
Object Storage Service: Use RAM Policy Editor for OSS

Last Updated: Aug 13, 2024

This topic describes how to use RAM Policy Editor.

Address

RAM Policy Editor

Usage

A Resource Access Management (RAM) policy consists of one or more rules. RAM Policy Editor allows you to add or remove rules for a policy and generate policy JSON text in a graphical interface. You can copy the generated policy JSON text and paste it into the policy JSON editor in the RAM console. For more information, see Create custom policies.

To add a rule to a policy in RAM Policy Editor, you must configure the following fields for the rule: Effect, Actions, Resources, and Conditions.

  • Effect

    Specifies whether the rule allows or denies access to resources.

  • Actions

    Specifies the actions performed to access resources. In most cases, you can select from the following general actions provided in the drop-down list:

    • oss:*: specifies all supported actions.

    • oss:Get*: specifies all read actions.

    • oss:Put*: specifies all write actions.

    For more information, see the RAM Policy Editor README.

  • Resources

    Specifies one or more resources. Common resource configuration scenarios:

    • Specify only a bucket, with objects in the bucket excluded. Example: my-bucket.

    • Specify all objects within a bucket, with the bucket itself excluded. Example: my-bucket/*.

    • Specify a directory within a bucket, with the objects in the directory excluded. Example: my-bucket/dir.

    • Specify all objects within a directory, with the directory itself excluded. Example: my-bucket/dir/* (the policy does not apply to the dir directory).

    • Specify the complete resource path. Example: acs:oss:*:174649585760xxxx:my-bucket/dir (174649585760xxxx is the user UID, which you can check in the OSS console).

  • EnablePath

    To specify a directory in a policy, you also need to grant the permission to call the ListObjects operation on the parent directories of that directory. For example, to grant read and write permissions on my-bucket/users/dir/*, you also need to allow the ListObjects operation on the following resources:

    ListObjects my-bucket
    ListObjects my-bucket/users
    ListObjects my-bucket/users/dir

    If you select the EnablePath check box, the preceding permissions are automatically granted.

  • Conditions

    Specifies the conditions that must be met to access the resources. You can specify multiple conditions in a policy.
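
The EnablePath expansion described above, as an added example that is not part of the original page or of RAM Policy Editor's own code: it derives the three ListObjects entries for my-bucket/users/dir/* and emits policy JSON for one rule. The function names, the short acs:oss:*:*: resource form, and expressing each listing as oss:ListObjects on the bucket narrowed by oss:Prefix and oss:Delimiter conditions are assumptions of this example.

```python
import json

ARN_PREFIX = "acs:oss:*:*:"  # any region, any account (short form of the full path)

def parent_listings(resource):
    """Paths that need ListObjects for a rule on `resource`, bucket first."""
    path = resource[:-2] if resource.endswith("/*") else resource
    parts = path.split("/")
    if "*" in path or "" in parts:
        raise ValueError("expected bucket[/dir...][/*], got %r" % resource)
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def build_policy(effect, actions, resource, enable_path=False):
    """Build one rule, plus the parent listings when enable_path is set."""
    if effect not in ("Allow", "Deny"):
        raise ValueError("Effect must be Allow or Deny")
    statements = [{"Effect": effect, "Action": list(actions),
                   "Resource": [ARN_PREFIX + resource]}]
    if enable_path and effect == "Allow":
        bucket = resource.split("/", 1)[0]
        # Assumption: ListObjects is granted on the bucket and narrowed with
        # oss:Prefix; oss:Delimiter keeps each listing to a single level.
        prefixes = [p[len(bucket) + 1:] for p in parent_listings(resource)]
        statements.append({
            "Effect": "Allow",
            "Action": ["oss:ListObjects"],
            "Resource": [ARN_PREFIX + bucket],
            "Condition": {"StringLike": {
                "oss:Delimiter": "/",
                "oss:Prefix": [p + "/" if p else "" for p in prefixes]}},
        })
    return {"Version": "1", "Statement": statements}

if __name__ == "__main__":
    policy = build_policy("Allow", ["oss:Get*", "oss:Put*"],
                          "my-bucket/users/dir/*", enable_path=True)
    print(json.dumps(policy, indent=2))
```

Compare the printed JSON with what RAM Policy Editor generates for the same rule before pasting either into the RAM console.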

Examples

The following sample policy grants all OSS permissions on the specified resources: