Bucket policies are resource-based authorization policies. Bucket owners can use bucket policies to authorize other users to access specific resources in Object Storage Service (OSS). This topic describes how to run the bucket-policy command to add, modify, query, or delete bucket policies.
Usage notes
To add or modify bucket policies, you must have the oss:PutBucketPolicy permission. To query bucket policies, you must have the oss:GetBucketPolicy permission. To delete bucket policies, you must have the oss:DeleteBucketPolicy permission. For more information, see Attach a custom policy to a RAM user.
For ossutil 1.6.16 and later, you can use ossutil as the binary name in the command line regardless of the operating system. For ossutil earlier than 1.6.16, the binary name depends on the operating system. For more information, see ossutil command reference.
For more information about bucket policies, see Bucket policies.
Add or modify bucket policies
Before you add or modify bucket policies, create a JSON file on your local computer and configure the bucket policies in it. A single JSON file can contain multiple bucket policies (statements), but the total size of the bucket policies cannot exceed 16 KB.
When you add or modify bucket policies, ossutil reads the bucket policies from the JSON file and applies them to the specified bucket. The put operation replaces the existing bucket policies of the bucket with the contents of the file; nothing is merged. To add a statement to an existing policy, first query the current policies, add the statement to the downloaded JSON file, and then put the whole file. Otherwise the existing statements are lost.
Command syntax
ossutil bucket-policy --method put oss://bucketname local_json_file
The following table describes the preceding parameters.
Parameter          Description
bucketname         The name of the bucket for which you want to add or modify bucket policies.
local_json_file    The name of the local JSON file in which you configure bucket policies.
Examples
Create a file named local_json_file on your local computer and configure bucket policies in it based on your scenario.
The following examples show how to configure common bucket policies.
Note: In the following examples, the bucket owner whose UID is 174649585760xxxx (the account in the Resource parameter) configures bucket policies to grant different permissions to other users, which appear in the Principal parameter: a RAM user whose UID is 20214760404935xxxx, and the anonymous user *.
Allow anonymous requests only from the specified IP address (10.10.10.10) to access all resources in a bucket named examplebucket. An Allow statement grants access in addition to whatever the bucket ACL already permits; to make this IP address the only way for anonymous requests to read the bucket, keep the bucket ACL private.
{
  "Statement": [
    {
      "Action": [
        "oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects", "oss:RestoreObject",
        "oss:GetVodPlaylist", "oss:ListObjectVersions", "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion"
      ],
      "Condition": { "IpAddress": { "acs:SourceIp": [ "10.10.10.10" ] } },
      "Effect": "Allow",
      "Principal": [ "*" ],
      "Resource": [ "acs:oss:*:174649585760xxxx:examplebucket/*" ]
    },
    {
      "Action": [ "oss:ListObjects", "oss:GetObject" ],
      "Condition": {
        "StringLike": { "oss:Prefix": [ "*" ] },
        "IpAddress": { "acs:SourceIp": [ "10.10.10.10" ] }
      },
      "Effect": "Allow",
      "Principal": [ "*" ],
      "Resource": [ "acs:oss:*:174649585760xxxx:examplebucket" ]
    }
  ],
  "Version": "1"
}
Grant a RAM user read-only permissions on the hangzhou/2020 and hangzhou/2015 directories of a bucket named examplebucket. The second statement limits oss:ListObjects on the bucket to those two prefixes by using the oss:Prefix condition:
{
  "Statement": [
    {
      "Action": [
        "oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects", "oss:RestoreObject",
        "oss:GetVodPlaylist", "oss:ListObjectVersions", "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion"
      ],
      "Effect": "Allow",
      "Principal": [ "20214760404935xxxx" ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2015/*"
      ]
    },
    {
      "Action": [ "oss:ListObjects", "oss:GetObject" ],
      "Condition": { "StringLike": { "oss:Prefix": [ "hangzhou/2020/*", "hangzhou/2015/*" ] } },
      "Effect": "Allow",
      "Principal": [ "20214760404935xxxx" ],
      "Resource": [ "acs:oss:*:174649585760xxxx:examplebucket" ]
    }
  ],
  "Version": "1"
}
Reject anonymous requests to all objects in the hangzhou/2021/ directory of a bucket named examplebucket. A Deny statement takes precedence over any Allow statement or ACL grant:
{
  "Statement": [
    {
      "Action": [
        "oss:RestoreObject", "oss:ListObjects", "oss:AbortMultipartUpload", "oss:PutObjectAcl",
        "oss:GetObjectAcl", "oss:ListParts", "oss:DeleteObject", "oss:PutObject", "oss:GetObject",
        "oss:GetVodPlaylist", "oss:PostVodPlaylist", "oss:PublishRtmpStream", "oss:ListObjectVersions",
        "oss:GetObjectVersion", "oss:GetObjectVersionAcl", "oss:RestoreObjectVersion"
      ],
      "Effect": "Deny",
      "Principal": [ "*" ],
      "Resource": [ "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2021/*" ]
    },
    {
      "Action": [ "oss:ListObjects", "oss:GetObject" ],
      "Condition": { "StringLike": { "oss:Prefix": [ "hangzhou/2021/*" ] } },
      "Effect": "Deny",
      "Principal": [ "*" ],
      "Resource": [ "acs:oss:*:174649585760xxxx:examplebucket" ]
    }
  ],
  "Version": "1"
}
Add a bucket policy to the examplebucket bucket.
ossutil bucket-policy --method put oss://examplebucket local_json_file
If the following output is displayed, the bucket policy is added to the examplebucket bucket:
1.125101(s) elapsed
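Because the put operation replaces the whole policy document and ossutil only reports the elapsed time on success, it pays to check the JSON file before uploading it. The following Python script is an added example for this page, not code from ossutil or OSS. The hard checks encode what the page states (Version "1", acs:oss ARNs, a 16 KB limit for the whole file); the review heuristics (an Allow to the anonymous principal * with no Condition, anonymous write actions, oss:ListObjects on a whole bucket without an oss:Prefix condition) and the WRITE_ACTIONS list are the reviewer's own assumptions, not OSS rules. The two sample policies are constructed for the example; SAFE mirrors the single-IP anonymous policy above.

```python
"""Offline lint for an OSS bucket policy file before `ossutil bucket-policy --method put`.

Added example; not part of ossutil or OSS. The hard checks follow the documented
format and size limit; the review heuristics are the reviewer's own choices.
"""
import json
import sys

MAX_POLICY_BYTES = 16 * 1024  # documented limit for all policies in one file
ARN_PREFIX = "acs:oss:"       # every Resource entry is an ARN of this form

# Assumption: a reviewer's list of content-changing actions, not an exhaustive
# OSS action catalogue. oss:RestoreObject is left out because the docs grant it
# in their "read-only" example.
WRITE_ACTIONS = {
    "oss:PutObject", "oss:DeleteObject", "oss:PutObjectAcl",
    "oss:AbortMultipartUpload", "oss:PostVodPlaylist", "oss:PublishRtmpStream",
}


def _resource_key(arn):
    """Part of the ARN after the account UID: 'bucket' or 'bucket/prefix/*'."""
    parts = str(arn).split(":", 4)
    return parts[4] if len(parts) == 5 else ""


def lint_policy(doc):
    """Return a list of findings for a parsed policy document; [] means clean."""
    findings = []
    if doc.get("Version") != "1":
        findings.append('Version must be "1"')
    statements = doc.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append("Statement must be a non-empty list")
        return findings
    for i, stmt in enumerate(statements):
        tag = f"statement {i}"
        if not isinstance(stmt, dict):
            findings.append(f"{tag}: must be a JSON object")
            continue
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{tag}: Effect must be Allow or Deny")
        actions = stmt.get("Action") or []
        principals = stmt.get("Principal") or []
        resources = stmt.get("Resource") or []
        for name, value in (("Action", actions), ("Principal", principals), ("Resource", resources)):
            if not isinstance(value, list) or not value:
                findings.append(f"{tag}: {name} must be a non-empty list")
        for arn in resources:
            if not str(arn).startswith(ARN_PREFIX):
                findings.append(f"{tag}: Resource {arn!r} is not an {ARN_PREFIX} ARN")
        condition = stmt.get("Condition") or {}
        anonymous = "*" in principals
        if effect == "Allow" and anonymous:
            # An unconditional Allow to * is a public grant; writes to * are worse.
            if not condition:
                findings.append(f"{tag}: Allow to anonymous principal '*' with no Condition")
            writes = sorted(a for a in actions if a in WRITE_ACTIONS or str(a).endswith("*"))
            if writes:
                findings.append(f"{tag}: anonymous principal granted write actions {writes}")
        if effect == "Allow" and "oss:ListObjects" in actions:
            # Listing a whole bucket without oss:Prefix exposes every key name.
            whole_bucket = [r for r in resources if "/" not in _resource_key(r)]
            has_prefix = "oss:Prefix" in condition.get("StringLike", {})
            if whole_bucket and not has_prefix:
                findings.append(f"{tag}: oss:ListObjects on {whole_bucket} without an oss:Prefix condition")
    return findings


def check_policy_file(path):
    """Size check, JSON parse, then lint; returns findings (empty means OK)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    findings = []
    if len(raw) > MAX_POLICY_BYTES:
        findings.append(f"file is {len(raw)} bytes, over the {MAX_POLICY_BYTES}-byte limit")
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return findings + [f"not valid JSON: {exc}"]
    return findings + lint_policy(doc)


# Constructed samples. SAFE mirrors the docs' "anonymous requests from one IP"
# policy; WEAK is the same grant with the IP condition dropped and oss:PutObject added.
SAFE = {"Statement": [
    {"Action": ["oss:GetObject", "oss:ListObjects"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["10.10.10.10"]}},
     "Effect": "Allow", "Principal": ["*"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"]},
    {"Action": ["oss:ListObjects", "oss:GetObject"],
     "Condition": {"StringLike": {"oss:Prefix": ["*"]},
                   "IpAddress": {"acs:SourceIp": ["10.10.10.10"]}},
     "Effect": "Allow", "Principal": ["*"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]},
], "Version": "1"}

WEAK = {"Statement": [
    {"Action": ["oss:GetObject", "oss:PutObject", "oss:ListObjects"],
     "Effect": "Allow", "Principal": ["*"],
     "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]},
], "Version": "1"}

if __name__ == "__main__":
    for name, doc in (("SAFE", SAFE), ("WEAK", WEAK)):
        print(name, lint_policy(doc) or "OK")
    for path in sys.argv[1:]:  # e.g. python3 oss_policy_lint.py local_json_file
        print(path, check_policy_file(path) or "OK")
```

Run it against local_json_file before the put command; only upload when it prints OK. The WEAK sample produces three findings (public Allow with no Condition, anonymous oss:PutObject, and an unscoped bucket listing), which is exactly the kind of policy that should never reach the bucket.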
Query bucket policies
Command syntax
ossutil bucket-policy --method get oss://bucketname [local_json_file]
The following table describes the preceding parameters.
Parameter          Description
bucketname         The name of the bucket whose bucket policies you want to query.
local_json_file    Optional. The local JSON file that is used to store the queried bucket policies. If this parameter is not specified, the queried bucket policies are displayed on the terminal and not stored in a file.
Examples
Run the following command to query the bucket policies of a bucket named examplebucket:
ossutil bucket-policy --method get oss://examplebucket local_json_file
If the following output is displayed, the bucket policies of examplebucket are queried and written to the local JSON file:
0.212407(s) elapsed
Delete bucket policies
If you no longer need to use bucket policies to authorize other users to access your OSS resources, delete the configured bucket policies. This deletes the entire policy document of the bucket; to remove only some statements, put a revised JSON file instead. After the deletion, access is governed by the bucket and object ACLs alone.
Command syntax
ossutil bucket-policy --method delete oss://bucketname
Examples
Run the following command to delete all bucket policies of a bucket named examplebucket:
ossutil bucket-policy --method delete oss://examplebucket
If the following output is displayed, all bucket policies of examplebucket are deleted:
0.530750(s) elapsed
Common options
If the bucket is located in a region other than the one in your ossutil configuration, add the -e option to the command to specify the endpoint of the region in which the bucket is located. If the bucket belongs to another Alibaba Cloud account, add the -i option to specify the AccessKey ID of that account and the -k option to specify its AccessKey secret.
For example, you can run the following command to configure a bucket policy for a bucket named examplebucket, which is located in the China (Hangzhou) region and is owned by another Alibaba Cloud account:
ossutil bucket-policy --method put oss://examplebucket local_json_file -e oss-cn-hangzhou.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzAxxxx -k 67DLVBkH7EamOjy2W5RVAHUY9Hxxxx
An AccessKey pair passed with -i and -k is recorded in the shell history and is visible in the process list while the command runs. For anything beyond a one-off test, store the credentials with ossutil config instead, and use a RAM user that holds only the oss:PutBucketPolicy, oss:GetBucketPolicy or oss:DeleteBucketPolicy permission it needs rather than the account's primary AccessKey pair.
For more information about common options, see Common options.