Alibaba Cloud OSS: Least Privilege Access Setup
Learn how to create RAM policies with minimal permissions for secure Alibaba Cloud Object Storage Service access with Cloney.
Overview
When connecting your Alibaba Cloud Object Storage Service (OSS) buckets to Cloney for data migration, it's essential to follow the principle of least privilege. This guide walks you through creating RAM (Resource Access Management) credentials with only the permissions necessary for Cloney to read from or write to your OSS buckets.
Never use your Alibaba Cloud root account credentials. Always create dedicated RAM users with minimal required permissions.
Prerequisites
- An Alibaba Cloud account with administrative access to RAM
- The name and region of the OSS bucket(s) you want to connect
- Knowledge of whether you need read-only (source) or write (destination) access
Step 1: Access the RAM Console
- Sign in to the Alibaba Cloud RAM Console
- In the left navigation pane, click Users under Identities
- Click Create User
- Enter a username (e.g.,
cloney-migration-user) - Select Programmatic Access to enable AccessKey creation
- Click OK
Step 2: Create a Source Bucket Policy (Read-Only)
If your OSS bucket will be used as a source for migration (data will be read from it), create this custom policy:
- In the RAM console, go to Permissions → Policies
- Click Create Policy
- Select Script mode and paste the following policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl",
"oss:ListObjects",
"oss:ListObjectVersions",
"oss:GetBucketLocation",
"oss:GetBucketInfo"
],
"Resource": [
"acs:oss:*:*:YOUR-BUCKET-NAME",
"acs:oss:*:*:YOUR-BUCKET-NAME/*"
]
}
]
}Replace YOUR-BUCKET-NAME with your actual OSS bucket name.
Step 3: Create a Destination Bucket Policy (Write Access)
If your OSS bucket will be used as a destination for migration (data will be written to it), use this policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:PutObject",
"oss:PutObjectAcl",
"oss:GetObject",
"oss:ListObjects",
"oss:GetBucketLocation",
"oss:GetBucketInfo",
"oss:AbortMultipartUpload",
"oss:ListMultipartUploads",
"oss:ListParts"
],
"Resource": [
"acs:oss:*:*:YOUR-BUCKET-NAME",
"acs:oss:*:*:YOUR-BUCKET-NAME/*"
]
}
]
}Step 4: Attach Policy to User
- Name the policy (e.g.,
CloneySourcePolicyorCloneyDestinationPolicy) - Click OK to create the policy
- Go back to Users and click on your newly created user
- Click the Permissions tab
- Click Grant Permission
- Select Custom Policy and find your policy
- Click OK to attach the policy
Step 5: Create AccessKey
- On the user details page, click the AccessKey tab
- Click Create AccessKey
- Complete any security verification required
- Download or copy the AccessKey ID and AccessKey Secret
The AccessKey Secret is only displayed once. Make sure to save it securely.
Using Credentials in Cloney
When configuring Alibaba Cloud OSS in Cloney, you'll need:
- Access Key ID: The AccessKey ID from your RAM user
- Access Key Secret: The AccessKey Secret from your RAM user
- Region: The region where your bucket is located (e.g., oss-cn-hangzhou)
- Bucket Name: The name of your OSS bucket
You can now use these credentials in Cloney to connect your Alibaba Cloud OSS bucket securely.
OSS Regions Reference
Common Alibaba Cloud OSS regions:
| Region ID | Location |
|---|---|
| oss-cn-hangzhou | Hangzhou, China |
| oss-cn-shanghai | Shanghai, China |
| oss-cn-beijing | Beijing, China |
| oss-cn-shenzhen | Shenzhen, China |
| oss-ap-southeast-1 | Singapore |
| oss-ap-northeast-1 | Tokyo, Japan |
| oss-us-west-1 | Silicon Valley, USA |
| oss-eu-central-1 | Frankfurt, Germany |
Ready to Start Your Migration?
Create your Cloney account and begin migrating your data securely today.