
Object Storage Service:Configure RAM policies to authorize user access to OSS

Last Updated: Dec 06, 2024

Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your resources in Object Storage Service (OSS).

Background information

  • Syntax and structure of RAM policies

    A RAM policy contains a version number and a list of statements. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

    You can use the Version, Statement, and Effect elements in RAM policies for OSS in the same manner as in RAM policies in general. The Action, Resource, and Condition elements take OSS-specific values, which are described in the corresponding sections later in this topic.

  • Common RAM policies for OSS

    • AliyunOSSFullAccess: grants a RAM user the full permissions on OSS resources.

    • AliyunOSSReadOnlyAccess: grants a RAM user the read-only permissions on OSS resources.

  • Access control

    For more information about the access control methods supported by OSS, see Overview.

Action element in RAM policies for OSS

RAM policies for OSS support service-level, bucket-level, and object-level operations.

  • Service-level operations

    | API | Action | Description |
    | --- | --- | --- |
    | ListBuckets (GetService) | oss:ListBuckets | Lists all buckets owned by the requester. |
    | ListUserDataRedundancyTransition | oss:ListUserDataRedundancyTransition | Lists all redundancy type change tasks of the requester. |
    | N/A | oss:ActivateProduct | Activates OSS and enables Content Risk Detection. |
    | N/A | oss:CreateOrder | Places an order for an OSS resource plan. |
    | PutPublicAccessBlock | oss:PutPublicAccessBlock | Enables Block Public Access for OSS resources. |
    | GetPublicAccessBlock | oss:GetPublicAccessBlock | Queries the Block Public Access configurations of OSS resources. |
    | DeletePublicAccessBlock | oss:DeletePublicAccessBlock | Deletes the Block Public Access configurations of OSS resources. |

  • Bucket-level operations

    | API | Action | Description |
    | --- | --- | --- |
    | PutBucket | oss:PutBucket | Creates a bucket. |
    | ListObjects (GetBucket) | oss:ListObjects | Lists all objects in a bucket. |
    | GetBucketInfo | oss:GetBucketInfo | Queries information about a bucket. |
    | GetBucketLocation | oss:GetBucketLocation | Queries the location information about a bucket. |
    | PutBucketVersioning | oss:PutBucketVersioning | Configures the versioning state for a bucket. |
    | GetBucketVersioning | oss:GetBucketVersioning | Queries the versioning state of a bucket. |
    | ListObjectVersions (GetBucketVersions) | oss:ListObjectVersions | Lists the versions of all objects in a bucket, including delete markers. |
    | PutBucketAcl | oss:PutBucketAcl | Configures or modifies the access control list (ACL) of a bucket. |
    | GetBucketAcl | oss:GetBucketAcl | Queries the ACL of a bucket. |
    | DeleteBucket | oss:DeleteBucket | Deletes a bucket. |
    | InitiateBucketWorm | oss:InitiateBucketWorm | Creates a retention policy. |
    | AbortBucketWorm | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
    | CompleteBucketWorm | oss:CompleteBucketWorm | Locks a retention policy. |
    | ExtendBucketWorm | oss:ExtendBucketWorm | Extends the retention period (days) of objects in a bucket for which a retention policy is locked. |
    | GetBucketWorm | oss:GetBucketWorm | Queries the retention policies of a bucket. |
    | PutBucketLogging | oss:PutBucketLogging | Enables logging for a bucket. |
    | GetBucketLogging | oss:GetBucketLogging | Queries the logging configurations of a bucket. |
    | DeleteBucketLogging | oss:DeleteBucketLogging | Disables logging for a bucket. |
    | PutBucketWebsite | oss:PutBucketWebsite | Enables static website hosting for a bucket and configures redirection rules for the bucket. |
    | GetBucketWebsite | oss:GetBucketWebsite | Queries the static website hosting status and the redirection rules of a bucket. |
    | DeleteBucketWebsite | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and deletes the redirection rules of the bucket. |
    | PutBucketReferer | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
    | GetBucketReferer | oss:GetBucketReferer | Queries the hotlink protection configurations of a bucket. |
    | PutBucketLifecycle | oss:PutBucketLifecycle | Configures lifecycle rules for a bucket. |
    | GetBucketLifecycle | oss:GetBucketLifecycle | Queries the lifecycle rules of a bucket. |
    | DeleteBucketLifecycle | oss:DeleteBucketLifecycle | Deletes the lifecycle rules of a bucket. |
    | PutBucketTransferAcceleration | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
    | GetBucketTransferAcceleration | oss:GetBucketTransferAcceleration | Queries the transfer acceleration configurations of a bucket. |
    | ListMultipartUploads | oss:ListMultipartUploads | Lists all ongoing multipart upload tasks, which include tasks that are initiated but are not completed or canceled. |
    | PutBucketCors | oss:PutBucketCors | Configures cross-origin resource sharing (CORS) rules for a bucket. |
    | GetBucketCors | oss:GetBucketCors | Queries the CORS rules of a bucket. |
    | DeleteBucketCors | oss:DeleteBucketCors | Disables CORS for a bucket and deletes all CORS rules of the bucket. |
    | PutBucketPolicy | oss:PutBucketPolicy | Configures policies for a bucket. |
    | GetBucketPolicy | oss:GetBucketPolicy | Queries the policies of a bucket. |
    | DeleteBucketPolicy | oss:DeleteBucketPolicy | Deletes the policies of a bucket. |
    | PutBucketTags | oss:PutBucketTagging | Adds tags to or modifies the tags of a bucket. |
    | GetBucketTags | oss:GetBucketTagging | Queries the tags of a bucket. |
    | DeleteBucketTags | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
    | PutBucketEncryption | oss:PutBucketEncryption | Configures encryption rules for a bucket. |
    | GetBucketEncryption | oss:GetBucketEncryption | Queries the encryption rules of a bucket. |
    | DeleteBucketEncryption | oss:DeleteBucketEncryption | Deletes the encryption rules of a bucket. |
    | PutBucketRequestPayment | oss:PutBucketRequestPayment | Enables pay-by-requester for a bucket. |
    | GetBucketRequestPayment | oss:GetBucketRequestPayment | Queries the pay-by-requester configurations of a bucket. |
    | PutBucketReplication | oss:PutBucketReplication | Configures a data replication rule for a bucket. |
    | PutBucketRTC | oss:PutBucketRTC | Enables or disables Replication Time Control (RTC) for existing cross-region replication (CRR) rules. |
    | GetBucketReplication | oss:GetBucketReplication | Queries the data replication rules of a bucket. |
    | DeleteBucketReplication | oss:DeleteBucketReplication | Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket. |
    | GetBucketReplicationLocation | oss:GetBucketReplicationLocation | Queries the region of a destination bucket to which data can be replicated. |
    | GetBucketReplicationProgress | oss:GetBucketReplicationProgress | Queries the progress of a data replication task of a bucket. |
    | PutBucketInventory | oss:PutBucketInventory | Configures inventories for a bucket. |
    | GetBucketInventory | oss:GetBucketInventory | Queries specific inventories of a bucket. |
    | ListBucketInventory | oss:GetBucketInventory | Queries all inventories of a bucket. |
    | DeleteBucketInventory | oss:DeleteBucketInventory | Deletes a specific inventory of a bucket. |
    | PutBucketAccessMonitor | oss:PutBucketAccessMonitor | Configures the access tracking status of a bucket. |
    | GetBucketAccessMonitor | oss:GetBucketAccessMonitor | Queries the access tracking status of a bucket. |
    | OpenMetaQuery | oss:OpenMetaQuery | Enables metadata management for a bucket. |
    | GetMetaQueryStatus | oss:GetMetaQueryStatus | Queries the metadata index library of a bucket. |
    | DoMetaQuery | oss:DoMetaQuery | Queries objects that meet specific conditions and lists object information based on specific fields and sorting methods. |
    | CloseMetaQuery | oss:CloseMetaQuery | Disables metadata management for a bucket. |
    | InitUserAntiDDosInfo | oss:InitUserAntiDDosInfo | Creates Anti-DDoS instances. |
    | UpdateUserAntiDDosInfo | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS instance. |
    | GetUserAntiDDosInfo | oss:GetUserAntiDDosInfo | Queries information about Anti-DDoS instances that belong to an Alibaba Cloud account. |
    | InitBucketAntiDDosInfo | oss:InitBucketAntiDDosInfo | Initializes Anti-DDoS instances for a bucket. |
    | UpdateBucketAntiDDosInfo | oss:UpdateBucketAntiDDosInfo | Updates the status of Anti-DDoS instances of a bucket. |
    | ListBucketAntiDDosInfo | oss:ListBucketAntiDDosInfo | Queries the protection list of an Anti-DDoS instance of a bucket. |
    | PutBucketResourceGroup | oss:PutBucketResourceGroup | Configures a resource group to which a bucket belongs. |
    | GetBucketResourceGroup | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
    | CreateCnameToken | oss:CreateCnameToken | Creates a CNAME token used to verify the ownership of a domain name. |
    | GetCnameToken | oss:GetCnameToken | Queries existing CNAME tokens. |
    | PutCname | oss:PutCname | Maps a custom domain name to a bucket. |
    | ListCname | oss:ListCname | Queries all custom domain names that are mapped to a bucket. |
    | DeleteCname | oss:DeleteCname | Deletes the CNAME record that maps a custom domain name to a bucket. |
    | PutStyle | oss:PutStyle | Configures image styles. |
    | GetStyle | oss:GetStyle | Queries image styles. |
    | ListStyle | oss:ListStyle | Lists image styles. |
    | DeleteStyle | oss:DeleteStyle | Deletes image styles. |
    | PutBucketArchiveDirectRead | oss:PutBucketArchiveDirectRead | Enables or disables real-time access of Archive objects for a bucket. |
    | GetBucketArchiveDirectRead | oss:GetBucketArchiveDirectRead | Queries whether real-time access of Archive objects is enabled for a bucket. |
    | CreateAccessPoint | oss:CreateAccessPoint | Creates an access point. |
    | GetAccessPoint | oss:GetAccessPoint | Queries information about an access point. |
    | DeleteAccessPoint | oss:DeleteAccessPoint | Deletes an access point. |
    | ListAccessPoints | oss:ListAccessPoints | Queries user-level or bucket-level access points. |
    | PutAccessPointPolicy | oss:PutAccessPointPolicy | Configures an access point policy. |
    | GetAccessPointPolicy | oss:GetAccessPointPolicy | Queries information about an access point policy. |
    | DeleteAccessPointPolicy | oss:DeleteAccessPointPolicy | Deletes an access point policy. |
    | PutBucketHttpsConfig | oss:PutBucketHttpsConfig | Enables or disables Transport Layer Security (TLS) version management for a bucket. |
    | GetBucketHttpsConfig | oss:GetBucketHttpsConfig | Queries the TLS version configurations of a bucket. |
    | N/A | oss:ReplicateList | The list permissions in the replication process. Lists historical data in a source bucket and then replicates the historical data to a destination bucket. |
    | CreateAccessPointForObjectProcess | oss:CreateAccessPointForObjectProcess | Creates an Object FC Access Point. |
    | GetAccessPointForObjectProcess | oss:GetAccessPointForObjectProcess | Queries basic information about an Object FC Access Point. |
    | DeleteAccessPointForObjectProcess | oss:DeleteAccessPointForObjectProcess | Deletes an Object FC Access Point. |
    | ListAccessPointsForObjectProcess | oss:ListAccessPointsForObjectProcess | Queries information about user-level Object FC Access Points. |
    | PutAccessPointConfigForObjectProcess | oss:PutAccessPointConfigForObjectProcess | Changes the configurations of an Object FC Access Point. |
    | GetAccessPointConfigForObjectProcess | oss:GetAccessPointConfigForObjectProcess | Queries the configurations of an Object FC Access Point. |
    | PutAccessPointPolicyForObjectProcess | oss:PutAccessPointPolicyForObjectProcess | Configures policies for an Object FC Access Point. |
    | GetAccessPointPolicyForObjectProcess | oss:GetAccessPointPolicyForObjectProcess | Queries the policies of an Object FC Access Point. |
    | DeleteAccessPointPolicyForObjectProcess | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the policies of an Object FC Access Point. |
    | WriteGetObjectResponse | oss:WriteGetObjectResponse | Configures custom response headers and response data. |
    | CreateBucketDataRedundancyTransition | oss:CreateBucketDataRedundancyTransition | Creates a redundancy type conversion task for a bucket. |
    | GetBucketDataRedundancyTransition | oss:GetBucketDataRedundancyTransition | Queries the redundancy type conversion tasks of a bucket. |
    | DeleteBucketDataRedundancyTransition | oss:DeleteBucketDataRedundancyTransition | Deletes a redundancy type conversion task of a bucket. |
    | ListBucketDataRedundancyTransition | oss:ListBucketDataRedundancyTransition | Lists all redundancy type conversion tasks of a bucket. |
    | PutBucketPublicAccessBlock | oss:PutBucketPublicAccessBlock | Enables Block Public Access for a bucket. |
    | GetBucketPublicAccessBlock | oss:GetBucketPublicAccessBlock | Queries the Block Public Access configurations of a bucket. |
    | DeleteBucketPublicAccessBlock | oss:DeleteBucketPublicAccessBlock | Deletes the Block Public Access configurations of a bucket. |
    | PutAccessPointPublicAccessBlock | oss:PutAccessPointPublicAccessBlock | Enables Block Public Access for an access point. |
    | GetAccessPointPublicAccessBlock | oss:GetAccessPointPublicAccessBlock | Queries the Block Public Access configurations of an access point. |
    | DeleteAccessPointPublicAccessBlock | oss:DeleteAccessPointPublicAccessBlock | Deletes the Block Public Access configurations of an access point. |
    | GetBucketPolicyStatus | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access. |

  • Object-level operations

    Note

    If object tags are configured when you upload an object, you must have the oss:PutObject and oss:PutObjectTagging permissions.

    | API | Action | Description |
    | --- | --- | --- |
    | PutObject | oss:PutObject | Uploads an object. |
    | PostObject | oss:PutObject | Uploads an object to a bucket by using an HTML form. |
    | AppendObject | oss:PutObject | Uploads an object by using append upload. |
    | InitiateMultipartUpload | oss:PutObject | Initiates a multipart upload task. |
    | UploadPart | oss:PutObject | Uploads an object by part based on the object name and upload ID. |
    | CompleteMultipartUpload | oss:PutObject | Completes the multipart upload task of an object after all parts of the object are uploaded. |
    | AbortMultipartUpload | oss:AbortMultipartUpload | Cancels a multipart upload task and deletes uploaded parts. |
    | PutSymlink | oss:PutObject | Creates a symbolic link for an object. |
    | GetObject | oss:GetObject | Queries an object. |
    | HeadObject | oss:GetObject | Queries the metadata of an object. |
    | GetObjectMeta | oss:GetObject | Queries the metadata of an object, including the ETag, object size, and last modified time. |
    | SelectObject | oss:GetObject | Executes SQL statements on an object and queries the execution results. |
    | GetSymlink | oss:GetObject | Queries the symbolic link of an object. |
    | DeleteObject | oss:DeleteObject | Deletes an object. |
    | DeleteMultipleObjects | oss:DeleteObject | Deletes multiple objects from a bucket at a time. |
    | CopyObject | oss:GetObject, oss:PutObject | Copies objects to the same bucket or to a different bucket in the same region. |
    | UploadPartCopy | oss:GetObject, oss:PutObject | Copies data from an existing object to upload a part by adding the x-oss-copy-source header to an UploadPart request. |
    | ListParts | oss:ListParts | Lists all parts that are uploaded by using an upload ID. |
    | PutObjectACL | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
    | GetObjectACL | oss:GetObjectAcl | Queries the ACL of an object in a bucket. |
    | RestoreObject | oss:RestoreObject | Restores Archive, Cold Archive, and Deep Cold Archive objects. |
    | PutObjectTagging | oss:PutObjectTagging | Adds tags to or modifies the tags of an object. |
    | GetObjectTagging | oss:GetObjectTagging | Queries the tags of an object. |
    | DeleteObjectTagging | oss:DeleteObjectTagging | Deletes the tags of an object. |
    | GetObject (with version ID specified in the request) | oss:GetObjectVersion | Downloads a specific version of an object. |
    | PutObjectACL (with version ID specified in the request) | oss:PutObjectVersionAcl | Modifies the ACL of a specific version of an object. |
    | GetObjectACL (with version ID specified in the request) | oss:GetObjectVersionAcl | Queries the ACL of a specific version of an object. |
    | RestoreObject (with version ID specified in the request) | oss:RestoreObjectVersion | Restores a specific version of an Archive, Cold Archive, or Deep Cold Archive object. |
    | DeleteObject (with version ID specified in the request) | oss:DeleteObjectVersion | Deletes a specific version of an object. |
    | PutObjectTagging (with version ID specified in the request) | oss:PutObjectVersionTagging | Adds tags to or modifies the tags of a specific version of an object. |
    | GetObjectTagging (with version ID specified in the request) | oss:GetObjectVersionTagging | Queries the tags of a specific version of an object. |
    | DeleteObjectTagging (with version ID specified in the request) | oss:DeleteObjectVersionTagging | Deletes the tags of a specific version of an object. |
    | PutLiveChannel | oss:PutLiveChannel | Creates a LiveChannel before you upload audio and video data by using Real-Time Messaging Protocol (RTMP). |
    | ListLiveChannel | oss:ListLiveChannel | Lists specific LiveChannels. |
    | DeleteLiveChannel | oss:DeleteLiveChannel | Deletes a LiveChannel. |
    | PutLiveChannelStatus | oss:PutLiveChannelStatus | Changes the status of a LiveChannel to enabled or disabled. |
    | GetLiveChannelInfo | oss:GetLiveChannel | Queries the configurations of a LiveChannel. |
    | GetLiveChannelStat | oss:GetLiveChannelStat | Queries the stream ingest status of a LiveChannel. |
    | GetLiveChannelHistory | oss:GetLiveChannelHistory | Queries the stream ingest records of a LiveChannel. |
    | PostVodPlaylist | oss:PostVodPlaylist | Generates a video on demand (VOD) playlist for a LiveChannel. |
    | GetVodPlaylist | oss:GetVodPlaylist | Queries the playlist that is generated by the streams ingested to a LiveChannel within a specific time range. |
    | N/A | oss:PublishRtmpStream | Ingests video streams and audio streams to OSS over RTMP. |
    | ImgSaveAs | oss:PostProcessTask | Saves processed images to a bucket. |
    | N/A | oss:ReplicateGet | The read permissions in the replication process. Allows OSS to read data and metadata from source and destination buckets in a data replication task, such as objects, parts, and multipart upload tasks. |
    | N/A | oss:ReplicatePut | The write permissions in the replication process. Allows OSS to perform write operations on the destination bucket in a data replication task, such as writing objects, performing multipart upload tasks, uploading parts, configuring symbolic links, and modifying object metadata. |
    | N/A | oss:ReplicateDelete | The delete permissions in the replication process. Allows OSS to perform delete operations on the destination bucket in a data replication task, such as DeleteObject, AbortMultipartUpload, and DeleteMarker. Important: this action is required only if you set Replication Policy to Add/Delete/Change. |

Resource element in RAM policies for OSS

In RAM policies for OSS, the Resource element specifies one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.

| Category | Format | Example |
| --- | --- | --- |
| Bucket-level resource | acs:oss:{region}:{bucket_owner}:{bucket_name} | acs:oss:*:*:mybucket |
| Object-level resource | acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name} | acs:oss:*:*:mybucket/abc.txt |

Note

The region field can be set only to an asterisk (*) wildcard character.
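The following is an added example, not Alibaba Cloud's code, that evaluates the Action and Resource elements of a RAM policy for OSS against individual requests. It follows what the page states: Action values are oss:<Operation> strings, Resource values use the acs:oss:{region}:{bucket_owner}:{bucket_name}[/{object_name}] format, both accept the asterisk (*) wildcard, and a policy can hold several statements. Two points the page does not state are assumed: an explicit Deny overrides any Allow, and a request matched by no statement is implicitly denied. The policy, the account ID 123456789012 and the request values are constructed. The fourth check shows why it matters that ListObjects is listed as a bucket-level operation: a statement whose Resource is an object pattern never matches a bucket-level request.

```python
"""Added example, not Alibaba Cloud's code: evaluate the Action and Resource
elements of an OSS RAM policy for one request. Deny-overrides-Allow and
implicit deny are assumptions; the page does not describe precedence."""
import json
import re

# Constructed policy: read objects under logs/ in "mybucket", list the bucket,
# and deny every delete even though a narrower Allow for logs/tmp/ exists.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["oss:GetObject", "oss:GetObjectVersion"],
     "Resource": "acs:oss:*:*:mybucket/logs/*"},
    {"Effect": "Allow",
     "Action": "oss:ListObjects",
     "Resource": "acs:oss:*:*:mybucket"},
    {"Effect": "Allow",
     "Action": "oss:DeleteObject",
     "Resource": "acs:oss:*:*:mybucket/logs/tmp/*"},
    {"Effect": "Deny",
     "Action": ["oss:DeleteObject", "oss:DeleteObjectVersion"],
     "Resource": "acs:oss:*:*:mybucket/*"}
  ]
}
""")


def _as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def wildcard_match(pattern: str, value: str) -> bool:
    """Match a policy pattern against a request value; only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def bucket_arn(bucket: str, region: str = "cn-hangzhou",
               owner: str = "123456789012") -> str:
    """Bucket-level resource of a request (region and owner are constructed)."""
    return f"acs:oss:{region}:{owner}:{bucket}"


def object_arn(bucket: str, key: str, **kw) -> str:
    """Object-level resource of a request: the bucket resource plus /{object_name}."""
    return f"{bucket_arn(bucket, **kw)}/{key}"


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return "Allow", "Deny" or "ImplicitDeny" for one action/resource pair."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(wildcard_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # assumed: an explicit Deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    checks = [
        ("oss:GetObject", object_arn("mybucket", "logs/2024/app.log")),
        ("oss:GetObject", object_arn("mybucket", "secrets/key.pem")),
        ("oss:ListObjects", bucket_arn("mybucket")),
        ("oss:ListObjects", object_arn("mybucket", "logs/")),
        ("oss:DeleteObject", object_arn("mybucket", "logs/tmp/scratch.log")),
    ]
    for action, resource in checks:
        print(f"{evaluate(SAMPLE_POLICY, action, resource):12} {action:20} {resource}")
```

Because the page restricts the region field of a policy Resource to the asterisk, the sample patterns all use acs:oss:*:*:..., while the request resources carry a concrete region and owner; the wildcard match is what bridges the two.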

Condition element in RAM policies for OSS

The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values. For more information, see Condition.

The following tables describe the categories of conditional operators and the supported condition keys.

  • Categories of conditional operators

    | Category | Conditional operator |
    | --- | --- |
    | String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
    | Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
    | Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
    | Boolean | Bool |
    | IP address | IpAddress, NotIpAddress, IpAddressIncludeBorder |

  • Condition keys

    | Condition key | Description |
    | --- | --- |
    | acs:SourceIp | The CIDR block from which the request is sent. This condition supports the asterisk (*) wildcard character. |
    | acs:SourceVpc | The VPC from which the request is sent. You can set this parameter to a specific VPC ID or vpc-*. Important: when you use acs:SourceVpc to restrict the VPC, make sure that the region of the VPC matches the region of the gateway endpoint supported by OSS. Otherwise, authentication requests cannot be associated with the corresponding VPC, which leads to authentication failures. For more information, see Regions of gateway endpoints supported by OSS. |
    | acs:UserAgent | The User-Agent header in the HTTP request. Type: string. |
    | acs:CurrentTime | The point in time when the request is received by the OSS server. Standard: ISO 8601. |
    | acs:SecureTransport | Specifies whether to use HTTPS for secure data transfers. Valid values: true (only HTTPS requests are allowed) and false (only HTTP requests are allowed). If the acs:SecureTransport condition is not specified, HTTPS and HTTP requests are allowed. |
    | oss:x-oss-acl | The ACL of the bucket. Valid values: private, public-read, and public-read-write. For more information, see Bucket ACLs. |
    | oss:x-oss-object-acl | The ACL of the object. Valid values: private, public-read, public-read-write, and default (the ACL of the object is the same as the ACL of the bucket in which the object is stored). For more information, see Object ACLs. |
    | oss:Prefix | The prefix in the names of the objects that you want to list by calling the ListObjects operation. |
    | oss:Delimiter | The character that is used to group the names of the objects that you want to list by calling the ListObjects operation. |
    | acs:AccessId | The AccessKey ID in the request. |
    | oss:BucketTag | The tag of the bucket. A single bucket tag can be used as a condition. To specify multiple bucket tags as multiple conditions, you must add oss:BucketTag/ before each bucket tag. |
    | acs:MFAPresent | Specifies whether to enable multi-factor authentication (MFA). Valid values: true and false. |
    | oss:ExistingObjectTag | Specifies that the requested object has tags. A single object tag can be used as a condition. To specify multiple object tags as multiple conditions, you must add oss:ExistingObjectTag/ before each object tag. This condition applies to operations that are called to read objects, such as GetObject and HeadObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging. |
    | oss:RequestObjectTag | The object tags in the request. A single object tag can be used as a condition. To specify multiple object tags as multiple conditions, you must add oss:RequestObjectTag/ before each object tag. This condition applies to operations that are called to write objects, such as PutObject and PostObject, and operations related to object tags, such as PutObjectTagging and GetObjectTagging. |
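The following is an added example, not Alibaba Cloud's code, that evaluates the Condition element of one statement against the context of a request. It implements the operator categories listed above (String, Number, Date and time, Boolean, IP address) over the condition keys acs:SourceIp, acs:SecureTransport, acs:MFAPresent, oss:Prefix and acs:CurrentTime; IpAddressIncludeBorder is left out because the page does not define it. The page does not say how several operators, keys or values combine, so the following is assumed: every operator/key pair must hold, any one of the listed values satisfies a positive operator, a negated operator requires that none of the values match, and a key absent from the request context leaves the condition unsatisfied. The condition block and request contexts are constructed.

```python
"""Added example, not Alibaba Cloud's code: evaluate a RAM policy Condition
block against a request context. Combination rules (AND across keys, OR across
values, none-match for negated operators) are assumptions."""
import ipaddress
import re
from datetime import datetime


def _like(pattern: str, value: str) -> bool:
    """StringLike: '*' matches any run of characters, everything else is literal."""
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp, the format the page gives for acs:CurrentTime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _in_cidr(cidr: str, ip: str) -> bool:
    """IpAddress: request source address falls inside the policy CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


# Positive operators take the policy value first and the request value second.
POSITIVE = {
    "StringEquals": lambda e, a: e == a,
    "StringEqualsIgnoreCase": lambda e, a: e.lower() == a.lower(),
    "StringLike": _like,
    "NumericEquals": lambda e, a: float(a) == float(e),
    "NumericLessThan": lambda e, a: float(a) < float(e),
    "NumericLessThanEquals": lambda e, a: float(a) <= float(e),
    "NumericGreaterThan": lambda e, a: float(a) > float(e),
    "NumericGreaterThanEquals": lambda e, a: float(a) >= float(e),
    "DateEquals": lambda e, a: _ts(a) == _ts(e),
    "DateLessThan": lambda e, a: _ts(a) < _ts(e),
    "DateLessThanEquals": lambda e, a: _ts(a) <= _ts(e),
    "DateGreaterThan": lambda e, a: _ts(a) > _ts(e),
    "DateGreaterThanEquals": lambda e, a: _ts(a) >= _ts(e),
    "Bool": lambda e, a: str(e).lower() == str(a).lower(),
    "IpAddress": _in_cidr,
}
# Negated operators reuse the positive test and invert its outcome.
NEGATED = {
    "StringNotEquals": "StringEquals",
    "StringNotEqualsIgnoreCase": "StringEqualsIgnoreCase",
    "StringNotLike": "StringLike",
    "NumericNotEquals": "NumericEquals",
    "DateNotEquals": "DateEquals",
    "NotIpAddress": "IpAddress",
}


def condition_matches(condition: dict, context: dict) -> bool:
    """True when every operator/key pair in the Condition holds for the request."""
    for operator, keys in condition.items():
        if operator in NEGATED:
            test, negate = POSITIVE[NEGATED[operator]], True
        elif operator in POSITIVE:
            test, negate = POSITIVE[operator], False
        else:
            raise ValueError(f"unsupported conditional operator: {operator}")
        for key, expected in keys.items():
            if key not in context:
                return False  # assumed: a missing key cannot satisfy the condition
            values = expected if isinstance(expected, list) else [expected]
            hit = any(test(e, context[key]) for e in values)
            if hit == negate:  # positive op needs a hit, negated op needs none
                return False
    return True


# Constructed condition: two internal ranges only, HTTPS only, listing limited
# to the logs/ prefix, and the grant stops applying at the start of 2025.
SAMPLE_CONDITION = {
    "IpAddress": {"acs:SourceIp": ["10.0.0.0/8", "192.0.2.0/24"]},
    "Bool": {"acs:SecureTransport": "true"},
    "StringLike": {"oss:Prefix": "logs/*"},
    "DateLessThan": {"acs:CurrentTime": "2025-01-01T00:00:00Z"},
}

# Constructed request contexts, each varying one attribute from the first.
OK_REQUEST = {"acs:SourceIp": "10.20.30.40", "acs:SecureTransport": "true",
              "oss:Prefix": "logs/2024/", "acs:CurrentTime": "2024-06-01T12:00:00Z"}
PLAIN_HTTP = dict(OK_REQUEST, **{"acs:SecureTransport": "false"})
OFF_NETWORK = dict(OK_REQUEST, **{"acs:SourceIp": "203.0.113.9"})
WRONG_PREFIX = dict(OK_REQUEST, **{"oss:Prefix": "secrets/"})
EXPIRED = dict(OK_REQUEST, **{"acs:CurrentTime": "2025-03-01T00:00:00Z"})

if __name__ == "__main__":
    for name, ctx in [("ok", OK_REQUEST), ("plain_http", PLAIN_HTTP),
                      ("off_network", OFF_NETWORK), ("wrong_prefix", WRONG_PREFIX),
                      ("expired", EXPIRED)]:
        print(f"{name:12} -> {condition_matches(SAMPLE_CONDITION, ctx)}")
```

The negated operators are worth testing separately: NotIpAddress with two CIDR blocks must reject a source inside either block, which an OR over the values would get wrong.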

Examples

You can use RAM policies to grant permissions to users in different scenarios. For more information, see Common examples of RAM policies.