This topic describes how to use bucket policies to securely share data across departments or project teams by allowing some users to only download data and preventing them from writing or deleting data in Object Storage Service (OSS).
Background information
In this example, Department A wants to store data in a bucket named example-bucket and allow users in Department B to download the shared data. This topic shows how to follow the principle of least privilege to control access to shared data. The following figure shows the expected permissions of the administrators and users in Department A and Department B to access the example-bucket bucket.
Authorization process
In this example, the administrator of Department A uses the following steps to configure bucket policies that grant different access permissions on the bucket.
Step 1: Create a bucket
The administrator of Department A creates a bucket named example-bucket to store shared data.
Step 2: Grant permissions to upload shared data
The administrator of Department A configures a bucket policy for example-bucket to allow users in Department A to upload data to the bucket.
Step 3: Grant permissions to download shared data and deny writes and deletion of shared data
The administrator of Department A configures a bucket policy for example-bucket to allow users in Department B to download shared data but not to write or delete shared data.
Step 4: Upload data to the bucket
A user in Department A uploads data to example-bucket.
Step 5: Verify permissions
Verify the permissions of the users in Department B to ensure that they can only download shared data and cannot write or delete shared data.
Prerequisites
RAM users for the administrators and users in Department A and Department B are created within the Alibaba Cloud account of the enterprise.
For more information, see Create a RAM user.
The UIDs of the RAM users are obtained. For more information about how to query UIDs, see View the information about a RAM user.
Appropriate permissions are granted to the RAM users.
In this example, the administrator of Department A needs to create buckets and configure bucket policies. Therefore, the AliyunOSSFullAccess policy must be attached to the RAM user group of the administrator. For more information, see Grant permissions to a RAM user.
Step 1: Create a bucket
Perform the following steps to create a bucket in the China (Hangzhou) region as the administrator of Department A:
Log on to the OSS console as the administrator of Department A.
In the left-side navigation pane, click Buckets. On the Buckets page, click Create Bucket.
In the Create Bucket panel, configure the parameters.
In this example, the bucket is named example-bucket. For more information about how to configure parameters to create a bucket, see Create buckets.
Click OK.
Step 2: Grant permissions to upload shared data
Perform the following steps as the administrator of Department A to allow users in Department A to upload data to example-bucket:
Click the name of the bucket created in Step 1.
In the left-side navigation tree, choose .
On the Add in GUI tab of the Bucket Policy tab, click Authorize.
In the Authorize panel, configure the following parameters and retain the default settings for other parameters.
Applied To: Select Whole Bucket to apply the bucket policy to the whole bucket.
Authorized User: Select RAM User. From the RAM user drop-down list, select the RAM users to which you want to grant the permissions to upload data to the bucket. You can also enter a username or keyword in the search box to search for specific RAM users by fuzzy match.
Authorized Operation: Select Basic Settings and click Read/Write. This option indicates that authorized users can perform read and write operations on the bucket.
Click OK.
Users in Department A are granted permissions to upload data to the bucket.
Step 3: Grant permissions to download shared data and deny writes and deletion of shared data
Perform the following steps as the administrator of Department A to allow users in Department B to download shared data from example-bucket:
Click the name of the bucket created in Step 1.
In the left-side navigation tree, choose .
On the Add in GUI tab of the Bucket Policy tab, click Authorize.
In the Authorize panel, configure the following parameters and retain the default settings for other parameters.
Applied To: Select Whole Bucket to apply the bucket policy to the whole bucket.
Authorized User: Select Other Accounts. Enter the UIDs of the RAM users that you want to allow to download shared data.
Authorized Operation: Select Basic Settings and click Read-only (including ListObject). This option indicates that authorized users can only view, list, and download data but cannot write or delete data stored in example-bucket.
Click OK.
Users in Department B are granted permissions to download data from the bucket. They are not allowed to write data to the bucket or delete data from the bucket.
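The two console grants in Step 2 and Step 3 correspond to a bucket policy document with two Allow statements. The following Python snippet is an added example, not code from the original page or from Alibaba Cloud: it builds that document and adds an offline least-privilege check that mirrors Step 5 by confirming no statement grants Department B a write or delete action. The UIDs are constructed placeholders, and the exact action lists behind the Read/Write and Read-only console options are assumptions.

```python
import fnmatch
import json

# Constructed sample values, not from the page: substitute the UIDs obtained in the prerequisites.
OWNER_UID = "1000000000000000"            # Alibaba Cloud account that owns example-bucket
DEPT_A_UIDS = ["2000000000000001"]         # RAM users in Department A (Step 2: read/write)
DEPT_B_UIDS = ["3000000000000001"]         # RAM users in Department B (Step 3: read-only)
BUCKET = "example-bucket"

# Actions that create, change or remove data; a download-only grant must allow none of them.
WRITE_ACTIONS = {"oss:PutObject", "oss:DeleteObject", "oss:AbortMultipartUpload",
                 "oss:PutObjectAcl", "oss:RestoreObject"}

def statement(uids, actions):
    """One Allow statement scoped to the whole bucket (the bucket itself plus every object)."""
    return {
        "Effect": "Allow",
        "Action": sorted(actions),
        "Principal": list(uids),
        "Resource": [f"acs:oss:*:{OWNER_UID}:{BUCKET}", f"acs:oss:*:{OWNER_UID}:{BUCKET}/*"],
    }

def build_policy():
    """Policy document equivalent to the two console grants; the action sets are assumptions."""
    read_write = {"oss:GetObject", "oss:ListObjects", "oss:PutObject", "oss:DeleteObject",
                  "oss:AbortMultipartUpload"}
    read_only = {"oss:GetObject", "oss:ListObjects"}   # "Read-only (including ListObject)"
    return {"Version": "1", "Statement": [statement(DEPT_A_UIDS, read_write),
                                          statement(DEPT_B_UIDS, read_only)]}

def write_actions_granted(policy, uid):
    """Write/delete actions that any Allow statement grants to uid, expanding wildcards like oss:*."""
    granted = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or not ({uid, "*"} & set(st["Principal"])):
            continue
        for pattern in st["Action"]:
            granted |= {a for a in WRITE_ACTIONS if fnmatch.fnmatchcase(a, pattern)}
    return granted

def check_least_privilege(policy):
    """Step 5 as an offline check: no Department B user may write or delete in the bucket."""
    return all(not write_actions_granted(policy, uid) for uid in DEPT_B_UIDS)

if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))   # the document the console grants produce
    print("Department B is download-only:", check_least_privilege(policy))
```

Run the check again after any later edit to the policy: a wildcard such as oss:* or an anonymous "*" principal added to a statement silently reopens write access, and the function reports it.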
Step 4: Upload data to the bucket
Perform the following steps to upload data to example-bucket as a user of Department A:
Log on to the OSS console as a RAM user in Department A.
Open the object upload page at https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object/upload.
On the Upload page, configure parameters to upload data.
Select Current Directory for Upload To. For more information about parameter settings in an upload, see Upload objects.
On the Upload Tasks tab of the Task List panel, check the task progress. After the upload is complete, close the panel.
The data is uploaded to example-bucket.
Step 5: Verify permissions
Perform the following steps in the OSS console to verify that users in Department B can download but cannot write or delete shared data:
Log on to the OSS console as a RAM user in Department B.
Open the Objects page at https://oss.console.aliyun.com/bucket/hangzhou/example-bucket/object.
On the Objects page, perform the following permission checks:
Verify download permissions of users in Department B on shared data.
Find an object in the example-bucket bucket and choose  in the Actions column.
If the object cannot be downloaded, the download permissions are incorrectly configured.
If the object is downloaded, the download permissions are correctly configured.
Verify upload permissions of users in Department B on shared data.
Follow Step 4 to upload data to example-bucket.
If the upload operation fails, the intended upload permissions are correctly configured.
If the upload operation is successful, the intended upload permissions are incorrectly configured.
Verify deletion permissions of users in Department B on shared data.
Find an object in the example-bucket bucket and choose .
If the delete operation fails, the intended delete permissions are correctly configured.
If the delete operation is successful, the intended delete permissions are incorrectly configured.