TL;DR

  • Scenario: Multi-team and cross-account collaboration requires OSS to simultaneously meet public access, least privilege, and auditability
  • Conclusion: Use RAM Policy for identity, Bucket Policy for source and resource constraints, and ACL only for simple scenarios like public read; explicit deny takes precedence
  • Output: Access control selection guide + policy examples + common errors quick reference

Control Methods

1. ACL (Access Control List)

Bucket ACL:

  • private: only the owner can read and write
  • public-read: everyone can read, only the owner can write
  • public-read-write: everyone can read and write

Object ACL:

  • private: only the owner can read and write
  • public-read: everyone can read, only the owner can write
  • public-read-write: everyone can read and write
  • default: inherits the Bucket ACL

2. RAM Policy

RAM (Resource Access Management) is Alibaba Cloud’s core identity management and access control component. A RAM Policy is made up of these elements:

  • Principal: specifies the authorized RAM user or role
  • Action: defines the specific API operations that are allowed or denied
  • Resource: limits the resource scope the policy applies to
  • Condition: sets additional conditions under which the policy takes effect (such as source IP address or access time)

3. Bucket Policy

A resource-based authorization policy attached to the bucket itself. It supports:

  • Configuration through a graphical interface
  • Cross-account access authorization
  • Access restrictions based on source IP address and Referer conditions
  • Enforcing HTTPS-only access

Example Policy (anonymous read of examplebucket, allowed only from the 192.168.0.0/24 subnet; note that the source-IP condition key is acs:SourceIp, and that Principal, Action and Resource are written as lists):

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": ["*"],
      "Action": ["oss:GetObject"],
      "Resource": ["acs:oss:*:*:examplebucket/*"],
      "Condition": {
        "IpAddress": {"acs:SourceIp": ["192.168.0.0/24"]}
      }
    }
  ]
}

Key Points

  1. Combination Approach: Use RAM Policy for identity, Bucket Policy for resource and source constraints, and ACL only for simple scenarios like public read
  2. Evaluation Rules: An explicit deny takes precedence over any allow (Deny > Allow); a request that matches no allow is denied by default
  3. Least Privilege Principle: Authorize on demand and grant only the actions and resources actually needed
  4. Audit Trail: RAM user operations are recorded in ActionTrail
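The combination approach and the evaluation rules above can be checked offline with a small simulator. The following is an added example written for this page, not Alibaba Cloud's own evaluation engine: it models only what the points above state (a request is matched against the Bucket Policy plus the RAM Policy of the requesting identity; any applicable Deny wins, otherwise an applicable Allow grants access, otherwise access is implicitly denied) and does not model ACLs or bucket ownership. The bucket policy, the RAM policy, the RAM user "uploader", the account id and the object names are constructed for illustration; the condition keys acs:SourceIp and acs:SecureTransport are the ones used for IP and HTTPS restrictions.

```python
"""Simplified OSS policy evaluator (added example, not Alibaba Cloud's engine).

Decision rule modelled: explicit Deny > Allow > implicit deny.
ACLs are not modelled."""
import fnmatch
import ipaddress
import json

# Constructed bucket policy: anonymous GetObject is allowed only from
# 192.168.0.0/24, and every request that is not sent over HTTPS is denied.
BUCKET_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": ["*"],
      "Action": ["oss:GetObject"],
      "Resource": ["acs:oss:*:*:examplebucket/*"],
      "Condition": {"IpAddress": {"acs:SourceIp": ["192.168.0.0/24"]}}
    },
    {
      "Effect": "Deny",
      "Principal": ["*"],
      "Action": ["oss:*"],
      "Resource": ["acs:oss:*:*:examplebucket/*"],
      "Condition": {"Bool": {"acs:SecureTransport": ["false"]}}
    }
  ]
}
""")

# Constructed RAM policy for the hypothetical RAM user "uploader":
# least privilege, it may only write under the uploads/ prefix.
RAM_POLICY_UPLOADER = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:PutObject"],
        "Resource": ["acs:oss:*:*:examplebucket/uploads/*"],
    }],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """Wildcard match for Principal, Action and Resource ('*' matches any run)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, request):
    """All condition keys must hold (AND); the values of one key are alternatives (OR)."""
    for operator, keys in (condition or {}).items():
        for key, values in keys.items():
            actual = request.get(key)
            if actual is None:
                return False
            if operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                if not any(ip in ipaddress.ip_network(v, strict=False) for v in _as_list(values)):
                    return False
            elif operator == "Bool":
                if str(actual).lower() not in [str(v).lower() for v in _as_list(values)]:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, request):
    """Principal, Action, Resource and Condition must all match.
    RAM Policy statements carry no Principal: they apply to the identity they are attached to."""
    if "Principal" in stmt and not _match_any(stmt["Principal"], request["principal"]):
        return False
    if not _match_any(stmt["Action"], request["action"]):
        return False
    if not _match_any(stmt["Resource"], request["resource"]):
        return False
    return _condition_holds(stmt.get("Condition"), request)


def make_request(principal, action, resource, source_ip, https):
    """Build a request record; condition values are keyed by the acs:* names policies use."""
    return {"principal": principal, "action": action, "resource": resource,
            "acs:SourceIp": source_ip, "acs:SecureTransport": "true" if https else "false"}


def evaluate(request, bucket_policy, ram_policy=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny'; an explicit deny beats any allow."""
    statements = list(bucket_policy["Statement"])
    if ram_policy is not None:
        statements += ram_policy["Statement"]
    effects = {s["Effect"] for s in statements if _statement_applies(s, request)}
    if "Deny" in effects:
        return "ExplicitDeny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    obj = "acs:oss:cn-hangzhou:123456789012:examplebucket/uploads/report.pdf"
    print(evaluate(make_request("anonymous", "oss:GetObject", obj, "192.168.0.10", True), BUCKET_POLICY))
    print(evaluate(make_request("anonymous", "oss:GetObject", obj, "192.168.0.10", False), BUCKET_POLICY))
    print(evaluate(make_request("uploader", "oss:PutObject", obj, "203.0.113.7", True),
                   BUCKET_POLICY, RAM_POLICY_UPLOADER))
```

The three printed decisions are Allow, ExplicitDeny and Allow: the anonymous read is allowed from the permitted subnet, the same read over plain HTTP is stopped by the Deny statement even though an Allow also matches, and the RAM user gets its write through the RAM Policy alone because the bucket policy says nothing about PutObject. Distinguishing ExplicitDeny from ImplicitDeny is useful when debugging an AccessDenied error: the former means a Deny statement matched, the latter means no statement granted the action at all.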

Common Error Codes

Error Code              Description
AccessDenied            Access denied: the caller lacks the required permission
SignatureDoesNotMatch   The request signature does not match
InvalidAccessKeyId      The AccessKey ID is invalid
NoSuchBucket            The bucket does not exist
NoSuchKey               The object does not exist
Forbidden               Access forbidden