Bucket Policy is a bucket-level authorization policy offered by Alibaba Cloud OSS. With a Bucket Policy you can grant other users access to the OSS resources you specify. For example, you can grant RAM users in your own account or in other accounts, or anonymous users, different permissions on bucket resources, such as read-only or read-write.
General notes
All examples below show the resource owner (the bucket owner, UID 174649585760xxxx) using a Bucket Policy to grant different permissions to specified users (for example, the RAM user with UID 27737962156157xxxx). Unlike a RAM Policy, a Bucket Policy also contains a Principal element that names the users being authorized. Its other elements, such as Action and Condition, follow the RAM Policy syntax. For details on each element, see RAM Policy overview.
Notes
When the Principal of a Bucket Policy is the anonymous account (*) and the statement has no Condition, the policy applies to every user except the bucket owner. See example 3.
When the Principal is the anonymous account (*) and the statement does contain a Condition, the policy applies to all users, including the bucket owner. See examples 5 to 8, whose Deny statements combine Principal * with a Condition and therefore also restrict the bucket owner (example 4, which has no Condition, falls under the previous rule).
Example 1: Grant specified RAM users read and write permissions on a bucket
The following example grants the RAM users with UIDs 27737962156157xxxx and 20214760404935xxxx read and write permissions on the bucket examplebucket. Object-level actions are granted on examplebucket/*; listing is granted on the bucket itself, with an oss:Prefix condition of * that covers every key:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl",
        "oss:PutObjectAcl",
        "oss:AbortMultipartUpload",
        "oss:ListParts",
        "oss:RestoreObject",
        "oss:GetVodPlaylist",
        "oss:PostVodPlaylist",
        "oss:PublishRtmpStream",
        "oss:ListObjectVersions",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl",
        "oss:RestoreObjectVersion"
      ],
      "Principal": [
        "27737962156157xxxx",
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Principal": [
        "27737962156157xxxx",
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "*"
          ]
        }
      }
    }
  ]
}
Example 2: Grant a specified user read-only permissions on specified directories in a bucket
The following example grants the RAM user with UID 20214760404935xxxx read-only permissions on the hangzhou/2020 and shanghai/2015 directories in the bucket examplebucket. Object reads are granted on the two prefixes, and listing is granted on the bucket but limited by the oss:Prefix condition to the same two prefixes, so the user cannot enumerate keys outside them.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/hangzhou/2020/*",
        "acs:oss:*:174649585760xxxx:examplebucket/shanghai/2015/*"
      ]
    },
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Condition": {
        "StringLike": {
          "oss:Prefix": [
            "hangzhou/2020/*",
            "shanghai/2015/*"
          ]
        }
      },
      "Effect": "Allow",
      "Principal": [
        "20214760404935xxxx"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
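The split that examples 1 and 2 rely on (object actions on bucket/prefix/* resources, listing on the bucket resource with an oss:Prefix condition) is easy to get wrong by hand. The following Python is an added example, not Alibaba Cloud's code or SDK: it builds a prefix-scoped read-only policy equivalent to example 2 and lints a policy for the structural mistakes that would silently break these patterns. The function names, the lint rules and the BROKEN_LISTING counter-example are our own.

```python
"""Build and lint a prefix-scoped read-only Bucket Policy.

Added example, not Alibaba Cloud's code. It encodes the split used by examples 1
and 2 on this page: object-level actions are granted on bucket/prefix/* resources,
while ListObjects and ListObjectVersions are granted on the bucket resource itself
and scoped with a StringLike oss:Prefix condition. Function names are our own.
"""
import json

OBJECT_READ_ACTIONS = ["oss:GetObject", "oss:GetObjectAcl",
                       "oss:GetObjectVersion", "oss:GetObjectVersionAcl"]
LIST_ACTIONS = ["oss:ListObjects", "oss:ListObjectVersions"]


def build_prefix_readonly_policy(owner_uid, bucket, principals, prefixes):
    """Grant `principals` read-only access to objects under `prefixes` in `bucket`."""
    bucket_arn = f"acs:oss:*:{owner_uid}:{bucket}"
    dirs = [p.strip("/") + "/" for p in prefixes]      # "hangzhou/2020" -> "hangzhou/2020/"
    return {
        "Version": "1",
        "Statement": [
            {   # object reads: resource is the object path under each prefix
                "Action": list(OBJECT_READ_ACTIONS),
                "Effect": "Allow",
                "Principal": list(principals),
                "Resource": [f"{bucket_arn}/{d}*" for d in dirs],
            },
            {   # listing: resource is the bucket, narrowed by oss:Prefix
                "Action": list(LIST_ACTIONS),
                "Condition": {"StringLike": {"oss:Prefix": [f"{d}*" for d in dirs]}},
                "Effect": "Allow",
                "Principal": list(principals),
                "Resource": [bucket_arn],
            },
        ],
    }


def _is_object_resource(arn):
    """acs:oss:<region>:<uid>:<bucket>/<key> has a '/' after the bucket name."""
    return "/" in arn.split(":", 4)[4]


def lint_policy(policy):
    """Return human-readable findings for the mistakes that break these patterns."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        bucket_level = [r for r in resources if not _is_object_resource(r)]
        object_level = [r for r in resources if _is_object_resource(r)]
        list_acts = [a for a in actions if a in LIST_ACTIONS]
        object_acts = [a for a in actions if a not in LIST_ACTIONS and "*" not in a]
        has_prefix = any("oss:Prefix" in keys for keys in stmt.get("Condition", {}).values())
        if list_acts and not bucket_level:
            findings.append(f"statement {i}: {list_acts} must target the bucket, not an object path")
        if object_acts and not object_level:
            findings.append(f"statement {i}: {object_acts} must target bucket/key resources")
        if list_acts and not has_prefix:
            findings.append(f"statement {i}: listing has no oss:Prefix condition, so it covers the whole bucket")
        if stmt.get("Effect") == "Allow" and "*" in stmt.get("Principal", []):
            findings.append(f"statement {i}: Allow for anonymous Principal '*'")
    return findings


# Constructed counter-example: a common mistake, ListObjects placed on the object path.
BROKEN_LISTING = {"Version": "1", "Statement": [{
    "Action": ["oss:ListObjects"], "Effect": "Allow", "Principal": ["20214760404935xxxx"],
    "Resource": ["acs:oss:*:174649585760xxxx:examplebucket/*"]}]}

if __name__ == "__main__":
    policy = build_prefix_readonly_policy("174649585760xxxx", "examplebucket",
                                          ["20214760404935xxxx"], ["hangzhou/2020", "shanghai/2015"])
    print(json.dumps(policy, indent=2))
    print(lint_policy(policy), lint_policy(BROKEN_LISTING))
```

Running the script prints a policy identical in content to example 2 with no findings, and two findings for BROKEN_LISTING: ListObjects is on an object path instead of the bucket, and the listing has no oss:Prefix condition. Run the linter over a policy before uploading it; the anonymous-Allow finding is a deliberate prompt to re-read examples 3 and 4 before exposing a bucket.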
Example 3: Grant anonymous users only the permission to list all objects in a bucket
The following example grants anonymous users only the permission to list all objects in the bucket examplebucket. Because Principal is * and there is no Condition, it applies to every user except the bucket owner, and it grants listing only: reading the objects themselves still requires a separate permission:
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 4: Grant anonymous users permission to read all data in a specified bucket and the bucket configuration
The following example grants anonymous users permission to read all data in examplebucket and the configuration of that bucket. oss:Get* matches every Get action, so this exposes every object and every bucket setting to the Internet; use it only for content that is meant to be public.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:Get*",
        "oss:ListObjects",
        "oss:ListObjectVersions"
      ],
      "Effect": "Allow",
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket"
      ]
    }
  ]
}
Example 5: Deny access to a bucket from any source other than a specified private IP range inside a specified VPC
The following example denies access to examplebucket from any request whose VPC ID is not vpc-t4nlw426y44rd3iq4****, and from any request that does come from that VPC but whose source IP address is outside 192.168.0.0/16. In other words, only the specified IP range inside the specified VPC can access examplebucket, and only if the other authentication checks also pass; every other source is denied. This example is mainly used to restrict access sources. The two Deny statements cover only oss:GetObject, and because they combine Principal * with a Condition they also apply to the bucket owner.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.168.0.0/16"
          ]
        }
      }
    }
  ]
}
Example 6: Deny access to a bucket from any source other than a specified VPC or a specified public IP address
The following example denies access to examplebucket from requests whose VPC ID is not vpc-t4nlw426y44rd3iq4**** and whose public IP address is not 192.0.2.0. In other words, only requests from VPC vpc-t4nlw426y44rd3iq4**** or from the public IP address 192.0.2.0 can access examplebucket, and only if the other authentication checks also pass; every other source is denied. This example is mainly used to restrict access sources. The first statement denies requests that did not arrive through a VPC (acs:SourceVpc does not match vpc-*) unless they come from 192.0.2.0; the second denies requests from any VPC other than the specified one.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.0.2.0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      }
    }
  ]
}
Example 7: Deny access to a bucket from any VPC other than a specified one
The following example denies access to examplebucket from any request whose VPC ID is not vpc-t4nlw426y44rd3iq4****:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "acs:SourceVpc": [
            "vpc-t4nlw426y44rd3iq4****"
          ]
        }
      }
    }
  ]
}
Example 8: Deny access to a bucket from any public IP address other than a specified one
The following example denies access to examplebucket from any request whose public IP address is not 192.0.2.0. The first statement denies requests that did not arrive through a VPC unless they come from 192.0.2.0; the second denies every request that arrives through a VPC:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringNotLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        },
        "NotIpAddress": {
          "acs:SourceIp": [
            "192.0.2.0"
          ]
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "oss:GetObject"
      ],
      "Principal": [
        "*"
      ],
      "Resource": [
        "acs:oss:*:174649585760xxxx:examplebucket/*"
      ],
      "Condition": {
        "StringLike": {
          "acs:SourceVpc": [
            "vpc-*"
          ]
        }
      }
    }
  ]
}
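The Deny patterns in examples 5 to 8 are easier to trust once you can see which request sources each one leaves open. The following Python is an added example, not Alibaba Cloud's policy engine: it rebuilds the page's example 3 and examples 5 to 8 as dicts and evaluates them against constructed request contexts, applying the two bucket-owner rules from the notes at the top of this page. How OSS treats a condition key that is absent from the request (here: negated operators match, positive ones do not) is an assumption, chosen because example 8 relies on StringNotLike vpc-* to single out requests that did not arrive through a VPC; resource matching is omitted because every statement targets examplebucket.

```python
"""Evaluate OSS Bucket Policy Deny statements against sample request contexts.

Added example; this is not Alibaba Cloud's code. It models only what this page
states: an explicit Deny wins, Principal "*" without a Condition skips the bucket
owner, Principal "*" with a Condition also covers the bucket owner. Treating an
absent condition key as matching the negated operators (StringNotEquals,
StringNotLike, NotIpAddress) and not the positive ones is an assumption.
"""
import fnmatch
import ipaddress

OWNER = "174649585760xxxx"            # bucket owner UID used throughout the page
VPC = "vpc-t4nlw426y44rd3iq4****"     # VPC ID used in examples 5 to 8
RES = "acs:oss:*:174649585760xxxx:examplebucket/*"


def deny_get(condition):
    """One Deny statement on oss:GetObject for all principals, as in examples 5 to 8."""
    return {"Effect": "Deny", "Action": ["oss:GetObject"], "Principal": ["*"],
            "Resource": [RES], "Condition": condition}


# The page's policies rebuilt as dicts (examples 3, 5, 6, 7 and 8).
EXAMPLE3 = {"Version": "1", "Statement": [
    {"Action": ["oss:ListObjects", "oss:ListObjectVersions"], "Effect": "Allow",
     "Principal": ["*"], "Resource": ["acs:oss:*:174649585760xxxx:examplebucket"]}]}
EXAMPLE5 = {"Version": "1", "Statement": [
    deny_get({"StringNotEquals": {"acs:SourceVpc": [VPC]}}),
    deny_get({"StringEquals": {"acs:SourceVpc": [VPC]},
              "NotIpAddress": {"acs:SourceIp": ["192.168.0.0/16"]}})]}
EXAMPLE6 = {"Version": "1", "Statement": [
    deny_get({"StringNotLike": {"acs:SourceVpc": ["vpc-*"]},
              "NotIpAddress": {"acs:SourceIp": ["192.0.2.0"]}}),
    deny_get({"StringLike": {"acs:SourceVpc": ["vpc-*"]},
              "StringNotEquals": {"acs:SourceVpc": [VPC]}})]}
EXAMPLE7 = {"Version": "1", "Statement": [
    deny_get({"StringNotEquals": {"acs:SourceVpc": [VPC]}})]}
EXAMPLE8 = {"Version": "1", "Statement": [
    deny_get({"StringNotLike": {"acs:SourceVpc": ["vpc-*"]},
              "NotIpAddress": {"acs:SourceIp": ["192.0.2.0"]}}),
    deny_get({"StringLike": {"acs:SourceVpc": ["vpc-*"]}})]}

# Constructed request contexts; a public-network request carries no acs:SourceVpc.
CONTEXTS = {
    "vpc_ok_ip_ok":  {"acs:SourceVpc": VPC, "acs:SourceIp": "192.168.1.10"},
    "vpc_ok_ip_bad": {"acs:SourceVpc": VPC, "acs:SourceIp": "10.0.0.5"},
    "other_vpc":     {"acs:SourceVpc": "vpc-other", "acs:SourceIp": "192.168.1.10"},
    "public_ok":     {"acs:SourceIp": "192.0.2.0"},
    "public_bad":    {"acs:SourceIp": "203.0.113.7"},
}


def condition_matches(operator, expected, actual):
    """Evaluate one condition operator; `actual` is None when the key is absent."""
    negated = operator in ("StringNotEquals", "StringNotLike", "NotIpAddress")
    if actual is None:
        return negated                       # assumption, see module docstring
    if operator in ("StringEquals", "StringNotEquals"):
        hit = actual in expected
    elif operator in ("StringLike", "StringNotLike"):
        hit = any(fnmatch.fnmatchcase(actual, pat) for pat in expected)
    elif operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in expected)
    else:
        raise ValueError(f"unsupported operator {operator}")
    return not hit if negated else hit


def statement_applies(stmt, principal, context):
    """Principal and Condition checks, including the page's two bucket-owner rules."""
    condition = stmt.get("Condition", {})
    if "*" in stmt["Principal"]:
        if principal == OWNER and not condition:
            return False                     # "*" without Condition: owner exempt
    elif principal not in stmt["Principal"]:
        return False
    return all(condition_matches(op, expected, context.get(key))
               for op, keys in condition.items()
               for key, expected in keys.items())


def evaluate(policy, principal, action, context):
    """Return "Deny", "Allow" or "NoMatch" for one request; Deny always wins."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not statement_applies(stmt, principal, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def outcomes(policy, principal=OWNER, action="oss:GetObject"):
    """Decision for each constructed context; NoMatch means the policy stays silent."""
    return {name: evaluate(policy, principal, action, ctx) for name, ctx in CONTEXTS.items()}
```

NoMatch means the policy is silent and the request falls through to the remaining authorization checks; Deny is final. Calling outcomes() with the default principal (the bucket owner) shows the consequence of the second note at the top of the page: because every Deny statement here pairs Principal * with a Condition, the owner is locked out of examplebucket from outside the permitted sources just like anyone else, while the Condition-less Allow of example 3 does not apply to the owner at all.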