Configure a custom OSS bucket for DataAgent
DataAgent lets you configure a custom Alibaba Cloud Object Storage Service (OSS) bucket to store local uploads, session history, and result reports, giving you full control over data storage, access, and retention.
Use cases
-
Manage data analysis files: Store uploaded files (CSV, Excel, etc.) in a designated OSS bucket for tracking and reuse.
-
Persist session history: Save session replays to review past analyses or share with team members.
-
Archive result reports: Store DataAgent artifacts — analysis reports, visualizations — for long-term retention. Share them through OSS download links.
-
Isolate data by workspace: Assign a separate OSS bucket to each workspace for project-level data isolation.
Configuration priority
DataAgent applies OSS configurations in this priority order:
Workspace OSS configuration > Global OSS configuration > Built-in OSS configuration
-
Workspace-level configuration takes the highest precedence.
-
If no workspace configuration exists, the global configuration applies.
-
If no global configuration is set, the built-in default storage is used.
Prerequisites
-
The OSS configuration toggle is enabled at the global or workspace level.
-
You have selected which content types to store: local uploads, session history, or result reports.
-
You have an OSS bucket of the Standard storage class in the same region as your business services.
-
You have configured the required RAM permissions.
RAM permissions
Configuring OSS storage requires the following RAM permissions:
|
Configuration level |
Required RAM permission |
|
Global OSS configuration |
|
|
Workspace OSS configuration |
|
The AliyunDMSDataAgentFullAccess system policy includes the dms:UpsertDataAgentCustomUserConfig permission by default. The dms:UpsertDataAgentGlobalCustomUserConfig permission requires an owner or administrator of the main account to create a custom policy.
Custom role configuration
To allow DataAgent to access your OSS bucket, create a custom RAM role and grant it a least-privilege policy.
Step 1: Create a custom policy
-
Log in to the RAM Policy Console.
-
Click Create Policy.
-
Select the JSON Editor mode.
-
Copy the policy example for your storage types from "Minimum OSS bucket permissions" below.
-
Enter
CustomPolicyForAliyunDataAgentAccessOssas the policy name. -
Click OK to create the policy.
Step 2: Create a custom role
-
Log in to the RAM Role Console.
-
Click Create Role and select Cloud Service as the principal type.
-
Select Data Management/DMSEnterprise from the Principle Name drop-down list, and click OK.
-
In the dialog box that appears, enter
CustomRoleForAliyunDataAgentAccessOssas the role name, and click OK.NoteCustomRoleForAliyunDataAgentAccessOssis the role name, which differs from the policy name created in the previous step. -
Return to the role list, click the role name, and click Grant Permission on the details page.
-
Search for and select the
CustomPolicyForAliyunDataAgentAccessOsspolicy that you created in the previous step. -
Click OK to confirm the authorization.
Minimum OSS bucket permissions
DataAgent stores three types of files, each requiring different OSS permissions. Grant only the permissions you need.
Local uploads
This feature is supported only in the global configuration, not at the workspace level.
|
RAM permission |
Description |
|
oss:GetObject |
Read data from uploaded files. |
|
oss:PutObject |
Upload files. |
|
oss:DeleteObject |
Delete uploaded files (optional). |
Session history files
Supported in both global and workspace-level configurations.
|
RAM permission |
Description |
|
oss:GetObject |
Read session replay history. |
|
oss:PutObject |
Upload session history files. |
|
oss:ListObjects |
List session history files. The resource for this permission must be configured at the bucket level. |
Result report files
Supported in both global and workspace-level configurations.
|
RAM permission |
Description |
|
oss:GetObject |
Read result artifacts. |
|
oss:PutObject |
Upload result artifacts. |
Complete configuration example
The following policy covers all three storage types. This example uses the China (Hangzhou) region.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListObjects"
],
"Resource": "acs:oss:oss-cn-hangzhou:${your-aliyun-parent-uid}:${your-oss-bucket-name}"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:PutObject",
"oss:DeleteObject"
],
"Resource": "acs:oss:oss-cn-hangzhou:${your-aliyun-parent-uid}:${your-oss-bucket-name}/*"
}
]
}
-
Replace
${your-aliyun-parent-uid}with the UID of your Alibaba Cloud main account. -
Replace
${your-oss-bucket-name}with the name of your OSS bucket. -
The resource for the
oss:ListObjectspermission must be at the bucket level (without a/*suffix), while the resources for other permissions must be at the object level (with a/*suffix).
CORS configuration
Configure Cross-Origin Resource Sharing (CORS) rules if the DataAgent web interface needs to upload files directly or replay session history. In the OSS console, add the following allowed origins to your bucket:
http://*.console.aliyun.com
https://*.console.aliyun.com
http://*.dms.aliyun.com
https://*.dms.aliyun.com
http://*.dms.alibabacloud.com
https://*.dms.alibabacloud.com
If you integrate DataAgent OpenAPI into your own web application, also add your domain to the allowed origins.