An Access Control List (ACL) is a policy that controls access to buckets and objects. You can set an ACL during bucket creation or object upload, and modify it at any time. The set-acl command sets or modifies the ACL for a bucket or an object.
Usage notes
To configure or modify a bucket ACL, you must have the oss:PutBucketAcl permission. To configure or modify an object ACL, you must have the oss:PutObjectAcl permission. To modify ACLs for multiple objects in a batch operation, you must have both the oss:PutObjectAcl and oss:ListObjects permissions. For more information, see Attach a custom policy to a RAM user.
With ossutil 1.6.16 and later, you can directly use ossutil as the binary name. For earlier versions, you must use the OS-specific binary name. For more information, see ossutil command reference.
Configure or modify the ACL for a bucket
Syntax
ossutil set-acl oss://bucketname acl -b [--retry-times <value>]
The parameters and options are described below.
Parameter/Option
Description
bucketname
The name of the target bucket.
acl
The ACL of the bucket. Valid values:
private (default): Only the bucket owner has read and write access to objects in the bucket.
public-read: Only the bucket owner has write access. All other users, including anonymous users, have read-only access. Granting public-read access can lead to data leaks and unexpected charges. If malicious users upload illegal content, you may face legal consequences. Do not grant public-read access unless it is absolutely necessary.
public-read-write: Anyone, including anonymous users, can read and write objects in the bucket. This permission lets any user read, write, and delete objects, which can lead to data loss and unexpected charges. Use this permission with extreme caution.
-b
Specifies that the operation targets a bucket. Without this option, the command targets an object by default.
--retry-times
The number of times to retry a failed operation. Default value: 10. Valid values: 1 to 500.
Example
Run the following command to set the ACL of a bucket named examplebucket to private:
ossutil set-acl oss://examplebucket private -b
Configure or modify the ACL for objects
Syntax
ossutil set-acl oss://bucketname[/prefix] acl [-r] [--include <value>] [--exclude <value>] [--version-id <value>] [--job <value>] [--retry-times <value>] [--encoding-type <value>]
The parameters and options are described below.
Parameter/Option
Description
bucketname
The name of the bucket that contains the objects whose ACL you want to configure or modify.
prefix
The prefix in the names of resources, such as directories and objects.
acl
The ACL of the objects. Valid values:
default: The ACL of the objects is the same as that of the bucket in which the objects are stored.
private (default): Only the bucket owner can perform read and write operations on the objects in the bucket. Other users cannot access the objects in the bucket.
public-read: Only the bucket owner can perform write operations on the objects in the bucket. Other users, including anonymous users, can perform only read operations on the objects in the bucket. This may result in unrestricted access to the data in your bucket and unexpectedly high fees. If a user uploads prohibited data or information, your legal rights may be infringed. We recommend that you do not set the ACL to public-read unless necessary.
public-read-write: All users, including anonymous users, can perform read and write operations on the objects in the bucket. This may result in unrestricted access to the data in your bucket and unexpectedly high fees. Exercise caution when you set the ACL to public-read-write.
-r
If you specify this option, ossutil configures the ACL of all objects whose names contain the prefix specified by the prefix option. If you do not specify this option, ossutil configures the ACL only of the object specified by cloud_url.
--include
Specifies that the command applies to all objects that meet the specified conditions.
For more information, see --include and --exclude.
--exclude
Specifies that the command applies to all objects that do not meet the specified conditions.
For more information, see --include and --exclude.
--version-id
The version ID of the object whose ACL you want to configure or modify. This parameter applies only to objects in buckets for which versioning is enabled or suspended.
--job
The number of concurrent tasks that can be performed across multiple objects. Valid values: 1 to 10000. Default value: 3.
--retry-times
The number of retries after the command fails to run. Default value: 10. Valid values: 1 to 500.
--encoding-type
The method used to encode the value of the prefix parameter that follows oss://bucket_name. Valid value: url. If you do not specify this option, the prefix is not encoded.
Examples
You can run the following command to set the ACL of an object named exampleobject.txt in a bucket named examplebucket to private:
ossutil set-acl oss://examplebucket/exampleobject.txt private
Run the following command to set the ACL of the specified version (CAEQARiBgID8rumR2hYiIGUyOTAyZGY2MzU5MjQ5ZjlhYzQzZjNlYTAyZDE3****) of the exampleobject.txt object in a bucket named examplebucket to private:
ossutil set-acl oss://examplebucket/exampleobject.txt private --version-id CAEQARiBgID8rumR2hYiIGUyOTAyZGY2MzU5MjQ5ZjlhYzQzZjNlYTAyZDE3****
Run the following command to set the ACL of objects whose names contain the test prefix in a bucket named examplebucket to default:
ossutil set-acl oss://examplebucket/test default -r
Run the following command to set the ACL of objects whose names contain the .jpg extension in a bucket named examplebucket to private:
ossutil set-acl oss://examplebucket private --include "*.jpg" -r
Run the following command to set the ACL of objects whose names contain the "abc" string and do not contain the .png or .txt extension in a bucket named examplebucket to default:
ossutil set-acl oss://examplebucket default --include "*abc*" --exclude "*.png" --exclude "*.txt" -r
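The two syntax sections above accept different ACL values (default is valid only for objects), and both warn against public-read and public-read-write. The following shell function is an added example, not part of ossutil or of the original page: it checks a request against those lists and prints the command for review instead of running it. The function name safe_set_acl and the ALLOW_PUBLIC_ACL variable are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical guard wrapper (not part of ossutil). It validates a request
# against the ACL values listed on this page and prints the resulting
# `ossutil set-acl` command for review; it never runs ossutil itself.
# Assumption: ALLOW_PUBLIC_ACL=1 is this example's own opt-in switch.

safe_set_acl() {
    # usage: safe_set_acl bucket|object <oss-url> <acl> [-r]
    sa_kind=$1 sa_url=$2 sa_acl=$3 sa_rec=${4:-}

    case $sa_url in
        oss://?*) ;;
        *) echo "error: target must look like oss://bucketname[/prefix]" >&2; return 2 ;;
    esac

    case $sa_kind in
        bucket)
            # "default" is only valid for objects, never for a bucket.
            case $sa_acl in
                private|public-read|public-read-write) ;;
                *) echo "error: invalid bucket ACL: $sa_acl" >&2; return 2 ;;
            esac
            # A bucket target carries no object path; -b is mandatory,
            # otherwise ossutil treats the target as an object.
            case ${sa_url#oss://} in
                */*) echo "error: bucket target must not contain a path" >&2; return 2 ;;
            esac
            sa_flags="-b" ;;
        object)
            case $sa_acl in
                default|private|public-read|public-read-write) ;;
                *) echo "error: invalid object ACL: $sa_acl" >&2; return 2 ;;
            esac
            case $sa_rec in
                ''|-r) sa_flags=$sa_rec ;;
                *) echo "error: only -r is accepted as fourth argument" >&2; return 2 ;;
            esac ;;
        *) echo "error: first argument must be bucket or object" >&2; return 2 ;;
    esac

    # Public ACLs grant anonymous access: require an explicit opt-in.
    case $sa_acl in
        public-read|public-read-write)
            [ "${ALLOW_PUBLIC_ACL:-0}" = "1" ] || {
                echo "refused: $sa_acl needs ALLOW_PUBLIC_ACL=1" >&2; return 3; } ;;
    esac

    echo "ossutil set-acl $sa_url $sa_acl${sa_flags:+ $sa_flags}"
}

safe_set_acl bucket oss://examplebucket private
```

The function returns 2 for a malformed request and 3 for a public ACL requested without the opt-in, so a calling script can tell a typo from a policy refusal.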
Common options
If you use ossutil to access a bucket in a different region, add the -e option to specify the Endpoint of the bucket's region. If you use ossutil to access a bucket that belongs to a different Alibaba Cloud account, add the -i option to specify the AccessKey ID and the -k option to specify the AccessKey secret of the account.
For example, to set the ACL of the testbucket bucket (located in the China (Shanghai) region and owned by another account) to private, run this command:
ossutil set-acl oss://testbucket private -b -e oss-cn-shanghai.aliyuncs.com -i yourAccessKeyID -k yourAccessKeySecret
For more information about other common options for this command, see Common options.