Alibaba Cloud OSS custom policy: allow a RAM user to read and write only a specific bucket
Sometimes a RAM user should have permission to read and write only one particular bucket. In that case a custom policy must be configured in RAM.
You can create it step by step in the console, or create it directly as JSON by following the link below:
https://www.alibabacloud.com/help/en/oss/user-guide/tutorial-use-ram-policies-to-control-access-to-oss
Custom policy 1
The user only has permissions inside the bucket, so the preset custom bucket path must be filled in, for example: oss:\example
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl",
        "oss:DeleteObject",
        "oss:PutObjectAcl"
      ],
      "Resource": [
        "acs:oss:*:*:examplebucket",
        "acs:oss:*:*:examplebucket/*"
      ]
    }
  ]
}
```
Verified in OSS Browser:
This RAM account itself has no OSS permissions; only this policy was attached to it.
By default, if the preset OSS path (i.e. oss:\examplebucket) is not filled in, an error is reported, because you do not have the ListBuckets permission.
You can either add that permission, or simply fill in the preset OSS path.
If you add the permission, it needs to go in a separate statement with its own Action, because the Resource it applies to is different.
Custom policy 2
Grants permission to read the bucket (but this grants somewhat more than needed)
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketLifecycle",
        "oss:GetBucketWorm",
        "oss:GetBucketVersioning",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*"
      ],
      "Resource": "acs:oss:*:*:test-bucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:List*",
        "oss:Get*"
      ],
      "Resource": "acs:oss:*:*:test-bucket/*"
    }
  ]
}
```
Custom policy 3
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets"
      ],
      "Resource": "acs:oss:*:*:test-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetObject",
        "oss:PutObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:test-bucket/*"
    }
  ]
}
```
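To make the behaviour of policy 1 and policy 2 above concrete, here is a small policy evaluator added for this post. It is not Alibaba Cloud code and only approximates RAM evaluation (default deny, `*` wildcards in Action and Resource, an explicit Deny overriding any Allow). It replays the two policies against sample requests: policy 1 refuses oss:ListBuckets, which is exactly why OSS Browser needs the preset path; appending a ListBuckets statement with its own Resource (the `acs:oss:*:*:*` form policy 2 already uses) fixes that without widening object access; and policy 2's first statement grants bucket-metadata reads on every bucket, which is the "somewhat more than needed" noted above. The region and account ID in the sample resource names are constructed placeholders.

```python
import fnmatch
import json

# Policy 1 from the post: object-level read/write on examplebucket only.
POLICY_1 = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject", "oss:PutObject",
                 "oss:GetObjectAcl", "oss:DeleteObject", "oss:PutObjectAcl"],
      "Resource": ["acs:oss:*:*:examplebucket", "acs:oss:*:*:examplebucket/*"]
    }
  ]
}
""")

# Policy 2 from the post: read-only on test-bucket plus bucket-metadata reads on every bucket.
POLICY_2 = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo",
                 "oss:GetBucketTagging", "oss:GetBucketLifecycle", "oss:GetBucketWorm",
                 "oss:GetBucketVersioning", "oss:GetBucketAcl"],
      "Resource": "acs:oss:*:*:*"
    },
    {"Effect": "Allow", "Action": ["oss:List*", "oss:Get*"], "Resource": "acs:oss:*:*:test-bucket"},
    {"Effect": "Allow", "Action": ["oss:List*", "oss:Get*"], "Resource": "acs:oss:*:*:test-bucket/*"}
  ]
}
""")

# Constructed sample prefix; the region and account ID are placeholders, not real values.
ACCOUNT = "acs:oss:cn-hangzhou:123456789012"


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Simplified RAM wildcard matching: '*' spans any characters, including ':' and '/'."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Approximate RAM evaluation: default deny, any matching Allow grants, any matching Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def with_list_buckets(policy):
    """The fix described in the post: ListBuckets goes in its own statement because its Resource differs."""
    fixed = json.loads(json.dumps(policy))  # deep copy so the original policy stays untouched
    fixed["Statement"].append(
        {"Effect": "Allow", "Action": ["oss:ListBuckets"], "Resource": "acs:oss:*:*:*"}
    )
    return fixed


def foreign_buckets_readable(policy, action="oss:GetBucketAcl"):
    """True if a bucket the user was never meant to touch still exposes bucket metadata."""
    return is_allowed(policy, action, f"{ACCOUNT}:someone-elses-bucket")


if __name__ == "__main__":
    print("policy1 GetObject on examplebucket :", is_allowed(POLICY_1, "oss:GetObject", f"{ACCOUNT}:examplebucket/a.txt"))
    print("policy1 ListBuckets                :", is_allowed(POLICY_1, "oss:ListBuckets", f"{ACCOUNT}:*"))
    print("policy1 + fix, ListBuckets         :", is_allowed(with_list_buckets(POLICY_1), "oss:ListBuckets", f"{ACCOUNT}:*"))
    print("policy2 reads metadata of other buckets:", foreign_buckets_readable(POLICY_2))
```

Running the module prints the four checks; the last line is the over-grant in policy 2, since its first statement's Resource is `acs:oss:*:*:*` rather than the bucket you actually meant to share. Scoping the bucket-metadata actions to `acs:oss:*:*:test-bucket` is the usual tightening, keeping only oss:ListBuckets on the wildcard resource.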