With RAM Policy you can centrally manage your users (such as employees, systems, or applications) and control which of the resources under your account they are allowed to access, for example authorizing a RAM user to list and read the resources in a bucket.
Grant a RAM user a custom permission policy
Create a custom permission policy.
Choose one of the common authorization examples listed below according to your actual scenario, then create the custom policy using the script-based configuration method. For details, see Create a custom policy.
For more information about the version number (Version) and authorization statements (Statement) in a policy, and about the effect (Effect), operations (Action), resources (Resource), and conditions (Condition, optional) in a statement, see RAM Policy.
Important: In OSS, Resource supports the asterisk wildcard (*) to denote a class of resources. Resource has the format acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For example, a Resource of acs:oss:*:*:mybucket/* denotes all resources under mybucket, and a Resource of acs:oss:*:*:mybucket/abc*.txt denotes all objects under mybucket whose names start with abc and end with .txt.
Grant the custom permission policy to the RAM user.
Example 1: Grant a RAM user full control over a bucket
The following example grants a RAM user full control over the bucket named mybucket.
For mobile applications, granting a user full control over a bucket carries a very high risk and should be avoided wherever possible.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ]
}
Example 2: Deny a RAM user permission to delete several specified objects in a bucket
The following example denies a RAM user permission to delete all objects in the bucket named mybucket whose names start with abc and end with .txt.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/abc*.txt"
      ]
    }
  ]
}
Example 3: Grant a RAM user permission to list and read all resources in a bucket
Grant a RAM user permission to list and read the resources in a bucket via the OSS SDK or the OSS command-line tool
The following example grants a RAM user permission to list and read all resources in the bucket named mybucket via the OSS SDK or the OSS command-line tool.
Note: The ListObjects action requires the entire bucket as its Resource.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:mybucket"
    },
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Resource": "acs:oss:*:*:mybucket/*"
    }
  ]
}
Grant a RAM user permission to list and read the resources in a bucket via the OSS console
The following example grants a RAM user permission to list and read all resources in the bucket named mybucket via the OSS console.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketLifecycle",
        "oss:GetBucketWorm",
        "oss:GetBucketVersioning",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:mybucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:mybucket/*"
    }
  ]
}
Example 4: Deny a RAM user permission to delete a bucket
The following example denies a RAM user permission to delete the bucket named mybucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteBucket"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket"
      ]
    }
  ]
}
Example 5: Grant a RAM user access to several directories in a bucket
Suppose the bucket used to store photos is mybucket. It contains directories named after the places where the photos were taken, and each place directory contains year subdirectories.
mybucket [Bucket]
├── beijing
│   ├── 2014
│   └── 2015
├── hangzhou
│   ├── 2013
│   ├── 2014
│   └── 2015
└── qingdao
    ├── 2014
    └── 2015
You want to grant the RAM user read-only access to the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/. Directory-level authorization is an advanced feature, and the complexity of the policy depends on the scenario. The following scenarios are provided for reference.
Grant the RAM user permission only to read the contents of objects in mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/
Because the RAM user knows the full paths of the objects, it is recommended to read the objects in these directories directly by their full paths.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/hangzhou/2014/*",
        "acs:oss:*:*:mybucket/hangzhou/2015/*"
      ]
    }
  ]
}
Grant the RAM user permission to access the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ and list the objects in them via the OSS command-line tool
The RAM user does not know which objects the directories contain and can retrieve the directory listing directly via the OSS command-line tool or the API. This scenario requires adding the ListObjects permission.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/hangzhou/2014/*",
        "acs:oss:*:*:mybucket/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "hangzhou/2014/*",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ]
}
Grant the RAM user permission to access the directories via the OSS console
When accessing the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ via the OSS console, the RAM user starts at the root directory and navigates level by level into the target directory.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketLifecycle",
        "oss:GetBucketWorm",
        "oss:GetBucketVersioning",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/hangzhou/2014/*",
        "acs:oss:*:*:mybucket/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Delimiter": "/",
          "oss:Prefix": [
            "",
            "hangzhou/",
            "hangzhou/2014/*",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ]
}
Example 6: Deny a RAM user permission to delete any object in a bucket
The following example denies a RAM user permission to delete any object in the bucket named mybucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ]
}
Example 7: Deny a RAM user access to objects with specified tags
The following Deny policy denies a RAM user access to objects in the bucket examplebucket that carry the object tags status:ok and key1:value1.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "oss:ExistingObjectTag/status": "ok",
          "oss:ExistingObjectTag/key1": "value1"
        }
      }
    }
  ]
}
Example 8: Grant a RAM user permission to access OSS from specific IP addresses
Add an IP address restriction to an Allow statement
The following example adds an IP address restriction to an Allow statement, granting a RAM user permission to read all resources in the bucket named mybucket only from the two IP address ranges 192.168.0.0/16 and 198.51.100.0/24.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
        }
      }
    }
  ]
}
Add an IP address restriction to a Deny statement
The following example adds an IP address restriction to a Deny statement, denying the RAM user any operation on OSS when the source IP address is outside the range 192.168.0.0/16.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:*"
      ],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": ["192.168.0.0/16"]
        }
      }
    }
  ]
}
Note: Because policy evaluation gives Deny priority, when a visitor accesses content in mybucket from an IP address outside 192.168.0.0/16, OSS reports that they do not have permission.
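As an added example (not part of the original page and not Alibaba Cloud's own code), the following Python models how a request is evaluated against a policy: the Deny-priority rule described in this note, the asterisk wildcard in Resource described in the Important note near the top of the page, the IpAddress/NotIpAddress conditions of Example 8, and the StringLike condition on oss:Prefix from Example 5. The policy, account ID, and request values are constructed for illustration, and the evaluation logic is a simplified model, not the service's implementation.

```python
import fnmatch
import ipaddress

# Constructed sample policy (assembled from this page's Examples 5 and 8, not
# copied verbatim): prefix-restricted listing plus a source-IP Deny statement.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:GetObject",
     "Resource": "acs:oss:*:*:mybucket/hangzhou/2014/*"},
    {"Effect": "Allow", "Action": "oss:ListObjects", "Resource": "acs:oss:*:*:mybucket",
     "Condition": {"StringLike": {"oss:Prefix": ["hangzhou/", "hangzhou/2014/*"]}}},
    {"Effect": "Deny", "Action": "oss:*", "Resource": "acs:oss:*:*:*",
     "Condition": {"NotIpAddress": {"acs:SourceIp": "192.168.0.0/16"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Every operator/key pair must hold; a list of values means 'any of them'."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if op == "StringEquals":
                ok = actual in wanted
            elif op == "StringLike":  # '*' and '?' wildcards, as used for oss:Prefix
                ok = actual is not None and any(
                    fnmatch.fnmatchcase(actual, w) for w in wanted)
            elif op in ("IpAddress", "NotIpAddress"):
                inside = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(w)
                    for w in wanted)
                ok = inside if op == "IpAddress" else not inside
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def _statement_matches(stmt, action, resource, ctx):
    # '*' in Action and Resource patterns is the wildcard described on this page
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))

def evaluate(policy, action, resource, ctx):
    """Deny priority: a matching Deny wins, then an explicit Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"
```

A request from 10.0.0.5 is denied even though an Allow statement matches it, which is the behaviour the note above describes.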
Example 9: Authorize other users via RAM or STS
Use RAM or STS to authorize a user whose IP address is 192.168.0.1 to perform the following operations with the Java SDK client:
List the objects in examplebucket whose names have the prefix foo.
Upload, download, and delete objects in examplebucket whose names start with file.
A RAM Policy that fits this scenario looks like the following:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetBucketAcl",
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:177530505652xxxx:mybucket"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:UserAgent": "java-sdk",
          "oss:Prefix": "foo"
        },
        "IpAddress": {
          "acs:SourceIp": "192.168.0.1"
        }
      }
    },
    {
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:177530505652xxxx:mybucket/file*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:UserAgent": "java-sdk"
        },
        "IpAddress": {
          "acs:SourceIp": "192.168.0.1"
        }
      }
    }
  ]
}
Example 10: Prevent uploaded objects from having a public-read or public-read-write ACL
The following RAM Policy prevents objects uploaded to examplebucket from having an ACL of public-read or public-read-write.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutObject",
        "oss:PutObjectAcl"
      ],
      "Resource": [
        "acs:oss:*:*:examplebucket",
        "acs:oss:*:*:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": [
            "public-read",
            "public-read-write"
          ]
        }
      }
    }
  ]
}
Example 11: Grant a RAM user permission to use IMM features
The following RAM Policy grants a RAM user permission to use IMM document processing.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:PostProcessTask",
        "oss:ProcessImm"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "imm:CreateOfficeConversionTask",
        "imm:GetWebofficeURL"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
    }
  ]
}
Example 12: Grant a RAM user permission to convert the storage redundancy type
Grant a RAM user permission to convert the storage redundancy type of a specific bucket.
The following example grants a RAM user permission to convert the storage redundancy type of mybucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:CreateBucketDataRedundancyTransition",
        "oss:GetBucketDataRedundancyTransition",
        "oss:ListBucketDataRedundancyTransition",
        "oss:DeleteBucketDataRedundancyTransition"
      ],
      "Resource": "acs:oss:*:*:mybucket"
    }
  ]
}
Grant a RAM user permission to convert the storage redundancy type of all buckets.
Important: The following example grants the RAM user permission to convert the storage redundancy type of every bucket in your Alibaba Cloud account. Proceed with caution.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:CreateBucketDataRedundancyTransition",
        "oss:GetBucketDataRedundancyTransition",
        "oss:ListBucketDataRedundancyTransition",
        "oss:DeleteBucketDataRedundancyTransition"
      ],
      "Resource": "acs:oss:*:*:*"
    }
  ]
}
Example 13: Grant a RAM user permission to create OSS resource plan orders
The following RAM Policy grants a RAM user permission to create OSS resource plan orders.
After a RAM user creates an OSS resource plan order, they can contact the Alibaba Cloud account owner to complete the payment. If the RAM user is to pay the order themselves, the account owner must grant them the bss:PayOrder permission. bss:PayOrder is a high-risk permission that involves financial operations; do not grant it unless it is necessary.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:CreateOrder",
      "Resource": "acs:oss:*:*:*"
    }
  ]
}
Example 14: Grant a RAM user permission to activate OSS
The following RAM Policy grants a RAM user permission to activate OSS.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ActivateProduct",
      "Resource": "acs:oss:*:*:*"
    }
  ]
}