Bucket Policy is a bucket-level authorization policy provided by Alibaba Cloud OSS. With a Bucket Policy, you can authorize other users to access the OSS resources that you specify. For example, you can grant different RAM users under the same account or under other accounts, or anonymous users, different permissions to access or manage bucket resources, such as read-only or read/write permissions.

General description

In all of the examples below, the resource owner (the Bucket Owner whose UID is 174649585760xxxx) uses a Bucket Policy to grant different permissions to a specified user (for example, the RAM user whose UID is 27737962156157xxxx). Unlike a RAM Policy, a Bucket Policy also contains the Principal element, which specifies the users being authorized. The other elements of a Bucket Policy, such as Action and Condition, follow the syntax rules of RAM Policy. For details on how each element is used, see RAM Policy overview.

Notes

When you configure a Bucket Policy, if the authorized user (Principal) is set to the anonymous account (*) and the statement contains no Condition, the Bucket Policy takes effect for all users except the Bucket Owner. For details, see Example 3.

When you configure a Bucket Policy, if the authorized user (Principal) is set to the anonymous account (*) and the statement contains a Condition, the Bucket Policy takes effect for all users, including the Bucket Owner. For details, see Example 4.

Example 1: Grant specified RAM users read/write permissions on a bucket

The following example grants the RAM users whose UIDs are 27737962156157xxxx and 20214760404935xxxx read/write permissions on the target bucket examplebucket:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "oss:GetObject",
            "oss:PutObject",
            "oss:GetObjectAcl",
            "oss:PutObjectAcl",
            "oss:ListObjects",
            "oss:AbortMultipartUpload",
            "oss:ListParts",
            "oss:RestoreObject",
            "oss:GetVodPlaylist",
            "oss:PostVodPlaylist",
            "oss:PublishRtmpStream",
            "oss:ListObjectVersions",
            "oss:GetObjectVersion",
            "oss:GetObjectVersionAcl",
            "oss:RestoreObjectVersion"
        ],
        "Principal": [
            "27737962156157xxxx",
            "20214760404935xxxx"
        ],
        "Resource": [
            "acs:oss:*:174649585760xxxx:examplebucket/*"
        ]
    }, {
        "Effect": "Allow",
        "Action": [
            "oss:ListObjects",
            "oss:GetObject"
        ],
        "Principal": [
            "27737962156157xxxx",
            "20214760404935xxxx"
        ],
        "Resource": [
            "acs:oss:*:174649585760xxxx:examplebucket"
        ],
        "Condition": {
            "StringLike": {
                "oss:Prefix": [
                    "*"
                ]
            }
        }
    }]
}

Example 2: Grant a specified user read-only permissions on specified directories in a bucket

The following example grants the RAM user whose UID is 20214760404935xxxx read-only permissions on the hangzhou/2020 and shanghai/2015 directories in the target bucket examplebucket.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl"
            ],
            "Effect": "Allow",
            "Principal": [
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
            ]
        },
        {
            "Action": [
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Condition": {
                "StringLike": {
                    "oss:Prefix": [
                        "hangzhou/2020/*",
                        "shanghai/2015/*"
                    ]
                }
            },
            "Effect": "Allow",
            "Principal": [
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}

Example 3: Grant anonymous users only the permission to list all objects in a bucket

The following example grants anonymous users only the permission to list all objects in the target bucket examplebucket:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Effect": "Allow",
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}

Example 4: Deny any operation on a bucket from a specified IP address range

The following example denies anonymous users whose source IP addresses are outside the 192.168.0.0/16 range from performing any operation on the bucket examplebucket.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "oss:*",
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket"
            ],
            "Condition":{
                "NotIpAddress": {
                    "acs:SourceIp": ["192.168.0.0/16"]
                }
            }
        }
    ]
}