
Object Storage Service: Configure access credentials

Last Updated: Mar 31, 2025

To use Object Storage Service (OSS) SDK for Harmony to initiate a request, you must configure access credentials, which are used to verify your identity and access permissions. You can select different types of access credentials based on the requirements for authentication and authorization.

Notes

Examples of commonly used configurations

Use temporary access credentials provided by STS (recommended)

If temporary access is required for your application, you can use temporary access credentials provided by STS, which consist of an AccessKey pair and an STS token.

Important

Below is the sample code for hardcoding temporary access credentials, explicitly specifying the AccessKey pair and the STS token used to access OSS.

import Client from '@aliyun/oss';

// Create an OSS client instance.
const client = new Client({
  // Specify the AccessKey ID obtained from STS. Do not use the AccessKey ID of the Alibaba Cloud account.
  // Note that an AccessKey ID provided by STS starts with STS.
  accessKeyId: 'STS.****************',
  // Specify the AccessKey secret obtained from STS.
  accessKeySecret: 'yourAccessKeySecret',
  // Specify the security token obtained from STS.
  securityToken: 'yourSecurityToken',
  // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
  region: 'oss-cn-hangzhou',
});

// Use the created OSS client instance to initiate requests.

Use the AccessKey pair of a RAM user

Assume that your application requires long-term access to OSS without frequently rotating access credentials and runs in a secure and stable environment that is not vulnerable to external attacks. In this case, you can use an AccessKey pair (an AccessKey ID and an AccessKey secret) of your Alibaba Cloud account or a RAM user to initialize a credential provider.

Important
  • For information about how to create an AccessKey pair for a RAM user, see Create an AccessKey. The AccessKey pair of a RAM user is displayed only when the RAM user is created. Save the AccessKey pair promptly. If you forget the AccessKey pair, create a new AccessKey pair for rotation.

  • An Alibaba Cloud account has full permissions on its resources, and leaks of its AccessKey pair pose significant security risks. Therefore, we recommend that you use the AccessKey pair of a RAM user that is granted the minimum required permissions.

Below is the sample code for hardcoding access credentials to explicitly specify the AccessKey pair for accessing OSS.

Warning

Do not embed access credentials in application code deployed in a production environment. This method is intended only for testing.

import Client from '@aliyun/oss';

// Create an OSS client instance.
const client = new Client({
  // Specify the AccessKey ID of the RAM user.
  accessKeyId: 'yourAccessKeyID',
  // Specify the AccessKey secret of the RAM user.
  accessKeySecret: 'yourAccessKeySecret',
  // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou.
  region: 'oss-cn-hangzhou',
});

// Use the created OSS client instance to initiate requests.
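
A check that a CI job can run to enforce the warning above, as an added example that is not part of the original documentation or the SDK: it scans source text for string literals assigned to the accessKeyId, accessKeySecret and securityToken options used in the samples. The function names, the placeholder heuristic and the sample input are assumptions made for illustration.

```javascript
// Added example, not SDK code: flag credential options set to string literals.
// The keys are the client options used in the samples on this page.
const LITERAL_RE =
  /\b(accessKeyId|accessKeySecret|securityToken)\s*[:=]\s*(['"`])((?:\\.|(?!\2).)*)\2/g;

// Documentation placeholders such as 'yourAccessKeySecret' or 'STS.****'
// (heuristic, an assumption of this example).
function looksLikePlaceholder(value) {
  return /^your[A-Z]/.test(value) || /\*{4,}/.test(value);
}

function findHardcodedCredentials(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    if (/^\s*(\/\/|\/\*|\*)/.test(text)) return; // skip comment-only lines
    for (const m of text.matchAll(LITERAL_RE)) {
      if (m[3].length === 0) continue; // an empty literal carries no secret
      findings.push({
        line: index + 1,
        key: m[1],
        placeholder: looksLikePlaceholder(m[3]),
        // The matched value is deliberately not returned, so reports and
        // CI logs never contain the secret itself.
      });
    }
  });
  return findings;
}

// Constructed sample input (no real credentials).
const SAMPLE_SOURCE = [
  'const client = new Client({',
  "  // accessKeyId: 'commentedOutValue',",
  "  accessKeyId: 'STS.****************',",
  '  accessKeySecret: "EXAMPLEconstructedSecret0000",',
  '  securityToken: creds.securityToken,',
  "  region: 'oss-cn-hangzhou',",
  '});',
].join('\n');

console.log(findHardcodedCredentials(SAMPLE_SOURCE));
```

Findings with placeholder set to false are the ones to fail the build on; values passed in from a variable, like securityToken in the sample, are not reported.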

FAQ

How can I distinguish between temporary access credentials provided by STS and the AccessKey pair of a RAM user when I initialize a credential provider?

When you use temporary access credentials (AccessKey ID, AccessKey secret, and STS token) obtained from STS to initialize a credential provider, do not confuse the AccessKey ID returned by STS with the AccessKey ID of the RAM user. The AccessKey ID obtained from STS starts with STS.
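
A pre-flight check for the mix-up described in this answer, as an added example that is not part of the original documentation or the SDK: it classifies a client options object by the STS. prefix and reports an STS AccessKey ID without a token, or a token paired with a non-STS AccessKey ID. The function names, result shape and sample values are assumptions made for illustration.

```javascript
// Added example, not SDK code: validate the credential fields of a client
// options object before it is passed to the OSS client constructor.
const STS_PREFIX = 'STS.'; // per this page, STS-issued AccessKey IDs start with "STS."

function isNonEmptyString(value) {
  return typeof value === 'string' && value.trim().length > 0;
}

function checkCredentialOptions(options = {}) {
  const problems = [];
  const hasId = isNonEmptyString(options.accessKeyId);
  const hasSecret = isNonEmptyString(options.accessKeySecret);
  const hasToken = isNonEmptyString(options.securityToken);
  const stsId = hasId && options.accessKeyId.startsWith(STS_PREFIX);

  if (!hasId) problems.push('accessKeyId is missing');
  if (!hasSecret) problems.push('accessKeySecret is missing');
  if (stsId && !hasToken) {
    problems.push('AccessKey ID is STS-issued but securityToken is missing');
  }
  if (hasId && !stsId && hasToken) {
    problems.push('securityToken is set but the AccessKey ID does not start with "STS."');
  }

  // The type is derived from the AccessKey ID prefix only.
  let type = 'unknown';
  if (hasId) type = stsId ? 'sts-temporary' : 'ram-long-term';
  return { type, ok: problems.length === 0, problems };
}

// Constructed sample values (no real credentials).
const SAMPLES = {
  sts: { accessKeyId: 'STS.constructedExampleId', accessKeySecret: 'constructedSecret', securityToken: 'constructedToken' },
  ram: { accessKeyId: 'constructedRamUserId', accessKeySecret: 'constructedSecret' },
  mixedUp: { accessKeyId: 'constructedRamUserId', accessKeySecret: 'constructedSecret', securityToken: 'constructedToken' },
  noToken: { accessKeyId: 'STS.constructedExampleId', accessKeySecret: 'constructedSecret' },
};

for (const [name, options] of Object.entries(SAMPLES)) {
  console.log(name, checkCredentialOptions(options));
}
```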

How do I view the AccessKey ID of a RAM user? Can I view the AccessKey secret of an AccessKey pair?

  1. You can view the AccessKey pair of a RAM user by following the steps described in View the information about AccessKey pairs of a RAM user.

  2. The AccessKey secret of a RAM user is displayed only when the AccessKey pair is created. It cannot be viewed at a later time, and if you forget the AccessKey secret, it cannot be retrieved. In this case, you can directly create a new AccessKey pair for rotation in the RAM console. For more information, see Create an AccessKey pair.

How do I fix an AccessDenied error that occurs when I use the AccessKey pair of a RAM user to upload files?

The AccessDenied error typically occurs for one of two reasons: an incorrect AccessKey pair or a lack of upload permissions. You can perform the following steps to troubleshoot the AccessDenied error:

  1. Check whether the provided AccessKey pair is correct by following the instructions described in View the information about AccessKey pairs of a RAM user.

  2. The AccessKey secret of a RAM user is displayed only when the AccessKey pair is created. It cannot be viewed at a later time, and if you forget the AccessKey secret, it cannot be retrieved. In this case, you can directly create a new AccessKey pair for rotation in the RAM console. For more information, see Create an AccessKey pair.

  3. In the RAM console, check whether the RAM user has the permission to upload files to OSS. If not, grant the required permissions.

How do I fix a connection error when I access OSS by using a public OSS endpoint?

If you encounter a connection error when accessing OSS over the public endpoint, it may be due to an incorrect endpoint. To fix the error, perform the following checks:

  1. Check the region of the bucket in the OSS console.

  2. Check whether the specified endpoint is the correct one for the region. For example, if the bucket is located in the China (Hangzhou) region, use the oss-cn-hangzhou.aliyuncs.com endpoint to enable public network access. For a list of OSS endpoints, see Regions and endpoints.

  3. Check whether your environment can connect to the Internet.

If an error is reported, how do I determine the type of the error?

OSS provides error codes to help you determine the specific type of an error. For example, you can see 02-AUTH for common authentication errors.