Object Storage Service:Manage file access permissions (Go SDK V1)

Usage notes

• In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.

• In this topic, access credentials are obtained from environment variables. For more information about how to configure access credentials, see Configure access credentials.

• In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Configure OSSClient instances.

• To configure the ACL for an object, you must have the oss:PutObjectAcl permission. To query object ACLs, you must have the oss:GetObjectAcl permission. For more information, see Attach a custom policy to a RAM user.

Read and write permission types

An object has four types of access control lists (ACLs):

Object ACLs have a higher priority than bucket ACLs. For example, if the ACL of a bucket is private but the ACL of an object in the bucket is public-read-write, all users have read and write permissions for the object. If an ACL is not configured for an object, the object inherits the ACL of the bucket.

Sample code

The following code provides a complete example of how to set and retrieve object access permissions:

package main

import (
	"log"

	"github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
	// Obtain access credentials from environment variables. Before you run this sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are set.
	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
	if err != nil {
		log.Fatalf("Failed to create credentials provider: %v", err)
	}

	// Create an OSSClient instance.
	// Set yourEndpoint to the Endpoint of the bucket. For example, for the China (Hangzhou) region, set the Endpoint to https://oss-cn-hangzhou.aliyuncs.com. For other regions, set the Endpoint as needed.
	// Set yourRegion to the region where the bucket is located. For example, for the China (Hangzhou) region, set the value to cn-hangzhou. For other regions, set the value as needed.
	clientOptions := []oss.ClientOption{oss.SetCredentialsProvider(&provider)}
	clientOptions = append(clientOptions, oss.Region("yourRegion"))
	// Set the signature version.
	clientOptions = append(clientOptions, oss.AuthVersion(oss.AuthV4))
	client, err := oss.New("yourEndpoint", "", "", clientOptions...)
	if err != nil {
		log.Fatalf("Failed to create OSS client: %v", err)
	}

	// Set yourBucketName to the name of the bucket.
	bucketName := "yourBucketName"
	bucket, err := client.Bucket(bucketName)
	if err != nil {
		log.Fatalf("Failed to get bucket '%s': %v", bucketName, err)
	}

	// Set the ACL of the object.
	// Set yourObjectName to the full path of the object. Do not include the bucket name.
	objectName := "yourObjectName"
	err = bucket.SetObjectACL(objectName, oss.ACLPublicReadWrite)
	if err != nil {
		log.Fatalf("Failed to set object ACL for '%s': %v", objectName, err)
	}

	// Get the ACL of the object.
	aclRes, err := bucket.GetObjectACL(objectName)
	if err != nil {
		log.Fatalf("Failed to get object ACL for '%s': %v", objectName, err)
	}

	log.Printf("Object ACL for '%s': %s", objectName, aclRes.ACL)
}

References

• For the complete sample code for object ACLs, see GitHub example.

• For more information about the API operation used to set object ACLs, see SetObjectACL.

• For more information about the API operation used to retrieve object ACLs, see GetObjectACL.