All Products
Search

This Product

    Object Storage Service:Use RAM Policy Editor for OSS

    Document Center

    Object Storage Service:Use RAM Policy Editor for OSS

    Last Updated:Aug 13, 2024

    This topic describes how to use RAM Policy Editor.

    Address

    RAM Policy Editor

    Usage

    A Resource Access Management (RAM) policy consists of one or more rules. RAM Policy Editor allows you to add or remove rules for a policy and generate policy JSON text in a graphical interface. You can copy the generated policy JSON text and paste it into the policy JSON editor in the RAM console. For more information, see Create custom policies.

    To add a rule to a policy in RAM Policy Editor, you must configure the following fields for the rule: Effect, Actions, Resources, and Conditions.

    • Effect

      Specifies whether the rule allows or denies access to resources.

    • Actions

      Specifies the actions performed to access resources. In most cases, you can select from the following general actions provided in the drop-down list:

      • oss:*: specifies all supported actions.

      • oss:Get*: specifies all read actions.

      • oss:Put*: specifies all write actions.

      For more information, visit RAM Policy Editor README.

    • Resources

      Specifies one or more resources. Common resource configuration scenarios:

      • Specify only a bucket, with objects in the bucket excluded. Example: my-bucket.

      • Specify all objects within a bucket, with the bucket itself excluded. Example: my-bucket/*.

      • Specify a directory within a bucket, with the objects in the directory excluded. Example: my-bucket/dir.

      • Specify all objects within a directory, with the directory itself excluded. Example: my-bucket/dir/* (the policy does not apply to the dir directory).

      • Specify the complete resource path. Example acs:oss:*:174649585760xxxx:my-bucket/dir(174649585760xxxx is the user UID, which you can check in the OSS console)

    • EnablePath

      To specify a directory in a policy, you also need to grant the permission to call the ListObjects operation on the parent directory of directory. For example, to grant read and write permissions on my-bucket/users/dir/*, you also need to allow the ListObjects operation on the following resources: 

      ListObjects my-bucket
ListObjects my-bucket/users
ListObjects my-bucket/users/dir

      If you select the EnablePath check box, the preceding permissions are automatically granted.

    • Conditions

      Specifies the conditions that must be met to access the resources. You can specify multiple conditions in a policy.

    Examples

    The following sample policy grants all OSS permissions on the specified resources: