This tutorial shows how to use Resource Access Management (RAM) policies to control access to Object Storage Service (OSS) buckets, directories, and objects in the directories.
Background information
RAM policies are authorization policies configured based on users. You can configure RAM policies to manage users, such as employees, systems, or applications. You can specify which resources are accessible to the users. For example, you can create a RAM policy to grant users only read permissions on a bucket.
RAM policies are in the JSON format. A RAM policy includes the following fields:
Statement: the authorization statement. A RAM policy can include multiple authorization statements.
Effect: the effect of the RAM policy. Valid values: Allow and Deny.
Note: If a RAM policy includes an Allow statement and a Deny statement at the same time, the Deny statement takes precedence over the Allow statement.
Action: the authorized actions on resources.
We recommend that you use RAM Policy Editor to generate RAM policies. For more information, see RAM Policy Editor.
Compared with RAM policies, bucket policies can be configured in the OSS console. A bucket owner can grant other users permissions to access OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.
Buckets and directories
OSS uses a flat data model structure. All objects are stored in buckets. Therefore, OSS does not have directories and subdirectories that are used in hierarchical file systems. However, you can simulate a directory hierarchy in the OSS console to group, classify, and manage objects. The following figure shows sample directories in the OSS console.
OSS is a distributed object storage service in which objects are identified as key-value pairs. You can retrieve the content of an object based on the object name. For example, an object named oss-dg.pdf and the following directories are stored in a bucket named examplebucket: Development, Marketing, and Private.
When you create the Development directory, an object whose key is Development/ is created in the OSS console. A forward slash (/) is included in the key as a delimiter. When you upload an object named ProjectA.docx to the Development directory, the object is uploaded in the OSS console and the key of the object is set to Development/ProjectA.docx. In the key, Development is the prefix and the forward slash (/) is the delimiter. You can list all objects that share a common prefix and delimiter in the bucket. In the OSS console, if you click the Development directory, the objects in the directory are listed. The following figure shows the objects in the Development directory.
Note: To list the objects in the Development directory of the examplebucket bucket, the OSS console sends a request to OSS to list the objects whose names include the specified prefix Development and a forward slash (/) as the delimiter. In the preceding example, three objects that have the following keys are stored in the examplebucket bucket: Development/Alibaba Cloud.pdf, Development/ProjectA.docx, and Development/ProjectB.docx.
Before you start this tutorial, you must understand the concept of root-level bucket content. For example, the examplebucket bucket contains the following objects:
Development/Alibaba Cloud.pdf
Development/ProjectA.docx
Development/ProjectB.docx
Marketing/data2020.xlsx
Marketing/data2021.xlsx
Private/2017/images.zip
Private/2017/promote.pptx
oss-dg.pdf
The keys of these objects determine a logical hierarchy that has the Development, Marketing, and Private directories as root-level directories and oss-dg.pdf as a root-level object. If you click the bucket name in the OSS console, the common prefix and delimiter that are shared by multiple objects, such as Development/, Marketing/, and Private/, are displayed as root-level directories. The oss-dg.pdf object does not have a prefix. The object is displayed as a root-level object.
Requests and responses
Before you grant permissions to RAM users, you must understand how the OSS console interacts with OSS when you click a bucket name in the OSS console.
Send a request to access a bucket
When you click the examplebucket bucket in the OSS console, the OSS console sends a GetBucket (ListObjects) request to OSS.
Sample requests
GET /?prefix=&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6q*******************:DNrn******************
In the preceding request, the value of the prefix parameter is left empty and the value of the delimiter parameter is a forward slash (/).
Sample responses
HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
  <Name>examplebucket</Name>
  <Prefix></Prefix>
  <Marker></Marker>
  <MaxKeys>100</MaxKeys>
  <Delimiter>/</Delimiter>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>oss-dg.pdf</Key>
    ...
  </Contents>
  <CommonPrefixes>
    <Prefix>Development</Prefix>
  </CommonPrefixes>
  <CommonPrefixes>
    <Prefix>Marketing</Prefix>
  </CommonPrefixes>
  <CommonPrefixes>
    <Prefix>Private</Prefix>
  </CommonPrefixes>
</ListBucketResult>
Response parsing
The OSS console parses the response that is returned by OSS and displays the root-level objects and directories in the bucket.
Send a request to access a directory in the bucket
When you click the Development/ directory of the examplebucket bucket in the OSS console, the OSS console sends a GetBucket (ListObjects) request to OSS. The request includes the prefix and delimiter parameters.
Sample requests
GET /?prefix=Development/&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6q*******************:DNrn******************
In the preceding request, the value of the prefix parameter is Development/ and the value of the delimiter parameter is a forward slash (/).
Sample responses
In the response, OSS returns the objects whose keys include the specified prefix.
HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
  <Name>examplebucket</Name>
  <Prefix>Development/</Prefix>
  <Marker></Marker>
  <MaxKeys>100</MaxKeys>
  <Delimiter>/</Delimiter>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>ProjectA.docx</Key>
    ...
  </Contents>
  <Contents>
    <Key>ProjectB.docx</Key>
    ...
  </Contents>
  <Contents>
    <Key>Alibaba Cloud.pdf</Key>
    ...
  </Contents>
</ListBucketResult>
Response parsing
The OSS console parses the response that is returned by OSS and displays the objects in the Development/ directory.
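The two listings above are the same operation with different prefix values. The following added example (not code from the tutorial or from Alibaba Cloud) models how a flat key space is grouped by prefix and delimiter, run over the eight sample keys of the examplebucket bucket. Unlike the abbreviated sample responses on this page, the model returns full keys and common prefixes that include the trailing delimiter; the key list is constructed from the tutorial's object list.

```python
# Added example: a model of ListObjects prefix/delimiter grouping over a flat
# key space. It is not OSS code; real OSS also paginates with marker/max-keys.

SAMPLE_KEYS = [  # constructed from the object list in this tutorial
    "Development/Alibaba Cloud.pdf",
    "Development/ProjectA.docx",
    "Development/ProjectB.docx",
    "Marketing/data2020.xlsx",
    "Marketing/data2021.xlsx",
    "Private/2017/images.zip",
    "Private/2017/promote.pptx",
    "oss-dg.pdf",
]


def list_objects(keys, prefix="", delimiter="/"):
    """Return (contents, common_prefixes) for one listing request.

    Keys that start with `prefix` and contain no further `delimiter` after it
    go to Contents; keys that do contain one are rolled up into a single
    CommonPrefix that ends with the delimiter (the console shows these as
    directories). An empty delimiter disables grouping, as in the OSS API.
    """
    contents, common_prefixes = [], []
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter and delimiter in rest:
            cp = prefix + rest.split(delimiter, 1)[0] + delimiter
            if cp not in common_prefixes:
                common_prefixes.append(cp)
        else:
            contents.append(key)
    return contents, common_prefixes


def root_listing():
    """The request the console sends when you click the bucket name."""
    return list_objects(SAMPLE_KEYS, prefix="", delimiter="/")


def development_listing():
    """The request the console sends when you click the Development/ directory."""
    return list_objects(SAMPLE_KEYS, prefix="Development/", delimiter="/")


if __name__ == "__main__":
    for prefix in ("", "Development/", "Private/", "Private/2017/"):
        contents, common = list_objects(SAMPLE_KEYS, prefix)
        print(f"prefix={prefix!r}: Contents={contents} CommonPrefixes={common}")
```

Running it shows that Private/ has no objects of its own, only the common prefix Private/2017/, which is why a policy that should block the Private directory has to cover both the object resources under it and listings with that prefix, as Step 5 does.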
Scenarios
For example, you are the owner of the examplebucket bucket, and the access control list (ACL) of every object and directory in the bucket is private by default. You want to grant RAM user Anne the read and write permissions on the Development directory in the bucket and the subdirectories and objects in the directory. You want to grant RAM user Leo the read-only permissions on the Marketing directory and the subdirectories and objects in the directory. You also want to prevent all RAM users of the current Alibaba Cloud account from accessing the Private directory.
Step 1: Create a bucket and upload objects to the bucket
Create a bucket named examplebucket.
Log on to the OSS console by using your Alibaba Cloud account.
Create a bucket named examplebucket. For more information, see Create buckets.
Create the following directories in the bucket: Development, Marketing, and Private. For more information, see Create directories.
Upload objects to specified directories based on the following requirements:
Upload the oss-dg.pdf object to the root directory of the examplebucket bucket.
Upload the Alibaba Cloud.pdf, ProjectA.docx, and ProjectB.docx objects to the Development directory.
Upload the data2020.xlsx and data2021.xlsx objects to the Marketing directory.
Upload the images.zip and promote.pptx objects to the Private directory.
For more information, see Upload objects.
Step 2: Create RAM users Anne and Leo
Create RAM users Anne and Leo in the RAM console. For more information, see Create a RAM user.
Step 3: Grant RAM user Anne the read and write permissions on the Development directory
Attach the AllowAnneToReadAndWriteFolderDevelopment policy to RAM user Anne.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the following policy content and click Next to edit policy information.
Grant RAM user Anne the read and write permissions on the Development directory and all objects in the directory by using the following policy content:
{
  "Version":"1",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "oss:ListObjects"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket"
      ],
      "Condition":{
        "StringLike":{
          "oss:Prefix":[
            "Development",
            "Development/*"
          ]
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket/Development/*"
      ]
    }
  ]
}
Specify the Name and Description parameters for the policy.
Click OK.
Attach the AllowAnneToReadAndWriteFolderDevelopment policy to RAM user Anne. For more information, see Grant permissions to a RAM user.
Step 4: Grant RAM user Leo the read-only permissions on the Marketing directory
Refer to Step 3 to create a custom policy named AllowLeoToReadAndWriteFolderMarketing and attach it to RAM user Leo. The following policy content grants RAM user Leo the read-only permissions on the Marketing directory and all objects in the Marketing directory:
{
"Version":"1",
"Statement":[
{
"Effect":"Allow",
"Action":[
"oss:ListObjects"
],
"Resource":[
"acs:oss:*:*:examplebucket"
],
"Condition":{
"StringLike":{
"oss:Prefix":[
"Marketing",
"Marketing/*"
]
}
}
},
{
"Effect":"Allow",
"Action":[
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource":[
"acs:oss:*:*:examplebucket/Marketing/*"
]
}
]
}
Step 5: Deny access from all RAM users in the current Alibaba Cloud account to the Private directory
Create a user group and add members to the user group.
For more information about how to create a user group, see Create a RAM user group. After you create the user group, add all RAM users in the current Alibaba Cloud account to the user group. For more information, see Add a RAM user to a RAM user group.
Create a custom policy named DenyAllRamToAccessFolderPrivate.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
Enter the following policy content and click Next to edit policy information.
Deny access from all RAM users in the current Alibaba Cloud account to the Private directory by using the following policy content:
{
  "Version":"1",
  "Statement":[
    {
      "Effect":"Deny",
      "Action":[
        "oss:*"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket/Private/*"
      ],
      "Condition":{
      }
    },
    {
      "Effect":"Deny",
      "Action":[
        "oss:ListObjects"
      ],
      "Resource":[
        "acs:oss:*:*:*"
      ],
      "Condition":{
        "StringLike":{
          "oss:Prefix":[
            "Private/",
            "Private/*"
          ]
        }
      }
    }
  ]
}
Specify the Name and Description parameters for the policy.
Click OK.
Attach the DenyAllRamToAccessFolderPrivate policy to the user group. For more information, see Grant permissions to a RAM user group.
After you attach the policy to the user group, the RAM users in the user group cannot access the Private directory in the examplebucket bucket. When the RAM users send a request to list the Private/2017/images.zip and Private/2017/promote.pptx objects in the Private directory, OSS returns an error response.
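Before attaching policies like the three in Steps 3 to 5, it helps to check on paper what each request will resolve to. The following added example is not Alibaba Cloud code and is not the RAM evaluation engine; it is a toy evaluator that models only what this tutorial relies on: Allow and Deny statements with Deny taking precedence (the note in Background information), the * wildcard in Action and Resource, and the StringLike condition on oss:Prefix with * matching zero or more characters. The three policies are copied from the page; the broad AllowEverything policy, the region cn-hangzhou and the account ID in the ARNs are constructed placeholders, and the can_list and can_do helpers are this example's own.

```python
# Added example: toy RAM policy evaluator for the policies in this tutorial.
# Not an Alibaba Cloud implementation; real RAM evaluation has more rules.
from fnmatch import fnmatchcase

ANNE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:examplebucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["Development", "Development/*"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject", "oss:GetObjectAcl"],
     "Resource": ["acs:oss:*:*:examplebucket/Development/*"]}]}

LEO = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:examplebucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["Marketing", "Marketing/*"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:GetObjectAcl"],
     "Resource": ["acs:oss:*:*:examplebucket/Marketing/*"]}]}

DENY_PRIVATE = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:examplebucket/Private/*"], "Condition": {}},
    {"Effect": "Deny", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:*"],
     "Condition": {"StringLike": {"oss:Prefix": ["Private/", "Private/*"]}}}]}

# Constructed policy (not from the page) used only to show Deny precedence.
ALLOW_EVERYTHING = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"]}]}

# Placeholder region and account ID for the request ARNs; not from the page.
ARN_BASE = "acs:oss:cn-hangzhou:123456789012:"


def like(pattern, value):
    """StringLike as modelled here: '*' matches zero or more characters.
    '?' and '[' are escaped so fnmatch gives them no extra meaning."""
    return fnmatchcase(value, pattern.replace("[", "[[]").replace("?", "[?]"))


def condition_holds(condition, context):
    """True when every StringLike clause matches at least one of its patterns."""
    for operator, clauses in (condition or {}).items():
        if operator != "StringLike":
            raise ValueError(f"operator {operator} is outside this model")
        for key, patterns in clauses.items():
            if key not in context or not any(like(p, context[key]) for p in patterns):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request.

    No matching statement means implicit deny; a matching Deny statement
    wins over every Allow, whichever policy it appears in.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(like(a, action) for a in stmt["Action"]):
                continue
            if not any(like(r, resource) for r in stmt["Resource"]):
                continue
            if not condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def can_list(policies, prefix):
    """Model of the console's GetBucket (ListObjects) call with a prefix."""
    return evaluate(policies, "oss:ListObjects", ARN_BASE + "examplebucket",
                    {"oss:Prefix": prefix})


def can_do(policies, action, key):
    """Model of an object-level request such as GetObject on one key."""
    return evaluate(policies, action, ARN_BASE + "examplebucket/" + key)


if __name__ == "__main__":
    print("Anne puts Development/ProjectA.docx:",
          can_do([ANNE], "oss:PutObject", "Development/ProjectA.docx"))
    print("Anne lists the bucket root:", can_list([ANNE], ""))
    print("Leo puts Marketing/data2020.xlsx:",
          can_do([LEO], "oss:PutObject", "Marketing/data2020.xlsx"))
    print("Broad allow + DenyAllRamToAccessFolderPrivate, get Private/2017/images.zip:",
          can_do([ALLOW_EVERYTHING, DENY_PRIVATE], "oss:GetObject", "Private/2017/images.zip"))
```

Two results are worth noting when you read the output. Under this model Anne's policy allows listings whose prefix is Development or starts with Development/, but not the root listing the console sends when she clicks the bucket name, because an empty prefix matches neither pattern; and because the policy lists only GetObject, PutObject and GetObjectAcl, a DeleteObject request on the same key resolves to implicit deny. The ALLOW_EVERYTHING case shows the precedence rule: a broad Allow on the whole bucket still resolves to Deny for anything under Private/ once DenyAllRamToAccessFolderPrivate is attached.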