All Products
Search
Document Center

Object Storage Service:Access control

Last Updated:Dec 03, 2024

By default, the access control list (ACL) of Object Storage Service (OSS) resources, including buckets and objects, is set to private to ensure data security. Only the owners of the resources and authorized users can access these resources. OSS allows you to configure a variety of policies to grant third-party users specific permissions to access or use your OSS resources.

The following table describes the access control policies that you can configure for objects stored in buckets.

Parameter

Description

Scenario

RAM Policy

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage access permissions on resources. RAM policies are authorization policies configured based on users. You can configure RAM policies to manage your users, such as employees, systems, or applications, and control user permissions on your resources. For example, you can configure a RAM policy to allow your users to only read one bucket.

  • Grant the same permissions to the RAM users of the same Alibaba Cloud account.

  • Configure the same permissions required to access all OSS resources or multiple buckets.

  • Configure the permissions required to perform specific operations. For example, you can configure a RAM policy to specify the permissions required to list all buckets that belong to the same Alibaba Cloud account.

  • Limit the permissions of temporary access credentials used to access OSS.

Bucket Policy

A bucket policy is a resource-based authorization policy. Unlike RAM policies, bucket policies can be easily configured on the GUI of the console. In addition, the owner of a bucket can configure bucket policies for the bucket without RAM permissions. You can configure bucket policies to grant permissions to the RAM users of other Alibaba Cloud accounts or anonymous users who access OSS by using the specified IP addresses.

  • Grant different permissions to the RAM users of the same Alibaba Cloud account.

  • Grant permissions to the RAM users of other Alibaba Cloud accounts or anonymous users.

Bucket ACLs

You can configure the ACL of a bucket when you create the bucket or modify the ACL of a created bucket. Only the owner of a bucket can configure or modify the ACL of the bucket. You can set the ACL of a bucket to one of the following values: public-read-write, public-read, and private.

Configure the same access permissions for all objects in a bucket.

Object ACLs

You can also configure the ACL of each object stored in OSS. You can configure the ACL of an object when you upload the object or modify the ACL of an uploaded object. You can set the ACL of an object to one of the following values: default, public-read-write, public-read, and private.

Configure the access permissions of a single object.

For example, you configure RAM policies or bucket policies for a bucket to set the ACL of all objects in the bucket or objects whose names contain the specified prefix to private. In this case, if you want an object in the bucket to be accessed by all anonymous users from the Internet, you can set the ACL of the object to public-read.

References

  • For more information about how to enable Block Public Access for buckets and objects, see Block Public Access.

  • For more information about permission management mechanisms of OSS, see Authorization.