Resource Access Management (RAM) policies are user-based authorization policies. You can configure RAM policies to manage user access to your Object Storage Service (OSS) resources. This topic describes how to manage permissions effectively with RAM Policies.
Background information
Syntax and structure of RAM policies
A RAM policy contains a version number and a list of statements. Each statement contains the following elements: Effect, Action, Resource, and Condition. The Condition element is optional. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
You can use the Version, Statement, and Effect elements in RAM policies for OSS in the same manner as in any other RAM policy. For more information about how to use the Action, Resource, and Condition elements in RAM policies for OSS, see the sections below.
Common RAM policies for OSS
AliyunOSSFullAccess: grants a RAM user full permissions on OSS resources.
AliyunOSSReadOnlyAccess: grants a RAM user read-only permissions on OSS resources.
Access control
For more information about the access control methods supported by OSS, see Overview.
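The following Python is an added example written for this page, not Alibaba Cloud's own tooling. It builds a policy document with every element named above (Version, Statement, Effect, Action, Resource, Condition) that grants nothing beyond listing and reading one prefix of one bucket over HTTPS, and it audits an arbitrary policy for the over-broad grants that a system policy such as AliyunOSSFullAccess implies. The action names and condition keys are the ones this topic lists; the resource format acs:oss:*:{account-id}:{bucket}/{object}, the sample account ID 1234, the bucket name reports, and the function names are assumptions of the example.

```python
"""Build a least-privilege OSS RAM policy document and audit one for
over-broad grants. Added example, not Alibaba Cloud's own code.

Assumed (not taken from the page): the resource format
acs:oss:*:{account-id}:{bucket}/{object}, the account ID 1234 and the
bucket name used in __main__, and the helper names below.
"""
import json
from typing import List

WILDCARD_ACTIONS = {"*", "oss:*"}


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def read_only_prefix_policy(bucket: str, prefix: str, account_id: str = "*") -> dict:
    """A policy that lets its holder list and download only the objects
    under `prefix` in `bucket`, and only over HTTPS."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["oss:ListObjects", "oss:GetBucketInfo"],
                "Resource": [f"acs:oss:*:{account_id}:{bucket}"],
                # oss:Prefix narrows what ListObjects may enumerate.
                "Condition": {"StringLike": {"oss:Prefix": [f"{prefix}*"]}},
            },
            {
                "Effect": "Allow",
                "Action": ["oss:GetObject"],
                "Resource": [f"acs:oss:*:{account_id}:{bucket}/{prefix}*"],
                "Condition": {"Bool": {"acs:SecureTransport": ["true"]}},
            },
        ],
    }


def audit_policy(policy: dict) -> List[str]:
    """Flag Allow statements that are broader than least privilege:
    wildcard actions, account-wide resources, and unconditioned writes
    or deletes. Returns one finding per problem (empty list = clean)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        broad = WILDCARD_ACTIONS.intersection(actions)
        if broad:
            findings.append(f"statement {i}: wildcard action {sorted(broad)}")
        if any(r == "*" or r.endswith(":*") for r in resources):
            findings.append(f"statement {i}: resource covers every bucket")
        mutating = broad or any(a.startswith(("oss:Put", "oss:Delete")) for a in actions)
        if mutating and "Condition" not in st:
            findings.append(f"statement {i}: write/delete rights without a Condition")
    return findings


def to_json(policy: dict) -> str:
    """Serialize for pasting into the RAM console or API."""
    return json.dumps(policy, indent=2)


# Constructed stand-in for a blanket grant such as AliyunOSSFullAccess.
FULL_ACCESS_LIKE = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(to_json(read_only_prefix_policy("reports", "2024/", "1234")))
    for finding in audit_policy(FULL_ACCESS_LIKE):
        print("finding:", finding)
```

The audit treats a Deny statement as never over-broad, because a broad Deny only removes privilege; run it over the policies attached to a RAM user before you attach a system policy, and prefer a generated prefix-scoped policy over AliyunOSSFullAccess wherever the user only needs one bucket.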
Action element in RAM policies for OSS
RAM policies for OSS support service-level, bucket-level, and object-level operations.
Service-level operations
API | Action | Description
 | oss:ListBuckets | Lists all buckets owned by the requester.
 | oss:ListUserDataRedundancyTransition | Lists all redundancy type change tasks of the requester.
N/A | oss:ActivateProduct | Activates OSS and enables Content Risk Detection.
N/A | oss:CreateOrder | Places an order for an OSS resource plan.
 | oss:PutPublicAccessBlock | Enables Block Public Access for OSS resources.
 | oss:GetPublicAccessBlock | Queries the Block Public Access configurations of OSS resources.
 | oss:DeletePublicAccessBlock | Deletes the Block Public Access configurations of OSS resources.
Bucket-level operations
API | Action | Description
 | oss:PutBucket | Creates a bucket.
 | oss:ListObjects | Lists all objects in a bucket.
 | oss:GetBucketInfo | Queries information about a bucket.
 | oss:GetBucketLocation | Queries the location information about a bucket.
 | oss:GetBucketStat | Queries the storage usage of a bucket and the number of objects stored in it.
 | oss:PutBucketVersioning | Configures the versioning state of a bucket.
 | oss:GetBucketVersioning | Queries the versioning state of a bucket.
 | oss:ListObjectVersions | Lists the versions of all objects in a bucket, including delete markers.
 | oss:PutBucketAcl | Configures or modifies the access control list (ACL) of a bucket.
 | oss:GetBucketAcl | Queries the ACL of a bucket.
 | oss:DeleteBucket | Deletes a bucket.
 | oss:InitiateBucketWorm | Creates a retention policy.
 | oss:AbortBucketWorm | Deletes an unlocked retention policy.
 | oss:CompleteBucketWorm | Locks a retention policy.
 | oss:ExtendBucketWorm | Extends the retention period (in days) of objects in a bucket whose retention policy is locked.
 | oss:GetBucketWorm | Queries the retention policies of a bucket.
 | oss:PutBucketLogging | Enables logging for a bucket.
 | oss:PutObject | Specifies that logs are written to another bucket when you enable logging for a source bucket.
 | oss:GetBucketLogging | Queries the logging configurations of a bucket.
 | oss:DeleteBucketLogging | Disables logging for a bucket.
 | oss:PutBucketWebsite | Enables static website hosting for a bucket and configures redirection rules for the bucket.
 | oss:GetBucketWebsite | Queries the static website hosting status and the redirection rules of a bucket.
 | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and deletes the redirection rules of the bucket.
 | oss:PutBucketReferer | Configures hotlink protection for a bucket.
 | oss:GetBucketReferer | Queries the hotlink protection configurations of a bucket.
 | oss:PutBucketLifecycle | Configures lifecycle rules for a bucket.
 | oss:GetBucketLifecycle | Queries the lifecycle rules of a bucket.
 | oss:DeleteBucketLifecycle | Deletes the lifecycle rules of a bucket.
 | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket.
 | oss:GetBucketTransferAcceleration | Queries the transfer acceleration configurations of a bucket.
 | oss:ListMultipartUploads | Lists all ongoing multipart upload tasks, that is, tasks that have been initiated but not yet completed or canceled.
 | oss:PutBucketCors | Configures cross-origin resource sharing (CORS) rules for a bucket.
 | oss:GetBucketCors | Queries the CORS rules of a bucket.
 | oss:DeleteBucketCors | Disables CORS for a bucket and deletes all CORS rules of the bucket.
 | oss:PutBucketPolicy | Configures policies for a bucket.
 | oss:GetBucketPolicy | Queries the policies of a bucket.
 | oss:DeleteBucketPolicy | Deletes the policies of a bucket.
 | oss:PutBucketTagging | Adds tags to or modifies the tags of a bucket.
 | oss:GetBucketTagging | Queries the tags of a bucket.
 | oss:DeleteBucketTagging | Deletes the tags of a bucket.
 | oss:PutBucketEncryption | Configures encryption rules for a bucket.
 | oss:GetBucketEncryption | Queries the encryption rules of a bucket.
 | oss:DeleteBucketEncryption | Deletes the encryption rules of a bucket.
 | oss:PutBucketRequestPayment | Enables pay-by-requester for a bucket.
 | oss:GetBucketRequestPayment | Queries the pay-by-requester configurations of a bucket.
 | oss:PutBucketReplication | Configures a data replication rule for a bucket.
 | oss:ReplicateGet | Configures cross-account data replication rules for a bucket, or specifies the RAM role that holds the permissions required for cross-account replication.
 | oss:PutBucketRTC | Enables or disables Replication Time Control (RTC) for existing cross-region replication (CRR) rules.
 | oss:GetBucketReplication | Queries the data replication rules of a bucket.
 | oss:DeleteBucketReplication | Stops the data replication tasks of a bucket and deletes the data replication configurations of the bucket.
 | oss:GetBucketReplicationLocation | Queries the region of a destination bucket to which data can be replicated.
 | oss:GetBucketReplicationProgress | Queries the progress of a data replication task of a bucket.
 | oss:PutBucketInventory | Configures inventories for a bucket.
 | oss:GetBucketInventory | Queries a specific inventory of a bucket.
 | oss:GetBucketInventory | Queries all inventories of a bucket.
 | oss:DeleteBucketInventory | Deletes a specific inventory of a bucket.
 | oss:PutBucketAccessMonitor | Configures the access tracking status of a bucket.
 | oss:GetBucketAccessMonitor | Queries the access tracking status of a bucket.
 | oss:OpenMetaQuery | Enables metadata management for a bucket.
 | oss:GetMetaQueryStatus | Queries the metadata index library of a bucket.
 | oss:DoMetaQuery | Queries objects that meet specific conditions and lists object information based on specific fields and sorting methods.
 | oss:CloseMetaQuery | Disables metadata management for a bucket.
 | oss:InitUserAntiDDosInfo | Creates Anti-DDoS instances.
 | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS instance.
 | oss:GetUserAntiDDosInfo | Queries information about the Anti-DDoS instances that belong to an Alibaba Cloud account.
 | oss:InitBucketAntiDDosInfo | Initializes Anti-DDoS instances for a bucket.
 | oss:UpdateBucketAntiDDosInfo | Updates the status of the Anti-DDoS instances of a bucket.
 | oss:ListBucketAntiDDosInfo | Queries the protection list of an Anti-DDoS instance of a bucket.
 | oss:PutBucketResourceGroup | Configures the resource group to which a bucket belongs.
 | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs.
 | oss:CreateCnameToken | Creates a CNAME token used to verify the ownership of a domain name.
 | oss:GetCnameToken | Queries existing CNAME tokens.
 | oss:PutCname | Maps a custom domain name to a bucket.
 | yundun-cert:DescribeSSLCertificatePrivateKey, yundun-cert:DescribeSSLCertificatePublicKeyDetail, yundun-cert:CreateSSLCertificate | Maps a custom domain name to a bucket and associates a certificate with the domain name.
 | oss:ListCname | Queries all custom domain names that are mapped to a bucket.
 | oss:DeleteCname | Deletes the CNAME record that maps a custom domain name to a bucket.
 | oss:PutStyle | Configures image styles.
 | oss:GetStyle | Queries image styles.
 | oss:ListStyle | Lists image styles.
 | oss:DeleteStyle | Deletes image styles.
 | oss:PutBucketArchiveDirectRead | Enables or disables real-time access to Archive objects for a bucket.
 | oss:GetBucketArchiveDirectRead | Queries whether real-time access to Archive objects is enabled for a bucket.
 | oss:CreateAccessPoint | Creates an access point.
 | oss:GetAccessPoint | Queries information about an access point.
 | oss:DeleteAccessPoint | Deletes an access point.
 | oss:ListAccessPoints | Queries user-level or bucket-level access points.
 | oss:PutAccessPointPolicy | Configures an access point policy.
 | oss:GetAccessPointPolicy | Queries information about an access point policy.
 | oss:DeleteAccessPointPolicy | Deletes an access point policy.
 | oss:PutBucketHttpsConfig | Enables or disables Transport Layer Security (TLS) version management for a bucket.
 | oss:GetBucketHttpsConfig | Queries the TLS version configurations of a bucket.
N/A | oss:ReplicateList | The list permission used in the replication process. Lists the historical data in a source bucket so that it can be replicated to a destination bucket.
 | oss:CreateAccessPointForObjectProcess | Creates an Object FC Access Point.
 | oss:GetAccessPointForObjectProcess | Queries basic information about an Object FC Access Point.
 | oss:DeleteAccessPointForObjectProcess | Deletes an Object FC Access Point.
 | oss:ListAccessPointsForObjectProcess | Queries information about user-level Object FC Access Points.
 | oss:PutAccessPointConfigForObjectProcess | Changes the configurations of an Object FC Access Point.
 | oss:GetAccessPointConfigForObjectProcess | Queries the configurations of an Object FC Access Point.
 | oss:PutAccessPointPolicyForObjectProcess | Configures policies for an Object FC Access Point.
 | oss:GetAccessPointPolicyForObjectProcess | Queries the policies of an Object FC Access Point.
 | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the policies of an Object FC Access Point.
 | oss:WriteGetObjectResponse | Configures custom response headers and response data.
 | oss:CreateBucketDataRedundancyTransition | Creates a redundancy type conversion task for a bucket.
 | oss:GetBucketDataRedundancyTransition | Queries the redundancy type conversion tasks of a bucket.
 | oss:DeleteBucketDataRedundancyTransition | Deletes a redundancy type conversion task of a bucket.
 | oss:ListBucketDataRedundancyTransition | Lists all redundancy type conversion tasks of a bucket.
 | oss:PutBucketPublicAccessBlock | Enables Block Public Access for a bucket.
 | oss:GetBucketPublicAccessBlock | Queries the Block Public Access configurations of a bucket.
 | oss:DeleteBucketPublicAccessBlock | Deletes the Block Public Access configurations of a bucket.
 | oss:PutAccessPointPublicAccessBlock | Enables Block Public Access for an access point.
 | oss:GetAccessPointPublicAccessBlock | Queries the Block Public Access configurations of an access point.
 | oss:DeleteAccessPointPublicAccessBlock | Deletes the Block Public Access configurations of an access point.
 | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access.
Object-level operations
API | Action | Description
 | oss:PutObject | Uploads an object.
 | oss:PutObjectTagging | Specifies the tags of the object by using the x-oss-tagging header during the upload.
 | kms:GenerateDataKey, kms:Decrypt | Uploads an object whose metadata includes X-Oss-Server-Side-Encryption: KMS.
 | oss:PutObject | Uploads an object to a bucket by using an HTML form.
 | oss:PutObject | Uploads an object by using append upload.
 | oss:PutObjectTagging | Specifies the tags of the object by using the x-oss-tagging header when you upload an object by appending it to an existing object.
 | oss:PutObject | Initiates a multipart upload task.
 | oss:PutObjectTagging | Specifies the tags of the object by using the x-oss-tagging header when you initiate a multipart upload task.
 | kms:GenerateDataKey, kms:Decrypt | Specifies that the object metadata includes X-Oss-Server-Side-Encryption: KMS when you initiate a multipart upload task.
 | oss:PutObject | Uploads an object part by part based on the object name and upload ID.
 | oss:PutObject | Completes the multipart upload task of an object after all parts of the object are uploaded.
 | oss:PutObjectTagging | Completes the multipart upload task of an object and specifies its tags after all parts of the object are uploaded.
 | oss:AbortMultipartUpload | Cancels a multipart upload task and deletes the uploaded parts.
 | oss:PutObject | Creates a symbolic link for an object.
 | oss:PutObjectTagging | Creates a symbolic link for an object and specifies its tags.
 | oss:GetObject | Queries an object.
 | kms:Decrypt | Downloads an object that is encrypted with a KMS-generated key.
 | oss:GetObjectVersion | Downloads a specified version of an object.
 | oss:GetObject | Queries the metadata of an object.
 | oss:GetObject | Queries the metadata of an object, including the ETag, object size, and last modified time.
 | oss:GetObject | Executes SQL statements on an object and queries the execution results.
 | oss:GetObject | Queries the symbolic link of an object.
 | oss:DeleteObject | Deletes an object.
 | oss:DeleteObjectVersion | Deletes a specific version of an object.
 | oss:DeleteObject | Deletes multiple objects from a bucket at a time.
 | oss:GetObject, oss:PutObject | Copies objects to the same bucket or to a different bucket in the same region.
 | oss:GetObjectVersion | Copies a specific version of an object between the same or different buckets within the same region.
 | oss:GetObjectTagging, oss:PutObjectTagging | Copies an object with specified tags between the same or different buckets within the same region.
 | kms:GenerateDataKey, kms:Decrypt | Specifies that the object metadata includes X-Oss-Server-Side-Encryption: KMS when you upload the object.
 | oss:GetObjectVersionTagging | Copies the tagging information of a specified version of an object between the same or different buckets within the same region.
 | oss:GetObject, oss:PutObject | Copies data from an existing object to upload a part by adding the x-oss-copy-source header to an UploadPart request.
 | oss:GetObjectVersion | Copies data from a specified version of an existing object to upload a part by adding the x-oss-copy-source header to an UploadPart request.
 | oss:ListParts | Lists all parts that are uploaded by using an upload ID.
 | oss:PutObjectAcl | Modifies the ACL of an object in a bucket.
 | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object.
 | oss:GetObjectAcl | Queries the ACL of an object in a bucket.
 | oss:GetObjectVersionAcl | Queries the ACL of a specific version of an object.
 | oss:RestoreObject | Restores Archive, Cold Archive, and Deep Cold Archive objects.
 | oss:RestoreObjectVersion | Restores a specific version of an Archive, Cold Archive, or Deep Cold Archive object.
 | oss:PutObjectTagging | Adds tags to or modifies the tags of an object.
 | oss:PutObjectVersionTagging | Adds tags to or modifies the tags of a specified version of an object.
 | oss:GetObjectTagging | Queries the tags of an object.
 | oss:GetObjectVersionTagging | Queries the tags of a specified version of an object.
 | oss:DeleteObjectTagging | Deletes the tags of an object.
 | oss:DeleteObjectVersionTagging | Deletes the tags of a specified version of an object.
 | oss:PutLiveChannel | Creates a LiveChannel before you upload audio and video data by using Real-Time Messaging Protocol (RTMP).
 | oss:ListLiveChannel | Lists specific LiveChannels.
 | oss:DeleteLiveChannel | Deletes a LiveChannel.
 | oss:PutLiveChannelStatus | Changes the status of a LiveChannel to enabled or disabled.
 | oss:GetLiveChannel | Queries the configurations of a LiveChannel.
 | oss:GetLiveChannelStat | Queries the stream ingest status of a LiveChannel.
 | oss:GetLiveChannelHistory | Queries the stream ingest records of a LiveChannel.
 | oss:PostVodPlaylist | Generates a video on demand (VOD) playlist for a LiveChannel.
 | oss:GetVodPlaylist | Queries the playlist that is generated from the streams ingested to a LiveChannel within a specific time range.
N/A | oss:PublishRtmpStream | Ingests video streams and audio streams to OSS over RTMP.
N/A | oss:ProcessImm | Grants the permission to use the data processing capabilities of IMM in OSS.
 | oss:GetObject | Grants access to the data processing capabilities of IMM via the POST method.
 | oss:PutObject | Grants the permission to use IMM for saveas.
 | oss:PostProcessTask | Saves processed images to a bucket.
 | imm:CreateOfficeConversionTask | Grants the permission to use IMM to perform document conversion or create snapshots.
 | imm:GenerateWebofficeToken | Obtains the access token of WebOffice.
 | imm:RefreshWebofficeToken | Updates the access token of WebOffice.
N/A | oss:ReplicateGet | The read permission used in the replication process. Allows OSS to read data and metadata from the source and destination buckets of a data replication task, such as objects, parts, and multipart upload tasks.
N/A | oss:ReplicatePut | The write permission used in the replication process. Allows OSS to perform write operations on the destination bucket of a data replication task, such as writing objects, performing multipart upload tasks, uploading parts, configuring symbolic links, and modifying object metadata.
N/A | oss:ReplicateDelete | The delete permission used in the replication process. Allows OSS to perform delete operations on the destination bucket of a data replication task, such as DeleteObject, AbortMultipartUpload, and DeleteMarker. Important: This action is required only if you set Replication Policy to Add/Delete/Change.
Resource pool QoS
API | Action | Description
 | oss:PutBucketQoSInfo | Configures bandwidth throttling rules for a bucket in a resource pool.
 | oss:GetBucketQoSInfo | Queries the bandwidth throttling rules of a bucket in a resource pool.
 | oss:DeleteBucketQoSInfo | Deletes the throttling configurations of a bucket.
 | oss:PutBucketRequesterQoSInfo | Configures the throttling rules for a requester that accesses a bucket.
 | oss:GetBucketRequesterQoSInfo | Queries the throttling configurations for a requester that accesses a bucket.
 | oss:ListBucketRequesterQoSInfo | Queries the throttling configurations for all requesters that access a bucket.
 | oss:DeleteBucketRequesterQoSInfo | Deletes the throttling configurations for a requester that accesses a bucket.
 | oss:ListResourcePools | Lists the resource pools associated with the current Alibaba Cloud account.
 | oss:GetResourcePoolInfo | Queries the throttling configurations of a resource pool.
 | oss:ListResourcePoolBuckets | Lists the buckets in a resource pool.
 | oss:PutResourcePoolRequesterQoSInfo | Configures the throttling rules for requesters that access a resource pool.
 | oss:GetResourcePoolRequesterQoSInfo | Queries the throttling configurations for a requester that accesses a resource pool.
 | oss:ListResourcePoolRequesterQoSInfos | Queries the throttling configurations of all requesters in a resource pool.
 | oss:DeleteResourcePoolRequesterQoSInfo | Deletes the throttling configurations for a requester in a resource pool.
Resource element in RAM policies for OSS
In RAM policies for OSS, the Resource element specifies one or more specific resources. This element supports the asterisk (*) wildcard character. A RAM policy can contain multiple Resource elements.
Category | Format | Example |
Bucket-level | | |
Object-level | | |
Resource-pool-level | | |
The region field can be set only to an asterisk (*) wildcard character.
Condition element in RAM policies for OSS
The Condition element specifies the conditions that are required for a policy to take effect. Each Condition element consists of conditional operators, condition keys, and condition values.
The following table describes the categories of conditional operators and condition keys.
Categories of conditional operators
Category | Conditional operator
String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike
Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals
Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals
Boolean | Bool
IP address | IpAddress, NotIpAddress, IpAddressIncludeBorder
Condition keys
Condition key | Description
acs:SourceIp | The CIDR block from which the request is sent. This condition supports the asterisk (*) wildcard character.
acs:SourceVpc | The VPC from which the request is sent. You can set this parameter to a specific VPC ID or to vpc-*. Important: When you use acs:SourceVpc to restrict the VPC, make sure that the region of the VPC matches the region of the gateway endpoint supported by OSS. Otherwise, authentication requests cannot be associated with the corresponding VPC, which leads to authentication failures. For more information, see Regions of gateway endpoints supported by OSS.
acs:UserAgent | The User-Agent header in the HTTP request. Type: string.
acs:CurrentTime | The point in time at which the request is received by the OSS server. Standard: ISO8601.
acs:SecureTransport | Specifies whether HTTPS is required for secure data transfer. Valid values: true (only HTTPS requests are allowed) and false (only HTTP requests are allowed). If the acs:SecureTransport condition is not specified, both HTTPS and HTTP requests are allowed.
oss:x-oss-acl | The ACL of the bucket. Valid values: private, public-read, and public-read-write. For more information, see Bucket ACLs.
oss:x-oss-object-acl | The ACL of the object. Valid values: private, public-read, public-read-write, and default (the ACL of the object is the same as the ACL of the bucket in which the object is stored). For more information, see Object ACLs.
oss:Prefix | The prefix in the names of the objects that you want to list by calling the ListObjects operation.
oss:Delimiter | The character that is used to group the names of the objects that you want to list by calling the ListObjects operation.
acs:AccessId | The AccessKey ID in the request.
oss:BucketTag | The tag of the bucket. A single bucket tag can be used as a condition. To specify multiple bucket tags as multiple conditions, you must add oss:BucketTag/ before each bucket tag.
acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is enabled. Valid values: true and false.
oss:ExistingObjectTag | Specifies that the requested object has tags. A single tag can be used as a condition. To use multiple object tags, you must add oss:ExistingObjectTag/ before each tag. This condition applies to operations that read objects, such as GetObject and HeadObject, and to operations related to object tags, such as PutObjectTagging and GetObjectTagging.
oss:RequestObjectTag | The object tags in the request. A single tag can be used as a condition. To use multiple object tags, you must add oss:RequestObjectTag/ before each tag. This condition applies to operations that write objects, such as PutObject and PostObject, and to operations related to object tags, such as PutObjectTagging and GetObjectTagging.
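The Resource and Condition sections above list the wildcard rule, the conditional operators, and the condition keys, but not how they combine into a single allow-or-deny decision. The following Python is an added example written for this page, not Alibaba Cloud's authorization engine: a small evaluator that applies wildcard Action and Resource matching, the String, Numeric, Date, Bool, and IP operators from the table, and the usual statement semantics (a statement matches only when Action, Resource, and Condition all match; an explicit Deny overrides any Allow; a request no statement allows is denied) to a constructed policy and a set of constructed requests. The resource format acs:oss:{region}:{account-id}:{bucket}/{object}, the account ID 1234, the region cn-hangzhou, and the bucket name reports are assumptions of the example, as is the choice to treat a condition key that is absent from the request as not matching.

```python
"""Evaluate OSS RAM policy statements against a request context.

Added example, not Alibaba Cloud's own authorization engine. It models
the semantics described in the text: a statement matches when its Action,
Resource, and Condition all match; an explicit Deny wins over any Allow;
a request no statement allows is denied. Assumed (not on the page): the
resource format acs:oss:{region}:{account-id}:{bucket}/{object}, the
sample account ID 1234, region cn-hangzhou, and bucket name reports.
"""
import ipaddress
import re
from datetime import datetime
from typing import Optional

_CMP = {
    "Equals": lambda a, b: a == b,
    "NotEquals": lambda a, b: a != b,
    "LessThan": lambda a, b: a < b,
    "LessThanEquals": lambda a, b: a <= b,
    "GreaterThan": lambda a, b: a > b,
    "GreaterThanEquals": lambda a, b: a >= b,
}


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def wildcard_match(pattern: str, value: str) -> bool:
    """RAM-style matching: '*' matches any run of characters, everything
    else is literal (so '[' or '?' in an object key are not special)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _parse_dt(text: str) -> datetime:
    # ISO 8601 with a 'Z' or numeric UTC offset, as acs:CurrentTime uses.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def match_operator(operator: str, expected: str, actual: str) -> bool:
    """Apply one conditional operator from the table to one value pair."""
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringNotEquals":
        return actual != expected
    if operator == "StringEqualsIgnoreCase":
        return actual.lower() == expected.lower()
    if operator == "StringNotEqualsIgnoreCase":
        return actual.lower() != expected.lower()
    if operator == "StringLike":
        return wildcard_match(expected, actual)
    if operator == "StringNotLike":
        return not wildcard_match(expected, actual)
    if operator == "Bool":
        return str(actual).lower() == expected.lower()
    if operator in ("IpAddress", "NotIpAddress"):
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        return inside if operator == "IpAddress" else not inside
    if operator.startswith("Numeric"):
        return _CMP[operator[len("Numeric"):]](float(actual), float(expected))
    if operator.startswith("Date"):
        return _CMP[operator[len("Date"):]](_parse_dt(actual), _parse_dt(expected))
    raise ValueError(f"unsupported conditional operator: {operator}")


def condition_matches(condition: Optional[dict], ctx: dict) -> bool:
    """Operators and keys are ANDed; the values of one key are ORed.
    Simplification assumed here: a key absent from the request never matches."""
    for operator, keys in (condition or {}).items():
        for key, values in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if not any(match_operator(operator, str(v), str(actual)) for v in _as_list(values)):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Return 'Allow' or 'Deny' for one request (default deny, Deny wins)."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(wildcard_match(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(wildcard_match(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not condition_matches(statement.get("Condition"), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample policy: list and read the 2024/ reports from the
# 10.0.0.0/8 range only, and refuse any plaintext-HTTP access to the bucket.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:ListObjects"],
         "Resource": "acs:oss:*:1234:reports",
         "Condition": {"StringLike": {"oss:Prefix": "2024/*"},
                       "IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
        {"Effect": "Allow", "Action": "oss:GetObject",
         "Resource": "acs:oss:*:1234:reports/2024/*",
         "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}},
        {"Effect": "Deny", "Action": "oss:*",
         "Resource": ["acs:oss:*:*:reports", "acs:oss:*:*:reports/*"],
         "Condition": {"Bool": {"acs:SecureTransport": "false"}}},
    ],
}


def arn(bucket: str, key: Optional[str] = None, account: str = "1234") -> str:
    # Concrete request resource (constructed); the region is spelled out
    # here while the policy uses '*' in that position, as the text requires.
    base = f"acs:oss:cn-hangzhou:{account}:{bucket}"
    return base if key is None else f"{base}/{key}"


if __name__ == "__main__":
    https_lan = {"acs:SourceIp": "10.1.2.3", "acs:SecureTransport": "true"}
    print(evaluate(SAMPLE_POLICY, "oss:GetObject", arn("reports", "2024/q1.csv"), https_lan))
```

Two points worth noticing when you run it: the Deny statement on acs:SecureTransport false keeps the HTTPS requirement in force even if some other Allow statement is attached to the user later, which a Bool true condition on the Allow alone does not guarantee; and a ListObjects request that carries no oss:Prefix at all is denied, because the condition key is missing from the request, which is why a prefix-scoped listing grant must be paired with a client that always sends the prefix.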