Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your resources in Object Storage Service (OSS).
Background information
Syntax and structure of RAM policies
A RAM policy contains a version number and a list of statements. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
You can use the Version, Statement, and Effect elements in the RAM policies for OSS in the same manner as you use the elements in the policies for RAM. For more information about how to use the Action, Resource, and Condition elements in RAM policies for OSS, see the following sections in this topic:
Common RAM policies for OSS
AliyunOSSFullAccess: grants a RAM user the full permissions on OSS resources.
AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.
Access control
For more information about the access control methods supported by OSS, see Overview.
Action element in RAM policies for OSS
RAM policies for OSS support service-level, bucket-level, and object-level operations.
Service-level operations
API
Action
Description
oss:ListBuckets
Lists all buckets owned by the requester.
oss:ListUserDataRedundancyTransition
Lists all redundancy type change tasks of the requester.
N/A
oss:ActivateProduct
Activates OSS and enables Content Risk Detection.
N/A
oss:CreateOrder
Places an order for an OSS resource plan.
oss:PutPublicAccessBlock
Enables Block Public Access for OSS resources.
oss:GetPublicAccessBlock
Queries the Block Public Access configurations of OSS resources.
oss:DeletePublicAccessBlock
Deletes the Block Public Access configurations of OSS resources.
Bucket-level operations
API
Action
Description
oss:PutBucket
Creates a bucket.
oss:ListObjects
Lists all objects in a bucket.
oss:GetBucketInfo
Queries information about a bucket.
oss:GetBucketLocation
Queries the location information about a bucket.
oss:PutBucketVersioning
Configures the versioning state for a bucket.
oss:GetBucketVersioning
Queries the versioning state of a bucket.
oss:ListObjectVersions
Lists the versions of all objects in a bucket, including delete markers.
oss:PutBucketAcl
Configures or modifies the access control list (ACL) of a bucket.
oss:GetBucketAcl
Queries the ACL of a bucket.
oss:DeleteBucket
Deletes a bucket.
oss:InitiateBucketWorm
Creates a retention policy.
oss:AbortBucketWorm
Deletes an unlocked retention policy.
oss:CompleteBucketWorm
Locks a retention policy.
oss:ExtendBucketWorm
Extends the retention period (days) of objects in a bucket for which a retention policy is locked.
oss:GetBucketWorm
Queries the retention policies of a bucket.
oss:PutBucketLogging
Enables logging for a bucket.
oss:GetBucketLogging
Queries the logging configurations of a bucket.
oss:DeleteBucketLogging
Disables logging for a bucket.
oss:PutBucketWebsite
Enables static website hosting for a bucket and configures redirection rules for the bucket.
oss:GetBucketWebsite
Queries the static website hosting status and the redirection rules of a bucket.
oss:DeleteBucketWebsite
Disables static website hosting for a bucket and deletes the redirection rules of the bucket.
oss:PutBucketReferer
Configures hotlink protection for a bucket.
oss:GetBucketReferer
Queries the hotlink protection configurations of a bucket.
oss:PutBucketLifecycle
Configures lifecycle rules for a bucket.
oss:GetBucketLifecycle
Queries the lifecycle rules of a bucket.
oss:DeleteBucketLifecycle
Deletes the lifecycle rules of a bucket.
oss:PutBucketTransferAcceleration
Configures transfer acceleration for a bucket.
oss:GetBucketTransferAcceleration
Queries the transfer acceleration configurations of a bucket.
oss:ListMultipartUploads
Lists all ongoing multipart upload tasks, which include tasks that are initiated but are not completed or canceled.
oss:PutBucketCors
Configures cross-origin resource sharing (CORS) rules for a bucket.
oss:GetBucketCors
Queries the CORS rules of a bucket.
oss:DeleteBucketCors
Disables CORS for a bucket and deletes all CORS rules of the bucket.
oss:PutBucketPolicy
Configures policies for a bucket.
oss:GetBucketPolicy
Queries the policies of a bucket.
oss:DeleteBucketPolicy
Deletes the policies of a bucket.
oss:PutBucketTagging
Adds tags to or modifies the tags of a bucket.
oss:GetBucketTagging
Queries the tags of a bucket.
oss:DeleteBucketTagging
Deletes the tags of a bucket.
oss:PutBucketEncryption
Configures encryption rules for a bucket.
oss:GetBucketEncryption
Queries the encryption rules of a bucket.
oss:DeleteBucketEncryption
Deletes the encryption rules of a bucket.
oss:PutBucketRequestPayment
Enables pay-by-requester for a bucket.
oss:GetBucketRequestPayment
Queries the pay-by-requester configurations of a bucket.
oss:PutBucketReplication
Configures a data replication rule for a bucket.
oss:PutBucketRTC
Enables or disables Replication Time Control (RTC) for existing cross-region replication (CRR) rules.
oss:GetBucketReplication
Queries the data replication rules of a bucket.
oss:DeleteBucketReplication
Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket.
oss:GetBucketReplicationLocation
Queries the region of a destination bucket to which data can be replicated.
oss:GetBucketReplicationProgress
Queries the progress of a data replication task of a bucket.
oss:PutBucketInventory
Configures inventories for a bucket.
oss:GetBucketInventory
Queries specific inventories of a bucket.
oss:GetBucketInventory
Queries all inventories of a bucket.
oss:DeleteBucketInventory
Deletes a specific inventory of a bucket.
oss:PutBucketAccessMonitor
Configures the access tracking status of a bucket.
oss:GetBucketAccessMonitor
Queries the access tracking status of a bucket.
oss:OpenMetaQuery
Enables metadata management for a bucket.
oss:GetMetaQueryStatus
Queries the metadata index library of a bucket.
oss:DoMetaQuery
Queries objects that meet specific conditions and lists object information based on specific fields and sorting methods.
oss:CloseMetaQuery
Disables metadata management for a bucket.
oss:InitUserAntiDDosInfo
Creates Anti-DDoS instances.
oss:UpdateUserAntiDDosInfo
Changes the status of an Anti-DDoS instance.
oss:GetUserAntiDDosInfo
Queries information about Anti-DDoS instances that belong to an Alibaba Cloud account.
oss:InitBucketAntiDDosInfo
Initializes Anti-DDoS instances for a bucket.
oss:UpdateBucketAntiDDosInfo
Updates the status of Anti-DDoS instances of a bucket.
oss:ListBucketAntiDDosInfo
Queries the protection list of an Anti-DDoS instance of a bucket.
oss:PutBucketResourceGroup
Configures a resource group to which a bucket belongs.
oss:GetBucketResourceGroup
Queries the ID of the resource group to which a bucket belongs.
oss:CreateCnameToken
Creates a CNAME token used to verify the ownership of a domain name.
oss:GetCnameToken
Queries existing CNAME tokens.
oss:PutCname
Maps a custom domain name to a bucket.
oss:ListCname
Queries all custom domain names that are mapped to a bucket.
oss:DeleteCname
Deletes the CNAME record that maps a custom domain name to a bucket.
oss:PutStyle
Configures image styles.
oss:GetStyle
Queries image styles.
oss:ListStyle
Lists image styles.
oss:DeleteStyle
Deletes image styles.
oss:PutBucketArchiveDirectRead
Enables or disables real-time access of Archive objects for a bucket.
oss:GetBucketArchiveDirectRead
Queries whether real-time access of Archive objects is enabled for a bucket.
oss:CreateAccessPoint
Creates an access point.
oss:GetAccessPoint
Queries information about an access point.
oss:DeleteAccessPoint
Deletes an access point.
oss:ListAccessPoints
Queries user-level or bucket-level access points.
oss:PutAccessPointPolicy
Configures an access point policy.
oss:GetAccessPointPolicy
Queries information about an access point policy.
oss:DeleteAccessPointPolicy
Deletes an access point policy.
oss:PutBucketHttpsConfig
Enables or disables Transport Layer Security (TLS) version management for a bucket.
oss:GetBucketHttpsConfig
Queries the TLS version configurations of a bucket.
N/A
oss:ReplicateList
The list permissions in the replication process. Lists historical data in a source bucket and then replicates the historical data to a destination bucket.
oss:CreateAccessPointForObjectProcess
Creates an Object FC Access Point.
oss:GetAccessPointForObjectProcess
Queries basic information about an Object FC Access Point.
oss:DeleteAccessPointForObjectProcess
Deletes an Object FC Access Point.
oss:ListAccessPointsForObjectProcess
Queries information about user-level Object FC Access Points.
oss:PutAccessPointConfigForObjectProcess
Changes the configurations of an Object FC Access Point.
oss:GetAccessPointConfigForObjectProcess
Queries the configurations of an Object FC Access Point.
oss:PutAccessPointPolicyForObjectProcess
Configures policies for an Object FC Access Point.
oss:GetAccessPointPolicyForObjectProcess
Queries the policies of an Object FC Access Point.
oss:DeleteAccessPointPolicyForObjectProcess
Deletes the policies of an Object FC Access Point.
oss:WriteGetObjectResponse
Configures custom response headers and response data.
oss:CreateBucketDataRedundancyTransition
Creates a redundancy type conversion task for a bucket.
oss:GetBucketDataRedundancyTransition
Queries the redundancy type conversion tasks of a bucket.
oss:DeleteBucketDataRedundancyTransition
Deletes a redundancy type conversion task of a bucket.
oss:ListBucketDataRedundancyTransition
Lists all redundancy type conversion tasks of a bucket.
oss:PutBucketPublicAccessBlock
Enables Block Public Access for a bucket.
oss:GetBucketPublicAccessBlock
Queries the Block Public Access configurations of a bucket.
oss:DeleteBucketPublicAccessBlock
Deletes the Block Public Access configurations of a bucket.
oss:PutAccessPointPublicAccessBlock
Enables Block Public Access for an access point.
oss:GetAccessPointPublicAccessBlock
Queries the Block Public Access configurations of an access point.
oss:DeleteAccessPointPublicAccessBlock
Deletes the Block Public Access configurations of an access point.
oss:GetBucketPolicyStatus
Checks whether the current bucket policy allows public access.
Object-level operations
NoteIf object tags are configured when you upload an object, you must have the
oss:PutObject
andoss:PutObjectTagging
permissions.API
Action
Description
oss:PutObject
Uploads an object.
oss:PutObject
Uploads an object to a bucket by using an HTML form.
oss:PutObject
Uploads an object by using append upload.
oss:PutObject
Initiates a multipart upload task.
oss:PutObject
Uploads an object by part based on the object name and upload ID.
oss:PutObject
Completes the multipart upload task of an object after all parts of the object are uploaded.
oss:AbortMultipartUpload
Cancels a multipart upload task and deletes uploaded parts.
oss:PutObject
Creates a symbolic link for an object.
oss:GetObject
Queries an object.
oss:GetObject
Queries the metadata of an object.
oss:GetObject
Queries the metadata of an object, including the ETag, object size, and last modified time.
oss:GetObject
Executes SQL statements on an object and queries the execution results.
oss:GetObject
Queries the symbolic link of an object.
oss:DeleteObject
Deletes an object.
oss:DeleteObject
Deletes multiple objects from a bucket at a time.
oss:GetObject
oss:PutObject
Copies objects to the same bucket or to a different bucket in the same region.
oss:GetObject
oss:PutObject
Copies data from an existing object to upload a part by adding the x-oss-copy-source header to an UploadPart request.
oss:ListParts
Lists all parts that are uploaded by using an upload ID.
oss:PutObjectAcl
Modifies the ACL of an object in a bucket.
oss:GetObjectAcl
Queries the ACL of an object in a bucket.
oss:RestoreObject
Restores Archive, Cold Archive, and Deep Cold Archive objects.
oss:PutObjectTagging
Adds tags to or modifies the tags of an object.
oss:GetObjectTagging
Queries the tags of an object.
oss:DeleteObjectTagging
Deletes the tags of an object.
GetObject (with version ID specified in the request)
oss:GetObjectVersion
Downloads a specific version of an object.
PutObjectACL (with version ID specified in the request)
oss:PutObjectVersionAcl
Modifies the ACL of a specific version of an object.
GetObjectACL (with version ID specified in the request)
oss:GetObjectVersionAcl
Queries the ACL of a specific version of an object.
RestoreObject (with version ID specified in the request)
oss:RestoreObjectVersion
Restores a specific version of an Archive, Cold Archive, or Deep Cold Archive object.
DeleteObject (with version ID specified in the request)
oss:DeleteObjectVersion
Deletes a specific version of an object.
PutObjectTagging (with version ID specified in the request)
oss:PutObjectVersionTagging
Adds tags to or modifies the tags of a specific version of an object.
GetObjectTagging (with version ID specified in the request)
oss:GetObjectVersionTagging
Queries the tags of a specific version of an object.
DeleteObjectTagging (with version ID specified in the request)
oss:DeleteObjectVersionTagging
Deletes the tags of a specific version of an object.
oss:PutLiveChannel
Creates a LiveChannel before you upload audio and video data by using Real-Time Messaging Protocol (RTMP).
oss:ListLiveChannel
Lists specific LiveChannels.
oss:DeleteLiveChannel
Deletes a LiveChannel.
oss:PutLiveChannelStatus
Changes the status of a LiveChannel to enabled or disabled.
oss:GetLiveChannel
Queries the configurations of a LiveChannel.
oss:GetLiveChannelStat
Queries the stream ingest status of a LiveChannel.
oss:GetLiveChannelHistory
Queries the stream ingest records of a LiveChannel.
oss:PostVodPlaylist
Generates a video on demand (VOD) playlist for a LiveChannel.
oss:GetVodPlaylist
Queries the playlist that is generated by the streams ingested to a LiveChannel within a specific time range.
N/A
oss:PublishRtmpStream
Ingests video streams and audio streams to OSS over RTMP.
oss:PostProcessTask
Saves processed images to a bucket.
N/A
oss:ReplicateGet
The read permissions in the replication process. Allows OSS to read data and metadata from source and destination buckets in a data replication task, such as objects, parts, and multipart upload tasks.
N/A
oss:ReplicatePut
The write permissions in the replication process. Allows OSS to perform write operations on the destination bucket in a data replication task, such as writing objects, performing multipart upload tasks, uploading parts, configuring symbolic links, and modifying object metadata.
N/A
oss:ReplicateDelete
The delete permissions in the replication process. Allows OSS to perform delete operations on the destination bucket in a data replication task, such as DeleteObject, AbortMultipartUpload, and DeleteMarker.
ImportantThis action is required only if you set Replication Policy to Add/Delete/Change.
Resource element in RAM policies for OSS
In RAM policies for OSS, the Resource element specifies one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.
Category | Format | Example |
Bucket-level resource |
|
|
Object-level resource |
|
|
The region field can be set only to an asterisk (*) wildcard character.
Condition element in RAM policies for OSS
The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see Condition.
The following table describes the categories of conditional operators and condition keys.
Categories of conditional operators
Category
Conditional operator
String
StringEquals
StringNotEquals
StringEqualsIgnoreCase
StringNotEqualsIgnoreCase
StringLike
StringNotLike
Number
NumericEquals
NumericNotEquals
NumericLessThan
NumericLessThanEquals
NumericGreaterThan
NumericGreaterThanEquals
Date and time
DateEquals
DateNotEquals
DateLessThan
DateLessThanEquals
DateGreaterThan
DateGreaterThanEquals
Boolean
Bool
IP address
IpAddress
NotIpAddress
IpAddressIncludeBorder
Condition keys
Condition key
Description
acs:SourceIp
The CIDR block from which the request is sent. This condition supports the asterisk (*) wildcard character.
acs:SourceVpc
The VPC from which the request is sent. You can set this parameter to a specific VPC ID or vpc-*.
ImportantWhen you use
acs:SourceVpc
to restrict the VPC, make sure that the region of the VPC matches the region of the gateway endpoint supported by OSS. Otherwise, authentication requests cannot be associated with the corresponding VPC, which leads to authentication failures. For more information, see Regions of gateway endpoints supported by OSS.acs:UserAgent
The User-Agent header in the HTTP request.
Type: string.
acs:CurrentTime
The point in time when the request is received by the OSS server.
Standard: ISO 8601.
acs:SecureTransport
Specifies whether to use HTTPS for secure data transfers. Valid values:
true: Only HTTPS requests are allowed.
false: Only HTTP requests are allowed.
If the
acs:SecureTransport
condition is not specified, HTTPS and HTTP requests are allowed.oss:x-oss-acl
The ACL of the bucket. Valid values:
private
public-read
public-read-write
For more information, see Bucket ACLs.
oss:x-oss-object-acl
The ACL of the object. Valid values:
private
public-read
public-read-write
default: The ACL of the object is the same as the ACL of the bucket in which the object is stored.
For more information, see Object ACLs.
oss:Prefix
The prefix in the names of the objects that you want to list by calling the ListObjects operation.
oss:Delimiter
The character that is used to group the names of the objects that you want to list by calling the ListObjects operation.
acs:AccessId
The AccessKey ID in the request.
oss:BucketTag
The tag of the bucket.
A single bucket tag can be used as a condition. To specify multiple bucket tags as multiple conditions, you must add
oss:BucketTag/
before each bucket tag.acs:MFAPresent
Specifies whether to enable multi-factor authentication (MFA).
Valid values:
true
false
oss:ExistingObjectTag
Specifies that the requested object has tags.
A single object tag can be used as a condition. To specify multiple object tags as multiple conditions, you must add
oss:ExistingObjectTag/
before each object tag.This condition applies to operations that are called to read objects, such as GetObject and HeadObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.
oss:RequestObjectTag
The object tags in the request.
A single object tag can be used as a condition. To specify multiple object tags as multiple conditions, you must add
oss:RequestObjectTag/
before each object tag.This condition applies to operations that are called to write objects, such as PutObject and PostObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging.
Examples
You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.