GitHub | OSS SDK for Python 2.0 Developer Guide | OSS SDK for Python 2.0 Docs
Quick start
Prerequisites
You need Python 3.8 or later.
To check your Python version, run the python --version command. If Python is not installed or your version is lower than 3.8, download and install Python.
Install the SDK
-
Install the latest version to ensure the code examples run correctly.
pip install alibabacloud-oss-v2 -
Import the SDK package:
import alibabacloud_oss_v2 as oss
Configure access credentials
Configure credentials with a RAM user's AccessKey pair.
-
In the RAM console, create a RAM user and select Using permanent AccessKey to access. Save the AccessKey pair, and then grant the
AliyunOSSFullAccesspermission to the user. -
Use the RAM user's AccessKey pair to configure environment variables.
Linux
-
Append the environment variables to the
~/.bashrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bashrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bashrc-
Apply the changes.
source ~/.bashrc -
Verify the environment variables.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
-
macOS
-
Check the default shell type.
echo $SHELL-
Follow the steps for your shell type.
Zsh
-
Append the environment variables to the
~/.zshrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.zshrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.zshrc -
Apply the changes.
source ~/.zshrc -
Verify the environment variables.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Bash
-
Append the environment variables to the
~/.bash_profilefile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bash_profile echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bash_profile -
Apply the changes.
source ~/.bash_profile -
Verify the environment variables.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
-
-
Windows
CMD
-
Set the environment variables in CMD.
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID" setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"-
Verify the environment variables.
echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
-
PowerShell
-
Set the environment variables in PowerShell.
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)-
Verify the environment variables.
[Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)
-
-
Initialize client
Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
Before you run the sample code, replace placeholders such as<region-id>with the actual region and endpoint, such asap-southeast-1.
Sync OSSClient
import alibabacloud_oss_v2 as oss
def main():
"""
Configuration details for initializing the Python SDK V2 client:
1. Signature version: The SDK uses Signature V4 by default for enhanced security.
2. Region configuration: When you initialize the client, you must specify an Alibaba Cloud region ID.
3. Endpoint configuration:
- You can use the endpoint parameter to specify a custom endpoint for service requests.
- If you do not specify an endpoint, the SDK automatically constructs a public endpoint based on the specified region.
4. Protocol configuration:
- The SDK uses HTTPS to construct the endpoint by default.
- To use HTTP, you must explicitly specify the protocol in the endpoint.
"""
# Load credentials from environment variables for authentication.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configurations and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Method 1: Specify only the region (Recommended).
# You must specify a region ID. The SDK automatically constructs an HTTPS endpoint based on the region.
cfg.region = '<region-id>'
# # Method 2: Specify both the region and the endpoint.
# # You must specify a region ID.
# cfg.region = '<region-id>'
# # Specify the public endpoint of the region where the bucket is located.
# cfg.endpoint = '<endpoint>'
# Create an OSS client with the specified configurations.
client = oss.Client(cfg)
# Define the string to upload.
text_string = "Hello, OSS!"
data = text_string.encode('utf-8') # Encode the string as a UTF-8 byte string.
# Send a request to upload the object. Specify the bucket name, object key, and data.
result = client.put_object(oss.PutObjectRequest(
bucket="Your Bucket Name",
key="Your Object Key",
body=data,
))
# Print the status code, request ID, and ETag to verify that the request was successful.
print(f'status code: {result.status_code}\n'
f'request id: {result.request_id}\n'
f'etag: {result.etag}'
)
# When this script is run directly, call the main function.
if __name__ == "__main__":
main()Async OSSClient
Async OSSClient requirements:
-
alibabacloud-oss-v2: >= 1.2.0
-
Install aiohttp:
pip install aiohttp
import asyncio
import alibabacloud_oss_v2 as oss
import alibabacloud_oss_v2.aio as oss_aio
async def main():
"""
Configuration details for initializing the Python SDK V2 async client:
1. Signature version: The SDK uses Signature V4 by default for enhanced security.
2. Region configuration: When you initialize the AsyncClient, you must specify an Alibaba Cloud region ID.
3. Endpoint configuration:
- You can use the endpoint parameter to specify a custom endpoint for service requests.
- If you do not specify an endpoint, the SDK automatically constructs a public endpoint based on the specified region.
4. Protocol configuration:
- The SDK uses HTTPS to construct the endpoint by default.
- To use HTTP, you must explicitly specify the protocol in the endpoint.
5. Asynchronous features:
- Import the async module: import alibabacloud_oss_v2.aio as oss_aio
- Create an async client: oss_aio.AsyncClient(cfg)
- All operations require the await keyword.
- You must call await client.close() in a finally block to close the connection.
- You must install the aiohttp dependency: pip install aiohttp
"""
# Load credentials from environment variables for authentication.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configurations and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Method 1: Specify only the region (Recommended).
# You must specify a region ID. The SDK automatically constructs an HTTPS endpoint based on the region.
cfg.region = '<region-id>'
# # Method 2: Specify both the region and the endpoint.
# # You must specify a region ID.
# cfg.region = '<region-id>'
# # Specify the public endpoint of the region where the bucket is located.
# cfg.endpoint = '<endpoint>'
# Create an OSS async client with the specified configurations.
client = oss_aio.AsyncClient(cfg)
try:
# Define the string to upload.
text_string = "Hello, OSS!"
data = text_string.encode('utf-8') # Encode the string as a UTF-8 byte string.
# Send an async request to upload the object. Specify the bucket name, object key, and data.
# Note: Use the await keyword to wait for the async operation to complete.
result = await client.put_object(
oss.PutObjectRequest(
bucket="Your Bucket Name",
key="Your Object Key",
body=data,
)
)
# Print the status code, request ID, and ETag to verify that the request was successful.
print(f'status code: {result.status_code}\n'
f'request id: {result.request_id}\n'
f'etag: {result.etag}'
)
except Exception as e:
print(f'Upload failed: {e}')
finally:
# Close the async client connection to prevent resource leaks.
await client.close()
# When this script is run directly, call the main function.
if __name__ == "__main__":
# Use asyncio.run() to run the async main function.
asyncio.run(main())Successful upload output:
status code: 200
request id: 6875F95738B0ED3030F086A0
etag: "56AAD346F0899BFE8BDD02C06BBE511E"Client configuration
Custom domain name
Custom domain names enable object previews in a browser and CDN-accelerated delivery.
Before running the sample code, replace the<region-id>placeholder with the region and endpoint, for example,ap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Load credentials from environment variables.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configurations and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Specify the bucket's region.
cfg.region = '<region-id>'
# Specify your custom domain name. For example, www.example-***.com.
cfg.endpoint = 'https://www.example-***.com'
# Set use_cname to True to use a custom domain name.
cfg.use_cname = True
# Create an OSS client.
client = oss.Client(cfg)
# Use the client for subsequent operations.
# Script entry point.
if __name__ == "__main__":
main()Timeout control
Before you run the sample code, replace the<region-id>placeholder with a region and endpoint, such asap-southeast-1.
import alibabacloud_oss_v2 as oss
from typing import Dict, Any
def main():
# Load credentials from environment variables.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default configuration.
cfg = oss.config.load_default()
# Override the default connection timeout (10 seconds).
cfg.connect_timeout = 30
# Override the default read/write timeout (20 seconds).
cfg.readwrite_timeout = 30
# Set the credentials provider.
cfg.credentials_provider = credentials_provider
# Specify the region.
cfg.region = '<region-id>'
# Create an OSS client with the specified configuration.
client = oss.Client(cfg)
# Run the main function when the script is executed directly.
if __name__ == "__main__":
main()Retry policy
Before running the sample code, replace the<region-id>placeholder with the region and endpoint, for example,ap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
"""
SDK retry policy configuration:
Default retry policy:
If you do not configure a retry policy, the SDK uses StandardRetryer() by default. The default configuration is as follows:
- max_attempts: The maximum number of retry attempts. Default: 3.
- max_backoff: The maximum backoff time in seconds. Default: 20.
- base_delay: The base delay time in seconds. Default: 0.2.
- backoff_delayer: The backoff algorithm. The SDK uses exponential backoff with jitter (FullJitter) by default.
Formula: random.uniform(0, 1) * min(2 ** attempts * base_delay, max_backoff)
- error_retryables: The types of retryable errors. For more information, see https://gosspublic.alicdn.com/sdk-doc/alibabacloud-oss-python-sdk-v2/latest/_modules/alibabacloud_oss_v2/retry/error_retryable.html
When a retryable error occurs, the client delays and retries the request according to this configuration.
The overall request latency increases with each retry. If the default configuration does not meet your requirements,
you can customize the retry parameters or modify the retry implementation.
"""
# Load credentials from environment variables.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default configurations.
cfg = oss.config.load_default()
# Retry policy configuration examples:
# 1. Customize the maximum number of retries (default: 3, set to 5 here).
cfg.retryer = oss.retry.StandardRetryer(max_attempts=5)
# 2. Customize the backoff delay time.
# Adjust base_delay to 0.5 seconds (default: 0.2) and max_backoff to 25 seconds (default: 20).
# cfg.retryer = oss.retry.StandardRetryer(max_backoff=25, base_delay=0.5)
# 3. Customize the backoff algorithm.
# Replace the default FullJitter algorithm with a fixed-delay backoff of 2 seconds.
# cfg.retryer = oss.retry.StandardRetryer(backoff_delayer=oss.retry.FixedDelayBackoff(2))
# 4. Disable the retry policy.
# Use retry.NopRetryer() to disable all retry attempts.
# cfg.retryer = oss.retry.NopRetryer()
# Set the credentials provider.
cfg.credentials_provider = credentials_provider
# Specify the region where the bucket is located.
cfg.region = '<region-id>'
# Create an OSS client with the specified configurations.
client = oss.Client(cfg)
# Use the created client for subsequent operations...
# When this script is run directly, call the main function.
if __name__ == "__main__":
main()Set the connection pool size
For the http_client, use the max_connections parameter to set the connection pool size.
Before you run the sample code, replace the<region-id>placeholder with an actual region, for example,ap-southeast-1.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# OSS Python SDK V2 connection pool configuration example
import alibabacloud_oss_v2 as oss
def main():
# Load access credentials from environment variables (OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET must be set).
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configuration and set the credentials provider.
config = oss.config.load_default()
config.credentials_provider = credentials_provider
# Set the OSS service region.
config.region = "<region-id>"
# ============ Custom HTTP client configuration ============
# Create a dictionary for the HTTP client configuration.
http_client_config = {}
# Set the connection pool size to 100. The default is 20.
http_client_config["max_connections"] = 100
# Create an HTTP client with the custom configuration.
http_client = oss.transport.RequestsHttpClient(**http_client_config)
# Set the custom HTTP client in the configuration object.
config.http_client = http_client
# ============================================
# Initialize the OSS client instance.
client = oss.Client(config)
# Configure bucket and object information.
bucket = "example-bucket" # bucket name
key = "dest.jpg" # object key in OSS
file_path = "dest.jpg" # Local save path
# Download the object from OSS to the specified local path.
client.get_object_to_file(oss.GetObjectRequest(bucket, key), file_path)
print(f"Object download complete: {key} -> {file_path}")
print(f"Connection pool size set to: {http_client_config['max_connections']}")
if __name__ == "__main__":
# Program entry point
try:
main()
except Exception as e:
print(f"An error occurred during execution: {e}")
raise
HTTP/HTTPS
Use cfg.disable_ssl = True to disable HTTPS requests.
Before running the sample code, replace the<region-id>placeholder with a region and endpoint, such as orap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Load credentials from environment variables.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configuration and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Specify the client region.
cfg.region = '<region-id>'
# Disable HTTPS requests.
cfg.disable_ssl = True
# Create an OSS client using the specified configuration.
client = oss.Client(cfg)
# Use the created client to perform subsequent operations...
# The following entry point calls the main function when the script is run directly.
if __name__ == "__main__":
main()Proxy server
Configure a proxy server when corporate policies restrict direct internet access.
Before running the sample code, replace the<region-id>placeholder with a valid region and endpoint, for example, orap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Load credentials from environment variables for authentication.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configurations and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Specify the region where the bucket is located.
cfg.region = '<region-id>'
# Set the user agent.
cfg.user_agent = 'aliyun-sdk-python'
# Set the proxy server.
cfg.proxy_host = 'http://user:passswd@proxy.example-***.com'
# Create an OSS client with the specified configurations.
client = oss.Client(cfg)
# Use the created client to perform subsequent operations...
# When this script is run directly, call the main function.
if __name__ == "__main__":
main()Use an internal endpoint
Access OSS resources in the same region through an internal endpoint to reduce costs and latency.
Before you run the sample code, replace placeholders such as<region-id>with your actual region and endpoint values, such asap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Load credentials from environment variables for authentication.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configuration and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Method 1: Specify the region and set use_internal_endpoint to true.
# Specify the region where the bucket is located.
cfg.region = '<region-id>'
cfg.use_internal_endpoint = True
# # Method 2: Specify the region and endpoint directly.
# # Specify the region where the bucket is located.
# cfg.region = '<region-id>'
# # Specify the internal endpoint for the bucket's region.
# cfg.endpoint = '<endpoint>'
# Create the OSS client.
client = oss.Client(cfg)
# Use the client for subsequent operations...
# Call the main function if the script is executed directly.
if __name__ == "__main__":
main()Transfer acceleration
Before you run the sample code, replace the<region-id>placeholder with a region and endpoint, for example, orap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Load credentials from environment variables.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load default SDK configurations and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Method 1: Specify the region and set use_accelerate_endpoint to true.
# Specify the bucket's region.
cfg.region = '<region-id>'
cfg.use_accelerate_endpoint = True
# # Method 2: Directly specify the region and the acceleration endpoint.
# # Specify the bucket's region.
# cfg.region = '<region-id>'
# # Specify the acceleration endpoint.
# cfg.endpoint = 'https://oss-accelerate.aliyuncs.com'
# Create an OSS client with the configuration.
client = oss.Client(cfg)
# Use this client for subsequent operations...
# Run the main function if the script is executed directly.
if __name__ == "__main__":
main()Use a dedicated domain
Before running the sample code, replace the<region-id>placeholder with your region and endpoint, such asap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Load credentials from environment variables.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default SDK configurations and set the credentials provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Specify the region where the bucket is located.
cfg.region = '<region-id>'
# Specify your dedicated domain. For example, https://service.corp.example.com.
cfg.endpoint = 'https://service.corp.example.com'
# Create an OSS client with the specified configurations.
client = oss.Client(cfg)
# Use the created client to perform subsequent operations...
# When this script is run directly, call the main function.
if __name__ == "__main__":
main()Custom HTTP client
Replace the default HTTP client with cfg.http_client when standard configuration parameters are insufficient.
Before running the sample code, replace the<region-id>placeholder with a valid region and endpoint, for example, orap-southeast-1.
import alibabacloud_oss_v2 as oss
from typing import Dict, Any
def main():
# Load credentials from environment variables for authentication.
credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()
# Load the default configuration.
cfg = oss.config.load_default()
# Set the parameters for the HTTP client.
kwargs: Dict[str, Any] = {}
# Set the session.
# kwargs["session"] = requests.Session()
# Set the adapter.
# kwargs["adapter"] = HTTPAdapter()
# Specifies whether to skip certificate verification. Default: false.
# kwargs["insecure_skip_verify"] = False
# Specifies whether to enable HTTP redirection. Default: false.
# kwargs["enabled_redirect"] = False
# Set the proxy server.
# kwargs["proxy_host"] = config.proxy_host
# Set the block size.
# kwargs["block_size"] = 16 * 1024
# Connection timeout in seconds. Default: 10.
kwargs["connect_timeout"] = 30
# Read-write timeout in seconds. Default: 20.
kwargs["readwrite_timeout"] = 30
# Maximum connections. Default: 20.
kwargs["max_connections"] = 1024
# Create an HTTP client with the specified parameters.
cfg.http_client = oss.transport.RequestsHttpClient(**kwargs)
# Set the credentials provider.
cfg.credentials_provider = credentials_provider
# Specify the region where the bucket is located.
cfg.region = '<region-id>'
# Create an OSS client with the specified configuration.
client = oss.Client(cfg)
# Use the client for subsequent OSS operations...
# Calls the main function when the script is executed directly.
if __name__ == "__main__":
main()Access credential configuration
Choose a credential method for your use case.
Use a RAM user's AccessKey
Initialize the credential provider with an AccessKey pair (AccessKey ID and AccessKey Secret) of your Alibaba Cloud account or a RAM user. This method requires manual key management and carries higher security risk.
-
An Alibaba Cloud account has full permissions over its resources. A leaked AccessKey pair poses a significant security threat to your system. We strongly recommend that you do not use the AccessKey pair of an Alibaba Cloud account. Instead, use the AccessKey pair of a RAM user with the minimum required permissions.
-
To create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and AccessKey secret are displayed only when you create the pair. Save them in a secure location immediately. If you lose them, you cannot retrieve them and must create a new AccessKey pair.
Environment variables
-
Use the AccessKey pair of a RAM user to configure environment variables.
Linux
-
Run the following commands on the CLI to add the configurations of the environment variables to the
~/.bashrcfile:echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bashrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bashrc-
Apply the changes.
source ~/.bashrc -
Check whether the environment variables have taken effect:
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
-
macOS
-
Run the following command in the terminal to view the default shell type:
echo $SHELL-
Configure environment variables based on the default shell type.
Zsh
-
Run the following commands to add the configurations of the environment variables to the
~/.zshrcfile:echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.zshrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.zshrc -
Apply the changes.
source ~/.zshrc -
Check whether the environment variables have taken effect:
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Bash
-
Run the following commands to add the configurations of the environment variables to the
~/.bash_profilefile:echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bash_profile echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bash_profile -
Apply the changes.
source ~/.bash_profile -
Check whether the environment variables have taken effect:
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
-
-
Windows
CMD
-
Run the following commands in CMD:
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID" setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"-
Check whether the environment variables take effect:
echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
-
PowerShell
-
Run the following commands in PowerShell:
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)-
Check whether the environment variable takes effect:
[Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)
-
-
-
After you update the system environment variables, restart or refresh your build and runtime environment, including your IDE, command-line interface, other desktop applications, and background services, to load the latest system environment variables.
-
Use environment variables to pass credentials.
Before you run the sample code, replace the
<region-id>placeholder with a region and endpoint, for example, orap-southeast-1.import alibabacloud_oss_v2 as oss def main(): # Load credentials from environment variables for authentication. credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider() # Load the default SDK configurations and set the credential provider. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Specify the region where the bucket is located. cfg.region = '<region-id>' # Create an OSS client with the specified configurations. client = oss.Client(cfg) # Use the created client to perform subsequent operations... # When this script is run directly, call the main function. if __name__ == "__main__": main() # Script entry point. Calls the main function when the file is run directly.
Static credentials
Hard-code an AccessKey pair for testing (not for production):
Do not embed credentials directly in your application in production environments. This method is for testing purposes only.
Before you run the sample code, replace the<region-id>placeholder with a region and endpoint, for example, orap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Create a static credential provider and explicitly set the AccessKey ID and AccessKey secret.
# Replace the placeholders with the AccessKey ID and AccessKey secret of your RAM user.
credentials_provider = oss.credentials.StaticCredentialsProvider(
access_key_id="RAM AccessKey ID",
access_key_secret="RAM AccessKey Secret"
)
# Load the default SDK configurations and set the credential provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Specify the region where the bucket is located.
cfg.region = '<region-id>'
# Create an OSS client with the specified configurations.
client = oss.Client(cfg)
# Use the created client to perform subsequent operations...
# When this script is run directly, call the main function.
if __name__ == "__main__":
main() # Script entry point. Calls the main function when the file is run directly.Use temporary credentials from STS
Initialize the credential provider with temporary STS credentials (AccessKey ID, AccessKey Secret, and Security Token). Tokens must be refreshed manually before expiration.
-
To obtain temporary identity credentials by calling the
AssumeRoleAPI, see AssumeRole - Obtain a temporary identity credential for a RAM role. -
To obtain temporary identity credentials by using an SDK, see Use an STS token to access OSS.
-
When you generate an STS token, you must specify an expiration time. The token becomes invalid after this time.
-
For a list of STS endpoints, see Service endpoints.
Environment variables
-
Use temporary identity credentials to set environment variables.
macOS/Linux/Unix
Warning-
These environment variables require the temporary identity credentials (AccessKey ID, AccessKey Secret, and Security Token) from STS, not the AccessKey ID and AccessKey Secret of a RAM user.
-
The AccessKey ID obtained from STS starts with
STS., for example,STS.L4aBSCSJVMuKg5U1****.
export OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID> export OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET> export OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>Windows
Warning-
These environment variables require the temporary identity credentials (AccessKey ID, AccessKey Secret, and Security Token) from STS, not the AccessKey ID and AccessKey Secret of a RAM user.
-
The AccessKey ID obtained from STS starts with
STS., for example,STS.L4aBSCSJVMuKg5U1****.
set OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID> set OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET> set OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN> -
-
Configure the SDK to read credentials from the environment variables.
Before you run the sample code, replace the
<region-id>placeholder with an actual region and endpoint, for example, orap-southeast-1.import alibabacloud_oss_v2 as oss def main(): # Load credentials from environment variables. credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider() # Load the default SDK configurations and set the credential provider. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Specify the region where the Bucket is located. cfg.region = '<region-id>' # Create an OSS client with the specified configurations. client = oss.Client(cfg) # Use the created client to perform subsequent operations... # Script entry point if __name__ == "__main__": main() # Calls the main function.
Static credentials
Hard-code temporary credentials directly (testing only):
Do not embed access credentials in your application in a production environment. This method is for testing purposes only.
Before you run the sample code, replace the<region-id>placeholder with an actual region and endpoint, for example, orap-southeast-1.
import alibabacloud_oss_v2 as oss
def main():
# Use the temporary AccessKey ID and AccessKey Secret from STS, not the credentials of your Alibaba Cloud account.
# Note that the AccessKey ID from STS starts with "STS.".
sts_access_key_id = 'STS.****************'
sts_access_key_secret = 'yourAccessKeySecret'
# Provide the Security Token obtained from STS.
sts_security_token = 'yourSecurityToken'
# Create a static credential provider and explicitly set the temporary AccessKey ID, AccessKey Secret, and Security Token.
credentials_provider = oss.credentials.StaticCredentialsProvider(
access_key_id=sts_access_key_id,
access_key_secret=sts_access_key_secret,
security_token=sts_security_token,
)
# Load the default SDK configurations and set the credential provider.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Specify the region where the Bucket is located.
cfg.region = '<region-id>'
# Create an OSS client with the specified configurations.
client = oss.Client(cfg)
# Use the created client to perform subsequent operations...
# Script entry point
if __name__ == "__main__":
main() # Calls the main function.Use a RAM role ARN
Initialize the credential provider with a RAM role ARN for delegated access (such as cross-account). The SDK automatically refreshes the STS token via AssumeRole. Use the policy parameter to restrict permissions.
-
An Alibaba Cloud account has full permissions over its resources. A leaked AccessKey pair poses a significant security risk to your account. Do not use the AccessKey pair of an Alibaba Cloud account. Use an AccessKey pair from a RAM user with only the minimum required permissions.
-
To create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and AccessKey secret are shown only once, during creation. You must save them immediately. If the AccessKey pair is lost, you must create a new one to replace it.
-
To obtain a RAM role ARN, see CreateRole - Create a RAM role.
-
Add the alibabacloud_credentials dependency.
pip install alibabacloud_credentials -
Configure the AccessKey pair and RAM role ARN as access credentials.
Before you run the sample code, replace the
<region-id>placeholder with the actual region and endpoint, for example, orap-southeast-1.# -*- coding: utf-8 -*- import os from alibabacloud_credentials.client import Client from alibabacloud_credentials.models import Config import alibabacloud_oss_v2 as oss def main(): config = Config( # The RAM user's AccessKey ID and AccessKey secret, retrieved from environment variables. access_key_id=os.getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), access_key_secret=os.getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), type='ram_role_arn', # The ARN of the RAM role to assume. Example: acs:ram::123456789012****:role/adminrole. You can set this using the ALIBABA_CLOUD_ROLE_ARN environment variable. role_arn='<RoleArn>', # The role session name. You can set this using the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable. role_session_name='<RoleSessionName>', # Optional. A more restrictive permission policy. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} policy='<Policy>', # Optional. The session duration in seconds. Default: 3600 (1 hour). role_session_expiration=3600 ) cred_client = Client(config) def get_credentials_wrapper(): cred = cred_client.get_credential() return oss.credentials.Credentials(access_key_id=cred.access_key_id, access_key_secret=cred.access_key_secret, security_token=cred.security_token) # Create a credential provider to dynamically load credentials. credentials_provider = oss.credentials.CredentialsProviderFunc(func=get_credentials_wrapper) # Load the default OSS SDK configurations. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Specify the region where the bucket is located. cfg.region = '<region-id>' # Create an OSS client instance. client = oss.Client(cfg) # Use the client for subsequent operations... if __name__ == "__main__": main() # Script entry point. Calls the main function when the file is run directly.
Use an ECS instance RAM role
For applications on ECS instances, ECI instances, or Container Service for Kubernetes worker nodes, use an ECS instance RAM role. The SDK automatically refreshes the STS token without hardcoded credentials. Create a RAM role.
-
Add the alibabacloud_credentials dependency.
pip install alibabacloud_credentials -
Configure the ECS instance RAM role as the access credential.
Before you run the sample code, replace the
<region-id>placeholder with an actual region ID, for example, orap-southeast-1.from alibabacloud_credentials.client import Client from alibabacloud_credentials.models import Config import alibabacloud_oss_v2 as oss def main(): config = Config( type='ecs_ram_role', # Specifies the access credential type. Must be 'ecs_ram_role'. role_name='EcsRoleExample' # Optional: The name of the RAM role granted to the ECS instance. If omitted, the role name is automatically retrieved. We recommend that you set this parameter to reduce requests. ) cred_client = Client(config) def get_credentials_wrapper(): cred = cred_client.get_credential() return oss.credentials.Credentials(access_key_id=cred.access_key_id, access_key_secret=cred.access_key_secret, security_token=cred.security_token) # Create a credentials provider to dynamically load credentials. credentials_provider = oss.credentials.CredentialsProviderFunc(func=get_credentials_wrapper) # Load the default OSS SDK configurations. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Specify the region where the bucket is located. cfg.region = '<region-id>' # Create an OSS client instance. client = oss.Client(cfg) # Use the client for subsequent operations... if __name__ == "__main__": main()
OIDC role ARN
For untrusted applications on Container Service for Kubernetes worker nodes, use RRSA (RAM Roles for Service Accounts) to enforce least-privilege at the pod level. RRSA mounts an OIDC token file per pod and calls AssumeRoleWithOIDC to exchange it for a scoped STS token. Isolate pod permissions based on RRSA.
-
Add the alibabacloud_credentials dependency.
pip install alibabacloud_credentials
-
Configure the OIDC role ARN as the access credential.
Before you run the sample code, replace the
<region-id>placeholder with a region and endpoint, for example, orap-southeast-1.# -*- coding: utf-8 -*- import os from alibabacloud_credentials.client import Client from alibabacloud_credentials.models import Config import alibabacloud_oss_v2 as oss def main(): config = Config( # Specify the credential type. The value is fixed to 'oidc_role_arn'. type='oidc_role_arn', # The ARN of the RAM role. You can set this value by using the ALIBABA_CLOUD_ROLE_ARN environment variable. role_arn=os.environ.get('<RoleArn>'), # The OIDC provider ARN. You can set this value by using the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable. oidc_provider_arn=os.environ.get('<OidcProviderArn>'), # The OIDC token file path. You can set this value by using the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable. oidc_token_file_path=os.environ.get('<OidcTokenFilePath>'), # The role session name. You can set this value by using the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable. role_session_name='<RoleSessionName>', # A more restrictive permission policy. This parameter is optional. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} policy='<Policy>', # The validity period of the role session in seconds. The default is 3600 seconds (1 hour). This parameter is optional. role_session_expiration=3600 ) cred_client = Client(config) def get_credentials_wrapper(): cred = cred_client.get_credential() return oss.credentials.Credentials(access_key_id=cred.access_key_id, access_key_secret=cred.access_key_secret, security_token=cred.security_token) # Create a credentials provider to dynamically load credentials. credentials_provider = oss.credentials.CredentialsProviderFunc(func=get_credentials_wrapper) # Load the default OSS SDK configurations. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Specify the region where the bucket is located. cfg.region = '<region-id>' # Create an OSS client instance. client = oss.Client(cfg) # Use the client for subsequent operations... # Call the main function when this script is run directly. if __name__ == "__main__": main() # Script entry point. Calls the main function when the file is run directly.
Custom access credentials
Customize credential retrieval with one of these approaches:
-
Using the
credentials.CredentialsProviderFuncinterfaceBefore you run the sample code, replace the
<region-id>placeholder with the actual region and endpoint, for example, orap-southeast-1.import argparse import alibabacloud_oss_v2 as oss import os def main(): def get_credentials_wrapper(): # Return long-term credentials. return oss.credentials.Credentials(access_key_id='access_key_id', access_key_secret='access_key_security') # Return temporary STS credentials. # return oss.credentials.Credentials(access_key_id='access_key_id', access_key_secret='access_key_security', security_token='security_token') credentials_provider = oss.credentials.CredentialsProviderFunc(func=get_credentials_wrapper) # Load the default SDK configurations and set the credentials provider. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Specify the region where the bucket is located. cfg.region = "<region-id>" # Create an OSS client with the specified configurations. client = oss.Client(cfg) # Use the client to perform subsequent operations... if __name__ == "__main__": main() # Script entry point. Calls the main function when the file is run directly. -
Implementing the
credentials.CredentialsProviderinterfaceBefore you run the sample code, replace the
<region-id>placeholder with the actual region and endpoint, for example, orap-southeast-1.# -*- coding: utf-8 -*- import alibabacloud_oss_v2 as oss class CredentialProviderWrapper(oss.credentials.CredentialsProvider): def get_credentials(self): # TODO # Customize the logic for obtaining access credentials. # Return long-term credentials: access_key_id, access_key_secret. return oss.credentials.Credentials('<access_key_id>', '<access_key_secret>') # Return temporary STS credentials: access_key_id, access_key_secret, token. # Temporary credentials must be refreshed before they expire. # return oss.credentials.Credentials('<access_key_id>', '<access_key_secret>', '<token>'); def main(): # Instantiate a custom credentials provider. credentials_provider = CredentialProviderWrapper() # Load the default OSS SDK configurations. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Specify the region where the bucket is located. cfg.region = '<region-id>' client = oss.Client(cfg) # Use the client to perform subsequent operations... if __name__ == "__main__": main() # Script entry point. Calls the main function when the file is run directly.
Anonymous access
Access public-read OSS resources without credentials.
Before you run the sample code, replace the<region-id>placeholder with an actual region and endpoint, for example, orap-southeast-1.
import alibabacloud_oss_v2 as oss
# Create an anonymous credentials provider.
credentials_provider = oss.credentials.AnonymousCredentialsProvider()
# Configure the client.
cfg = oss.config.load_default()
cfg.credentials_provider = credentials_provider
# Specify the bucket's region.
cfg.region = '<region-id>'
# Create an OSS client.
client = oss.Client(cfg)
Troubleshoot errors
When a request fails, the response includes an HTTP status code, message, request ID, and error code (EC). Use the EC to diagnose the root cause.
-
For example, the following code triggers an error by attempting to download an object that does not exist.
Before you run the sample code, replace placeholders such as
<region-id>with an actual region and endpoint, for example, orap-southeast-1.import alibabacloud_oss_v2 as oss def main(): # Load credentials from environment variables for authentication. credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider() # Load the default SDK configurations and set the credentials provider. cfg = oss.config.load_default() cfg.credentials_provider = credentials_provider # Set the region in the configuration. cfg.region = '<region-id>' # Create an OSS client with the specified configurations. client = oss.Client(cfg) # Send a request to get the object, specifying the bucket name and object key. result = client.get_object(oss.GetObjectRequest( bucket="Your Bucket Name", # Specify the bucket name. key="Your Object Key", # Specify the object key. )) # Print the status code and request ID from the response. print(f'status code: {result.status_code},' f' request id: {result.request_id},' ) # Use a context manager to ensure the resource is released. with result.body as body_stream: data = body_stream.read() print(f"Object read complete. Data length: {len(data)} bytes") path = "./get-object-sample.txt" with open(path, 'wb') as f: f.write(data) print(f"Object downloaded and saved to: {path}") if __name__ == "__main__": main() # Script entry point. -
Running the script returns the following error. The response includes the line 'EC': '0026-00000001', which provides a unique identifier for the cause of the error.
alibabacloud_oss_v2.exceptions.OperationError: operation error GetObject: Error returned by Service. Http Status Code: 404. Error Code: NoSuchKey. Request Id: 67CA9AD3ECB4DB3034E5A92D. Message: The specified key does not exist.. EC: 0026-00000001. Timestamp: 2025-03-07 07:05:55+00:00. Request Endpoint: GET https://xxx.oss-cn-hangzhou.aliyuncs.com/asghdjfjdas. -
To diagnose the error, use the EC from the error output and follow these steps.
-
Open the OpenAPI Self-service Diagnostic Platform.
-
In the search box, enter the EC, for example, 0026-00000001, and then click Diagnose.
-
Review the search results for the error's cause and solution. The diagnostics page details the Problem Description (the target object does not exist) and lists Possible Causes (for example, the object failed to upload or was deleted by a user, a lifecycle rule, or cross-region replication), a Problem Example, and a Solution. The solution might suggest using the
HeadObjectinterface to verify the object exists, using theListObjectVersionsinterface to check the VersionID, or reviewing configurations for naming conventions, lifecycle rules, user permissions, and cross-region replication. The References section at the bottom links to documentation forNoSuchKeyandNoSuchVersion.
-
Code examples
Common operation code examples:
|
Description |
Sample file |
|
- |