Accessing OSS through access points


Access points provide independent entry points for buckets. Create a separate access point for each application or team, then use access point policies to manage permissions individually—avoiding complex rules in a single bucket policy.

How it works

An access point acts as a proxy layer for a bucket. When you create one, OSS generates a unique access point alias that replaces the bucket name in requests. Each access point has its own access point policy (defining allowed actions, resources, and identities) and network origin (internet or a specified VPC) for isolated, scenario-based access.

When a user sends a request through an access point, OSS evaluates the RAM policy, the bucket policy, and the access point policy together. The request succeeds only when the combined RAM/bucket result and the access point policy result are both Allow. An explicit Deny in any of the three rejects the request, and a request that matches no Allow statement is implicitly denied. See Permission evaluation logic below.

By default, an access point has no bucket access. Configure permission delegation in the bucket policy using the oss:DataAccessPointArn, oss:DataAccessPointAccount, or oss:AccessPointNetworkOrigin condition keys to explicitly grant the access point access to the bucket.

Quick start

Create an access point, delegate permissions in the bucket policy, then access resources through the access point alias.

Step 1: Create an access point

Create an access point and configure its access point policy to define who can perform what actions on which OSS resources and under what conditions.

  1. Go to the Access Point List and click Create Access Point.

  2. Enter an Access Point Name, select the associated bucket and Network Origin, and then click Next.

    Note
    • If you set Network Origin to VPC, you must enter a VPC ID. You can obtain the VPC ID from the VPC Console.

    • The region of the specified VPC must be one of the regions that support OSS gateway endpoints. If the regions do not match, authentication requests cannot be correctly associated with the specified VPC, resulting in authentication failures.

  3. Turn off the Block Public Access option for the access point, then configure an access point policy. Keep the Principal in this policy limited to the specific RAM users, accounts, or roles that need access: the bucket policy in Step 2 delegates to the access point with Principal "*", so the access point policy is what decides who can use it.

    GUI

    • Applied To: Select whether to authorize access to the Whole Bucket or Specific Resources.

    • Resource Paths:

      • If you set Applied To to Whole Bucket, Resource Paths is set to accesspoint/{Access Point Name}/*.

      • If you set Applied To to Specific Resources, enter the directory or individual object to authorize. You can add multiple entries.

    • Authorized User: Specify the grantee.

      • RAM User: Select a RAM user that belongs to the current Alibaba Cloud account. The logged-on identity must be the Alibaba Cloud account or a RAM user with bucket management permissions and the ListUsers permission; otherwise RAM users cannot be listed.

      • Other Account: Enter the UID of another Alibaba Cloud account or RAM user, or the ARN of an assumed-role session, which starts with arn:sts, for example arn:sts::1798************:assumed-role/role-name/session-name. You can grant permissions to multiple users, one entry per line.

    • Authorized Operation:

      • Simple Settings: Select a common combination of authorized operations. Options include Read-Only (excluding ListObject), Read-Only (including ListObject), Read/Write, Full Access, and Deny Access.

      • Advanced Settings: Customize the Effect (Allow or Deny) and the Action.
    Syntax

    Enter the authorization policy in JSON format in the editor.

    Example policy: Grant read/write permissions to user 20816353761158****.
    {
      "Version": "1",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "oss:GetObject",
          "oss:PutObject",
          "oss:GetObjectAcl",
          "oss:PutObjectAcl",
          "oss:ListObjects",
          "oss:AbortMultipartUpload",
          "oss:ListParts",
          "oss:RestoreObject",
          "oss:ListObjectVersions",
          "oss:GetObjectVersion",
          "oss:GetObjectVersionAcl",
          "oss:RestoreObjectVersion"
        ],
        "Principal": [
          "20816353761158****"
        ],
        "Resource": [
          "acs:oss:{region-id}:179882766168****:accesspoint/{ap-name}/object/*"
        ]
      }, {
        "Effect": "Allow",
        "Action": [
          "oss:ListObjects",
          "oss:GetObject"
        ],
        "Principal": [
          "20816353761158****"
        ],
        "Resource": [
          "acs:oss:{region-id}:179882766168****:accesspoint/{ap-name}"
        ],
        "Condition": {
          "StringLike": {
            "oss:Prefix": [
              "*"
            ]
          }
        }
      }]
    }

    A policy document contains Version and Statement.

    • Version: The policy version. This value is fixed at 1 and cannot be changed.

    • Statement: One or more policy rules. Each statement contains the following elements:

      • Effect: Whether the statement allows or denies the requests it matches. Valid values are Allow and Deny.

      • Action: The operations the statement applies to, such as oss:GetObject. The asterisk (*) wildcard is supported.

      • Principal: The RAM users, accounts, or roles the statement applies to.

      • Resource: The access point resources the statement applies to, written as ARNs of the form acs:oss:{region-id}:{uid}:accesspoint/{ap-name} for the access point itself (used by ListObjects together with the oss:Prefix condition) or acs:oss:{region-id}:{uid}:accesspoint/{ap-name}/object/{path} for objects.

      • Condition: The conditions under which the statement takes effect. If multiple conditions are specified, they are combined with a logical AND; all of them must be met for the statement to apply.

      All policy elements are defined in Authorization Syntax and Elements.

  4. Click Submit and wait for the access point to be created.

Step 2: Delegate permissions

After creating an access point, configure permission delegation in the bucket policy to grant it bucket access. Three delegation types are available:

  • oss:DataAccessPointArn: Delegates access permissions for a specific access point.

  • oss:DataAccessPointAccount: Delegates access permissions for all access points under the current Alibaba Cloud account.

  • oss:AccessPointNetworkOrigin: Delegates access permissions for all access points that have a specific network origin.

Specific access point

  1. Go to the Bucket List and click the name of the target bucket.

  2. In the left-side navigation pane, choose Access Control > Bucket Policy, and then click the Add Rule by Syntax tab.

  3. Click Edit and enter the authorization policy in JSON format in the editor.

    Note

    Replace the UID, bucket name, region ID, and access point name with your actual values. If the bucket policy already has statements, add this rule to the Statement array.

    {
      "Version": "1",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "oss:*"
        ],
        "Principal": [
          "*"
        ],
        "Resource": [
          "acs:oss:*:179882766168****:example-bucket",
          "acs:oss:*:179882766168****:example-bucket/*"
        ],
        "Condition": {
          "StringEquals": {
            "oss:DataAccessPointArn": [
              "acs:oss:oss-{region-id}:179882766168****:accesspoint/{ap-name}"
            ]
          }
        }
      }]
    }
  4. Click Save to apply the bucket policy.

All access points

  1. Go to the Bucket List and click the name of the target bucket.

  2. In the left-side navigation pane, choose Access Control > Bucket Policy, and then click the Add Rule by Syntax tab.

  3. Click Edit and enter the authorization policy in JSON format in the editor.

    Note

    Replace the UID and bucket name with your actual values. If the bucket policy already has statements, add this rule to the Statement array.

    {
      "Version": "1",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "oss:*"
        ],
        "Principal": [
          "*"
        ],
        "Resource": [
          "acs:oss:*:179882766168****:example-bucket",
          "acs:oss:*:179882766168****:example-bucket/*"
        ],
        "Condition": {
          "StringEquals": {
            "oss:DataAccessPointAccount": [
              "179882766168****"
            ]
          }
        }
      }]
    }
  4. Click Save to apply the bucket policy.

By network origin

  1. Go to the Bucket List and click the name of the target bucket.

  2. In the left-side navigation pane, choose Access Control > Bucket Policy, and then click the Add Rule by Syntax tab.

  3. Click Edit and enter the authorization policy in JSON format in the editor.

    Note
    • Replace the UID and bucket name with your actual values. If the bucket policy already has statements, add this rule to the Statement array.

    • When oss:AccessPointNetworkOrigin is set to internet, permissions are delegated to all access points whose network origin is the internet. This configuration allows access from both the internet and VPCs. To restrict access to only VPCs, change the value to vpc.

    {
      "Version": "1",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "oss:*"
        ],
        "Principal": [
          "*"
        ],
        "Resource": [
          "acs:oss:*:179882766168****:example-bucket",
          "acs:oss:*:179882766168****:example-bucket/*"
        ],
        "Condition": {
          "StringEquals": {
            "oss:AccessPointNetworkOrigin": [
              "internet"
            ]
          }
        }
      }]
    }
  4. Click Save to apply the bucket policy.

Note

If you receive an error such as "The bucket policy contains public access semantics," turn off Block Public Access for the bucket before delegating permissions.

Step 3: Access resources

Authorized identities (such as RAM users) use the access point alias to access OSS resources.

Compatible APIs

API | Description
--- | ---
PutAccessPointPolicy | Configures an access point policy.
GetAccessPointPolicy | Obtains the configuration of an access point policy.
DeleteAccessPointPolicy | Deletes an access point policy.
ListObjects (GetBucket) | Lists information about all objects in a bucket.
ListObjectsV2 (GetBucketV2) | Lists information about all objects in a bucket.
ListObjectVersions (GetBucketVersions) | Lists all versions of objects in a bucket, including delete markers.
PutObject | Uploads an object.
GetObject | Obtains an object.
CopyObject | Copies an object.
AppendObject | Uploads an object by appending data.
DeleteObject | Deletes a single object.
DeleteMultipleObjects | Deletes multiple objects.
HeadObject | Returns only the metadata of an object, not its content.
GetObjectMeta | Returns partial metadata of an object, such as its ETag, size, and LastModified time, but not its content.
PostObject | Uploads an object by using an HTML form.
RestoreObject | Restores an Archive, Cold Archive, or Deep Cold Archive object.
SelectObject | Executes an SQL statement on a target object and returns the result.
InitiateMultipartUpload | Initializes a multipart upload.
UploadPart | Uploads a part in a multipart upload.
UploadPartCopy | Creates a part by copying data from an existing object.
CompleteMultipartUpload | Completes a multipart upload by assembling the previously uploaded parts.
AbortMultipartUpload | Cancels a multipart upload and deletes any parts that were uploaded.
ListMultipartUploads | Lists all in-progress multipart uploads.
ListParts | Lists the parts that have been uploaded for a specific multipart upload.
PutObjectACL | Modifies the access permissions of an object.
GetObjectACL | Views the access permissions of an object.
PutSymlink | Creates a symbolic link.
GetSymlink | Reads the target of a symbolic link.
PutObjectTagging | Sets or updates object tags.
GetObjectTagging | Retrieves the tags for an object.
DeleteObjectTagging | Deletes all tags from an object.

SDK

Only the Java and Python SDKs support access point aliases.

Java

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;
import com.aliyun.sdk.service.oss2.models.GetObjectRequest;

import java.io.File;

/**
 * OSS Java SDK V2 example: Download an object to a local file by using an access point.
 */
public class DownloadObjectWithAccessPoint {

    public static void main(String[] args) {
        // Create an OSS client.
        String accessKeyId = System.getenv("OSS_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("OSS_ACCESS_KEY_SECRET");
        CredentialsProvider provider = new StaticCredentialsProvider(accessKeyId, accessKeySecret);
        OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(provider)
                .region("<region-id>")
                .build();

        // Download the object to a local file by using an access point alias.
        String bucket = "example-ap-b156d01070a10322664d6704cd1d47****-ossalias";
        String key = "example.jpg";
        File file = new File("example.jpg");
        client.getObjectToFile(GetObjectRequest.newBuilder()
                .bucket(bucket)
                .key(key)
                .build(), file);
        System.out.println("Download complete: " + key + " -> " + file.getPath());

        // Close the client.
        try {
            client.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Python

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""OSS Python SDK V2 example: Download an object to a local file by using an access point."""

import alibabacloud_oss_v2 as oss


def main() -> None:
    """Main function"""
    # Create an OSS client.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
    config = oss.config.load_default()
    config.credentials_provider = credentials_provider
    config.region = "<region-id>"
    config.endpoint = "oss-<region-id>.aliyuncs.com"
    client = oss.Client(config)

    # Download the object to a local file by using an access point alias.
    bucket = "example-ap-b156d01070a10322664d6704cd1d47****-ossalias"
    key = "example.jpg"
    file_path = "example.jpg"
    request = oss.GetObjectRequest(bucket, key)
    client.get_object_to_file(request, file_path)
    print(f"Download complete: {key} -> {file_path}")


if __name__ == "__main__":
    main()

ossutil

Use the access point alias as the bucket name in ossutil commands.

ossutil cp oss://example-ap-b156d01070a10322664d6704cd1d47****-ossalias/example.jpg /tmp

REST API

Use the access point alias in the Host header:

GET /ObjectName HTTP/1.1
Host: example-ap-b156d01070a10322664d6704cd1d47****-ossalias.oss-{region-id}.aliyuncs.com 
Date: GMT Date
Authorization: SignatureValue

Example scenario

This example uses access points to provide secure, isolated access for multiple departments in a big data analytics scenario.

Scenario

A company (Alibaba Cloud account UID: 137918634953****) stores centrally collected data in a bucket named examplebucket. Ten different business departments must access this bucket with the following requirements:

Department | Access scope | Permissions | Network origin
--- | --- | --- | ---
Departments 1–3 | dir1/ directory | Read-only | Internet
Department 4 | Entire bucket | Read/Write | Internet
Departments 5–10 | dir2/ directory | Read/Write | VPC only

Solution design

Design three access points, one per access scenario. Each access point's network origin enforces the network restriction, and its access point policy restricts the grantee, resources, and actions.

Access point | Name | Network origin | Grantee | Authorized resource | Permissions
--- | --- | --- | --- | --- | ---
Access Point 1 | ap-01 | Internet | RAM users for Departments 1–3 (UID: 26571698800555****) | dir1/* | Read-only
Access Point 2 | ap-02 | Internet | RAM users for Department 4 (UID: 25770968794578****) | * (entire bucket) | Read/Write
Access Point 3 | ap-03 | VPC | RAM users for Departments 5–10 (UID: 26806658794579****) | dir2/* | Read/Write

Access point policy

ap-01: Read-only access

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "oss:GetObject",
      "oss:GetObjectAcl",
      "oss:ListObjects",
      "oss:RestoreObject",
      "oss:ListObjectVersions",
      "oss:GetObjectVersion",
      "oss:GetObjectVersionAcl",
      "oss:RestoreObjectVersion"
    ],
    "Principal": [
      "26571698800555****"
    ],
    "Resource": [
      "acs:oss:{region-id}:137918634953****:accesspoint/ap-01/object/dir1/*"
    ]
  },{
    "Effect": "Allow",
    "Action": [
      "oss:ListObjects",
      "oss:GetObject"
    ],
    "Principal": [
      "26571698800555****"
    ],
    "Resource": [
      "acs:oss:{region-id}:137918634953****:accesspoint/ap-01"
    ],
    "Condition": {
      "StringLike": {
        "oss:Prefix": [
          "dir1/*"
        ]
      }
    }
  }]
}

ap-02: Read/write access

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "oss:GetObject",
      "oss:PutObject",
      "oss:GetObjectAcl",
      "oss:PutObjectAcl",
      "oss:ListObjects",
      "oss:AbortMultipartUpload",
      "oss:ListParts",
      "oss:RestoreObject",
      "oss:ListObjectVersions",
      "oss:GetObjectVersion",
      "oss:GetObjectVersionAcl",
      "oss:RestoreObjectVersion"
    ],
    "Principal": [
      "25770968794578****"
    ],
    "Resource": [
      "acs:oss:{region-id}:137918634953****:accesspoint/ap-02/object/*"
    ]
  },{
    "Effect": "Allow",
    "Action": [
      "oss:ListObjects",
      "oss:GetObject"
    ],
    "Principal": [
      "25770968794578****"
    ],
    "Resource": [
      "acs:oss:{region-id}:137918634953****:accesspoint/ap-02"
    ],
    "Condition": {
      "StringLike": {
        "oss:Prefix": [
          "*"
        ]
      }
    }
  }]
}

ap-03: VPC read/write access

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "oss:GetObject",
      "oss:PutObject",
      "oss:GetObjectAcl",
      "oss:PutObjectAcl",
      "oss:ListObjects",
      "oss:AbortMultipartUpload",
      "oss:ListParts",
      "oss:RestoreObject",
      "oss:ListObjectVersions",
      "oss:GetObjectVersion",
      "oss:GetObjectVersionAcl",
      "oss:RestoreObjectVersion"
    ],
    "Principal": [
      "26806658794579****"
    ],
    "Resource": [
      "acs:oss:{region-id}:137918634953****:accesspoint/ap-03/object/dir2/*"
    ]
  },{
    "Effect": "Allow",
    "Action": [
      "oss:ListObjects",
      "oss:GetObject"
    ],
    "Principal": [
      "26806658794579****"
    ],
    "Resource": [
      "acs:oss:{region-id}:137918634953****:accesspoint/ap-03"
    ],
    "Condition": {
      "StringLike": {
        "oss:Prefix": [
          "dir2/*"
        ]
      }
    }
  }]
}

Bucket policy delegation

This scenario uses oss:DataAccessPointAccount for unified delegation across all access points under the same account. For granular control, use oss:DataAccessPointArn to delegate per access point.

Unified delegation

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "oss:*"
    ],
    "Principal": [
      "*"
    ],
    "Resource": [
      "acs:oss:*:137918634953****:examplebucket",
      "acs:oss:*:137918634953****:examplebucket/*"
    ],
    "Condition": {
      "StringEquals": {
        "oss:DataAccessPointAccount": [
          "137918634953****"
        ]
      }
    }
  }]
}

Individual delegation

{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "oss:*"
    ],
    "Principal": [
      "*"
    ],
    "Resource": [
      "acs:oss:*:137918634953****:examplebucket",
      "acs:oss:*:137918634953****:examplebucket/*"
    ],
    "Condition": {
      "StringEquals": {
        "oss:DataAccessPointArn": [
          "acs:oss:oss-{region-id}:137918634953****:accesspoint/ap-01",
          "acs:oss:oss-{region-id}:137918634953****:accesspoint/ap-02",
          "acs:oss:oss-{region-id}:137918634953****:accesspoint/ap-03"
        ]
      }
    }
  }]
}

Permission evaluation logic

RAM and bucket policy result | Access point policy result | Final result
--- | --- | ---
Allow | Allow | Allow
Allow | Deny | Deny
Allow | Implicit Deny | Implicit Deny
Deny | Allow | Deny
Deny | Deny | Deny
Deny | Implicit Deny | Deny
Implicit Deny | Allow | Implicit Deny
Implicit Deny | Deny | Deny
Implicit Deny | Implicit Deny | Implicit Deny

  • Allow: The request matches an Allow statement and no Deny statements.

  • Explicit deny: The request matches a Deny statement. Deny takes precedence over Allow.

  • Implicit deny: The request matches neither an Allow nor a Deny statement. By default, a RAM identity has no permissions. Any action not explicitly allowed is implicitly denied.
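The following script is an added example, not Alibaba Cloud code or anything taken from this page. It re-implements the evaluation rules above over the page's own ap-01 access point policy and unified-delegation bucket policy so the table can be dry-run against concrete requests: a read of dir1/ by the Departments 1–3 RAM user is allowed; a write, or a read of dir2/, is implicitly denied; a listing without a dir1/ prefix is implicitly denied; a request arriving through an access point in another account fails at the bucket policy because nothing was delegated to it; a Deny from the RAM side wins over two Allows; and the IpAddress/acs:SourceIp allowlist condition from the FAQ below narrows the result further. The region id (cn-hangzhou), the object keys, the second account id and the source IPs are constructed for the example; the account and RAM user ids are the page's masked placeholders.

```python
"""Offline simulator for the access point permission model documented on this page.

Added example, not Alibaba Cloud code. It applies the rules the page states (Allow, explicit
Deny or implicit Deny per policy; Deny always wins; RAM/bucket side AND access point policy
must both allow) to the page's ap-01 policy and unified delegation bucket policy. Operators:
StringEquals, StringLike, IpAddress. Region id is an assumption; ids are the page's masked ones.
"""
import copy
import fnmatch
import ipaddress

ALLOW, DENY, IMPLICIT_DENY = "Allow", "Deny", "Implicit Deny"
REGION = "cn-hangzhou"             # assumption: the page writes {region-id}
ACCOUNT = "137918634953****"       # bucket owner (from the page)
DEPT1_USER = "26571698800555****"  # RAM user for Departments 1-3 (from the page)
AP_ARN = f"acs:oss:{REGION}:{ACCOUNT}:accesspoint/ap-01"
BUCKET_ARN = f"acs:oss:{REGION}:{ACCOUNT}:examplebucket"

# ap-01 access point policy from the page: read-only on dir1/, listing limited to prefix dir1/.
AP01_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": [DEPT1_USER],
     "Action": ["oss:GetObject", "oss:GetObjectAcl", "oss:ListObjects", "oss:RestoreObject",
                "oss:ListObjectVersions", "oss:GetObjectVersion", "oss:GetObjectVersionAcl",
                "oss:RestoreObjectVersion"],
     "Resource": [f"{AP_ARN}/object/dir1/*"]},
    {"Effect": "Allow", "Principal": [DEPT1_USER], "Action": ["oss:ListObjects", "oss:GetObject"],
     "Resource": [AP_ARN], "Condition": {"StringLike": {"oss:Prefix": ["dir1/*"]}}},
]}

# Unified delegation bucket policy from the page. Principal "*" is narrowed only by the
# condition key, so the access point policy is what decides who gets in.
BUCKET_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Principal": ["*"], "Action": ["oss:*"],
     "Resource": [f"acs:oss:*:{ACCOUNT}:examplebucket", f"acs:oss:*:{ACCOUNT}:examplebucket/*"],
     "Condition": {"StringEquals": {"oss:DataAccessPointAccount": [ACCOUNT]}}},
]}

# Condition keys OSS attaches to a request that arrives through ap-01 (internet origin).
VIA_AP01 = {"oss:DataAccessPointAccount": ACCOUNT, "oss:AccessPointNetworkOrigin": "internet"}


def _glob_match(patterns, value):
    # Wildcard match for Action and Resource elements ('*' and '?').
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold (logical AND); a key missing from the request fails."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringLike":
                ok = _glob_match(expected, actual)
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c, strict=False)
                         for c in expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate_policy(policy, principal, action, resource, ctx):
    """One policy's verdict: explicit Deny wins, a matching Allow allows, no match is implicit deny."""
    verdict = IMPLICIT_DENY
    for stmt in policy["Statement"]:
        if "*" not in stmt["Principal"] and principal not in stmt["Principal"]:
            continue
        if not (_glob_match(stmt["Action"], action) and _glob_match(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return DENY
        verdict = ALLOW
    return verdict


def combine(ram_bucket, access_point):
    """The page's evaluation table: Deny on either side wins; both must Allow; else implicit deny."""
    if DENY in (ram_bucket, access_point):
        return DENY
    return ALLOW if ram_bucket == access_point == ALLOW else IMPLICIT_DENY


def evaluate_request(principal, action, key, ctx, ap_policy=AP01_POLICY,
                     bucket_policy=BUCKET_POLICY, ram_verdict=IMPLICIT_DENY):
    """Final verdict for a request through ap-01. key=None is a bucket-level call such as
    ListObjects; ram_verdict stands in for the caller's RAM policy (default: grants nothing)."""
    ap_resource = AP_ARN if key is None else f"{AP_ARN}/object/{key}"
    bucket_resource = BUCKET_ARN if key is None else f"{BUCKET_ARN}/{key}"
    ap_verdict = evaluate_policy(ap_policy, principal, action, ap_resource, ctx)
    bucket_verdict = evaluate_policy(bucket_policy, principal, action, bucket_resource, ctx)
    # RAM and bucket policies are evaluated together: Deny in either wins, else Allow in either.
    ram_bucket = (DENY if DENY in (ram_verdict, bucket_verdict)
                  else ALLOW if ALLOW in (ram_verdict, bucket_verdict) else IMPLICIT_DENY)
    return combine(ram_bucket, ap_verdict)


def with_ip_allowlist(policy, cidrs):
    """Copy of policy with the FAQ's IpAddress/acs:SourceIp condition added to every statement."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        stmt.setdefault("Condition", {})["IpAddress"] = {"acs:SourceIp": list(cidrs)}
    return out
```

Run it with python3 and call evaluate_request with the principal, action, object key (or None for ListObjects) and the request context; the functions return the same verdict strings the table uses. The delegation case is the one to notice: when oss:DataAccessPointAccount in the context is another account, the access point policy still says Allow but the final result is Implicit Deny, because the bucket policy never granted that access point anything, exactly the "no bucket access by default" behaviour Step 2 exists to fix.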

Quotas and limitations

Limitation | Description
--- | ---
Creation method | Create access points using the OSS console, API, or ossutil. SDKs are not supported for creation.
Number of access points | Maximum 1,000 access points per Alibaba Cloud account.
Modification rules | After creation, only the access point policy can be modified. The name and alias are immutable.
Access method | Anonymous access is not supported.

FAQ

IP allowlist support

Yes. Add an IpAddress condition to the Condition block of the access point policy, for example: "IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]}. Requests from other source addresses then match no Allow statement and are implicitly denied.

Required permissions for creation

The following permissions are required: oss:CreateAccessPoint, oss:GetAccessPoint, oss:DeleteAccessPoint, oss:ListAccessPoints, oss:PutAccessPointPolicy, oss:GetAccessPointPolicy, oss:DeleteAccessPointPolicy, oss:PutBucketPolicy, oss:GetBucketPolicy, and oss:DeleteBucketPolicy.
