DeleteBucketCors

      oss:DeleteBucketCors

      Disables CORS for a bucket and deletes all CORS rules of the bucket.

      PutBucketPolicy

      oss:PutBucketPolicy

      Configures policies for a bucket.

      GetBucketPolicy

      oss:GetBucketPolicy

      Queries the policies of a bucket.

      DeleteBucketPolicy

      oss:DeleteBucketPolicy

      Deletes the policies of a bucket.

      PutBucketTags

      oss:PutBucketTagging

      Adds tags to or modifies the tags of a bucket.

      GetBucketTags

      oss:GetBucketTagging

      Queries the tags of a bucket.

      DeleteBucketTags

      oss:DeleteBucketTagging

      Deletes the tags of a bucket.

      PutBucketEncryption

      oss:PutBucketEncryption

      Configures encryption rules for a bucket.

      GetBucketEncryption

      oss:GetBucketEncryption

      Queries the encryption rules of a bucket.

      DeleteBucketEncryption

      oss:DeleteBucketEncryption

      Deletes the encryption rules of a bucket.

      PutBucketRequestPayment

      oss:PutBucketRequestPayment

      Enables pay-by-requester for a bucket.

      GetBucketRequestPayment

      oss:GetBucketRequestPayment

      Queries the pay-by-requester configurations of a bucket.

      PutBucketReplication

      oss:PutBucketReplication

      Configures a data replication rule for a bucket.

      PutBucketRTC

      oss:PutBucketRTC

      Enables or disables Replication Time Control (RTC) for existing cross-region replication (CRR) rules.

      GetBucketReplication

      oss:GetBucketReplication

      Queries the data replication rules of a bucket.

      DeleteBucketReplication

      oss:DeleteBucketReplication

      Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket.

      GetBucketReplicationLocation

      oss:GetBucketReplicationLocation

      Queries the region of a destination bucket to which data can be replicated.

      GetBucketReplicationProgress

      oss:GetBucketReplicationProgress

      Queries the progress of a data replication task of a bucket.

      PutBucketInventory

      oss:PutBucketInventory

      Configures inventories for a bucket.

      GetBucketInventory

      oss:GetBucketInventory

      Queries specific inventories of a bucket.

      ListBucketInventory

      oss:GetBucketInventory

      Queries all inventories of a bucket.

      DeleteBucketInventory

      oss:DeleteBucketInventory

      Deletes a specific inventory of a bucket.

      PutBucketAccessMonitor

      oss:PutBucketAccessMonitor

      Configures the access tracking status of a bucket.

      GetBucketAccessMonitor

      oss:GetBucketAccessMonitor

      Queries the access tracking status of a bucket.

      OpenMetaQuery

      oss:OpenMetaQuery

      Enables metadata management for a bucket.

      GetMetaQueryStatus

      oss:GetMetaQueryStatus

      Queries the metadata index library of a bucket.

      DoMetaQuery

      oss:DoMetaQuery

      Queries objects that meet specific conditions and lists object information based on specific fields and sorting methods.

      CloseMetaQuery

      oss:CloseMetaQuery

      Disables metadata management for a bucket.

      InitUserAntiDDosInfo

      oss:InitUserAntiDDosInfo

      Creates Anti-DDoS instances.

      UpdateUserAntiDDosInfo

      oss:UpdateUserAntiDDosInfo

      Changes the status of an Anti-DDoS instance.

      GetUserAntiDDosInfo

      oss:GetUserAntiDDosInfo

      Queries information about Anti-DDoS instances that belong to an Alibaba Cloud account.

      InitBucketAntiDDosInfo

      oss:InitBucketAntiDDosInfo

      Initializes Anti-DDoS instances for a bucket.

      UpdateBucketAntiDDosInfo

      oss:UpdateBucketAntiDDosInfo

      Updates the status of Anti-DDoS instances of a bucket.

      ListBucketAntiDDosInfo

      oss:ListBucketAntiDDosInfo

      Queries the protection list of an Anti-DDoS instance of a bucket.

      PutBucketResourceGroup

      oss:PutBucketResourceGroup

      Configures a resource group to which a bucket belongs.

      GetBucketResourceGroup

      oss:GetBucketResourceGroup

      Queries the ID of the resource group to which a bucket belongs.

      CreateCnameToken

      oss:CreateCnameToken

      Creates a CNAME token used to verify the ownership of a domain name.

      GetCnameToken

      oss:GetCnameToken

      Queries existing CNAME tokens.

      PutCname

      oss:PutCname

      Maps a custom domain name to a bucket.

      ListCname

      oss:ListCname

      Queries all custom domain names that are mapped to a bucket.

      DeleteCname

      oss:DeleteCname

      Deletes the CNAME record that maps a custom domain name to a bucket.

      PutStyle

      oss:PutStyle

      Configures image styles.

      GetStyle

      oss:GetStyle

      Queries image styles.

      ListStyle

      oss:ListStyle

      Lists image styles.

      DeleteStyle

      oss:DeleteStyle

      Deletes image styles.

      PutBucketArchiveDirectRead

      oss:PutBucketArchiveDirectRead

      Enables or disables real-time access of Archive objects for a bucket.

      GetBucketArchiveDirectRead

      oss:GetBucketArchiveDirectRead

      Queries whether real-time access of Archive objects is enabled for a bucket.

      CreateAccessPoint

      oss:CreateAccessPoint

      Creates an access point.

      GetAccessPoint

      oss:GetAccessPoint

      Queries information about an access point.

      DeleteAccessPoint

      oss:DeleteAccessPoint

      Deletes an access point.

      ListAccessPoints

      oss:ListAccessPoints

      Queries user-level or bucket-level access points.

      PutAccessPointPolicy

      oss:PutAccessPointPolicy

      Configures an access point policy.

      GetAccessPointPolicy

      oss:GetAccessPointPolicy

      Queries information about an access point policy.

      DeleteAccessPointPolicy

      oss:DeleteAccessPointPolicy

      Deletes an access point policy.

      PutBucketHttpsConfig

      oss:PutBucketHttpsConfig

      Enables or disables Transport Layer Security (TLS) version management for a bucket.

      GetBucketHttpsConfig

      oss:GetBucketHttpsConfig

      Queries the TLS version configurations of a bucket.

      N/A

      oss:ReplicateList

      The list permissions in the replication process. Lists historical data in a source bucket and then replicates the historical data to a destination bucket.

      CreateAccessPointForObjectProcess

      oss:CreateAccessPointForObjectProcess

      Creates an Object FC Access Point.

      GetAccessPointForObjectProcess

      oss:GetAccessPointForObjectProcess

      Queries basic information about an Object FC Access Point.

      DeleteAccessPointForObjectProcess

      oss:DeleteAccessPointForObjectProcess

      Deletes an Object FC Access Point.

      ListAccessPointsForObjectProcess

      oss:ListAccessPointsForObjectProcess

      Queries information about user-level Object FC Access Points.

      PutAccessPointConfigForObjectProcess

      oss:PutAccessPointConfigForObjectProcess

      Changes the configurations of an Object FC Access Point.

      GetAccessPointConfigForObjectProcess

      oss:GetAccessPointConfigForObjectProcess

      Queries the configurations of an Object FC Access Point.

      PutAccessPointPolicyForObjectProcess

      oss:PutAccessPointPolicyForObjectProcess

      Configures policies for an Object FC Access Point.

      GetAccessPointPolicyForObjectProcess

      oss:GetAccessPointPolicyForObjectProcess

      Queries the policies of an Object FC Access Point.

      DeleteAccessPointPolicyForObjectProcess

      oss:DeleteAccessPointPolicyForObjectProcess

      Deletes the policies of an Object FC Access Point.

      WriteGetObjectResponse

      oss:WriteGetObjectResponse

      Configures custom response headers and response data.

      CreateBucketDataRedundancyTransition

      oss:CreateBucketDataRedundancyTransition

      Creates a redundancy type conversion task for a bucket.

      GetBucketDataRedundancyTransition

      oss:GetBucketDataRedundancyTransition

      Queries the redundancy type conversion tasks of a bucket.

      DeleteBucketDataRedundancyTransition

      oss:DeleteBucketDataRedundancyTransition

      Deletes a redundancy type conversion task of a bucket.

      ListBucketDataRedundancyTransition

      oss:ListBucketDataRedundancyTransition

      Lists all redundancy type conversion tasks of a bucket.

      PutBucketPublicAccessBlock

      oss:PutBucketPublicAccessBlock

      Enables Block Public Access for a bucket.

      GetBucketPublicAccessBlock

      oss:GetBucketPublicAccessBlock

      Queries the Block Public Access configurations of a bucket.

      DeleteBucketPublicAccessBlock

      oss:DeleteBucketPublicAccessBlock

      Deletes the Block Public Access configurations of a bucket.

      PutAccessPointPublicAccessBlock

      oss:PutAccessPointPublicAccessBlock

      Enables Block Public Access for an access point.

      GetAccessPointPublicAccessBlock

      oss:GetAccessPointPublicAccessBlock

      Queries the Block Public Access configurations of an access point.

      DeleteAccessPointPublicAccessBlock

      oss:DeleteAccessPointPublicAccessBlock

      Deletes the Block Public Access configurations of an access point.

      GetBucketPolicyStatus

      oss:GetBucketPolicyStatus

      Checks whether the current bucket policy allows public access.

    • Object-level operations

      Note

      If object tags are configured when you upload an object, you must have the oss:PutObject and oss:PutObjectTagging permissions.

      API

      Action

      Description

      PutObject

      oss:PutObject

      Uploads an object.

      PostObject

      oss:PutObject

      Uploads an object to a bucket by using an HTML form.

      AppendObject

      oss:PutObject

      Uploads an object by using append upload.

      InitiateMultipartUpload

      oss:PutObject

      Initiates a multipart upload task.

      UploadPart

      oss:PutObject

      Uploads an object by part based on the object name and upload ID.

      CompleteMultipartUpload

      oss:PutObject

      Completes the multipart upload task of an object after all parts of the object are uploaded.

      AbortMultipartUpload

      oss:AbortMultipartUpload

      Cancels a multipart upload task and deletes uploaded parts.

      PutSymlink

      oss:PutObject

      Creates a symbolic link for an object.

      GetObject

      oss:GetObject

      Queries an object.

      HeadObject

      oss:GetObject

      Queries the metadata of an object.

      GetObjectMeta

      oss:GetObject

      Queries the metadata of an object, including the ETag, object size, and last modified time.

      SelectObject

      oss:GetObject

      Executes SQL statements on an object and queries the execution results.

      GetSymlink

      oss:GetObject

      Queries the symbolic link of an object.

      DeleteObject

      oss:DeleteObject

      Deletes an object.

      DeleteMultipleObjects

      oss:DeleteObject

      Deletes multiple objects from a bucket at a time.

      CopyObject

      oss:GetObject

      oss:PutObject

      Copies objects to the same bucket or to a different bucket in the same region.

      UploadPartCopy

      oss:GetObject

      oss:PutObject

      Copies data from an existing object to upload a part by adding the x-oss-copy-source header to an UploadPart request.

      ListParts

      oss:ListParts

      Lists all parts that are uploaded by using an upload ID.

      PutObjectACL

      oss:PutObjectAcl

      Modifies the ACL of an object in a bucket.

      GetObjectACL

      oss:GetObjectAcl

      Queries the ACL of an object in a bucket.

      RestoreObject

      oss:RestoreObject

      Restores Archive, Cold Archive, and Deep Cold Archive objects.

      PutObjectTagging

      oss:PutObjectTagging

      Adds tags to or modifies the tags of an object.

      GetObjectTagging

      oss:GetObjectTagging

      Queries the tags of an object.

      DeleteObjectTagging

      oss:DeleteObjectTagging

      Deletes the tags of an object.

      GetObject (with version ID specified in the request)

      oss:GetObjectVersion

      Downloads a specific version of an object.

      PutObjectACL (with version ID specified in the request)

      oss:PutObjectVersionAcl

      Modifies the ACL of a specific version of an object.

      GetObjectACL (with version ID specified in the request)

      oss:GetObjectVersionAcl

      Queries the ACL of a specific version of an object.

      RestoreObject (with version ID specified in the request)

      oss:RestoreObjectVersion

      Restores a specific version of an Archive, Cold Archive, or Deep Cold Archive object.

      DeleteObject (with version ID specified in the request)

      oss:DeleteObjectVersion

      Deletes a specific version of an object.

      PutObjectTagging (with version ID specified in the request)

      oss:PutObjectVersionTagging

      Adds tags to or modifies the tags of a specific version of an object.

      GetObjectTagging (with version ID specified in the request)

      oss:GetObjectVersionTagging

      Queries the tags of a specific version of an object.

      DeleteObjectTagging (with version ID specified in the request)

      oss:DeleteObjectVersionTagging

      Deletes the tags of a specific version of an object.

      PutLiveChannel

      oss:PutLiveChannel

      Creates a LiveChannel before you upload audio and video data by using Real-Time Messaging Protocol (RTMP).

      ListLiveChannel

      oss:ListLiveChannel

      Lists specific LiveChannels.

      DeleteLiveChannel

      oss:DeleteLiveChannel

      Deletes a LiveChannel.

      PutLiveChannelStatus

      oss:PutLiveChannelStatus

      Changes the status of a LiveChannel to enabled or disabled.

      GetLiveChannelInfo

      oss:GetLiveChannel

      Queries the configurations of a LiveChannel.

      GetLiveChannelStat

      oss:GetLiveChannelStat

      Queries the stream ingest status of a LiveChannel.

      GetLiveChannelHistory

      oss:GetLiveChannelHistory

      Queries the stream ingest records of a LiveChannel.

      PostVodPlaylist

      oss:PostVodPlaylist

      Generates a video on demand (VOD) playlist for a LiveChannel.

      GetVodPlaylist

      oss:GetVodPlaylist

      Queries the playlist that is generated by the streams ingested to a LiveChannel within a specific time range.

      N/A

      oss:PublishRtmpStream

      Ingests video streams and audio streams to OSS over RTMP.

      ImgSaveAs

      oss:PostProcessTask

      Saves processed images to a bucket.

      N/A

      oss:ReplicateGet

      The read permissions in the replication process. Allows OSS to read data and metadata from source and destination buckets in a data replication task, such as objects, parts, and multipart upload tasks.

      N/A

      oss:ReplicatePut

      The write permissions in the replication process. Allows OSS to perform write operations on the destination bucket in a data replication task, such as writing objects, performing multipart upload tasks, uploading parts, configuring symbolic links, and modifying object metadata.

      N/A

      oss:ReplicateDelete

      The delete permissions in the replication process. Allows OSS to perform delete operations on the destination bucket in a data replication task, such as DeleteObject, AbortMultipartUpload, and DeleteMarker.

      Important

      This action is required only if you set Replication Policy to Add/Delete/Change.

    Resource element in RAM policies for OSS

    In RAM policies for OSS, the Resource element specifies one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.

    Category

    Format

    Example

    Bucket-level resource

    acs:oss:{region}:{bucket_owner}:{bucket_name}

    acs:oss:*:*:mybucket

    Object-level resource

    acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}

    acs:oss:*:*:mybucket/abc.txt

    Note

    The region field can be set only to an asterisk (*) wildcard character.

    Condition element in RAM policies for OSS

    The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see Condition.

    The following table describes the categories of conditional operators and condition keys.

    • Categories of conditional operators

      Category

      Conditional operator

      String

      • StringEquals

      • StringNotEquals

      • StringEqualsIgnoreCase

      • StringNotEqualsIgnoreCase

      • StringLike

      • StringNotLike

      Number

      • NumericEquals

      • NumericNotEquals

      • NumericLessThan

      • NumericLessThanEquals

      • NumericGreaterThan

      • NumericGreaterThanEquals

      Date and time

      • DateEquals

      • DateNotEquals

      • DateLessThan

      • DateLessThanEquals

      • DateGreaterThan

      • DateGreaterThanEquals

      Boolean

      Bool

      IP address

      • IpAddress

      • NotIpAddress

    • Condition keys

      Condition key

      Description

      acs:SourceIp

      The CIDR block from which the request is sent. This condition supports the asterisk (*) wildcard character.

      acs:SourceVpc

      The VPC from which the request is sent. You can set this parameter to a specific VPC ID or vpc-*.

      Important

      When you use acs:SourceVpc to restrict the VPC, make sure that the region of the VPC matches the region of the gateway endpoint supported by OSS. Otherwise, authentication requests cannot be associated with the corresponding VPC, which leads to authentication failures. For more information, see Regions of gateway endpoints supported by OSS.

      acs:UserAgent

      The User-Agent header in the HTTP request.

      Type: string.

      acs:CurrentTime

      The point in time when the request is received by the OSS server.

      Standard: ISO 8601.

      acs:SecureTransport

      Specifies whether to use HTTPS for secure data transfers. Valid values:

      • true: Only HTTPS requests are allowed.

      • false: Only HTTP requests are allowed.

      If the acs:SecureTransport condition is not specified, HTTPS and HTTP requests are allowed.

      oss:x-oss-acl

      The ACL of the bucket. Valid values:

      • private

      • public-read

      • public-read-write

      For more information, see Bucket ACLs.

      oss:x-oss-object-acl

      The ACL of the object. Valid values:

      • private

      • public-read

      • public-read-write

      • default: The ACL of the object is the same as the ACL of the bucket in which the object is stored.

      For more information, see Object ACLs.

      oss:Prefix

      The prefix in the names of the objects that you want to list by calling the ListObjects operation.

      oss:Delimiter

      The character that is used to group the names of the objects that you want to list by calling the ListObjects operation.

      acs:AccessId

      The AccessKey ID in the request.

      oss:BucketTag

      The tag of the bucket.

      A single bucket tag can be used as a condition. To specify multiple bucket tags as multiple conditions, you must add oss:BucketTag/ before each bucket tag.

      acs:MFAPresent

      Specifies whether to enable multi-factor authentication (MFA).

      Valid values:

      • true

      • false

      oss:ExistingObjectTag

      Specifies that the requested object has tags.

      A single object tag can be used as a condition. To specify multiple object tags as multiple conditions, you must add oss:ExistingObjectTag/ before each object tag.

      This condition applies to operations that are called to read objects, such as GetObject and HeadObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.

      oss:RequestObjectTag

      The object tags in the request.

      A single object tag can be used as a condition. To specify multiple object tags as multiple conditions, you must add oss:RequestObjectTag/ before each object tag.

      This condition applies to operations that are called to write objects, such as PutObject and PostObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.

    Examples

    You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.