The ossutil 2.0 command line interface enables efficient management of Alibaba Cloud Object Storage Service (OSS) resources on various operating systems, allowing you to quickly upload, download, synchronize, and manage files. It is ideal for developers, O&M engineers, and businesses performing large-scale data migration and daily O&M operations.
Operating system | System architecture | Download link | SHA256 checksum |
Linux | x86_32 | d5647923a96b32d6466258f0c24def271d8309d6914a8d09007fa71b7c9df7c5 | |
x86_64 | 9e02837d806cfe976ae6c1fc22557d8e0a394ca6d298b45fb9f48a360d3a67f4 | ||
arm32 | 5660734e98c7d0da213aa1daca3656c238e97dd607084b9ea94134ff7c8cbf42 | ||
arm64 | 4f76dfd71d2af8265fcb9309b530f4671242cf5993a8fd0f0e089de7e9665f72 | ||
macOS | x86_64 | 6b5fd4902683817e6b419db9ee4b1cb825142e4b95ee603f8aa8e373a69e6bfa | |
arm64 | dc5b73cde2da84c0e2a13935e63bf419a029fac739cfd6febff9a3ad46af22c3 | ||
Windows | x86_32 | 40b8950857ad3a37d979dcabcfd740660f8443ed6703962867c2c802586bf4c2 | |
x86_64 | c6ea0e1444aa1aea5e846d0153fc8cca8d46ef3f453dd6fa61442f360474885b | ||
amd64 | f5984cfc277cc004e9d310147feba652e30c7e0dd15cd3eb0c2651e2f1d3a1e3 |
Quick integration
To get started with the ossutil 2.0 command line interface, follow these steps:
Install ossutil
Linux
Install the unzip tool.
Alibaba Cloud Linux
sudo yum install -y unzipCentOS
sudo yum install -y unzipUbuntu
sudo apt install -y unzipSelect the installation package for your operating system and architecture (Linux x86 32-bit, Linux x86 64-bit, Linux ARM 32-bit, or Linux ARM 64-bit). You can also use curl to download the package. The following example shows how to use curl on a Linux x86_64 system:
curl -o ossutil-2.2.0-linux-amd64.zip https://gosspublic.alicdn.com/ossutil/v2/2.2.0/ossutil-2.2.0-linux-amd64.zipIn the directory where you downloaded the package, run the following command to unzip it.
unzip ossutil-2.2.0-linux-amd64.zipChange to the `ossutil-2.2.0-linux-amd64` directory.
cd ossutil-2.2.0-linux-amd64In the current directory, run the following command.
chmod 755 ossutilRun the following command to make ossutil globally available.
sudo mv ossutil /usr/local/bin/ && sudo ln -s /usr/local/bin/ossutil /usr/bin/ossutilTo verify the installation, run the
ossutilcommand.ossutilIf the help information for ossutil is displayed, the installation is successful.
Windows
Install ossutil.
Select the installation package for your operating system and architecture (Windows x86 32-bit, Windows x86 64-bit, or Windows 7, Windows 8, Windows Server 2008R2).
Unzip the downloaded .zip package to a destination folder and then navigate to the unzipped directory.
Copy the path of the unzipped ossutil folder to configure the system environment variable.
Click the path bar of the current directory and copy the folder path.
Open the Environment Variables dialog box. In the System Variables section, double-click the Path variable. Click New and paste the copied path to the ossutil folder into the new entry.
To verify the installation, run the `ossutil` command.
ossutilIf the help information for ossutil is displayed, the installation is successful.
macOS
Select the installation package for your operating system and architecture (macOS x86 64-bit or macOS ARM 64-bit). You can also use curl to download the package. The following example shows how to use curl on a macOS ARM64 system:
curl -o ossutil-2.2.0-mac-arm64.zip https://gosspublic.alicdn.com/ossutil/v2/2.2.0/ossutil-2.2.0-mac-arm64.zipIn the directory where you downloaded the package, run the following command to unzip it.
unzip ossutil-2.2.0-mac-arm64.zipChange to the `ossutil-2.2.0-mac-arm64` directory.
cd ossutil-2.2.0-mac-arm64In the current directory, run the following command.
chmod 755 ossutilRun the following command to make ossutil globally available.
sudo mv ossutil /usr/local/bin/ && sudo ln -s /usr/local/bin/ossutil /usr/bin/ossutilTo verify the installation, run the `ossutil` command.
ossutilIf the help information for ossutil is displayed, the installation is successful.
Configure ossutil
To prevent operation failures caused by missing configurations, you can use the `ossutil config` command wizard to quickly configure your AccessKey ID, AccessKey secret, and region ID. To manage advanced configurations, see the Configuration guide for information about how to manually configure access credentials.
The following example shows how to use the configuration wizard to quickly configure the AccessKey pair of a RAM user as your access credentials.
Linux
Run the configuration command.
ossutil configWhen prompted, set the path for the configuration file. You can press Enter to use the default path.
Please enter the config file name,the file name can include path(default /root/.ossutilconfig, carriage return will use the default file. If you specified this option to other file, you should specify --config-file option to the file when you use other commands):By default, ossutil uses `/root/.ossutilconfig` as the configuration file.
Follow the prompts to set the AccessKey ID, AccessKey secret, and region ID.
Enter your AccessKey ID.
Please enter Access Key ID [****************id]:yourAccessKeyIDEnter your AccessKey secret.
Please enter Access Key Secret [****************sk]:yourAccessKeySecretEnter the region where the OSS data center is located. If you do not enter a value, the default value `cn-hangzhou` is used.
Please enter Region [ap-southeast-1]:ap-southeast-1Enter the endpoint for the OSS data center. If you do not require a custom endpoint, press Enter to skip this parameter.
After you configure the region in the previous step, the public endpoint that corresponds to that region ID is used by default. For example, if you set
region-idtoap-southeast-1, the default public endpoint ishttps://oss-ap-southeast-1.aliyuncs.com.If you require a custom endpoint for the region where your OSS data center is located, enter the endpoint information. For example, if you want to access OSS from other Alibaba Cloud products in the same region, you can use an internal endpoint, such as
https://oss-ap-southeast-1-internal.aliyuncs.com.Please enter Endpoint (optional, use public endpoint by default) [None]: https://oss-ap-southeast-1-internal.aliyuncs.com
The following table describes the parameters.
Parameter
Required
Description
accessKeyID
Yes
The AccessKey pair for your account. For more information about how to obtain an AccessKey pair, see Create an AccessKey pair.
On the Create Stack page of the Resource Orchestration Service (ROS) console, select the confirmation checkbox under Security Confirmation, and then click Create.
After the stack is created, copy the AccessKey pair from the Outputs tab.
accessKeySecret
Yes
Region
Yes
The ID of the region where the bucket is located. This topic uses the Singapore region as an example. Set the value to
ap-southeast-1. For more information about region IDs, see Regions and endpoints.endpoint
No
The endpoint of the region where the bucket is located. If you do not manually set an endpoint, the public endpoint corresponding to the Region is automatically used. You must explicitly specify an internal endpoint. For example, this topic uses the public endpoint for Singapore. Set the value to
https://oss-ap-southeast-1.aliyuncs.com.If you want to access OSS from other Alibaba Cloud products in the same region, use an internal endpoint. Set the value to
https://oss-ap-southeast-1-internal.aliyuncs.com.For more information about the endpoints of different regions, see Regions and endpoints.
ImportantDue to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
Windows
Run the configuration command.
ossutil configWhen prompted, set the path for the configuration file. You can press Enter to use the default path.
Please enter the config file name,the file name can include path(default "C:\Users\issuser\.ossutilconfig", carriage return will use the default file. If you specified this option to other file, you should specify --config-file option to the file when you use other commands):By default, ossutil uses `C:\Users\issuser\.ossutilconfig` as the configuration file.
Follow the prompts to set the AccessKey ID, AccessKey secret, and region ID.
Enter your AccessKey ID.
Please enter Access Key ID [****************id]:yourAccessKeyIDEnter your AccessKey secret.
Please enter Access Key Secret [****************sk]:yourAccessKeySecretEnter the region where the OSS data center is located. If you do not enter a value, the default value `cn-hangzhou` is used.
Please enter Region [ap-southeast-1]:ap-southeast-1Enter the endpoint for the OSS data center. If you do not require a custom endpoint, press Enter to skip this parameter.
After you configure the region in the previous step, the public endpoint that corresponds to that region ID is used by default. For example, if you set
region-idtoap-southeast-1, the default public endpoint ishttps://oss-ap-southeast-1.aliyuncs.com.If you require a custom endpoint for the region where your OSS data center is located, enter the endpoint information. For example, if you want to access OSS from other Alibaba Cloud products in the same region, you can use an internal endpoint, such as
https://oss-ap-southeast-1-internal.aliyuncs.com.Please enter Endpoint (optional, use public endpoint by default) [None]: https://oss-ap-southeast-1-internal.aliyuncs.com
The following table describes the parameters.
Parameter
Required
Description
accessKeyID
Yes
The AccessKey pair for your account. For more information about how to obtain an AccessKey pair, see Create an AccessKey pair.
On the Create Stack page of the Resource Orchestration Service (ROS) console, select the confirmation checkbox under Security Confirmation, and then click Create.
After the stack is created, copy the AccessKey pair from the Outputs tab.
accessKeySecret
Yes
Region
Yes
The ID of the region where the bucket is located. This topic uses the Singapore region as an example. Set the value to
ap-southeast-1. For more information about region IDs, see Regions and endpoints.endpoint
No
The endpoint of the region where the bucket is located. If you do not manually set an endpoint, the public endpoint corresponding to the Region is automatically used. You must explicitly specify an internal endpoint. For example, this topic uses the public endpoint for Singapore. Set the value to
https://oss-ap-southeast-1.aliyuncs.com.If you want to access OSS from other Alibaba Cloud products in the same region, use an internal endpoint. Set the value to
https://oss-ap-southeast-1-internal.aliyuncs.com.For more information about the endpoints of different regions, see Regions and endpoints.
ImportantDue to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
macOS
Run the configuration command.
ossutil configWhen prompted, set the path for the configuration file. You can press Enter to use the default path.
Please enter the config file name,the file name can include path(default "/Users/user/.ossutilconfig", carriage return will use the default file. If you specified this option to other file, you should specify --config-file option to the file when you use other commands):By default, ossutil uses `/Users/user/.ossutilconfig` as the configuration file.
Follow the prompts to set the AccessKey ID, AccessKey secret, and region ID.
Enter your AccessKey ID.
Please enter Access Key ID [****************id]:yourAccessKeyIDEnter your AccessKey secret.
Please enter Access Key Secret [****************sk]:yourAccessKeySecretEnter the region where the OSS data center is located. If you do not enter a value, the default value `cn-hangzhou` is used.
Please enter Region [ap-southeast-1]:ap-southeast-1Enter the endpoint for the OSS data center. If you do not require a custom endpoint, press Enter to skip this parameter.
After you configure the region in the previous step, the public endpoint that corresponds to that region ID is used by default. For example, if you set
region-idtoap-southeast-1, the default public endpoint ishttps://oss-ap-southeast-1.aliyuncs.com.If you require a custom endpoint for the region where your OSS data center is located, enter the endpoint information. For example, if you want to access OSS from other Alibaba Cloud products in the same region, you can use an internal endpoint, such as
https://oss-ap-southeast-1-internal.aliyuncs.com.Please enter Endpoint (optional, use public endpoint by default) [None]: https://oss-ap-southeast-1-internal.aliyuncs.com
The following table describes the parameters.
Parameter
Required
Description
accessKeyID
Yes
The AccessKey pair for your account. For more information about how to obtain an AccessKey pair, see Create an AccessKey pair.
On the Create Stack page of the Resource Orchestration Service (ROS) console, select the confirmation checkbox under Security Confirmation, and then click Create.
After the stack is created, copy the AccessKey pair from the Outputs tab.
accessKeySecret
Yes
Region
Yes
The ID of the region where the bucket is located. This topic uses the Singapore region as an example. Set the value to
ap-southeast-1. For more information about region IDs, see Regions and endpoints.endpoint
No
The endpoint of the region where the bucket is located. If you do not manually set an endpoint, the public endpoint corresponding to the Region is automatically used. You must explicitly specify an internal endpoint. For example, this topic uses the public endpoint for Singapore. Set the value to
https://oss-ap-southeast-1.aliyuncs.com.If you want to access OSS from other Alibaba Cloud products in the same region, use an internal endpoint. Set the value to
https://oss-ap-southeast-1-internal.aliyuncs.com.For more information about the endpoints of different regions, see Regions and endpoints.
ImportantDue to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
Run commands
Create a bucket.
ossutil mb oss://examplebucketThe following output indicates that the `examplebucket` bucket is created.
0.668238(s) elapsedUpload a file to the bucket.
Create a local file named
uploadFile.txt.echo 'Hello, OSS!' > uploadFile.txtUpload the file to the
examplebucketbucket.ossutil cp uploadFile.txt oss://examplebucketThe following output indicates that the file is uploaded to the
examplebucketbucket.Success: Total 1 file, size 12 B, Upload done:(1 objects, 12 B), avg 44 B/s 0.271779(s) elapsed
Download the file.
Download the `uploadFile.txt` sample file from the `examplebucket` bucket to the local `localfolder` folder.
ossutil cp oss://examplebucket/uploadFile.txt localfolder/The following output indicates that the file is downloaded to the local `localfolder` folder.
Success: Total 1 object, size 12 B, Download done:(1 files, 12 B), avg 74 B/s 0.162447(s) elapsedList the files in the `examplebucket` bucket.
ossutil ls oss://examplebucketThe following output indicates that the files in the `examplebucket` bucket are listed.
LastModifiedTime Size(B) StorageClass ETAG ObjectName 2024-11-26 14:35:29 +0800 CST 12 Standard 1103F650EB2C292D179A032D2A97B0F5 oss://examplebucket/uploadFile.txt Object Number is: 1 0.124679(s) elapsedDelete `uploadFile.txt` from the `examplebucket` bucket.
ossutil rm oss://examplebucket/uploadFile.txtThe following output indicates that `uploadFile.txt` is deleted from the `examplebucket` bucket.
0.295530(s) elapsedDelete the `examplebucket` bucket.
ossutil rb oss://examplebucketThe following output indicates that the `examplebucket` bucket is deleted. 0.478659s elapsed
0.478659(s) elapsed
Configuration guide
ossutil supports configuration through configuration files, environment variables, and command-line options. This provides a high degree of flexibility.
Configuration precedence
ossutil reads configurations in the following order of precedence:
Command-line options (such as -i, -k, and -e) > Environment variables (such as OSS_ACCESS_KEY_ID) > Configuration file (~/.ossutilconfig)
Starting from version 2.2.0, you can use the `--ignore-env-var` command-line option to ignore environment variables that are prefixed with `OSS_`.
Configuration file
You can configure ossutil using a configuration file (the default path is ~/.ossutilconfig, or you can specify a custom path with the -c option). If you use the default configuration file, you do not need to specify the file path and can run ossutil commands directly. Example:
ossutil ls oss://examplebucketIf you use a custom configuration file path, such as /path/yourconfig, you must specify the path with the -c option. Example:
ossutil -c /path/yourconfig ls oss://examplebucketConfiguration file format
The configuration file uses an INI format that consists of sections and key-value pairs. Configuration parameters are saved in specified sections. These configurations are grouped into sections, and you can use the `--profile` option to select a specific section. By default, ossutil uses the settings in the `[default]` section. To use other settings, you can create and reference other configurations.
Sections and key-value pairs
Each section in the configuration file is identified by a name enclosed in square brackets ([]). Settings within a section use the key=value format. Example:
[default]
accessKeyID = "your-access-key-id"
accessKeySecret = "your-access-key-secret"Settings in a section use the
key=valueformat.Section names and keys are not case-sensitive.
Configuration parameter keys support multiple formats, such as all lowercase, camelCase, kebab-case (hyphen-separated), and snake_case (underscore-separated). For example, `accesskeyid`, `accessKeyId`, `access-key-id`, and `access_key_id` all refer to the same parameter name.
Lines that start with a number sign (`#`) are comments.
Supported section types
Section name | Description | Other information |
[default] | Stores the default settings. This section is used when the --profile option is not set. | A simplified form of [profile default]. |
[profile name] | Configures parameters that can be referenced using --profile name. | Supports referencing other configurations using source_profile. |
[buckets name] | Configures endpoints for specific buckets, including region, endpoint, and addressing style. | Supports inline notation. |
You can use the `config` command to view and set configuration content. For more information, see config (Manage configuration files).
Section type: profile
This section is used to configure access credentials and global parameters. The following parameter names are supported:
Access credential parameters
Parameter name
Alias
Description
mode
/
Authentication mode.
Valid values: AK, StsToken, RamRoleArn, EcsRamRole, and Anonymous.
access-key-id
accessKeyId
access_key_id
The AccessKey ID used to access OSS.
access-key-secret
accessKeySecret
access_key_secret
The AccessKey secret used to access OSS.
sts-token
stsToken
sts_token
The Security Token Service (STS) token used to access OSS.
role-arn
roleArn
role_arn
The ARN of the RAM role. This is mainly used in RamRoleArn mode.
role-session-name
roleSessionName
role_session_name
The session name. This is mainly used in RamRoleArn mode.
ecs-role-name
ecsRoleName
ecs_role_name
The role name. This is mainly used in EcsRamRole mode.
credential-process
credentialProcess
credential_process
Specifies an external command.
credential-uri
credentialUri
credential_uri
Specifies a URI from which to obtain access credentials.
oidc-provider-arn
oidcProviderArn
oidc_provider_arn
Specifies the Alibaba Cloud Resource Name (ARN) of the OIDC provider. The format is
acs:ram::account-id:oidc-provider/provider-name.oidc-token-file-path
oidcTokenFilePath
oidc_token_file_path
Specifies the file path for the OIDC token.
credential-process-timeout
credentialProcessTimeout
credential_process_timeout
Specifies the timeout period for external credential requests, in seconds. The default value is 15 (15 seconds). The maximum value is 600 (10 minutes). For example,
credential-process-timeout = 60sets a 60-second timeout. Supported since version 2.0.3.Global parameters
Parameter name
Alias
Description
region
/
The region ID. This parameter is required.
loglevel
/
The log level. Valid values:
off (default)
info
debug
read-timeout
readTimeout
read_timeout
The timeout period for client read and write requests. Unit: seconds. Default value: 20.
connect-timeout
connectTimeout
connect_timeout
The timeout period for client connections. Unit: seconds. Default value: 10.
retry-times
retryTimes
retry_times
The number of retries when an error occurs. Default value: 10.
skip-verify-cert
skipVerifyCert
skip_verify_cert
Skips server-side digital certificate verification.
sign-version
signVersion
sign_version
The signature algorithm version used for requests. Valid values:
v1
v4 (default)
output-format
outputFormat
output_format
The output format. Valid values:
raw (default)
json
xml
yaml
addressing-style
addressingStyle
addressing_style
The format of the request address. Valid values:
virtual (default)
path
cname
language
/
The display language.
endpoint
/
The public endpoint. This parameter is optional.
Other parameters
Parameter name
Alias
Description
source-profile
sourceProfile
source_profile
References parameters from a specified profile. Example:
[profile cred] access-key-id=ak access-key-secret=sk [profile dev] region=cn-hangzhou source-profile=credbuckets
/
References parameters from a specified buckets section.
[profile dev] region=cn-hangzhou access-key-id=ak access-key-secret=sk buckets=dev-bucket [buckets dev-bucket] bucket-name-hz = endpoint=oss-cn-hangzhou-internal.aliyuncs.com bucket-name-bj = region=cn-beijingendpoint-suffix-list-path-style
/
Specifies a list of endpoint suffixes for which the path-style request mode is automatically used. Separate multiple suffixes with commas (
,). Supported since version 2.2.0.Example 1:
endpoint-suffix-list-path-style=DEFAULTExample 2:
endpoint-suffix-list-path-style=DEFAULT,.path-style.comDEFAULT: Indicates the built-in default list, which is currently .privatelink.aliyuncs.com
Section type: buckets
This section is used to configure mappings between specific buckets and endpoints. It supports a nested structure where the `buckets` section is divided into subsections by `bucket-name =`. The format is as follows:
[buckets name]
bucket-name =
key=valueIn this format, `name` is the name of the `buckets` section, `bucket-name` is the name of a specific bucket, and `key=value` are the configuration parameters. The following parameters are supported:
Parameter name | Alias | Description |
region | / | The region where the data center is located. If not set, the region value from the profile that references this parameter is used. |
endpoint | / | The public endpoint. This parameter is optional. |
addressing-style | addressingStyle addressing_style | The format of the request address. Valid values: virtual (default): Uses the virtual-hosted-style request address format. path: Uses the path-style request address format. cname: Uses the CNAME request address format. |
The following is an example of a `buckets` section:
[buckets dev-bucket]
bucket-hz-01 =
region=cn-hangzhou
bucket-hz-02 =
region=cn-hangzhou
endpoint=test.com
addressing-style=cname
bucket-bj-01 =
region=cn-beijingConfigure environment variables
You can configure environment variables by following these steps.
Linux
In the command-line interface, run the following commands to append the environment variable settings to the
~/.bashrcfile:echo "export OSS_ACCESS_KEY_ID='your-access-key-id'" >> ~/.bashrc echo "export OSS_ACCESS_KEY_SECRET='your-access-key-secret'" >> ~/.bashrcRun the following command to apply the changes:
source ~/.bashrcRun the following commands to check whether the environment variables are effective:
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
macOS
In the terminal, run the following command to view the default shell type.
echo $SHELLPerform the following operations based on your default shell type.
Zsh
Run the following commands to append the environment variable settings to the
~/.zshrcfile:echo "export OSS_ACCESS_KEY_ID='your-access-key-id'" >> ~/.zshrc echo "export OSS_ACCESS_KEY_SECRET='your-access-key-secret'" >> ~/.zshrcRun the following command to apply the changes:
source ~/.zshrcRun the following commands to check whether the environment variables are effective:
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Bash
Run the following commands to append the environment variable settings to the
~/.bash_profilefile:echo "export OSS_ACCESS_KEY_ID='your-access-key-id'" >> ~/.bash_profile echo "export OSS_ACCESS_KEY_SECRET='your-access-key-secret'" >> ~/.bash_profileRun the following command to apply the changes:
source ~/.bash_profileRun the following commands to check whether the environment variables are effective:
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Windows
Run the following commands in the Command Prompt (CMD):
setx OSS_ACCESS_KEY_ID "your-access-key-id" setx OSS_ACCESS_KEY_SECRET "your-access-key-secret"Open a new CMD window.
In the new CMD window, run the following commands to check whether the environment variables are effective:
echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
The following environment variables can be configured:
Environment variable name | Corresponding parameter name |
OSS_ACCESS_KEY_ID | access-key-id |
OSS_ACCESS_KEY_SECRET | access-key-secret |
OSS_SESSION_TOKEN | sts-token |
OSS_ROLE_ARN | ram-role-arn |
OSS_ROLE_SESSION_NAME | role-session-name |
OSS_REGION | region |
OSS_ENDPOINT | endpoint |
OSSUTIL_CONFIG_FILE | config-file |
OSSUTIL_PROFILE | profile |
Configure command-line options
ossutil provides multiple command-line options, including support for global command-line options. Command-line options have the highest priority and override parameters set in configuration files or environment variables.
Passing an AccessKey pair through command-line options can expose the key in log systems, which creates a security risk. Use this method with caution.
ossutil ls oss://examplebucket -i "your-access-key-id" -k "your-access-key-secret"Access credential configuration
Use the AccessKey pair of a RAM user
If your application runs in a secure and stable environment that is not susceptible to external attacks, requires long-term access to OSS, and cannot rotate credentials frequently, you can initialize the credential provider with the AccessKey pair (AccessKey ID and AccessKey secret) of an Alibaba Cloud account or a RAM user. This method requires you to manually maintain an AccessKey pair, which increases security risks and maintenance complexity.
Configuration file
Create the following configuration file and save it as ~/.ossutilconfig.
[default]
accessKeyID = yourAccessKeyID
accessKeySecret = yourAccessKeySecret
region=ap-southeast-1Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket -c ~/.ossutilconfigEnvironment variables
export OSS_ACCESS_KEY_ID=yourAccessKeyID
export OSS_ACCESS_KEY_SECRET=yourAccessKeySecret
ossutil ls oss://examplebucketCommand-line options
Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket -i yourAccessKeyID -k yourAccessKeySecretUse an STS token
If your application requires temporary access to OSS, you can initialize the credential provider with temporary identity credentials (AccessKey ID, AccessKey secret, and Security Token) obtained from the STS service. This method requires you to manually maintain an STS token, which increases security risks and maintenance complexity. Additionally, to access OSS temporarily multiple times, you must manually refresh the STS token.
Configuration file
Create the following configuration file and save it as ~/.ossutilconfig.
[default]
accessKeyID = yourSTSAccessKeyID
accessKeySecret = yourSTSAccessKeySecret
stsToken = yourSecurityToken
region=ap-southeast-1Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket -c ~/.ossutilconfigEnvironment variables
export OSS_ACCESS_KEY_ID=yourSTSAccessKeyID
export OSS_ACCESS_KEY_SECRET=yourSTSAccessKeySecret
export OSS_SESSION_TOKEN=yourSecurityToken
ossutil ls oss://examplebucketCommand-line options
Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket -i yourSTSAccessKeyID -k yourSTSAccessKeySecret -t yourSecurityTokenUse a RAMRoleARN
If your application requires authorized access to OSS, such as cross-account access, you can initialize the credential provider with a RAMRoleARN. This method is based on STS tokens. By specifying the Alibaba Cloud Resource Name (ARN) of a RAM role, the credentials tool requests an STS token from the STS service and calls the AssumeRole operation to apply for a new STS token before the current session expires. You can also assign a value to the policy parameter to restrict the RAM role to a smaller set of permissions.
An Alibaba Cloud account has full permissions on its resources. If the AccessKey pair of an Alibaba Cloud account is leaked, it poses a significant security risk to your system. We do not recommend using the AccessKey pair of an Alibaba Cloud account. Instead, use the AccessKey pair of a RAM user with the minimum required permissions.
For more information about how to create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and AccessKey secret of a RAM user are displayed only when they are created. You must save them immediately. If you forget them, you must create a new AccessKey pair for rotation.
For more information about how to obtain a RAMRoleARN, see CreateRole.
Create the following configuration file and save it as ~/.ossutilconfig. This method is not supported through environment variables or command-line options.
[default]
accessKeyID = yourAccessKeyID
accessKeySecret = yourAccessKeySecret
mode = RamRoleArn
roleArn = acs:ram::137918634953****:role/Alice
roleSessionName = session_name_example
region=ap-southeast-1Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket -c ~/.ossutilconfigUse an EcsRamRole
If your application runs on an ECS instance, an ECI instance, or a worker node of Container Service for Kubernetes, we recommend that you initialize the credential provider with an EcsRamRole. This method is based on STS tokens. EcsRamRole lets you associate a role with an ECS instance, an ECI instance, or a worker node of Container Service for Kubernetes to automatically refresh the STS token within the instance. This method does not require you to provide an AccessKey pair or an STS token, which eliminates the risks of manual maintenance. For more information about how to obtain an EcsRamRole, see CreateRole.
This method is not supported through environment variables.
Configuration file
Create the following configuration file and save it as ~/.ossutilconfig.
[default]
mode = EcsRamRole
# ecsRoleName is optional. If not set, it is automatically obtained.
ecsRoleName = EcsRamRoleOss
region=ap-southeast-1Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket -c ~/.ossutilconfigCommand line interface
Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket --mode EcsRamRoleUse an OIDCRoleARN
After you configure a RAM role for worker nodes in Container Service for Kubernetes, applications in pods on those nodes can obtain the STS token for the associated role through the Metadata Server, similar to applications deployed on ECS instances. However, if you deploy untrusted applications on the cluster, such as applications submitted by customers with unvetted code, you may not want them to access the STS token of the instance RAM role that is associated with the worker node. To protect your cloud resources while allowing these untrusted applications to securely obtain the necessary STS tokens and achieve application-level permission minimization, you can use the RAM Roles for Service Accounts (RRSA) feature. This method is based on STS tokens. The Alibaba Cloud container cluster creates and mounts a corresponding service account OIDC token file for different application pods and injects the relevant configuration information into environment variables. The credentials tool retrieves this configuration from the environment variables and calls the `AssumeRoleWithOIDC` operation of STS to exchange the OIDC token for an STS token for the bound role. This method eliminates the risk of manually maintaining an AccessKey pair or an STS token. For more information, see Pod permission isolation based on RRSA.
Create the following configuration file and save it as ~/.ossutilconfig. This method is not supported through environment variables or command-line options.
[default]
mode = oidcRoleArn
# Specifies the Alibaba Cloud Resource Name (ARN) of the OIDC provider. The format is acs:ram::account-id:oidc-provider/provider-name.
OIDCProviderArn=acs:ram::113511544585****:oidc-provider/TestOidcProvider
# Specifies the file path for the OIDC token.
OIDCTokenFilePath=OIDCTokenFilePath
# Enter the ARN of the role to assume. The format is acs:ram::113511544585****:oidc-provider/TestOidcProvider.
roleArn=acs:ram::113511544585****:role/testoidc
# A custom role session name to distinguish different tokens.
roleSessionName= TestOidcAssumedRoleSession
region=ap-southeast-1Run the following command to query objects in the `examplebucket` bucket.
ossutil ls oss://examplebucket -c ~/.ossutilconfigObtain credentials from an external process
ossutil can start an independent external process using an external command. The external process runs and returns its result to ossutil through standard output. You can use an external process to obtain credentials.
The command that generates credentials must not be accessible by unapproved processes or users to avoid security risks.
The command that generates credentials must not write any secret information to `stderr` or `stdout` because this information could be captured or logged, which can expose it to unauthorized users.
The external command can return long-term or temporary credentials in the following formats.
Long-term credentials
{
"AccessKeyId" : "ak",
"AccessKeySecret" : "sk",
}Temporary credentials
{
"AccessKeyId" : "ak",
"AccessKeySecret" : "sk",
"Expiration" : "2023-12-29T07:45:02Z",
"SecurityToken" : "token",
}Generate the following configuration file and save it to ~/.ossutilconfig. You cannot configure these settings using environment variables or command-line options.
[default]
mode = Process
credentialProcess = user-cmd
region=ap-southeast-1Run the following command to query the objects in the `examplebucket` bucket:
ossutil ls oss://examplebucket -c ~/.ossutilconfigAnonymous Access
If you only need to access OSS resources that have public-read permission, you can use anonymous access without providing any credentials.
ossutil cat oss://bucket/public-object --mode AnonymousCommand reference
ossutil provides three types of commands: high-level commands, API-level commands, and helper commands.
Command structure
The common format for ossutil commands is as follows:
ossutil command [argument] [flags]
ossutil command subcommond [argument] [flags]
ossutil topicargument: A string parameter.
flags: Options that support a short-name style (
-o[=value]or `-o [value]`) and a long-name style (--options[=value]or `--options [value]`). If you specify an exclusive parameter multiple times, only the last value takes effect.
The following are examples of commands:
Command:
ossutil cat oss://bucket/objectMulti-level command:
ossutil api get-bucket-cors --bucket bucketexampleHelp topic:
ossutil filter
Command list
ossutil provides three types of commands:
High-level commands
These are used for common bucket or object operations, such as creating and deleting buckets, copying data, and modifying object properties.
Command name
Description
Creates a bucket
Deletes a bucket
Gets the storage size of a bucket or a specified prefix
Displays the description of a bucket or object
Creates an object whose name ends with a forward slash (
/)Appends content to the end of an appendable object
Concatenates object content to standard output
Lists buckets or objects
Uploads, downloads, or copies objects
Deletes objects in a bucket
Sets the properties of an object
Generates a signed URL for an object
Restores a frozen object to a readable state
Restores an object to a specified version
Synchronizes a local file directory or objects from a source to a destination
Calculates the hash value of a file or object
API-level commands provide direct access to API operations and support the configuration parameters of those operations.
NoteOnly a subset of commands are listed. You can run
ossutil api -hto view all commands.Command name
Description
Sets or modifies the access permissions of a bucket
Gets access permissions
....
Sets cross-origin resource sharing rules
Gets cross-origin resource sharing rules
Deletes cross-origin resource sharing rules
Helper commands, such as commands for configuring files and accessing additional help topics.
Command name
Description
Gets help information
Creates a configuration file to store configuration items and access credentials
Updates the version
Displays version information
Probes commands
Command option types
Option type | Option | Description |
String | --option string |
Example: --acl private. |
Boolean | --option | Enables or disables an option. Example: --dry-run. |
Integer | --option Int | An unsigned integer. Example: --read-timeout 10. |
Timestamp | --option Time | ISO 8601 format, which is DateTime or Date. Example: --max-mtime 2006-01-02T15:04:05. |
Byte unit suffix | --option SizeSuffix | The default unit is bytes (B). You can also use unit suffixes. Supported suffixes are K (KiB) = 1024 bytes, M (MiB), G (GiB), T (TiB), P (PiB), and E (EiB). Example: Minimum size is 1024 bytes. --min-size 1024 --min-size 1K |
Time unit suffix | --option Duration | A time unit. The default unit is seconds. Supported suffixes are ms (milliseconds), s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months), and y (years). Decimals are supported. Example: 1.5 days. --min-age 1.5d |
String list | --option strings | Supports single or multiple options with the same name. Supports multiple values separated by commas (,). Supports single values for multiple options. Example: --metadata user=jack,email=ja**@test.com --metadata address=china |
String array | --option stringArray | Supports single or multiple options with the same name. Only supports single values for multiple options. Example: --include *.jpg --include *.txt. |
Load data from sources other than the command line
Typically, parameter values are provided on the command line. However, for complex parameter values, you may need to load them from a file. When you chain multiple command operations, you may need to load parameter values from standard input. For parameters that must support multiple loading methods, the following conventions apply:
A value that starts with
file://indicates that the value is loaded from a file path.A parameter value of
-indicates that the value is loaded from standard input.
For example, to set the cross-origin resource sharing (CORS) settings for a bucket in JSON format, you can load the parameters from a file. The `cors-configuration.json` file is as follows:
{
"CORSRule": {
"AllowedOrigin": ["www.aliyun.com"],
"AllowedMethod": ["PUT","GET"],
"MaxAgeSeconds": 10000
}
}ossutil api put-bucket-cors --bucket examplebucket --cors-configuration file://cors-configuration.jsonTo load the CORS parameters as an option value, use the compact form of `cors-configuration.json`:
{"CORSRule":{"AllowedOrigin":["www.aliyun.com"],"AllowedMethod":["PUT","GET"],"MaxAgeSeconds":10000}}ossutil api put-bucket-cors --bucket examplebucket --cors-configuration "{\"CORSRule\":{\"AllowedOrigin\":[\"www.aliyun.com\"],\"AllowedMethod\":[\"PUT\",\"GET\"],\"MaxAgeSeconds\":10000}}"The following is an example of how to load parameters from standard input:
cat cors-configuration.json | ossutil api put-bucket-cors --bucket examplebucket --cors-configuration -Control command output
Output format
For subcommands under `ossutil api`, and for the `du` and `stat` commands, you can use the --output-format parameter to adjust the output format. The following formats are supported:
Format name | Description |
raw | Outputs the content in its original format, as returned by the server. |
json | Outputs in JSON string format. |
yaml | Outputs in YAML string format. |
xml | Outputs in XML string format. |
For example, for get-bucket-cors, the original content is as follows:
ossutil api get-bucket-cors --bucket bucketexample
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration>
<CORSRule>
<AllowedOrigin>www.aliyun.com</AllowedOrigin>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>GET</AllowedMethod>
<MaxAgeSeconds>10000</MaxAgeSeconds>
</CORSRule>
<ResponseVary>false</ResponseVary>
</CORSConfiguration>The JSON output is as follows:
ossutil api get-bucket-cors --bucket bucketexample --output-format json
{
"CORSRule": {
"AllowedMethod": [
"PUT",
"GET"
],
"AllowedOrigin": "www.aliyun.com",
"MaxAgeSeconds": "10000"
},
"ResponseVary": "false"
}Filter output
ossutil provides a built-in, JSON-based client-side filtering feature that you can use with the --output-query value option.
This option is supported only for subcommands under `ossutil api`.
This feature is based on JMESPath syntax. When you use this feature, the returned content is converted to JSON, filtered using JMESPath, and then displayed in the specified format. For more information about JMESPath syntax, see JMESPath Specification.
For example, to display only the `AllowedMethod` content for `get-bucket-cors`, run the following command:
ossutil api get-bucket-cors --bucket bucketexample --output-query CORSRule.AllowedMethod --output-format json
[
"PUT",
"GET"
]Human-readable display
For high-level commands such as `du` and `stat`, the --human-readable option is available to display byte and count data in a human-readable format. Byte data is converted to a format with Ki, Mi, Gi, or Ti suffixes (base 1024). Count data is converted to a format with k, m, g, t, or p suffixes (base 1000).
Example: Raw mode
ossutil stat oss://bucketexample
ACL : private
AccessMonitor : Disabled
ArchiveObjectCount : 2
ArchiveRealStorage : 10
ArchiveStorage : 131072
...
StandardObjectCount : 119212
StandardStorage : 66756852803
Storage : 66756852813
StorageClass : Standard
TransferAcceleration : DisabledFriendly Mode
ossutil stat oss://bucketexample --human-readable
ACL : private
AccessMonitor : Disabled
ArchiveObjectCount : 2
ArchiveRealStorage : 10
ArchiveStorage : 131.072k
...
StandardObjectCount : 119.212k
StandardStorage : 66.757G
Storage : 66.757G
StorageClass : Standard
TransferAcceleration : DisabledCommand return codes
When you call ossutil through a process, you cannot view the output in real time. After a process is complete, ossutil generates different return codes based on the result. You can retrieve the return code of the last run to analyze and handle issues. The following table describes the return codes and their meanings.
Linux
Run the following command to retrieve the return code: echo $?.
Windows
Run the following command to retrieve the return code: echo %errorlevel%.
macOS
Run the following command to retrieve the return code: echo $?.
Return code | Description |
0 | The command was successful. The request sent to the server was executed normally, and the server returned a 200 response. |
1 | Parameter error. For example, a required subcommand or parameter is missing, or an unknown command or parameter was used. |
2 | The command was parsed successfully and a request was sent to the specified service, but the service returned an error (a non-2xx response). |
3 | A non-server error was encountered when calling the OSS Go SDK. |
4 | An error occurred in some requests during a batch operation, such as `cp` or `rm`. |
5 | Interruption error. A command was canceled by pressing Ctrl+C during execution. |
Command-line options
In command-line operations, some commands require additional parameters to specify the target of the operation or to set options, whereas other commands do not. For commands that take parameters, you can provide appropriate parameter values to achieve the desired functionality. For example:
ossutil ls --profile devThe command ossutil ls --profile dev allows the user to specify a particular configuration profile using the parameter value dev. Options that take parameters usually require a space or an equal sign (`=`) to separate the option name from the parameter value, such as --profile dev or --profile=dev. If a parameter value contains spaces, you must enclose the entire value in double quotation marks to ensure that the command is parsed correctly, such as --description "OSS bucket list".
Global command-line options
Parameter | Type | Description |
-i, --access-key-id | string | The AccessKey ID used to access OSS. |
-k, --access-key-secret | string | The AccessKey secret used to access OSS. |
--addressing-style | string | The format of the request address. Valid values:
|
-c, --config-file | string | The path to the configuration file. The default value is |
--connect-timeout | int | The timeout period for client connections. Unit: seconds. Default value: 10. |
-n, --dry-run | / | Performs a dry run without making any changes. |
-e, --endpoint | string | The public endpoint. |
-h, --help | / | Displays help information. |
--language | string | The display language. |
--loglevel | string | The log level. Valid values:
|
--mode | string | The authentication mode. Valid values:
|
--output-format | string | The output format. Default value: raw. |
--output-query | string | The JMESPath query condition. |
--profile | string | Specifies the profile in the configuration file. |
-q, --quiet | / | Quiet mode, which prints as little information as possible. |
--read-timeout | int | The timeout period for client read and write requests. Unit: seconds. Default value: 20. |
--region | string | The region where the data center is located. You can set this to cn-hangzhou. |
--retry-times | int | The number of retries when an error occurs. Default value: 10. |
--sign-version | string | The signature algorithm version used for requests. Valid values:
|
--skip-verify-cert | / | Skips server-side digital certificate verification. |
-t, --sts-token | string | The STS token used to access OSS. |
--proxy | string | Specifies a proxy server. Supported since version 2.0.1. The value can be one of the following:
|
--log-file | string | Specifies the log output file. Supported since version 2.0.1. The value can be:
If no log output file is specified, logs are output to the default configuration file. |
--cloudbox-id | string | The CloudBox ID, used in CloudBox scenarios. Supported since version 2.1.0. |
--ignore-env-var | / | Ignores all environment variable configurations prefixed with |
--bind-address | string | Specifies the local IP address (IPv4 or IPv6) to which outbound connections are bound. Supported since version 2.2.0. |
--account-id | string | The account ID, used for identity identification and resource ownership judgment in vector bucket scenarios. Supported since version 2.2.0. |
Common command-line options
Command scope | Supported options |
All high-level commands |
|
Commands that support batch operations |
|
Commands that support destination filtering rules |
|
Commands that support single objects | --version-id string: The version ID of the object. |
Commands that support list mode | --list-format: The format of the list file. Valid values: plain, inventory. --list-manifest-from: Reads the description information of the list file format from a file. This parameter must be set when the list file format is inventory. |
FAQ
When I run an ossutil command, the error "region must be set in sign version 4" is reported
Cause: The region ID was not configured when you configured ossutil 2.0.
Solution: To prevent operation failures caused by missing configuration items when you use ossutil, make sure that you configure the necessary basic items: AccessKey ID, AccessKey secret, and region ID. The region ID is especially important because the signature has been upgraded to V4, which makes it a required item. For more information about how to obtain a region ID, see Regions and endpoints.