This topic describes how to use Resource Access Management (RAM) policies to control access to Object Storage Service (OSS) buckets, directories, and objects.
Background information
RAM policies are authorization policies configured based on users. You can configure RAM policies to manage users such as employees, systems, or applications. You can also specify the resources that the users can access. For example, you can create a RAM policy to grant users only read permissions on a bucket.
RAM policies are in the JSON format. A RAM policy includes the following fields:
Statement: the authorization statement. A RAM policy can include multiple authorization statements.
Effect: the effect of the RAM policy. Valid values: Allow and Deny.
Note: If a RAM policy includes an Allow statement and a Deny statement at the same time, the Deny statement takes precedence over the Allow statement.
Action: the authorized actions on resources.
We recommend that you use RAM Policy Editor to generate RAM policies. For more information, see RAM Policy Editor.
Compared with RAM policies, bucket policies can be configured in the OSS console. A bucket owner can grant other users permissions to access OSS resources. For more information, see Configure bucket policies to authorize other users to access OSS resources.
Buckets and directories
OSS uses a flat data model structure. All objects are stored in buckets. Directories and subdirectories used in hierarchical file systems do not exist in OSS. However, you can simulate a directory hierarchy in the OSS console to group, classify, and manage objects. The following figure shows sample directories in the OSS console.
OSS is a distributed object storage service in which objects are identified as key-value pairs. You can retrieve the content of an object based on the object name. For example, an object named oss-dg.pdf and the following directories are stored in a bucket named examplebucket: Development, Marketing, and Private.
When you create a directory, the OSS console creates an object whose key is in the DirectoryName/ format. When you upload an object to a directory, the OSS console sets the key of the object to the DirectoryName/ObjectName format. In the key, DirectoryName is the prefix and the forward slash (/) is the delimiter. You can list all objects sharing a common prefix and delimiter in the bucket. If you click a directory in the OSS console, the objects in the directory are listed, as shown in the following figure.
Note: To list the objects in the Development directory of the examplebucket bucket, the OSS console sends a request to OSS to list the objects whose names include the specified prefix Development and a forward slash (/) delimiter. In the preceding example, three objects that have the following keys are stored in the examplebucket bucket: Development/Alibaba Cloud.pdf, Development/ProjectA.docx, and Development/ProjectB.docx.
Before you start this tutorial, you must understand the concept of root-level bucket content. For example, the examplebucket bucket contains the following objects:
Development/Alibaba Cloud.pdf
Development/ProjectA.docx
Development/ProjectB.docx
Marketing/data2020.xlsx
Marketing/data2021.xlsx
Private/2017/images.zip
Private/2017/promote.pptx
oss-dg.pdf
The keys of these objects determine a logical hierarchy that has the Development, Marketing, and Private directories as root-level directories and oss-dg.pdf as a root-level object. If you click the bucket name in the OSS console, the common prefix and delimiter that are shared by multiple objects, such as Development/, Marketing/, and Private/, are displayed as root-level directories. The oss-dg.pdf object does not have a prefix. The object is displayed as a root-level object.
Requests and responses
Before you grant permissions to RAM users, you must understand how the OSS console interacts with OSS.
Send a request to access a bucket
When you click the examplebucket bucket in the OSS console, the OSS console sends a GetBucket(ListObjects) request to OSS.
Sample request
GET /?prefix=&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6q*******************:DNrn******************
In the preceding request, the value of the prefix parameter is left empty and the value of the delimiter parameter is a forward slash (/).
Sample response
HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
  <Name>examplebucket</Name>
  <Prefix></Prefix>
  <Marker></Marker>
  <MaxKeys>100</MaxKeys>
  <Delimiter>/</Delimiter>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>oss-dg.pdf</Key>
    ...
  </Contents>
  <CommonPrefixes>
    <Prefix>Development</Prefix>
  </CommonPrefixes>
  <CommonPrefixes>
    <Prefix>Marketing</Prefix>
  </CommonPrefixes>
  <CommonPrefixes>
    <Prefix>Private</Prefix>
  </CommonPrefixes>
</ListBucketResult>
Response parsing
The OSS console parses the response returned by OSS and displays the root-level objects and directories in the bucket.
Send a request to access a directory in the bucket
When you click the Development/ directory of the examplebucket bucket in the OSS console, the OSS console sends a GetBucket(ListObjects) request to OSS. The request includes the prefix and delimiter parameters.
Sample request
GET /?prefix=Development/&delimiter=/ HTTP/1.1
Host: examplebucket.oss-cn-hangzhou.aliyuncs.com
Date: Fri, 24 Feb 2012 08:43:27 GMT
Authorization: OSS qn6q*******************:DNrn******************
In the preceding request, the value of the prefix parameter is Development/ and the value of the delimiter parameter is a forward slash (/).
Sample response
In the response, OSS returns the objects whose keys include the specified prefix.
HTTP/1.1 200 OK
x-oss-request-id: 534B371674E88A4D8906****
Date: Fri, 7 Aug 2020 08:43:27 GMT
Content-Type: application/xml
Content-Length: 712
Connection: keep-alive
Server: AliyunOSS

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.oss-cn-hangzhou.aliyuncs.com">
  <Name>examplebucket</Name>
  <Prefix>Development/</Prefix>
  <Marker></Marker>
  <MaxKeys>100</MaxKeys>
  <Delimiter>/</Delimiter>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>ProjectA.docx</Key>
    ...
  </Contents>
  <Contents>
    <Key>ProjectB.docx</Key>
    ...
  </Contents>
  <Contents>
    <Key>Alibaba Cloud.pdf</Key>
    ...
  </Contents>
</ListBucketResult>
Response parsing
The OSS console parses the response returned by OSS and displays the objects in the Development/ directory.
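To make the prefix-and-delimiter listing from the two sections above concrete, the following is an added Python example (not code from this topic or from Alibaba Cloud) that emulates how OSS splits a flat key space into Contents and CommonPrefixes for the examplebucket keys listed earlier. Unlike the abbreviated sample responses, it returns full keys and common prefixes with the trailing delimiter, as the ListObjects API does.

```python
# Constructed sample: the object keys of examplebucket as listed in this topic.
EXAMPLEBUCKET_KEYS = [
    "Development/Alibaba Cloud.pdf",
    "Development/ProjectA.docx",
    "Development/ProjectB.docx",
    "Marketing/data2020.xlsx",
    "Marketing/data2021.xlsx",
    "Private/2017/images.zip",
    "Private/2017/promote.pptx",
    "oss-dg.pdf",
]


def list_objects(keys, prefix="", delimiter="/"):
    """Emulate a ListObjects call over a flat key space.

    Returns (contents, common_prefixes):
      contents        - keys that start with `prefix` and contain no further
                        `delimiter`: the objects shown at this "directory" level
      common_prefixes - distinct `prefix + segment + delimiter` values: the
                        simulated subdirectories at this level
    """
    contents = []
    common_prefixes = []
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        idx = rest.find(delimiter) if delimiter else -1
        if idx == -1:
            contents.append(key)
        else:
            cp = prefix + rest[: idx + len(delimiter)]
            if cp not in common_prefixes:  # each subdirectory reported once
                common_prefixes.append(cp)
    return contents, common_prefixes


if __name__ == "__main__":
    # Clicking the bucket: prefix="" -> one root-level object, three directories
    print(list_objects(EXAMPLEBUCKET_KEYS))
    # Clicking Development/: three objects, no subdirectories
    print(list_objects(EXAMPLEBUCKET_KEYS, prefix="Development/"))
    # Private/ contains only the nested 2017/ directory
    print(list_objects(EXAMPLEBUCKET_KEYS, prefix="Private/"))
```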
Scenarios
For example, you are the owner of the examplebucket bucket, and the access control list (ACL) of every object and directory in the bucket is private. You want to grant RAM user Anne the read and write permissions on the Development directory in the bucket and the subdirectories and objects in the directory. You want to grant RAM user Leo the read-only permissions on the Marketing directory and the subdirectories and objects in the directory. You also want to prevent all RAM users of the current Alibaba Cloud account from accessing the Private directory.
Step 1: Create a bucket and upload an object
Log on to the OSS console and create a bucket named examplebucket. For more information, see Create buckets.
Create the following directories: Development, Marketing, and Private. For more information, see Create directories.
Upload objects to the directories based on the following requirements:
Upload the oss-dg.pdf object to the root directory of the examplebucket bucket.
Upload the Alibaba Cloud.pdf, ProjectA.docx, and ProjectB.docx objects to the Development directory.
Upload the data2020.xlsx and data2021.xlsx objects to the Marketing directory.
Upload the images.zip and promote.pptx objects to the Private directory.
Step 2: Create RAM users Anne and Leo
Create RAM users Anne and Leo in the RAM console. For more information, see Create a RAM user.
Step 3: Grant RAM user Anne the read and write permissions on the Development directory
Attach the AllowAnneToReadAndWriteFolderDevelopment policy to RAM user Anne.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Enter the following policy document and click OK.
{
  "Version":"1",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "oss:ListObjects"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket"
      ],
      "Condition":{
        "StringLike":{
          "oss:Prefix":[
            "Development",
            "Development/*"
          ]
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket/Development/*"
      ]
    }
  ]
}
In the dialog box that appears, enter the name and description of the policy and click OK.
Attach the AllowAnneToReadAndWriteFolderDevelopment policy to RAM user Anne. For more information, see Grant permissions to a RAM user.
Step 4: Grant RAM user Leo the read-only permissions on the Marketing directory
Refer to Step 3 to create a custom policy named AllowLeoToReadAndWriteFolderMarketing. Grant RAM user Leo the read-only permissions on the Marketing directory and all objects in the Marketing directory by using the following policy:
{
  "Version":"1",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "oss:ListObjects"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket"
      ],
      "Condition":{
        "StringLike":{
          "oss:Prefix":[
            "Marketing",
            "Marketing/*"
          ]
        }
      }
    },
    {
      "Effect":"Allow",
      "Action":[
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket/Marketing/*"
      ]
    }
  ]
}
Step 5: Deny access from all RAM users in the current Alibaba Cloud account to the Private directory
Create a user group and add members to the user group. For more information, see Create a RAM user group and Add a RAM user to a RAM user group.
After you create the user group, add all RAM users within the Alibaba Cloud account to the user group.
Create a custom policy named DenyAllRamToAccessFolderPrivate.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
Enter the following policy document and click OK.
{
  "Version":"1",
  "Statement":[
    {
      "Effect":"Deny",
      "Action":[
        "oss:*"
      ],
      "Resource":[
        "acs:oss:*:*:examplebucket/Private/*"
      ],
      "Condition":{
      }
    },
    {
      "Effect":"Deny",
      "Action":[
        "oss:ListObjects"
      ],
      "Resource":[
        "acs:oss:*:*:*"
      ],
      "Condition":{
        "StringLike":{
          "oss:Prefix":[
            "Private/",
            "Private/*"
          ]
        }
      }
    }
  ]
}
In the dialog box that appears, enter the name and description of the policy and click OK.
Attach the DenyAllRamToAccessFolderPrivate policy to the user group. For more information, see Grant permissions to a RAM user group.
After you attach the policy to the user group, the RAM users in the user group cannot access the Private directory in the examplebucket bucket. When the RAM users send a request to list the Private/2017/images.zip and Private/2017/promote.pptx objects in the Private directory, OSS returns an error response.
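To check how the three policies from Steps 3 to 5 combine before attaching them, the following is an added Python example (not code from this topic or from Alibaba Cloud) that models the evaluation rules the topic states: wildcard matching of Action and Resource, the StringLike condition on oss:Prefix, Deny taking precedence over Allow, and implicit denial when nothing grants the request. It is a simplified model, not the RAM engine; the account ID in the resource ARN is a constructed value.

```python
from fnmatch import fnmatchcase

# The three policies from this topic, transcribed as Python literals.
ANNE_DEV = {"Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:examplebucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["Development", "Development/*"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject", "oss:GetObjectAcl"],
     "Resource": ["acs:oss:*:*:examplebucket/Development/*"]}]}
LEO_MKT = {"Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"],
     "Resource": ["acs:oss:*:*:examplebucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["Marketing", "Marketing/*"]}}},
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:GetObjectAcl"],
     "Resource": ["acs:oss:*:*:examplebucket/Marketing/*"]}]}
DENY_PRIVATE = {"Statement": [
    {"Effect": "Deny", "Action": ["oss:*"],
     "Resource": ["acs:oss:*:*:examplebucket/Private/*"], "Condition": {}},
    {"Effect": "Deny", "Action": ["oss:ListObjects"], "Resource": ["acs:oss:*:*:*"],
     "Condition": {"StringLike": {"oss:Prefix": ["Private/", "Private/*"]}}}]}

def _match(patterns, value):
    # "*" in Action, Resource and StringLike values is treated as a glob; case-sensitive.
    return any(fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource, ctx):
    if not _match(stmt["Action"], action) or not _match(stmt["Resource"], resource):
        return False
    # Every StringLike key must be present in the request and match one pattern.
    for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
        if key not in ctx or not _match(patterns, ctx[key]):
            return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """Explicit Deny wins; else Allow if any statement grants; else implicit Deny."""
    ctx = ctx or {}
    decision = "Deny"
    for pol in policies:
        for stmt in pol["Statement"]:
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision

BUCKET = "acs:oss:cn-hangzhou:123456:examplebucket"  # constructed ARN for the demo
if __name__ == "__main__":
    print(evaluate([ANNE_DEV, DENY_PRIVATE], "oss:ListObjects", BUCKET, {"oss:Prefix": "Development/"}))
    print(evaluate([LEO_MKT, DENY_PRIVATE], "oss:ListObjects", BUCKET, {"oss:Prefix": "Private/2017/"}))
```

Note that the Step 3 condition covers only the Development and Development/* prefixes, so a listing of the bucket root (empty prefix) is not granted by that policy; the evaluator reports Deny for it.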