
Object Storage Service: How do I use RAM with OSS to have finer-grained access control?

Last Updated:May 09, 2024

Resource Access Management (RAM) is an Alibaba Cloud service that enables you to manage user identities and resource permissions. For example, you can use RAM to grant different employees or applications in your company the required permissions on Object Storage Service (OSS) resources. Before you use RAM to manage the permissions on Alibaba Cloud services, we recommend that you learn about the RAM features that work with Alibaba Cloud services. This facilitates optimized access control settings that suit your business requirements. This topic describes RAM features that work with OSS.

RAM features that OSS supports

The following table describes support for RAM features in OSS.

RAM feature                                        Support
RAM user credentials                               Yes
Security Token Service (STS) tokens                Yes
Identity-based policies (account level)            Yes
Identity-based policies (resource group level)     Partial
Action-level permissions                           Yes
Resource-level permissions                         Yes
Service-specific condition keys                    Yes
Tag-based authorization                            Partial
Normal service roles                               Yes
Service-linked roles                               No

Note

For more information about all Alibaba Cloud services that work with RAM, see Services that work with RAM. For more information about all Alibaba Cloud services that work with STS, see Alibaba Cloud services that support STS.

RAM user credentials

You can use RAM user credentials to access OSS.

A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. When you use RAM user credentials to access OSS, OSS checks the permissions of the RAM user on the requested OSS resources.

  • Credentials are configured when you create the RAM user. You can create a RAM user only by using the administrator account. If you use a RAM user to access a service by using the console of the service, you must provide the username and password of the RAM user. If you use a RAM user to access a service by calling API operations, you must provide the AccessKey pair of the RAM user. To improve credential security, we recommend that you regularly change the password of a RAM user and avoid embedding the AccessKey pair in project code. For more information, see Identity management.

    Note

    An administrator account is an Alibaba Cloud account, or a RAM user or a RAM role that has administrative rights.

  • By default, a RAM user does not have any permissions. After you create a RAM user, you must use the administrator account to attach the required policies to the RAM user to grant the RAM user permissions to access or manage resources. Identity-based policies include system policies and custom policies. For more information about system policies and custom policies for OSS, see System policies for OSS and Custom policies for OSS. System policies are created by Alibaba Cloud, whereas custom policies are created by you.


STS tokens

You can use STS tokens to access OSS.

An STS token is an identity credential that is issued by STS to a RAM role for accessing Alibaba Cloud resources. A RAM role is a virtual RAM identity that does not have long-term identity credentials. A RAM role must be assumed by a trusted entity to access resources.

Compared with long-term access credentials, such as AccessKey pairs, STS tokens help lower risks of access credential leaks and improve resource security. For more information about the trusted entities and the typical scenarios in which RAM roles and STS tokens are used, see RAM role overview.

By default, a RAM role does not have any permissions. To use a RAM role to access or manage cloud resources, you must use the administrator account to attach the required policies to the RAM role. Identity-based policies include system policies and custom policies. For more information about system policies and custom policies for OSS, see System policies for OSS and Custom policies for OSS. System policies are created by Alibaba Cloud, whereas custom policies are created by you.


Identity-based policies

OSS supports identity-based policies.

You can attach identity-based policies to RAM identities, such as RAM users, RAM user groups, or RAM roles. Identity-based policies define what operations RAM identities can perform on which resources and under what conditions.

  • From the policy management perspective, identity-based policies include system policies and custom policies. System policies are created and maintained by Alibaba Cloud. You can use system policies, but you cannot modify or delete them. You can create and maintain custom policies in the RAM console or by calling API operations.

  • From the perspective of authorization scope, identity-based policies include account-level policies and resource group-level policies. The authorization scope of account-level policies is all resources within an Alibaba Cloud account. The authorization scope of resource group-level policies is all resources in a resource group. Account-level policies take precedence over resource group-level policies. For more information about the definitions and authorization scopes, see Policy models. You can specify the authorization scope when you grant permissions to a RAM identity.


Action-level permissions

OSS supports action-level permissions.

In a policy, the Action element specifies the actions that an identity can or cannot perform. In most cases, the name of an action is the same as the name of the corresponding API operation of the cloud service. The value of the Action element follows the oss:<action-name> format.

The Action element in a policy allows you to scope down access permissions to specific actions.

You can use action-level permissions in custom policies to implement finer-grained access control.

Sample Action element in a RAM policy for OSS

"Action": [
    "oss:ListBuckets",
    "oss:GetBucketStat",
    "oss:GetBucketInfo"
]

Resource-level permissions

OSS supports resource-level permissions.

In a policy, the Resource element specifies one or more resources on which an identity can or cannot perform operations. A resource is a manageable entity in an Alibaba Cloud service. For example, resources can be Object Storage Service (OSS) buckets or Elastic Compute Service (ECS) instances. A resource in the Resource element is identified by the Alibaba Cloud Resource Name (ARN) of the resource, which is in the acs:oss:<region>:<account-id>:<relative-id> format. If an action does not support resource-level permissions, use a wildcard (*) to specify that the action applies to all resources in the account.

The Resource element allows you to scope down access permissions to specific resources. You can use resource-level permissions in custom policies to implement finer-grained access control. For more information about resources in OSS, see RAM policies.

Sample Resource element in a RAM policy for OSS

"Resource": [
    "acs:oss:*:*:mybucket",
    "acs:oss:*:*:mybucket/*"
]

Service-specific condition keys

OSS supports service-specific condition keys.

The Condition element specifies the conditions that are required for a policy to take effect. This element is optional. The Condition element can contain one or more conditions. Each condition consists of conditional operators, condition keys, and condition values. Condition operators are defined by RAM. Condition keys include common condition keys in the acs:<condition-key> format and service-specific condition keys in the oss:<condition-key> format. Condition values vary with the condition keys. For more information about the Condition element, see Policy elements.

If an Alibaba Cloud service supports condition keys specific to the service, you can configure conditions that are required for a policy to take effect to grant permissions on specific operations and resource objects. You can use service-specific condition keys in custom policies to implement finer-grained access control. For a list of OSS-specific condition keys, see RAM policies.

Sample OSS-specific Condition element in a RAM policy for OSS

"Condition": {
    "StringEquals": {
        "vpc:TargetAccountRDId": [
            "12****"
        ]
    },
    "Bool": {
        "acs:SecureTransport": [
            "true"
        ]
    }
}
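As an added example that is not part of the Alibaba Cloud documentation, the following Python sketch shows how the Action, Resource and Condition elements described in the three sections above combine when a request is evaluated against a custom OSS policy. The bucket name mybucket and the acs:SecureTransport key come from this page; the account ID and object keys in the requests are constructed, and only the StringEquals and Bool operators shown on the page are modelled.

```python
import fnmatch

# Constructed policy combining the Action, Resource and Condition elements shown
# above; the bucket name and acs:SecureTransport key come from the page.
POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"],
        "Condition": {"Bool": {"acs:SecureTransport": ["true"]}},
    }],
}

def arn_matches(pattern, arn):
    """Compare an OSS ARN (acs:oss:<region>:<account-id>:<relative-id>) with a Resource
    pattern field by field: 'mybucket/*' covers object keys, plain 'mybucket' only the bucket."""
    p, a = pattern.split(":", 4), arn.split(":", 4)
    return len(p) == len(a) == 5 and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def condition_holds(condition, ctx):
    """Every condition key must hold (AND); any of its listed values may match (OR)."""
    for op, keys in condition.items():
        if op not in ("StringEquals", "Bool"):
            raise ValueError(f"operator {op} not modelled here")
        for key, values in keys.items():
            actual = ctx.get(key)
            if actual is None:  # a missing request-context key makes the condition fail
                return False
            if op == "Bool":  # Bool compares case-insensitively; StringEquals does not
                actual, values = str(actual).lower(), [v.lower() for v in values]
            if actual not in values:
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    """RAM evaluation order: a matching explicit Deny wins, otherwise a matching
    Allow grants, otherwise the request is denied by default."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in st["Action"]):
            continue
        if not any(arn_matches(r, resource) for r in st["Resource"]):
            continue
        if not condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Running the same GetObject request with acs:SecureTransport set to "false" shows why the Bool condition is worth adding: the object is readable over HTTPS only, and every other bucket and every unlisted action stays denied.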

Tag-based authorization

OSS supports tag-based authorization.

Tags in RAM policies are custom attribute labels that come in two forms: acs:ResourceTag/{tag-key} and acs:RequestTag/{tag-key}. Tags can be used to classify, search, and aggregate cloud resources with the same attributes from different dimensions. This makes resource management easier. For more information about services that work with tags, see Services that work with Tag.

Tag-based authorization allows you to grant the same permissions to cloud resources that have the same tags when you manage permissions on the cloud resources. You can use tags in custom RAM policies for finer-grained access control.

Normal service roles

OSS supports normal service roles.

A normal service role is a RAM role whose trusted entity is an Alibaba Cloud service. A normal service role is used to authorize access across Alibaba Cloud services. When you use specific features of OSS, normal service roles are automatically created and granted the permissions that are required to access another service. OSS assumes the normal service roles to access the intended service.

When you use same-region replication (SRR) within the same Alibaba Cloud account or across Alibaba Cloud accounts or use the inventory feature, normal service roles are required. For more information, see SRR within the same account and Bucket inventory.

You can also manually create, modify, and delete normal service roles, and modify the permissions of normal service roles. Take note that modifying a normal service role or permissions granted to the normal service role may affect your use of specific OSS features.