Bucket Policy is the bucket-level authorization policy provided by Alibaba Cloud OSS. With a Bucket Policy you can grant other users access to the OSS resources you specify. For example, you can grant RAM users under the same account or under other accounts, or anonymous users, different permissions to access or manage bucket resources, such as read-only or read/write permissions.

General notes

All of the following are examples in which the resource owner (the bucket owner, UID 174649585760xxxx) uses a Bucket Policy to grant different permissions to specified users (for example, the RAM user with UID 27737962156157xxxx). Unlike a RAM Policy, a Bucket Policy also contains a Principal element that names the users being authorized. The other elements of a Bucket Policy, such as Action and Condition, follow the syntax rules of RAM Policy. For details on how each element is used, see RAM Policy overview.

Usage notes

When you configure a Bucket Policy whose authorized user (Principal) is the anonymous account (*) and which contains no Condition, the Bucket Policy applies to all users except the bucket owner. For details, see Example 3.

When you configure a Bucket Policy whose authorized user (Principal) is the anonymous account (*) and which does contain a Condition, the Bucket Policy applies to all users, including the bucket owner. For details, see Example 4.

Example 1: Grant specified RAM users read and write permissions on a bucket

The following example grants the RAM users with UIDs 27737962156157xxxx and 20214760404935xxxx read and write permissions on the target bucket examplebucket:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:PutObject",
                "oss:GetObjectAcl",
                "oss:PutObjectAcl",
                "oss:AbortMultipartUpload",
                "oss:ListParts",
                "oss:RestoreObject",
                "oss:GetVodPlaylist",
                "oss:PostVodPlaylist",
                "oss:PublishRtmpStream",
                "oss:ListObjectVersions",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl",
                "oss:RestoreObjectVersion"
            ],
            "Principal": [
                "27737962156157xxxx",
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects"
            ],
            "Principal": [
                "27737962156157xxxx",
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket"
            ],
            "Condition": {
                "StringLike": {
                    "oss:Prefix": [
                        "*"
                    ]
                }
            }
        }
    ]
}

Example 2: Grant a specified user read-only permissions on specified directories in a bucket

The following example grants the RAM user with UID 20214760404935xxxx read-only permissions on the hangzhou/2020 and shanghai/2015 directories in the target bucket examplebucket:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl",
                "oss:GetObjectVersion",
                "oss:GetObjectVersionAcl"
            ],
            "Effect": "Allow",
            "Principal": [
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
                "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
            ]
        },
        {
            "Action": [
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Condition": {
                "StringLike": {
                    "oss:Prefix": [
                        "hangzhou/2020/*",
                        "shanghai/2015/*"
                    ]
                }
            },
            "Effect": "Allow",
            "Principal": [
                "20214760404935xxxx"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}

Example 3: Grant anonymous users only the permission to list all objects in a bucket

The following example grants anonymous users only the permission to list all objects in the target bucket examplebucket:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:ListObjects",
                "oss:ListObjectVersions"
            ],
            "Effect": "Allow",
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket"
            ]
        }
    ]
}

Example 4: Deny access to bucket resources from outside a specified VPC ID or outside a specified internal IP address range

The following example denies access to the target bucket examplebucket for requests whose VPC ID is not t4nlw426y44rd3iq4****, and for requests from that VPC whose source IP address is not within the 192.168.0.0/16 range. In other words, only the specified IP address range inside the specified VPC can access examplebucket, provided the other authentication conditions are met; every other source is denied access to the bucket. This example is mainly used to restrict access sources.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                },
                "NotIpAddress": {
                    "acs:SourceIp": [
                        "192.168.0.0/16"
                    ]
                }
            }
        }
    ]
}

Example 5: Deny access to bucket resources from outside a specified VPC ID and from public IP addresses other than a specified one

The following example denies access to the target bucket examplebucket for requests whose VPC ID is not t4nlw426y44rd3iq4**** and whose public IP address is not 192.0.2.0. In other words, only requests from the VPC with ID t4nlw426y44rd3iq4**** or from the public IP address 192.0.2.0 can access examplebucket, provided the other authentication conditions are met; every other source is denied access to the bucket. This example is mainly used to restrict access sources.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                },
                "NotIpAddress": {
                    "acs:SourceIp": [
                        "192.0.2.0"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                },
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                }
            }
        }
    ]
}

Example 6: Deny access to bucket resources from outside a specified VPC ID

The following example denies access to the target bucket examplebucket for requests whose VPC ID is not t4nlw426y44rd3iq4****:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "acs:SourceVpc": [
                        "vpc-t4nlw426y44rd3iq4****"
                    ]
                }
            }
        }
    ]
}

Example 7: Deny access to bucket resources from public IP addresses other than a specified one

The following example denies access to the target bucket examplebucket for requests whose public IP address is not 192.0.2.0. Note that the second statement additionally denies every request that arrives through any VPC, so only the public IP address 192.0.2.0 remains able to read objects:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                },
                "NotIpAddress": {
                    "acs:SourceIp": [
                        "192.0.2.0"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "oss:GetObject"
            ],
            "Principal": [
                "*"
            ],
            "Resource": [
                "acs:oss:*:174649585760xxxx:examplebucket/*"
            ],
            "Condition": {
                "StringLike": {
                    "acs:SourceVpc": [
                        "vpc-*"
                    ]
                }
            }
        }
    ]
}
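To make the Deny-with-Condition logic of Examples 4 to 7 and the two usage notes on the anonymous Principal concrete, here is a small evaluator added for this page; it is not Alibaba Cloud's policy engine. It models only the operators those examples use, assumes that a missing context key (no acs:SourceVpc on a public-internet request) satisfies the Not* operators, and encodes Example 5 as its sample policy; OWNER, VPC, OBJECTS, evaluate, deny_get and check are names chosen here.

```python
import fnmatch
import ipaddress

OWNER = "174649585760xxxx"                      # bucket owner UID from the page
VPC = "vpc-t4nlw426y44rd3iq4****"               # VPC ID from the page
OBJECTS = f"acs:oss:*:{OWNER}:examplebucket/*"  # Resource used by Examples 4 to 7

def _clause(op, key, values, ctx):
    """One Condition clause. A missing context key (e.g. no acs:SourceVpc for a
    public-internet request) satisfies the Not* operators; that is an assumption."""
    actual = ctx.get(key)
    like = lambda: actual is not None and any(fnmatch.fnmatchcase(actual, v) for v in values)
    in_net = lambda: actual is not None and any(
        ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False) for v in values)
    table = {"StringEquals": lambda: actual in values, "StringNotEquals": lambda: actual not in values,
             "StringLike": like, "StringNotLike": lambda: not like(),
             "IpAddress": in_net, "NotIpAddress": lambda: not in_net()}
    return table[op]()

def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'NoMatch'; an explicit Deny always wins."""
    effects = set()
    for st in policy["Statement"]:
        if action not in st["Action"] or not any(fnmatch.fnmatchcase(resource, r) for r in st["Resource"]):
            continue
        cond, anon = st.get("Condition", {}), "*" in st["Principal"]
        if ctx["uid"] == OWNER and anon and not cond:
            continue  # page rule: a '*' Principal without Condition skips the owner
        if not anon and ctx["uid"] not in st["Principal"]:
            continue
        if all(_clause(op, k, v, ctx) for op, kv in cond.items() for k, v in kv.items()):
            effects.add(st["Effect"])  # with a Condition, '*' binds the owner too
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "NoMatch"

def deny_get(conditions):
    """Build one of the page's Deny statements on oss:GetObject for Principal '*'."""
    return {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
            "Resource": [OBJECTS], "Condition": conditions}

# Example 5 from the page: only the named VPC or the public IP 192.0.2.0 may read objects.
EXAMPLE5 = {"Version": "1", "Statement": [
    deny_get({"StringNotLike": {"acs:SourceVpc": ["vpc-*"]},
              "NotIpAddress": {"acs:SourceIp": ["192.0.2.0"]}}),
    deny_get({"StringLike": {"acs:SourceVpc": ["vpc-*"]},
              "StringNotEquals": {"acs:SourceVpc": [VPC]}})]}

def check(ctx):
    """Constructed request: read one object of examplebucket with the given request context."""
    return evaluate(EXAMPLE5, "oss:GetObject", f"acs:oss:cn-hangzhou:{OWNER}:examplebucket/a.txt", ctx)
```

A result of NoMatch means no statement of the bucket policy applied, so the outcome is left to the other authentication conditions the page mentions (RAM policies, ACLs); a Deny is final.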