Resource Access Management (RAM) policies are user-based authorization policies that control access to your Object Storage Service (OSS) resources. This topic describes how to effectively manage permissions using RAM policies.
Background information
Syntax and structure of RAM policies
A RAM policy contains a version number (Version) and one or more statements (Statement). Each statement contains an effect (Effect), an action (Action), a resource (Resource), and an optional condition (Condition). For more information about the syntax and structure of access policies, see Policy structure and syntax.
The Version, Statement, and Effect elements in RAM policies for OSS are used in the same way as they are in other RAM policies. For more information about the Action, Resource, and Condition elements, see the OSS Action classification, OSS Resource description, and OSS Condition description sections below.
Common RAM policies for OSS
AliyunOSSFullAccess: Grants a RAM user full management permissions on OSS resources.
AliyunOSSReadOnlyAccess: Grants a RAM user read-only access permissions on OSS resources.
Access control methods for OSS
For more information about the access control methods that OSS supports, see Access control.
OSS Action classification
Actions are categorized as service-level, bucket-level, or object-level operations.
Service-level operations
| API | Action | Description |
| --- | --- | --- |
| | oss:ListBuckets | Lists all buckets that belong to the requester. |
| | oss:ListUserDataRedundancyTransition | Lists all storage redundancy conversion tasks of the requester. |
| None | oss:ActivateProduct | Activates OSS and Content Moderation. |
| None | oss:CreateOrder | Creates an order for an OSS resource plan. |
| | oss:PutPublicAccessBlock | Enables Block Public Access for all OSS resources that belong to your account. |
| | oss:GetPublicAccessBlock | Queries the Block Public Access configuration for all OSS resources that belong to your account. |
| | oss:DeletePublicAccessBlock | Deletes the Block Public Access configuration for all OSS resources that belong to your account. |
Bucket-level operations
| API | Action | Description |
| --- | --- | --- |
| | oss:PutBucket | Creates a bucket. |
| | oss:ListObjects | Lists information about all objects in a bucket. |
| | oss:GetBucketInfo | Queries information about a bucket. |
| | oss:GetBucketLocation | Queries the location of a bucket. |
| | oss:GetBucketStat | Queries the storage capacity of a bucket and the number of objects in the bucket. |
| | oss:PutBucketVersioning | Configures the versioning state for a bucket. |
| | oss:GetBucketVersioning | Queries the versioning state of a bucket. |
| | oss:ListObjectVersions | Lists information about all versions of objects, including delete markers, in a bucket. |
| | oss:PutBucketAcl | Sets or modifies the access control list (ACL) of a bucket. |
| | oss:GetBucketAcl | Queries the ACL of a bucket. |
| | oss:DeleteBucket | Deletes a bucket. |
| | oss:InitiateBucketWorm | Creates a retention policy. |
| | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
| | oss:CompleteBucketWorm | Locks a retention policy. |
| | oss:ExtendBucketWorm | Extends the retention period of objects in a bucket for which a retention policy is locked. |
| | oss:GetBucketWorm | Queries information about a retention policy. |
| | oss:PutBucketLogging | Enables log storage for a bucket. |
| | oss:PutObject | When you enable log storage for a source bucket, specifies that the logs from the source bucket are written to a destination bucket. |
| | oss:GetBucketLogging | Queries the log storage configuration of a bucket. |
| | oss:DeleteBucketLogging | Disables log storage for a bucket. |
| | oss:PutBucketWebsite | Configures a bucket to host a static website and configures redirection rules for the bucket. |
| | oss:GetBucketWebsite | Queries the static website hosting status and redirection rules of a bucket. |
| | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and deletes the redirection rules of the bucket. |
| | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
| | oss:GetBucketReferer | Queries the hotlink protection (Referer) configuration of a bucket. |
| | oss:PutBucketLifecycle | Configures lifecycle rules for a bucket. |
| | oss:GetBucketLifecycle | Queries the lifecycle rules of a bucket. |
| | oss:DeleteBucketLifecycle | Deletes the lifecycle rules of a bucket. |
| | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
| | oss:GetBucketTransferAcceleration | Queries the transfer acceleration configuration of a bucket. |
| | oss:ListMultipartUploads | Lists all in-progress multipart upload events. In-progress multipart upload events are multipart upload events that are initiated but not completed or aborted. |
| | oss:PutBucketCors | Configures cross-origin resource sharing (CORS) rules for a bucket. |
| | oss:GetBucketCors | Queries the current CORS rules of a bucket. |
| | oss:DeleteBucketCors | Disables CORS for a bucket and deletes all CORS rules of the bucket. |
| | oss:PutBucketPolicy | Configures a bucket policy for a bucket. |
| | oss:GetBucketPolicy | Queries the bucket policy of a bucket. |
| | oss:DeleteBucketPolicy | Deletes the bucket policy of a bucket. |
| | oss:PutBucketTagging | Adds or modifies the tags of a bucket. |
| | oss:GetBucketTagging | Queries the tags of a bucket. |
| | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
| | oss:PutBucketEncryption | Configures encryption rules for a bucket. |
| | oss:GetBucketEncryption | Queries the encryption rules of a bucket. |
| | oss:DeleteBucketEncryption | Deletes the encryption rules of a bucket. |
| | oss:PutBucketRequestPayment | Configures the pay-by-requester mode. |
| | oss:GetBucketRequestPayment | Queries the pay-by-requester configuration. |
| | oss:PutBucketReplication | Configures a data replication rule for a bucket. |
| | oss:ReplicateGet | Configures cross-account data replication rules for a bucket or specifies the RAM role for replication. |
| | oss:PutBucketRTC | Enables or disables replication time control (RTC) for an existing cross-region replication rule. |
| | oss:GetBucketReplication | Queries the data replication rules that are configured for a bucket. |
| | oss:DeleteBucketReplication | Stops data replication for a bucket and deletes the replication configuration of the bucket. |
| | oss:GetBucketReplicationLocation | Queries the regions where destination buckets for replication can be located. |
| | oss:GetBucketReplicationProgress | Queries the data replication progress of a bucket. |
| | oss:PutBucketInventory | Configures inventory rules for a bucket. |
| | oss:GetBucketInventory | Queries a specified inventory task of a bucket. |
| | oss:GetBucketInventory | Queries all inventory tasks of a bucket in a batch. |
| | oss:DeleteBucketInventory | Deletes a specified inventory task of a bucket. |
| | oss:PutBucketAccessMonitor | Configures the access tracking status of a bucket. |
| | oss:GetBucketAccessMonitor | Queries the access tracking status of a bucket. |
| | oss:OpenMetaQuery | Enables metadata management for a bucket. |
| | oss:GetMetaQueryStatus | Queries information about the metadata index of a bucket. |
| | oss:DoMetaQuery | Queries objects that meet specified conditions and lists object information based on specified fields and sorting methods. |
| | oss:CloseMetaQuery | Disables metadata management for a bucket. |
| | oss:InitUserAntiDDosInfo | Creates an Anti-DDoS for OSS instance. |
| | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS for OSS instance. |
| | oss:GetUserAntiDDosInfo | Queries information about the Anti-DDoS for OSS instances that belong to a specified account. |
| | oss:InitBucketAntiDDosInfo | Initializes protection for a bucket. |
| | oss:UpdateBucketAntiDDosInfo | Updates the protection status of a bucket. |
| | oss:ListBucketAntiDDosInfo | Queries the list of protection information for a bucket. |
| | oss:PutBucketResourceGroup | Specifies the resource group to which a bucket belongs. |
| | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
| | oss:CreateCnameToken | Creates a CNAME token that is required to verify the ownership of a domain name. |
| | oss:GetCnameToken | Queries a created CNAME token. |
| | oss:PutCname | Binds a custom domain name to a bucket. |
| | yundun-cert:DescribeSSLCertificatePrivateKey, yundun-cert:DescribeSSLCertificatePublicKeyDetail, yundun-cert:CreateSSLCertificate | Binds a certificate when you bind a custom domain name to a bucket. |
| | oss:ListCname | Queries the list of all custom domain names (Cnames) that are bound to a bucket. |
| | oss:DeleteCname | Deletes a Cname that is bound to a bucket. |
| | oss:PutStyle | Configures an image style. |
| | oss:GetStyle | Queries an image style. |
| | oss:ListStyle | Lists image styles. |
| | oss:DeleteStyle | Deletes an image style. |
| | oss:PutBucketArchiveDirectRead | Enables or disables real-time access of Archive objects for a bucket. |
| | oss:GetBucketArchiveDirectRead | Queries whether real-time access of Archive objects is enabled for a bucket. |
| | oss:CreateAccessPoint | Creates an access point. |
| | oss:GetAccessPoint | Queries information about a single access point. |
| | oss:DeleteAccessPoint | Deletes an access point. |
| | oss:ListAccessPoints | Queries information about user-level and bucket-level access points. |
| | oss:PutAccessPointPolicy | Configures a policy for an access point. |
| | oss:GetAccessPointPolicy | Queries information about the policy for an access point. |
| | oss:DeleteAccessPointPolicy | Deletes the policy for an access point. |
| | oss:PutBucketHttpsConfig | Enables or disables TLS version settings for a bucket. |
| | oss:GetBucketHttpsConfig | Queries the TLS version settings of a bucket. |
| None | oss:ReplicateList | The list permission involved in the replication process. This permission allows OSS to list the historical data in the source bucket and then replicate the historical data one by one. |
| | oss:CreateAccessPointForObjectProcess | Creates an object FC access point. |
| | oss:GetAccessPointForObjectProcess | Queries basic information about an object FC access point. |
| | oss:DeleteAccessPointForObjectProcess | Deletes an object FC access point. |
| | oss:ListAccessPointsForObjectProcess | Queries information about user-level object FC access points. |
| | oss:PutAccessPointConfigForObjectProcess | Modifies the configuration of an object FC access point. |
| | oss:GetAccessPointConfigForObjectProcess | Queries the configuration of an object FC access point. |
| | oss:PutAccessPointPolicyForObjectProcess | Configures a permission policy for an object FC access point. |
| | oss:GetAccessPointPolicyForObjectProcess | Queries the permission policy configuration of an object FC access point. |
| | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the permission policy of an object FC access point. |
| | oss:WriteGetObjectResponse | Customizes the returned data and response headers. |
| | oss:CreateBucketDataRedundancyTransition | Creates a storage redundancy conversion task. |
| | oss:GetBucketDataRedundancyTransition | Queries a storage redundancy conversion task. |
| | oss:DeleteBucketDataRedundancyTransition | Deletes a storage redundancy conversion task. |
| | oss:ListBucketDataRedundancyTransition | Lists all storage redundancy conversion tasks in a bucket. |
| | oss:PutBucketPublicAccessBlock | Enables Block Public Access for a bucket. |
| | oss:GetBucketPublicAccessBlock | Queries the Block Public Access configuration of a bucket. |
| | oss:DeleteBucketPublicAccessBlock | Deletes the Block Public Access configuration of a bucket. |
| | oss:PutAccessPointPublicAccessBlock | Enables Block Public Access for an access point. |
| | oss:GetAccessPointPublicAccessBlock | Queries the Block Public Access configuration of an access point. |
| | oss:DeleteAccessPointPublicAccessBlock | Deletes the Block Public Access configuration of an access point. |
| | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access. |
Object-level operations
| API | Action | Description |
| --- | --- | --- |
| | oss:PutObject | Uploads an object. |
| | oss:PutObjectTagging | Specifies the tags of an object using the x-oss-tagging header when you upload the object. |
| | kms:GenerateDataKey, kms:Decrypt | Specifies that the metadata of an object includes X-Oss-Server-Side-Encryption: KMS when you upload the object. |
| | oss:PutObject | Uploads an object to a specified bucket using an HTML form. |
| | oss:PutObject | Uploads an object using append upload. |
| | oss:PutObjectTagging | Specifies the tags of an object using the x-oss-tagging header when you upload the object using append upload. |
| | oss:PutObject | Initiates a multipart upload task. |
| | oss:PutObjectTagging | Specifies the tags of an object using the x-oss-tagging header when you initiate a multipart upload task. |
| | kms:GenerateDataKey, kms:Decrypt | Specifies that the metadata of an object includes X-Oss-Server-Side-Encryption: KMS when you initiate a multipart upload task. |
| | oss:PutObject | Uploads data in parts based on the specified object name and upload ID. |
| | oss:PutObject | After all parts of an object are uploaded, you must call this operation to complete the multipart upload of the object. |
| | oss:PutObjectTagging | After all parts of an object are uploaded, you must call this operation to complete the multipart upload of the object and specify the tags of the object. |
| | oss:AbortMultipartUpload | Aborts a multipart upload event and deletes the uploaded parts. |
| | oss:PutObject | Creates a symbolic link for a target object in OSS. |
| | oss:PutObjectTagging | Creates a symbolic link with specified object tags for a target object in OSS. |
| | oss:GetObject | Queries an object. |
| | kms:Decrypt | Downloads an object that is encrypted using a specified KMS key. |
| | oss:GetObjectVersion | Downloads a specified version of an object. |
| | oss:GetObject | Queries the metadata of an object. |
| | oss:GetObject | Queries the metadata of an object, including the ETag, size, and last modified time of the object. |
| | oss:GetObject | Executes an SQL statement on a target object and returns the result. |
| | oss:GetObject | Queries the symbolic link of a target object. |
| | oss:DeleteObject | Deletes an object. |
| | oss:DeleteObjectVersion | Deletes a specified version of an object. |
| | oss:DeleteObject | Deletes multiple objects from a bucket. |
| | oss:GetObject, oss:PutObject | Copies an object to the same bucket or a different bucket in the same region. |
| | oss:GetObjectVersion | Copies a specified version of an object to the same bucket or a different bucket in the same region. |
| | oss:GetObjectTagging, oss:PutObjectTagging | Copies an object with specified tags to the same bucket or a different bucket in the same region. |
| | kms:GenerateDataKey, kms:Decrypt | Specifies that the metadata of the destination object includes X-Oss-Server-Side-Encryption: KMS when you copy an object. |
| | oss:GetObjectVersionTagging | Copies a specified tagged version of an object to the same bucket or a different bucket in the same region. |
| | oss:GetObject, oss:PutObject | Calls the UploadPartCopy operation by adding the x-oss-copy-source request header to an UploadPart request to copy data from an existing object to upload a part. |
| | oss:GetObjectVersion | Calls the UploadPartCopy operation by adding the x-oss-copy-source request header to an UploadPart request to copy data from a specified version of an existing object to upload a part. |
| | oss:ListParts | Lists all successfully uploaded parts that belong to a specified upload ID. |
| | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
| | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object in a bucket. |
| | oss:GetObjectAcl | Queries the ACL of an object in a bucket. |
| | oss:GetObjectVersionAcl | Queries the ACL of a specified version of an object in a bucket. |
| | oss:RestoreObject | Restores an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| | oss:RestoreObjectVersion | Restores a specified version of an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| | oss:PutObjectTagging | Sets or updates the tags of an object. |
| | oss:PutObjectVersionTagging | Sets or updates the tags of a specified version of an object. |
| | oss:GetObjectTagging | Queries the tags of an object. |
| | oss:GetObjectVersionTagging | Queries the tags of a specified version of an object. |
| | oss:DeleteObjectTagging | Deletes the tags of a specified object. |
| | oss:DeleteObjectVersionTagging | Deletes the tags of a specified version of an object. |
| | oss:PutLiveChannel | Before you upload audio and video data over RTMP, you must call this operation to create a LiveChannel. |
| | oss:ListLiveChannel | Lists specified LiveChannels. |
| | oss:DeleteLiveChannel | Deletes a specified LiveChannel. |
| | oss:PutLiveChannelStatus | Switches the status between enabled and disabled. |
| | oss:GetLiveChannel | Queries the configuration of a specified LiveChannel. |
| | oss:GetLiveChannelStat | Queries the stream ingest status of a specified LiveChannel. |
| | oss:GetLiveChannelHistory | Queries the stream ingest records of a specified LiveChannel. |
| | oss:PostVodPlaylist | Generates a playlist for video-on-demand (VOD) for a specified LiveChannel. |
| | oss:GetVodPlaylist | Queries the playlist that is generated by the streams ingested to a specified LiveChannel within a specified time range. |
| None | oss:PublishRtmpStream | Pushes audio and video data streams to RTMP. |
| None | oss:ProcessImm | The permission to process data using IMM in OSS. |
| | oss:GetObject | Grants the permission to process data using IMM through POST requests. |
| | oss:PutObject | Grants the permission to process data using the SaveAs feature of IMM. |
| | oss:PostProcessTask | Saves a processed image to a specified bucket. |
| | imm:CreateOfficeConversionTask | Grants the permission to use IMM to convert documents or create snapshots. |
| | imm:GenerateWebofficeToken | Obtains the access token for WebOffice. |
| | imm:RefreshWebofficeToken | Refreshes the access token for WebOffice. |
| None | oss:ReplicateGet | The read permission involved in the replication process. This permission allows OSS to read data and metadata from the source and destination buckets, including objects, parts, and multipart uploads. |
| None | oss:ReplicatePut | The write permission involved in the replication process. This permission allows OSS to perform replication-related write operations on the destination bucket, such as writing objects, multipart uploads, parts, and symbolic links, and modifying metadata. |
| None | oss:ReplicateDelete | The delete permission involved in the replication process. This permission allows OSS to perform replication-related delete operations on the destination bucket, such as DeleteObject, AbortMultipartUpload, and DeleteMarker. Important: This action is required only if you set Data Replication Method to Sync Add/Delete/Modify Operations. |
Resource pool QoS
| API | Action | Description |
| --- | --- | --- |
| | oss:PutBucketQoSInfo | Configures throttling for a bucket in a resource pool. |
| | oss:GetBucketQoSInfo | Queries the throttling configuration of a bucket in a resource pool. |
| | oss:DeleteBucketQoSInfo | Deletes the throttling configuration of a specified bucket in a resource pool. |
| | oss:PutBucketRequesterQoSInfo | Configures bucket-level throttling for a requester. |
| | oss:GetBucketRequesterQoSInfo | Queries the bucket-level throttling configuration for a specified requester. |
| | oss:ListBucketRequesterQoSInfo | Queries the bucket-level throttling configurations for all requesters. |
| | oss:DeleteBucketRequesterQoSInfo | Deletes the throttling configuration of a requester for a bucket. |
| | oss:ListResourcePools | Queries information about all resource pools that belong to the current account. |
| | oss:GetResourcePoolInfo | Queries the throttling configuration of a specified resource pool. |
| | oss:ListResourcePoolBuckets | Queries the list of buckets that are included in a specified resource pool. |
| | oss:PutResourcePoolRequesterQoSInfo | Configures throttling for a requester of a resource pool. |
| | oss:GetResourcePoolRequesterQoSInfo | Queries the throttling configuration of a specified requester in a resource pool. |
| | oss:ListResourcePoolRequesterQoSInfos | Queries the throttling configurations of all requesters in a resource pool. |
| | oss:DeleteResourcePoolRequesterQoSInfo | Deletes the throttling configuration of a specified requester in a resource pool. |
Vector buckets
| API | Action | Description |
| --- | --- | --- |
| PutVectorBucket | oss:PutVectorBucket | Creates a vector bucket. |
| GetVectorBucket | oss:GetVectorBucket | Queries the details of a vector bucket. |
| ListVectorBuckets | oss:ListVectorBuckets | Lists all vector buckets that belong to the requester. |
| DeleteVectorBucket | oss:DeleteVectorBucket | Deletes a vector bucket. |
| | oss:PutBucketLogging | Enables log storage for a vector bucket. |
| | oss:PutObject | When you enable log storage for a source vector bucket, specifies that the logs from the source vector bucket are written to a destination bucket. |
| | oss:GetBucketLogging | Queries the log storage configuration of a vector bucket. |
| | oss:DeleteBucketLogging | Disables log storage for a vector bucket. |
| | oss:PutBucketPolicy | Configures an authorization policy for a specified vector bucket. |
| | oss:GetBucketPolicy | Queries the authorization policy of a specified vector bucket. |
| | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified vector bucket. |
| PutVectorIndex | oss:PutVectorIndex | Creates a vector index. |
| GetVectorIndex | oss:GetVectorIndex | Queries the details of a vector index. |
| ListVectorIndexes | oss:ListVectorIndexes | Lists all vector indexes in a vector bucket. |
| DeleteVectorIndex | oss:DeleteVectorIndex | Deletes a vector index. |
| PutVectors | oss:PutVectors | Writes vector data. |
| GetVectors | oss:GetVectors | Queries specified vector data. |
| ListVectors | oss:ListVectors | Lists all vector data in a vector index. |
| QueryVectors | oss:QueryVectors | Performs a vector similarity search. |
| DeleteVectors | oss:DeleteVectors | Deletes specified vector data from a vector index. |
OSS Resource description
In OSS, a resource can be a single resource or a set of resources. The asterisk (*) wildcard character is supported. A single RAM policy can contain multiple resources.
Buckets
| Classification | Format | Example |
| --- | --- | --- |
| Bucket-level | | |
| Object-level | | |
| Resource pool-level | | |
Vector buckets
| Resource level | Format | Example |
| --- | --- | --- |
| All vector resources | | |
| Vector bucket | | |
| Vector index | | |
| Vector data | | |
The region field can only be set to the asterisk (*) wildcard character.
OSS Condition description
The OSS Condition element specifies the conditions under which a policy takes effect. It consists of a conditional operator type, a condition key, and a condition value.
The following tables describe the conditional operator types and condition keys for OSS.
Conditional operator types
| Conditional operator type | Supported types |
| --- | --- |
| String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
| Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
| Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
| Boolean | Bool |
| IP address | IpAddress, NotIpAddress, IpAddressIncludeBorder |
Condition keys
Condition key
Description
acs:SourceIp
Specifies a standard IP address range. The asterisk (*) wildcard character is supported.
acs:SourceVpc
Specifies a VPC. You can set this to a specific VPC ID or vpc-*.
Important: When you use acs:SourceVpc to restrict access from a VPC, make sure that the region of the VPC is a region where gateway endpoints are supported by OSS. Otherwise, authentication requests cannot be associated with the VPC, which causes authentication failures. For more information about the regions where gateway endpoints are supported by OSS, see Regions that support gateway endpoints.
acs:UserAgent
Specifies the HTTP User-Agent header.
Type: string.
acs:CurrentTime
The time when the request arrives at the OSS server.
Format: ISO 8601.
acs:SecureTransport
The protocol type of the request. Valid values:
true: Only HTTPS requests are allowed.
false: Only HTTP requests are allowed.
If acs:SecureTransport is not set, both HTTP and HTTPS requests are allowed.
oss:x-oss-acl
Restricts the type of bucket ACL. Valid values:
private: Specifies that access is private.
public-read
public-read-write: Grants public read and write permissions.
For more information, see Bucket ACL.
oss:x-oss-object-acl
Restricts the type of object ACL. Valid values:
private
public-read
public-read-write: All users can read and write.
default: The object inherits the ACL of the bucket.
For more information, see Object ACL.
oss:Prefix
Used in a ListObjects request to list objects with a specified prefix.
oss:Delimiter
Used in a ListObjects request to group object names by a character.
acs:AccessId
The AccessId carried in the request.
oss:BucketTag
The bucket tag.
A single bucket tag can be used as a condition. When you set multiple bucket tags, you must add oss:BucketTag/ before each bucket tag to form multiple conditions.
acs:MFAPresent
Specifies whether multi-factor authentication (MFA) is enabled.
Valid values:
true: MFA is enabled.
false: MFA is not enabled.
oss:ExistingObjectTag
The requested object has existing tags.
A single object tag can be used as a condition. When you use multiple object tags, you must add oss:ExistingObjectTag/ before each tag. This condition key is mainly used for operations that read files, such as GetObject and HeadObject, and for object tagging operations, such as PutObjectTagging and GetObjectTagging.
oss:RequestObjectTag
The object tags carried in the request.
A single object tag can be used as a condition. When you use multiple object tags, you must add oss:RequestObjectTag/ before each tag. This condition key is mainly used for operations that write files, such as PutObject and PostObject, and for object tagging operations, such as PutObjectTagging and GetObjectTagging.
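As an added example that is not part of this page or of Alibaba Cloud's own tooling, the following Python evaluator ties the sections above together: it walks a policy's Version/Statement/Effect/Action/Resource/Condition structure, applies the wildcard matching of Action and Resource, and implements the conditional operator types and condition keys listed above, with an explicit Deny overriding an Allow. The sample policy, the request context values, and the acs:oss:<region>:<account>:<bucket>/<object> resource form are assumptions constructed for the example; such an evaluator lets you regression-test a least-privilege policy (for instance, that a guardrail Deny on oss:x-oss-acl really blocks a public bucket ACL) before attaching it to a RAM user.

```python
import fnmatch
import ipaddress
from datetime import datetime

# Comparators shared by the Numeric* and Date* operator families on the page.
_CMP = {"Equals": lambda a, e: a == e, "NotEquals": lambda a, e: a != e,
        "LessThan": lambda a, e: a < e, "LessThanEquals": lambda a, e: a <= e,
        "GreaterThan": lambda a, e: a > e, "GreaterThanEquals": lambda a, e: a >= e}

def _ip_in(actual, expected):
    # acs:SourceIp takes a CIDR range or, as the page notes, a '*' wildcard.
    if "*" in expected:
        return fnmatch.fnmatchcase(actual, expected)
    return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)

def match_operator(op, expected, actual):
    """Apply one conditional operator type to a single expected/actual pair."""
    if op.startswith("String"):
        kind = op[6:]
        neg = kind.startswith("Not")
        kind = kind[3:] if neg else kind
        a, e = (actual.lower(), expected.lower()) if kind == "EqualsIgnoreCase" else (actual, expected)
        return (fnmatch.fnmatchcase(a, e) if kind == "Like" else a == e) != neg
    if op.startswith("Numeric"):
        return _CMP[op[7:]](float(actual), float(expected))
    if op.startswith("Date"):  # acs:CurrentTime is ISO 8601; accept a trailing 'Z'
        iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
        return _CMP[op[4:]](iso(actual), iso(expected))
    if op == "Bool":
        return str(actual).lower() == str(expected).lower()
    if op in ("IpAddress", "NotIpAddress"):
        return _ip_in(actual, expected) == (op == "IpAddress")
    raise ValueError(f"unsupported operator: {op}")

def _listify(v):
    return v if isinstance(v, list) else [v]

def condition_holds(condition, ctx):
    """Every operator block and key must hold (AND); any listed value may match (OR)."""
    for op, keys in condition.items():
        for key, values in keys.items():
            if key not in ctx:  # attribute absent from the request: condition fails
                return False
            if not any(match_operator(op, v, ctx[key]) for v in _listify(values)):
                return False
    return True

def statement_applies(stmt, action, resource, ctx):
    # Action and Resource accept the '*' wildcard; fnmatch provides that matching.
    return (any(fnmatch.fnmatchcase(action, p) for p in _listify(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _listify(stmt["Resource"]))
            and condition_holds(stmt.get("Condition", {}), ctx))

def evaluate(policy, action, resource, ctx):
    """Explicit Deny beats Allow; with no matching statement the request is implicitly denied."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"

# Constructed sample policy (assumed acs:oss:<region>:<account>:<bucket>/<object> resource
# form): bucket access over HTTPS from one office range, plus a guardrail Deny on public ACLs.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:ListObjects", "oss:PutBucketAcl"],
         "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/*"],
         "Condition": {"Bool": {"acs:SecureTransport": "true"},
                       "IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}}},
        {"Effect": "Deny",
         "Action": "oss:PutBucketAcl",
         "Resource": "acs:oss:*:*:example-bucket",
         "Condition": {"StringEquals": {"oss:x-oss-acl": ["public-read", "public-read-write"]}}},
    ],
}
```

Feed it the action, the fully qualified resource string, and the request attributes you expect OSS to see (acs:SourceIp, acs:SecureTransport, oss:x-oss-acl, and so on) to confirm each statement behaves as intended.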