This topic describes how to use Go SDK V2 to set and retrieve the access control list (ACL) of an object.
Usage notes
The sample code in this topic uses the China (Hangzhou) region (cn-hangzhou) as an example. The public endpoint is used by default. If you want to access OSS from other Alibaba Cloud products in the same region, use an internal endpoint. For more information about the mappings between OSS regions and endpoints, see OSS regions and endpoints.
This topic provides an example of how to obtain access credentials from environment variables. For more information about how to configure access credentials, see Configure access credentials.
To set the access permissions of an object, you must have the oss:PutObjectAcl permission. To retrieve the access permissions of an object, you must have the oss:GetObjectAcl permission. For more information, see Grant a custom policy to a RAM user.
Types of ACLs
Objects support the following four types of access control lists (ACLs):
Access permission | Description | Access permission value |
Inherit from bucket | The object inherits the access permissions of the bucket. | oss.ObjectACLDefault |
Private | The owner of the object and authorized users have read and write permissions on the object. Other users do not have permissions to perform operations on the object. | oss.ObjectACLPrivate |
Public-read | The owner of the object and authorized users have read and write permissions on the object. Other users have only read permissions on the object. Exercise caution when you grant this permission. | oss.ObjectACLPublicRead |
Public-read-write | All users have read and write permissions on the object. Exercise caution when you grant this permission. | oss.ObjectACLPublicReadWrite |
The ACL of an object takes precedence over the ACL of the bucket. For example, if the ACL of the bucket is private and the ACL of an object is public-read-write, all users have read and write permissions on the object. If no ACL is set for an object, the object inherits the ACL of the bucket.
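The precedence rule above is what makes a private bucket an unreliable signal on its own, so it is worth auditing per object. The following Go code is an added example, not part of the SDK or of the original sample: it resolves each object's effective ACL and reports objects that are more exposed than their bucket. The Finding type, the function names and the sample keys are assumptions; in practice the ACL strings would come from the bucket and object ACL queries.

```go
package main

import "fmt"

// ACL string values used by OSS for buckets and objects.
const (
	aclDefault         = "default" // object only: inherit from the bucket
	aclPrivate         = "private"
	aclPublicRead      = "public-read"
	aclPublicReadWrite = "public-read-write"
)

// exposure ranks ACLs from least to most permissive.
var exposure = map[string]int{aclPrivate: 0, aclPublicRead: 1, aclPublicReadWrite: 2}

// Finding is a hypothetical record for one object that is more exposed than its bucket.
type Finding struct{ Key, Effective string }

// EffectiveACL applies the precedence rule: an explicit object ACL wins; "default" or no ACL inherits.
func EffectiveACL(bucketACL, objectACL string) string {
	if objectACL == "" || objectACL == aclDefault {
		return bucketACL
	}
	return objectACL
}

// Audit returns the objects whose own ACL is more permissive than the bucket ACL.
// Each entry in objects is {key, object ACL}.
func Audit(bucketACL string, objects [][2]string) ([]Finding, error) {
	base, ok := exposure[bucketACL]
	if !ok {
		return nil, fmt.Errorf("unknown bucket ACL %q", bucketACL)
	}
	var out []Finding
	for _, o := range objects {
		eff := EffectiveACL(bucketACL, o[1])
		rank, ok := exposure[eff]
		if !ok { // fail closed on values the audit does not understand
			return nil, fmt.Errorf("object %q: unknown ACL %q", o[0], o[1])
		}
		if rank > base {
			out = append(out, Finding{Key: o[0], Effective: eff})
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: a private bucket with one inheriting and one public object.
	fmt.Println(Audit("private", [][2]string{{"a.txt", "default"}, {"b.txt", "public-read"}}))
}
```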
Sample code
You can use the following code to set and retrieve the ACL of an object.
package main

import (
	"context"
	"flag"
	"log"

	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss"
	"github.com/aliyun/alibabacloud-oss-go-sdk-v2/oss/credentials"
)

// Define global variables.
var (
	region     string // The region where the bucket is located.
	bucketName string // The name of the bucket.
	objectName string // The name of the object.
)

// The init function is used to initialize command-line parameters.
func init() {
	flag.StringVar(&region, "region", "", "The region in which the bucket is located.")
	flag.StringVar(&bucketName, "bucket", "", "The name of the bucket.")
	flag.StringVar(&objectName, "object", "", "The name of the object.")
}

func main() {
	// Parse command-line parameters.
	flag.Parse()

	// Check whether the region is empty.
	if len(region) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, region required")
	}

	// Check whether the bucket name is empty.
	if len(bucketName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, bucket name required")
	}

	// Check whether the object name is empty.
	if len(objectName) == 0 {
		flag.PrintDefaults()
		log.Fatalf("invalid parameters, object name required")
	}

	// Load the default configurations and set the credential provider and region.
	cfg := oss.LoadDefaultConfig().
		WithCredentialsProvider(credentials.NewEnvironmentVariableCredentialsProvider()).
		WithRegion(region)

	// Create an OSS client.
	client := oss.NewClient(cfg)

	// Create a request to set the ACL of the object.
	putRequest := &oss.PutObjectAclRequest{
		Bucket: oss.Ptr(bucketName),  // The name of the bucket.
		Key:    oss.Ptr(objectName),  // The name of the object.
		Acl:    oss.ObjectACLPrivate, // Set the ACL of the object to private.
	}

	// Execute the operation to set the ACL of the object.
	putResult, err := client.PutObjectAcl(context.TODO(), putRequest)
	if err != nil {
		log.Fatalf("failed to put object acl %v", err)
	}

	// Print the result of setting the object ACL.
	log.Printf("put object acl result:%#v\n", putResult)

	// Create a request to obtain the ACL (access control list) of the object.
	getRequest := &oss.GetObjectAclRequest{
		Bucket: oss.Ptr(bucketName), // The name of the bucket.
		Key:    oss.Ptr(objectName), // The name of the object.
	}

	// Execute the operation to obtain the ACL of the object.
	getResult, err := client.GetObjectAcl(context.TODO(), getRequest)
	if err != nil {
		log.Fatalf("failed to get object acl %v", err)
	}

	// Print the result of obtaining the object ACL.
	log.Printf("get object acl result:%#v\n", getResult)
}
References
For the complete sample code that is used to set the ACL of an object, see GitHub sample.
For more information about the API operation used to set the ACL of an object, see PutObjectAcl.
For the complete sample code that is used to retrieve the ACL of an object, see GitHub sample.
For more information about the API operation used to retrieve the ACL of an object, see GetObjectAcl.