Configure a custom OSS bucket for DataAgent

Updated at:
Copy as MD

DataAgent lets you configure a custom Alibaba Cloud Object Storage Service (OSS) bucket to store local uploads, session history, and result reports, giving you full control over data storage, access, and retention.

Use cases

  • Manage data analysis files: Store uploaded files (CSV, Excel, etc.) in a designated OSS bucket for tracking and reuse.

  • Persist session history: Save session replays to review past analyses or share with team members.

  • Archive result reports: Store DataAgent artifacts — analysis reports, visualizations — for long-term retention. Share them through OSS download links.

  • Isolate data by workspace: Assign a separate OSS bucket to each workspace for project-level data isolation.

Configuration priority

DataAgent applies OSS configurations in this priority order:

Workspace OSS configuration > Global OSS configuration > Built-in OSS configuration

  • Workspace-level configuration takes the highest precedence.

  • If no workspace configuration exists, the global configuration applies.

  • If no global configuration is set, the built-in default storage is used.

Prerequisites

  • The OSS configuration toggle is enabled at the global or workspace level.

  • You have selected which content types to store: local uploads, session history, or result reports.

  • You have an OSS bucket of the Standard storage class in the same region as your business services.

  • You have configured the required RAM permissions.

RAM permissions

Configuring OSS storage requires the following RAM permissions:

Configuration level

Required RAM permission

Global OSS configuration

dms:UpsertDataAgentGlobalCustomUserConfig

Workspace OSS configuration

dms:UpsertDataAgentCustomUserConfig

Note

The AliyunDMSDataAgentFullAccess system policy includes the dms:UpsertDataAgentCustomUserConfig permission by default. The dms:UpsertDataAgentGlobalCustomUserConfig permission requires an owner or administrator of the main account to create a custom policy.

Custom role configuration

To allow DataAgent to access your OSS bucket, create a custom RAM role and grant it a least-privilege policy.

Step 1: Create a custom policy

  1. Log in to the RAM Policy Console.

  2. Click Create Policy.

  3. Select the JSON Editor mode.

  4. Copy the policy example for your storage types from "Minimum OSS bucket permissions" below.

  5. Enter CustomPolicyForAliyunDataAgentAccessOss as the policy name.

  6. Click OK to create the policy.

Step 2: Create a custom role

  1. Log in to the RAM Role Console.

  2. Click Create Role and select Cloud Service as the principal type.

  3. Select Data Management/DMSEnterprise from the Principle Name drop-down list, and click OK.

  4. In the dialog box that appears, enter CustomRoleForAliyunDataAgentAccessOss as the role name, and click OK.

    Note

    CustomRoleForAliyunDataAgentAccessOss is the role name, which differs from the policy name created in the previous step.

  5. Return to the role list, click the role name, and click Grant Permission on the details page.

  6. Search for and select the CustomPolicyForAliyunDataAgentAccessOss policy that you created in the previous step.

  7. Click OK to confirm the authorization.

Minimum OSS bucket permissions

DataAgent stores three types of files, each requiring different OSS permissions. Grant only the permissions you need.

Local uploads

Note

This feature is supported only in the global configuration, not at the workspace level.

RAM permission

Description

oss:GetObject

Read data from uploaded files.

oss:PutObject

Upload files.

oss:DeleteObject

Delete uploaded files (optional).

Session history files

Supported in both global and workspace-level configurations.

RAM permission

Description

oss:GetObject

Read session replay history.

oss:PutObject

Upload session history files.

oss:ListObjects

List session history files. The resource for this permission must be configured at the bucket level.

Result report files

Supported in both global and workspace-level configurations.

RAM permission

Description

oss:GetObject

Read result artifacts.

oss:PutObject

Upload result artifacts.

Complete configuration example

The following policy covers all three storage types. This example uses the China (Hangzhou) region.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects"
      ],
      "Resource": "acs:oss:oss-cn-hangzhou:${your-aliyun-parent-uid}:${your-oss-bucket-name}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:PutObject",
        "oss:DeleteObject"
      ],
      "Resource": "acs:oss:oss-cn-hangzhou:${your-aliyun-parent-uid}:${your-oss-bucket-name}/*"
    }
  ]
}
Important
  • Replace ${your-aliyun-parent-uid} with the UID of your Alibaba Cloud main account.

  • Replace ${your-oss-bucket-name} with the name of your OSS bucket.

  • The resource for the oss:ListObjects permission must be at the bucket level (without a /* suffix), while the resources for other permissions must be at the object level (with a /* suffix).

CORS configuration

Configure Cross-Origin Resource Sharing (CORS) rules if the DataAgent web interface needs to upload files directly or replay session history. In the OSS console, add the following allowed origins to your bucket:

http://*.console.aliyun.com
https://*.console.aliyun.com
http://*.dms.aliyun.com
https://*.dms.aliyun.com
http://*.dms.alibabacloud.com
https://*.dms.alibabacloud.com
Note

If you integrate DataAgent OpenAPI into your own web application, also add your domain to the allowed origins.

FAQ

Q: How do I decide which region to choose for my OSS bucket?

A: Select the same region as your DataAgent service for optimal performance and minimal network costs.

Q: Can I configure different OSS buckets for different workspaces?

A: Yes. Each workspace has an independent OSS configuration. Workspaces without a specific configuration fall back to the global setting.

Q: Does configuring CORS affect the security of my OSS bucket?

A: No. CORS only allows specified domains to access your bucket through a browser. It does not affect RAM permissions or bucket policies. For additional security, configure a Referer whitelist and use signed URLs.

Q: Why must the resource for oss:ListObjects be at the bucket level?

A: The oss:ListObjects action lists objects in a bucket. Its permission scope is inherently at the bucket level, so the resource ARN does not need to include the /* suffix. This is the standard syntax for OSS RAM permissions.

Q: Can I configure only one storage type?

A: Yes. Enable only the storage types you need and grant only the corresponding permissions.