You can configure Resource Access Management (RAM) policies to manage the permissions of users, such as employees, systems, or applications, and the resources that can be accessed by the users. For example, you can create a RAM policy to authorize users to list and read the objects that are stored in a specific bucket.
Attach a custom policy to a RAM user
Create a custom policy.
You can refer to the examples described in this topic based on the actual scenarios and create a custom policy by using scripts. For more information, see Create custom policies.
A RAM policy contains a version number and a statement. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information, see RAM policies.
Important
In Object Storage Service (OSS), you can set the Resource element to an asterisk (*) wildcard character to specify resources of a specific type. The value of the Resource element is in the following format: acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}
. For example, if the Resource element is set to acs:oss:*:*:mybucket/*
, all resources in the mybucket bucket are specified. If the Resource element is set to acs:oss:*:*:mybucket/abc*.txt
, all .txt objects whose names contain the abc prefix in the mybucket bucket are specified.
Attach the custom policy to a RAM user.
Example 1: Authorize a RAM user to fully control a bucket
The following RAM policy grants a RAM user full control over the mybucket
bucket.
Warning
To ensure data security, we recommend that you do not grant RAM users full control over a bucket used by mobile apps.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
}
]
}
Example 2: Prohibit a RAM user from deleting multiple objects in a bucket
The following RAM policy prohibits a RAM user from deleting all .txt objects whose names contain the abc prefix in the mybucket
bucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/abc*.txt"
]
}
]
}
Example 3: Authorize a RAM user to list and read objects in a bucket
Authorize a RAM user to list and read objects in a bucket by using OSS SDKs or ossutil
The following RAM policy authorizes a RAM user to list and read all objects in the mybucket
bucket by using OSS SDKs or ossutil:
Note
The Resource element for the ListObjects action must specify all resources in the desired bucket.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:ListObjects",
"Resource": "acs:oss:*:*:mybucket"
},
{
"Effect": "Allow",
"Action": "oss:GetObject",
"Resource": "acs:oss:*:*:mybucket/*"
}
]
}
Authorize a RAM user to list and read objects in a bucket by using the OSS console
The following RAM policy authorizes a RAM user to list and read all objects in the mybucket
bucket by using the OSS console:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketLifecycle",
"oss:GetBucketWorm",
"oss:GetBucketVersioning",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:mybucket"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": "acs:oss:*:*:mybucket/*"
}
]
}
Example 4: Prohibit a RAM user from deleting a bucket
The following RAM policy prohibits a RAM user from deleting the mybucket
bucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
},
{
"Effect": "Deny",
"Action": [
"oss:DeleteBucket"
],
"Resource": [
"acs:oss:*:*:mybucket"
]
}
]
}
Example 5: Authorize a RAM user to access multiple directories in a bucket
In this example, a bucket named mybucket
is used to store photos. The bucket contains multiple directories that are named based on the locations where the photos were captured. Each directory contains subdirectories that are named based on the years when the photos were captured.
mybucket[Bucket]
├── beijing
│ ├── 2014
│ └── 2015
├── hangzhou
│ ├── 2013
│ ├── 2014
│ └── 2015
└── qingdao
├── 2014
└── 2015
For example, you want to grant a RAM user read-only permissions on the mybucket/hangzhou/2014/
and mybucket/hangzhou/2015/
directories. Directory-level authorization is an advanced feature of RAM policies and requires RAM policies at different complexity levels based on actual scenarios. The following RAM policies are suitable for different scenarios and are provided for reference only.
Grant a RAM user read-only permissions on objects in the mybucket/hangzhou/2014/
and mybucket/hangzhou/2015/
directories
In this scenario, the RAM user knows the full paths of the objects that can be accessed. We recommend that you configure the RAM policy to authorize the RAM user to access the objects by using the full paths of the objects.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:mybucket/hangzhou/2014/*",
"acs:oss:*:*:mybucket/hangzhou/2015/*"
]
}
]
}
Grant a RAM user the permissions to access the mybucket/hangzhou/2014/
and mybucket/hangzhou/2015/
directories and list the objects in the directories by using ossutil
In this scenario, the RAM user does not know the objects in the directories and can use ossutil or call API operations to obtain information about the objects in the directories. In this case, the ListObjects
permission must be specified in the policy.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:mybucket/hangzhou/2014/*",
"acs:oss:*:*:mybucket/hangzhou/2015/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:*:mybucket"
],
"Condition":{
"StringLike":{
"oss:Prefix": [
"hangzhou/2014/*",
"hangzhou/2015/*"
]
}
}
}
]
}
Grant a RAM user the permissions to access directories by using the OSS console
In this scenario, the RAM user can use the OSS console to access the mybucket/hangzhou/2014/
and mybucket/hangzhou/2015/
directories from the root directory by level.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketLifecycle",
"oss:GetBucketWorm",
"oss:GetBucketVersioning",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": [
"acs:oss:*:*:mybucket/hangzhou/2014/*",
"acs:oss:*:*:mybucket/hangzhou/2015/*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:*:mybucket"
],
"Condition": {
"StringLike": {
"oss:Delimiter": "/",
"oss:Prefix": [
"",
"hangzhou/",
"hangzhou/2014/*",
"hangzhou/2015/*"
]
}
}
}
]
}
Example 6: Prohibit a RAM user from deleting an object from a bucket
The following RAM policy prohibits a RAM user from deleting an object from the mybucket
bucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:*:mybucket/*"
]
}
]
}
Example 7: Prohibit a RAM user from accessing objects that have specific tags
The following RAM policy contains a Deny statement that prohibits a RAM user from accessing objects that are stored in the examplebucket bucket and have the status:ok
and key1:value1
tags:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:GetObject"
],
"Resource": [
"acs:oss:*:174649585760xxxx:examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss:ExistingObjectTag/status":"ok",
"oss:ExistingObjectTag/key1":"value1"
}
}
}
]
}
Example 8: Authorize a RAM user to access OSS from specific IP addresses
Allow access from specific IP addresses
The following RAM policy authorizes a RAM user to read all objects in the mybucket
bucket from only IP addresses in the 192.168.0.0/16
and 198.51.100.0/24
CIDR blocks that are specified in the Allow
statement:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
],
"Condition":{
"IpAddress": {
"acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
}
}
}
]
}
Deny access from specific IP addresses
The following RAM policy prohibits a RAM user from accessing OSS resources from IP addresses that are not in the 192.168.0.0/16
CIDR block that is specified in the Deny
statement:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl"
],
"Resource": [
"acs:oss:*:*:*"
]
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetObject"
],
"Resource": [
"acs:oss:*:*:mybucket",
"acs:oss:*:*:mybucket/*"
]
},
{
"Effect": "Deny",
"Action": "oss:*",
"Resource": [
"acs:oss:*:*:*"
],
"Condition":{
"NotIpAddress": {
"acs:SourceIp": ["192.168.0.0/16"]
}
}
}
]
}
Note
In a RAM policy, a Deny statement takes precedence over an Allow statement. Therefore, when a RAM user attempts to read data in the mybucket bucket from an IP address that is not in the 192.168.0.0/16
CIDR block, an error message is returned, which indicates that the RAM user does not have the required permissions.
Example 9: Use RAM or STS to authorize users to access OSS resources
Use RAM or Security Token Service (STS) to authorize a user whose IP address is 192.168.0.1
to perform the following operations from the client of OSS SDK for Java:
List objects whose names contain the foo
prefix in the examplebucket bucket
Grant the user the permissions to perform the upload, download, and delete operations on objects whose names contain the file
prefix in the examplebucket bucket
The following RAM policy can meet the preceding access management requirements:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:GetBucketAcl",
"oss:ListObjects"
],
"Resource": [
"acs:oss:*:177530505652xxxx:mybucket"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk",
"oss:Prefix": "foo"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
},
{
"Action": [
"oss:PutObject",
"oss:GetObject",
"oss:DeleteObject"
],
"Resource": [
"acs:oss:*:177530505652xxxx:mybucket/file*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:UserAgent": "java-sdk"
},
"IpAddress": {
"acs:SourceIp": "192.168.0.1"
}
}
}
]
}
Example 10: Use RAM policies to deny uploads of objects whose ACL is public-read or public-read-write
The following RAM policy prohibits users from uploading objects whose access control list (ACL) is public-read or public-read-write to the examplebucket bucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"oss:PutObject",
"oss:PutObjectAcl"
],
"Resource": [
"acs:oss:*:*:examplebucket",
"acs:oss:*:*:examplebucket/*"
],
"Condition": {
"StringEquals": {
"oss:x-oss-object-acl": [
"public-read",
"public-read-write"
]
}
}
}
]
}
Example 11: Authorize a RAM user to use IMM
The following RAM policy grants a RAM user the permissions to use Intelligent Media Management (IMM):
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:PutObject",
"oss:PostProcessTask",
"oss:ProcessImm"
],
"Resource": "*"
},
{
"Action": [
"imm:CreateOfficeConversionTask",
"imm:GetWebofficeURL"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": "ram:PassRole",
"Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
}
]
}
Example 12: Authorize a RAM user to change the storage redundancy type of buckets
Grant a RAM user the permissions to change the storage redundancy type of a bucket
The following RAM policy grants a RAM user the permissions to change the storage redundancy type of the mybucket bucket:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:CreateBucketDataRedundancyTransition",
"oss:GetBucketDataRedundancyTransition",
"oss:ListBucketDataRedundancyTransition",
"oss:DeleteBucketDataRedundancyTransition"
],
"Resource": "acs:oss:*:*:mybucket"
}
]
}
Grant a RAM user the permissions to change the storage redundancy type of all buckets
Important
The following RAM policy grants a RAM user the permissions to change the storage redundancy type of all buckets in the Alibaba Cloud account. Exercise caution when you grant the permissions to a RAM user.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:CreateBucketDataRedundancyTransition",
"oss:GetBucketDataRedundancyTransition",
"oss:ListBucketDataRedundancyTransition",
"oss:DeleteBucketDataRedundancyTransition"
],
"Resource": "acs:oss:*:*:*"
}
]
}
Example 13: Authorize a RAM user to place an order for an OSS resource plan
The following RAM policy grants a RAM user the permissions to place an order for an OSS resource plan:
Warning
After a RAM user places an order for an OSS resource plan, the user needs to contact the owner of the Alibaba Cloud account to which the RAM user belongs to pay for the order. To authorize a RAM user to pay for an order, the owner of the Alibaba Cloud account needs to grant the bss:PayOrder
permission to the RAM user. bss:PayOrder
is a high-risk permission. We recommend that you do not grant the permission to a RAM user unless necessary.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:CreateOrder",
"Resource": "acs:oss:*:*:*"
}
]
}
Example 14: Authorize a RAM user to activate OSS
The following RAM policy grants a RAM user the permissions to activate OSS:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": "oss:ActivateProduct",
"Resource": "acs:oss:*:*:*"
}
]
}