OSS 对象存储

信息

OSS (Object Storage Service) 是阿里云提供的对象存储服务，也是公有云产品中最为常用的云服务之一

OSS 策略配置

在使用 OSS 存储数据时，通常需要配置访问权限和安全策略，以确保数据的安全性和访问控制。OSS策略分为Bucket ACL和Bucket Policy两种，前者用于设置Bucket级别的权限，后者用于设置更细粒度的权限控制。

Bucket Policy基于RAM（Resource Access Management）策略语法，可以定义更复杂的权限规则，例如允许特定用户或角色访问特定资源，或者限制访问时间和IP地址等。通过合理配置OSS策略，可以有效保护数据安全，同时满足不同用户和应用的访问需求。

设置内网可直接读公网需要加签读取

操作步骤如下：

1. 将ACL设置为Private（默认的就是Private），这种情况下公网和内网均需要加签读取
2. 设置Bucket Policy，用“Add by Syntax”方式直接编辑下面的策略描述
3. 控制台访问或OSS Browser访问，不受影响

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:ListObjects",
        "oss:RestoreObject",
        "oss:GetVodPlaylist",
        "oss:ListObjectVersions",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl",
        "oss:RestoreObjectVersion"
      ],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:528xxxxxxxx:xxx-file/*"],
      "Condition": {
        "StringEquals": {"acs:SourceVpc": ["vpc-xxx"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:528xxxxxxxx:xxx-file"],
      "Condition": {
        "StringLike": {"oss:Prefix": ["*"]},
        "StringEquals": {"acs:SourceVpc": ["vpc-xxx"]}
      }
    }
  ]
}

如果想设置 vpc 或者其他内网网段也可直接访问（例如通过专线接入的云外网络、办公网等），可参考如下策略

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:ListObjects",
        "oss:RestoreObject",
        "oss:GetVodPlaylist",
        "oss:ListObjectVersions",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl",
        "oss:RestoreObjectVersion"
      ],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:528xxxxxxxx:xxx-file/*"],
      "Condition": {
        "IpAddress": {"acs:SourceIp": ["10.17.0.0/16", "10.18.0.0/16"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:528xxxxxxxx:xxx-file"],
      "Condition": {
        "StringLike": {"oss:Prefix": ["*"]},
        "IpAddress": {"acs:SourceIp": ["10.17.0.0/16", "10.18.0.0/16"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl",
        "oss:ListObjects",
        "oss:RestoreObject",
        "oss:GetVodPlaylist",
        "oss:ListObjectVersions",
        "oss:GetObjectVersion",
        "oss:GetObjectVersionAcl",
        "oss:RestoreObjectVersion"
      ],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:528xxxxxxxx:xxx-file/*"],
      "Condition": {
        "StringEquals": {"acs:SourceVpc": ["vpc-xxx"]}
      }
    },
    {
      "Effect": "Allow",
      "Action": ["oss:ListObjects", "oss:GetObject"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:528xxxxxxxx:xxx-file"],
      "Condition": {
        "StringLike": {"oss:Prefix": ["*"]},
        "StringEquals": {"acs:SourceVpc": ["vpc-xxx"]}
      }
    }
  ]
}