With RAM Policy, you can centrally manage your users (for example employees, systems or applications) and control which resources under your account they are allowed to access, for example by authorizing a RAM user to list and read the resources of a specific bucket.
Grant a custom permission policy to a RAM user
Create a custom permission policy.
Pick one of the common authorization examples listed below that fits your scenario, then create the custom permission policy in script mode. For details, see Create a custom permission policy.
For more information about the version number (Version) and authorization statements (Statement) a policy contains, and about the effect (Effect), action (Action), resource (Resource) and optional condition (Condition) inside a statement, see RAM Policy.
Important: In OSS, Resource supports the wildcard asterisk (*) to denote a class of resources. The Resource format is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}. For example, a Resource of acs:oss:*:*:mybucket/* denotes all resources in mybucket, and a Resource of acs:oss:*:*:mybucket/abc*.txt denotes all objects in mybucket whose names start with abc and end with .txt.
Grant the custom permission policy to the RAM user.
Example 1: Grant a RAM user full control of a bucket
The following example grants a RAM user full control of the bucket named mybucket.
For mobile applications, granting a user full control of a bucket carries very high risk and should be avoided wherever possible.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ]
}
Example 2: Deny a RAM user permission to delete a set of specified objects in a bucket
The following example denies a RAM user permission to delete all objects in the bucket named mybucket whose names start with abc and end with .txt.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/abc*.txt"
      ]
    }
  ]
}
Example 3: Grant a RAM user permission to list and read all resources in a bucket
Grant a RAM user permission to list and read a bucket's resources via the OSS SDK or the OSS command-line tool
The following example grants a RAM user permission to list and read all resources in the bucket named mybucket via the OSS SDK or the OSS command-line tool. Note: The ListObjects action requires the whole bucket as its Resource.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ListObjects",
      "Resource": "acs:oss:*:*:mybucket"
    },
    {
      "Effect": "Allow",
      "Action": "oss:GetObject",
      "Resource": "acs:oss:*:*:mybucket/*"
    }
  ]
}
Grant a RAM user permission to list and read a bucket's resources via the OSS console
The following example grants a RAM user permission to list and read all resources in the bucket named mybucket via the OSS console.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketLifecycle",
        "oss:GetBucketWorm",
        "oss:GetBucketVersioning",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:mybucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:mybucket/*"
    }
  ]
}
Example 4: Deny a RAM user permission to delete a bucket
The following example denies a RAM user permission to delete the bucket named mybucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteBucket"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket"
      ]
    }
  ]
}
Example 5: Grant a RAM user access to multiple directories in a bucket
Suppose the bucket that stores photos is mybucket. It contains directories named after the places where the photos were taken, and each of those directories contains year subdirectories.
mybucket[Bucket]
├── beijing
│   ├── 2014
│   └── 2015
├── hangzhou
│   ├── 2013
│   ├── 2014
│   └── 2015
└── qingdao
    ├── 2014
    └── 2015
You want to grant a RAM user read-only access to the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/. Directory-level authorization is an advanced feature; the complexity of the policy depends on the scenario, and the following scenarios can serve as references.
Grant the RAM user permission only to read the contents of objects in the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/
Because the RAM user knows the full object paths, it is recommended to read the objects in these directories directly by their full paths.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/hangzhou/2014/*",
        "acs:oss:*:*:mybucket/hangzhou/2015/*"
      ]
    }
  ]
}
Grant the RAM user permission to access the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ with the OSS command-line tool and list the objects in them
If the RAM user does not know which objects a directory contains, the user can retrieve the directory listing directly with the OSS command-line tool or the API; this scenario requires adding the ListObjects permission.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/hangzhou/2014/*",
        "acs:oss:*:*:mybucket/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "hangzhou/2014/*",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ]
}
Grant the RAM user permission to access the directories with the OSS console
When accessing the directories mybucket/hangzhou/2014/ and mybucket/hangzhou/2015/ through the OSS console, the RAM user starts at the root directory and enters the target directory level by level.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketLifecycle",
        "oss:GetBucketWorm",
        "oss:GetBucketVersioning",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/hangzhou/2014/*",
        "acs:oss:*:*:mybucket/hangzhou/2015/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Delimiter": "/",
          "oss:Prefix": [
            "",
            "hangzhou/",
            "hangzhou/2014/*",
            "hangzhou/2015/*"
          ]
        }
      }
    }
  ]
}
Example 6: Deny a RAM user permission to delete any object in a bucket
The following example denies a RAM user permission to delete any object in the bucket named mybucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket/*"
      ]
    }
  ]
}
Example 7: Deny a RAM user access to objects with specified tags
The following adds a Deny policy that denies a RAM user access to objects in the bucket examplebucket whose object tags are status:ok and key1:value1.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "oss:ExistingObjectTag/status": "ok",
          "oss:ExistingObjectTag/key1": "value1"
        }
      }
    }
  ]
}
Example 8: Grant a RAM user permission to access OSS from specific IP addresses
Add an IP address restriction to an Allow statement
The following example adds an IP address restriction to an Allow statement, granting a RAM user permission to read all resources in the bucket named mybucket only from the two IP ranges 192.168.0.0/16 and 198.51.100.0/24.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["192.168.0.0/16", "198.51.100.0/24"]
        }
      }
    }
  ]
}
Add an IP address restriction to a Deny statement
The following example adds an IP address restriction to a Deny statement, denying the RAM user any operation on OSS when the source IP address is outside 192.168.0.0/16.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": [
        "acs:oss:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject"
      ],
      "Resource": [
        "acs:oss:*:*:mybucket",
        "acs:oss:*:*:mybucket/*"
      ]
    },
    {
      "Effect": "Deny",
      "Action": "oss:*",
      "Resource": [
        "acs:oss:*:*:*"
      ],
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": ["192.168.0.0/16"]
        }
      }
    }
  ]
}
Note: Because policy evaluation gives Deny priority, when a visitor accesses the contents of mybucket from an IP address outside 192.168.0.0/16, OSS reports that the visitor has no permission.
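Added illustration (not OSS or RAM service code) of the evaluation rules this page relies on: the wildcard matching of Action and Resource from the Important note at the top, the oss:Prefix StringLike condition of Example 5, and the Deny-first rule in the note above. The two embedded policies are copied from this page, the request contexts are constructed, and the operator semantics (in particular that * matches any run of characters) are an assumption modelled on the page's descriptions.

```python
import fnmatch
import ipaddress
# Constructed copies of Example 8's Deny-with-IP policy and Example 5's ListObjects statement.
DENY_OUTSIDE_RANGE = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects", "oss:GetObject"],
     "Resource": ["acs:oss:*:*:mybucket", "acs:oss:*:*:mybucket/*"]},
    {"Effect": "Deny", "Action": "oss:*", "Resource": ["acs:oss:*:*:*"],
     "Condition": {"NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}}}]}
LIST_HANGZHOU = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": ["oss:ListObjects"], "Resource": ["acs:oss:*:*:mybucket"],
     "Condition": {"StringLike": {"oss:Prefix": ["hangzhou/2014/*", "hangzhou/2015/*"]}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns):
    # Assumption: the wildcard * matches any run of characters, including '/' and ':'.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    """True when every operator/key pair of a Condition block matches the request context."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            have, wanted = ctx.get(key), _as_list(wanted)
            if op == "StringEquals":
                ok = have in wanted
            elif op == "StringLike":
                ok = have is not None and _matches(have, wanted)
            elif op in ("IpAddress", "NotIpAddress"):
                inside = have is not None and any(
                    ipaddress.ip_address(have) in ipaddress.ip_network(c, strict=False)
                    for c in wanted)
                ok = inside if op == "IpAddress" else not inside
            else:
                raise ValueError(f"unsupported condition operator: {op}")
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Explicit Deny wins; otherwise a matching Allow grants; otherwise implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not (_matches(action, st["Action"]) and _matches(resource, st["Resource"])):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Running evaluate on the same request from 10.1.2.3 and from 192.168.5.9 shows the Deny statement overriding the Allow for the first address only, which is exactly the behaviour the note above describes.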
Example 9: Grant permissions to other users through RAM or STS
Use RAM or STS to authorize a user whose IP address is 192.168.0.1 to perform the following operations with a Java SDK client.
List the objects in examplebucket whose names start with foo.
Upload, download and delete objects in examplebucket whose names start with file.
A RAM Policy configuration matching this scenario:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetBucketAcl",
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:177530505652xxxx:mybucket"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:UserAgent": "java-sdk",
          "oss:Prefix": "foo"
        },
        "IpAddress": {
          "acs:SourceIp": "192.168.0.1"
        }
      }
    },
    {
      "Action": [
        "oss:PutObject",
        "oss:GetObject",
        "oss:DeleteObject"
      ],
      "Resource": [
        "acs:oss:*:177530505652xxxx:mybucket/file*"
      ],
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:UserAgent": "java-sdk"
        },
        "IpAddress": {
          "acs:SourceIp": "192.168.0.1"
        }
      }
    }
  ]
}
Example 10: Prevent uploaded objects from having a public-read or public-read-write ACL
The following RAM Policy prevents objects uploaded to examplebucket from being given an ACL of public-read or public-read-write.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:PutObject",
        "oss:PutObjectAcl"
      ],
      "Resource": [
        "acs:oss:*:*:examplebucket",
        "acs:oss:*:*:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "oss:x-oss-object-acl": [
            "public-read",
            "public-read-write"
          ]
        }
      }
    }
  ]
}
Example 11: Grant a RAM user permission to use IMM features
The following RAM Policy grants a RAM user permission to use IMM document processing.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:PostProcessTask",
        "oss:ProcessImm"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "imm:CreateOfficeConversionTask",
        "imm:GetWebofficeURL"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "acs:ram:*:*:role/aliyunimmdefaultrole"
    }
  ]
}
Example 12: Grant a RAM user permission to convert the storage redundancy type
Grant a RAM user permission to convert the storage redundancy type of a specific bucket.
The following example grants a RAM user permission to convert the storage redundancy type of mybucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:CreateBucketDataRedundancyTransition",
        "oss:GetBucketDataRedundancyTransition",
        "oss:ListBucketDataRedundancyTransition",
        "oss:DeleteBucketDataRedundancyTransition"
      ],
      "Resource": "acs:oss:*:*:mybucket"
    }
  ]
}
Grant a RAM user permission to convert the storage redundancy type of all buckets.
Important: The following example grants the RAM user permission to convert the storage redundancy type of every bucket under your Alibaba Cloud account; proceed with caution.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:CreateBucketDataRedundancyTransition",
        "oss:GetBucketDataRedundancyTransition",
        "oss:ListBucketDataRedundancyTransition",
        "oss:DeleteBucketDataRedundancyTransition"
      ],
      "Resource": "acs:oss:*:*:*"
    }
  ]
}
Example 13: Grant a RAM user permission to create orders for OSS resource plans, reserved capacity and region-independent reserved capacity
The following RAM Policy grants a RAM user permission to create orders for OSS resource plans, reserved capacity and region-independent reserved capacity.
After a RAM user creates such an order, the user can contact the Alibaba Cloud account owner to complete payment. To let the RAM user pay for OSS resource plan orders, the account owner must grant the RAM user the order-payment permission bss:PayOrder. bss:PayOrder is a high-risk permission involving financial operations; do not grant it unless necessary.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:CreateOrder",
      "Resource": "acs:oss:*:*:*"
    }
  ]
}
Example 14: Grant a RAM user permission to activate OSS
The following RAM Policy grants a RAM user permission to activate OSS.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:ActivateProduct",
      "Resource": "acs:oss:*:*:*"
    }
  ]
}