When permission requirements change, modifying the Bucket ACL automatically synchronizes permissions for all inheriting Objects—ensuring policy consistency. Objects uploaded without explicit ACLs inherit the bucket ACL by default. By default, objects inherit the access control list (ACL) of their bucket. This allows you to manage permissions efficiently by changing the bucket's ACL, which automatically updates access for all objects that inherit it. If an object is uploaded without a specific ACL, it uses the bucket's ACL.
ACL types
The following table describes the types of bucket ACLs.
ACL | Description |
public-read-write | All users, including anonymous users, can read data from and write data to the bucket. Warning Setting a bucket's ACL to public-read-write allows anyone on the internet to read and write objects. This poses a significant security risk, leading to potential data exposure, unexpected charges, and the upload of malicious or illegal content to your bucket. This type is strongly discouraged unless absolutely necessary. |
public-read | Only the bucket owner can write data to objects in the bucket. Other users, including anonymous users, can only read objects in the bucket. Warning Setting a bucket's ACL to public-read allows anyone on the internet to read its objects. This can lead to unintended data exposure and unexpected charges. Exercise caution. |
private | Only the bucket owner can read data from and write data to objects in the bucket. Other users cannot access the objects in the bucket. |
Set or modify bucket ACLs
Set a bucket's ACL during its creation or modify its ACL at any time.
Console
Log on to the OSS console.
In the left-side navigation pane, click Buckets. On the Buckets page, find and click the desired bucket.
In the left-side navigation pane, choose .
On the ACL tab, click Settings to modify the ACL of the bucket.
Click Save.
ossutil
Use ossutil to set the ACL of a bucket. Refer to Install ossutil for its installation.
The following command sets the ACL of examplebucket to private.
ossutil api put-bucket-acl --bucket examplebucket --acl privateFor more information about this command, see put-bucket-acl.
ossbrowser
ossbrowser supports bucket-level operations similar to those in the OSS console. Follow the on-screen instructions to modify the ACL of a bucket. For further instructions, see Common operations.
OSS SDKs
The following sample code provides examples on how to modify the ACL of a bucket by using OSS SDKs for common programming languages. For more information about how to modify the ACL of a bucket by using OSS SDKs for other programming languages, see SDK overview.
import com.aliyun.oss.*;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.model.CannedAccessControlList;
public class Demo {
public static void main(String[] args) throws Exception {
// In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
// Specify the name of the bucket. Example: examplebucket.
String bucketName = "examplebucket";
// Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Create an OSS Client instance.
// Call the shutdown method to release associated resources when the OSS Client is no longer in use.
ClientBuilderConfiguration clientBuilderConfiguration = new ClientBuilderConfiguration();
clientBuilderConfiguration.setSignatureVersion(SignVersion.V4);
OSS ossClient = OSSClientBuilder.create()
.endpoint(endpoint)
.credentialsProvider(credentialsProvider)
.clientConfiguration(clientBuilderConfiguration)
.region(region)
.build();
try {
// Specify the ACL of the bucket. In this example, the ACL of the examplebucket bucket is set to private.
ossClient.setBucketAcl(bucketName, CannedAccessControlList.Private);
} catch (OSSException oe) {
System.out.println("Caught an OSSException, which means your request made it to OSS, "
+ "but was rejected with an error response for some reason.");
System.out.println("Error Message:" + oe.getErrorMessage());
System.out.println("Error Code:" + oe.getErrorCode());
System.out.println("Request ID:" + oe.getRequestId());
System.out.println("Host ID:" + oe.getHostId());
} catch (ClientException ce) {
System.out.println("Caught an ClientException, which means the client encountered "
+ "a serious internal problem while trying to communicate with OSS, "
+ "such as not being able to access the network.");
System.out.println("Error Message:" + ce.getMessage());
} finally {
if (ossClient != null) {
ossClient.shutdown();
}
}
}
}const OSS = require('ali-oss');
const client = new OSS({
// Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
region: '<Your region>',
// Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
accessKeyId: process.env.OSS_ACCESS_KEY_ID,
accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
// Specify the name of the bucket.
bucket: 'yourBucketName',
});
async function putBucketACL() {
// Set the ACL of the bucket to private.
const acl = 'private'
try {
await client.putBucketACL('<Your Bucket Name>', acl)
} catch (error) {
console.log(error)
}
}
putBucketACL()#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;
int main(void)
{
/* Initialize information about the account that is used to access OSS. */
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
std::string Endpoint = "yourEndpoint";
/* Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to cn-hangzhou. */
std::string Region = "yourRegion";
/* Specify the name of the bucket. Example: examplebucket. */
std::string BucketName = "examplebucket";
/* Initialize the SDK. This must be called before using the SDK. */
InitializeSdk();
ClientConfiguration conf;
conf.signatureVersion = SignatureVersionType::V4;
/* Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
client.SetRegion(Region);
/* Set the ACL of the bucket to private. */
SetBucketAclRequest request(BucketName, CannedAccessControlList::Private);
auto outcome = client.SetBucketAcl(request);
if (outcome.isSuccess()) {
std::cout << " setBucketAcl successfully " << std::endl;
}
else {
/* Handle the error. */
std::cout << "SetBucketAcl fail" <<
",code:" << outcome.error().Code() <<
",message:" << outcome.error().Message() <<
",requestId:" << outcome.error().RequestId() << std::endl;
return -1;
}
/* Shut down the SDK to release resources. */
ShutdownSdk();
return 0;
}#include "oss_api.h"
#include "aos_http_io.h"
/* Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. */
const char *endpoint = "yourEndpoint";
/* Specify the name of the bucket. Example: examplebucket. */
const char *bucket_name = "examplebucket";
/* Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to cn-hangzhou. */
const char *region = "yourRegion";
void init_options(oss_request_options_t *options)
{
options->config = oss_config_create(options->pool);
/* Use a char* string to initialize data of the aos_string_t type. */
aos_str_set(&options->config->endpoint, endpoint);
/* Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured. */
aos_str_set(&options->config->access_key_id, getenv("OSS_ACCESS_KEY_ID"));
aos_str_set(&options->config->access_key_secret, getenv("OSS_ACCESS_KEY_SECRET"));
// Specify two additional parameters.
aos_str_set(&options->config->region, region);
options->config->signature_version = 4;
/* Specify whether to use CNAME to access OSS. The value 0 indicates that CNAME is not used. */
options->config->is_cname = 0;
/* Configure network parameters, such as the timeout period. */
options->ctl = aos_http_controller_create(options->pool, 0);
}
int main(int argc, char *argv[])
{
/* Call the aos_http_io_initialize method in main() to initialize global resources, such as network resources and memory resources. */
if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
exit(1);
}
/* Create a memory pool to manage memory. aos_pool_t is equivalent to apr_pool_t. The code used to create a memory pool is included in the APR library. */
aos_pool_t *pool;
/* Create a memory pool. The value of the second parameter is NULL. This value indicates that the pool does not inherit other memory pools. */
aos_pool_create(&pool, NULL);
/* Create and initialize options. This parameter includes global configuration information, such as endpoint, access_key_id, access_key_secret, is_cname, and curl. */
oss_request_options_t *oss_client_options;
/* Allocate the memory resources in the memory pool to the options. */
oss_client_options = oss_request_options_create(pool);
/* Initialize oss_client_options. */
init_options(oss_client_options);
/* Initialize the parameters. */
aos_string_t bucket;
aos_table_t *resp_headers = NULL;
aos_status_t *resp_status = NULL;
/* Assign char* data to a bucket of the aos_string_t type. */
aos_str_set(&bucket, bucket_name);
/* Set the ACL of the bucket to public-read (OSS_ACL_PUBLIC_READ). */
resp_status = oss_put_bucket_acl(oss_client_options, &bucket, OSS_ACL_PUBLIC_READ, &resp_headers);
if (aos_status_is_ok(resp_status)) {
printf("set bucket acl succeeded\n");
} else {
printf("set bucket acl failed\n");
}
/* Release the memory pool. This operation releases the memory resources allocated for the request. */
aos_pool_destroy(pool);
/* Release the allocated global resources. */
aos_http_io_deinitialize();
return 0;
}require 'aliyun/oss'
client = Aliyun::OSS::Client.new(
# In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
endpoint: 'https://oss-cn-hangzhou.aliyuncs.com',
# Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
access_key_id: ENV['OSS_ACCESS_KEY_ID'],
access_key_secret: ENV['OSS_ACCESS_KEY_SECRET']
)
# Specify the name of the bucket. Example: examplebucket.
bucket = client.get_bucket('examplebucket')
bucket.acl = Aliyun::OSS::ACL::PUBLIC_READ
puts bucket.aclpackage main
import (
"context"
"flag"
"log"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)
// Define global variables.
var (
region string // The region in which your bucket is located.
bucketName string // The name of the bucket.
)
// Specify the init function used to initialize command line parameters.
func init() {
flag.StringVar(®ion, "region", "", "The region in which the bucket is located.")
flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
}
func main() {
// Parse command line parameters.
flag.Parse()
// Check whether the name of the bucket is specified.
if len(bucketName) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, bucket name required")
}
// Check whether the region is specified.
if len(region) == 0 {
flag.PrintDefaults()
log.Fatalf("invalid parameters, region required")
}
// Load the default configurations and specify the credential provider and region.
cfg := oss.LoadDefaultConfig().
WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
WithRegion(region)
// Create an OSS client.
client := oss.NewClient(cfg)
// Create a request to configure the ACL of the bucket.
putRequest := &oss.PutBucketAclRequest{
Bucket: oss.Ptr(bucketName), // The name of the bucket.
Acl: oss.BucketACLPrivate, // Set the ACL to private.
}
// Perform the operation to configure the ACL.
putResult, err := client.PutBucketAcl(context.TODO(), putRequest)
if err != nil {
log.Fatalf("failed to put bucket acl %v", err)
}
// Display the result.
log.Printf("put bucket acl result: %#v\n", putResult)
// Create a request to query the ACL.
getRequest := &oss.GetBucketAclRequest{
Bucket: oss.Ptr(bucketName), // The name of the bucket
}
// Perform the operation to query the ACL.
getResult, err := client.GetBucketAcl(context.TODO(), getRequest)
if err != nil {
log.Fatalf("failed to get bucket acl %v", err)
}
// Display the result.
log.Printf("get bucket acl result:%#v\n", getResult)
}
import argparse
import alibabacloud_oss_v2 as oss
# Create a command line argument parser and add description information
parser = argparse.ArgumentParser(description="put bucket acl sample")
# Add required command line arguments: region, bucket, and acl
parser.add_argument('--region', help='The region in which the bucket is located.', required=True)
parser.add_argument('--bucket', help='The name of the bucket.', required=True)
# Add optional command line argument: endpoint, used to specify the domain name for other services to access OSS
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS')
# Add required command line argument: acl, used to specify the access permission ACL for the bucket, such as private, public-read, public-read-write
parser.add_argument('--acl', help='Specify the access permission ACL for the bucket.', required=True)
def main():
# Parse command line arguments
args = parser.parse_args()
# Load authentication information from environment variables
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Use SDK default configuration
cfg = oss.config.load_default()
# Set credentials provider
cfg.credentials_provider = credentials_provider
# Set region
cfg.region = args.region
# If endpoint is provided, update endpoint in the configuration
if args.endpoint is not None:
cfg.endpoint = args.endpoint
# Create OSS client
client = oss.Client(cfg)
# Call put_bucket_acl method to set the bucket ACL
result = client.put_bucket_acl(oss.PutBucketAclRequest(
bucket=args.bucket,
acl=args.acl,
))
# Print the status code and request ID of the request
print(f'status code: {result.status_code}, request id: {result.request_id}')
# Obtain the ACL of the specified bucket
result = client.get_bucket_acl(oss.GetBucketAclRequest(
bucket=args.bucket,
))
# Print the status code, request ID, and ACL information in the result
print(f'status code: {result.status_code},'
f' request id: {result.request_id},'
f' acl: {result.acl},'
)
if __name__ == "__main__":
main()
<?php
// Introduce autoload files to load dependent libraries.
require_once __DIR__ . '/../vendor/autoload.php';
use AlibabaCloud\Oss\V2 as Oss;
// Specify descriptions for command line parameters.
$optsdesc = [
"region" => ['help' => The region in which the bucket is located.', 'required' => True], // (Required) Specify the region in which the bucket is located.
"endpoint" => ['help' => The domain names that other services can use to access OSS', 'required' => False], // (Optional) Specify the endpoint that can be used by other services to access OSS.
"bucket" => ['help' => The name of the bucket, 'required' => True], // (Required) Specify the name of the bucket.
];
// Generate a long options list to parse the command line parameters.
$longopts = \array_map(function ($key) {
return "$key:"; // Add a colon (:) to the end of each parameter to indicate that a value is required.
}, array_keys($optsdesc));
// Parse the command line parameters.
$options = getopt("", $longopts);
// Check whether the required parameters are configured.
foreach ($optsdesc as $key => $value) {
if ($value['required'] === True && empty($options[$key])) {
$help = $value['help'];
echo "Error: the following arguments are required: --$key, $help"; // Specify that the required parameters are not configured.
exit(1);
}
}
// Obtain the values of the command line parameters.
$region = $options["region"]; // The region in which the bucket is located.
$bucket = $options["bucket"]; // The name of the bucket.
// Use environment variables to load the AccessKey ID and AccessKey secret.
$credentialsProvider = new Oss\Credentials\EnvironmentVariableCredentialsProvider();
// Use the default configurations of the SDK.
$cfg = Oss\Config::loadDefault();
// Specify the credential provider.
$cfg->setCredentialsProvider($credentialsProvider);
// Specify the region.
$cfg->setRegion($region);
// Specify the endpoint if an endpoint is provided.
if (isset($options["endpoint"])) {
$cfg->setEndpoint($options["endpoint"]);
}
// Create an OSSClient instance.
$client = new Oss\Client($cfg);
// Create a PutBucketAclRequest object and set the bucket ACL to private.
$request = new Oss\Models\PutBucketAclRequest(
bucket: $bucket,
acl: Oss\Models\BucketACLType::PRIVATE);
// Use the putBucketAcl method to specify the bucket ACL.
$result = $client->putBucketAcl($request);
// Display the result.
printf(
'status code:' . $result->statusCode . PHP_EOL . // The returned HTTP status code.
'request id:' . $result->requestId // The request ID of the request, which is the unique identifier of the request.
);
API
If your business requires a high level of customization, you can directly call RESTful APIs. To directly call an API, you must include the signature calculation in your code. For more information, see PutBucketAcl.
Tracking bucket ACL modifications
Maintaining governance and responding to security incidents requires a clear audit trail of permission changes. In cases of anomalous access patterns, unintended data exposure, security findings, or during compliance audits, use ActionTrail to identify the principal and timestamp for each change.
On the ActionTrail page, select the region where the bucket is located, set Service Name to
Object Storage Service(OSS)and Event Name toPutBucketAclto view the ACL change record.Click View Details to the right of the change record, then click Configuration Timeline to see the recorded values before and after the change.
FAQ
Does CDN back-to-origin require a bucket's ACL to be public-read or public-read-write?
No. You can configure CDN to fetch data from a private bucket. For more information, see Configure origin fetch from private OSS buckets.
References
To grant users long-term, fine-grained permissions, such as the read-only or write-only permissions on objects whose names contain a specific prefix in a bucket, use a bucket policy or a RAM policy. For more information, see Examples and Common examples of RAM policies.
Use temporary access credentials provided by Security Token Service (STS) to grant users short-term fine-grained permissions, such as the permissions to list all objects in a bucket. For more information, see Use temporary credentials provided by STS to access OSS.