All Products
Search
Document Center

Object Storage Service:Configure access credentials for OSS SDK for Go

Last Updated:Jun 12, 2024

To use Object Storage Service (OSS) SDK for Go to initiate a request, you must configure access credentials. Alibaba Cloud services use access credentials to verify identity information and access permissions. You can select different types of access credentials based on authentication and authorization requirements. This topic describes how to configure temporary and long-term access credentials.

Prerequisites

OSS SDK for Go is installed. For more information, see Installation.

Types of access credentials

The following types of access credentials are supported:

  • Temporary access credentials: For scenarios that require high security, such as temporary access authorization for applications to access OSS, we recommend that you use temporary access credentials. Temporary access credentials are valid only within a specific period of time to prevent credential leaks. Temporary access credentials support fine-grained access control to prevent security risks caused by excessive permissions. For more information, see Use temporary access credentials.

  • Long-term access credentials: To ensure data security, we recommend that you do not use long-term access credentials. For scenarios that require convenience, long-term access credentials eliminate the need for multiple refreshes within an extended period of time. We recommend that you change your long-term access credentials every three months to ensure the security of your Alibaba Cloud account. When long-term access credentials are leaked or no longer used, you can delete or disable the long-term access credentials to reduce security risks. For more information, see Use long-term access credentials.

  • OIDC access credentials: If you need to deploy untrusted applications to a container cluster, you may want to prevent the applications from accessing the Security Token Service (STS) token of the RAM role of the instance associated with the worker node by using a metadata service. In this case, you can use OpenID Connect (OIDC) access credentials. OIDC is an authentication protocol based on OAuth 2.0. OIDC can be used to grant untrusted applications the minimum access permissions. OIDC access credentials allow untrusted applications to access STS tokens safely without compromising the security of cloud resources. RAM roles support OIDC-based single sign-on (SSO). For more information, see OIDC access credentials.

Usage notes

This topic describes how to run shell commands to configure environment variables in different operating systems, such as macOS, Linux, and Windows. If you properly configure environment variables, programs started by command lines can correctly recognize the necessary configurations. If you start the programs in an integrated development environment (IDE), you may need to refer to this topic to separately configure environment variables in the IDE. This way, the programs can run as expected.

Use temporary access credentials

If you want to use OSS SDK for Go to temporarily access OSS resources, you can use one of the following methods to configure temporary access credentials:

  • Use STS: If you want to access OSS within a specific period of time, you can obtain temporary access credentials from STS. The temporary access credentials obtained from STS do not disclose the AccessKey pair of your RAM user. This ensures that your access to OSS resources is secure.

  • Configure a RAM role: If you want to grant a RAM user of your Alibaba Cloud account or a RAM user of another Alibaba Cloud account the permissions to access OSS resources, you can configure a RAM role for the RAM user.

  • Configure a RAM role for an Elastic Compute Service (ECS) instance: If you want to access OSS resources from an ECS instance, you can use a RAM role of the ECS instance to access OSS resources. You can attach a RAM role to an ECS instance to access OSS resources from the instance by using temporary access credentials that are obtained from STS. STS temporary access credentials are automatically generated and updated. Applications can obtain STS temporary access credentials by using the instance metadata URL.

Use STS

  1. Create a RAM user.

    For more information, see Create a RAM user.

  2. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user.

    For more information, see Grant permissions to a RAM user.

  3. Use the RAM user to call the AssumeRole operation of STS to obtain temporary access credentials.

    For more information, see AssumeRole.

  4. Configure the temporary access credentials obtained from STS.

    Specify environment variables

    1. Use the temporary access credentials obtained from STS to configure environment variables.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile
      3. Add the temporary access credentials (AccessKeyId, AccessKeySecret, and SecurityToken) obtained from STS to the end of the file.

        export OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
        export OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****
      4. Press Ctrl+X, press Y to save the file, and then press Enter to close the file.

      5. Run the following command for the changes to take effect:

        source ~/.bash_profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_SESSION_TOKEN

        Sample success response:

        STS.NV5ZCwphFSXqscqUHAKbH****
        IrVTNZNy5yQelTETg0cZML3TQn**** 
        CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile
      3. Add the temporary access credentials (AccessKeyId, AccessKeySecret, and SecurityToken) obtained from STS to the end of the file.

        export OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
        export OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****
      4. Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_SESSION_TOKEN

        Sample success response:

        STS.NV5ZCwphFSXqscqUHAKbH****
        IrVTNZNy5yQelTETg0cZML3TQn**** 
        CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

      Windows

      Use the GUI

      In this example, Windows 10 is used. You can perform the following steps to configure STS temporary access credentials by using environment variables on the GUI:

      1. On the Windows desktop, right-click This PC and select Properties. On the page that appears, click Advanced system settings. In the System Properties dialog box, click Environment Variables on the Advanced tab. In the Environment Variables dialog box, click New in the User variables or System variables section.

      2. Specify the environment variables. The following table describes the environment variables.

        Variable

        Example

        OSS_ACCESS_KEY_ID

        STS.NV5ZCw****

        OSS_ACCESS_KEY_SECRET

        IrVTNZNy****

        OSS_SESSION_TOKEN

        CAES+wMI****

      3. Run the following command to verify the configurations of the environment variables:

        echo %OSS_ACCESS_KEY_ID%
        echo %OSS_ACCESS_KEY_SECRET%
        echo %OSS_SESSION_TOKEN%

        Sample success response:

        STS.NV5ZCw****
        IrVTNZNy**** 
        CAES+wMI****

      Use CMD

      1. Open the command-line interface (CLI).

      2. Run the following command to configure environment variables by using the temporary access credentials (AccessKey ID, AccessKey secret, and security token):

        set OSS_ACCESS_KEY_ID=STS.NV5ZCw****
        set OSS_ACCESS_KEY_SECRET=IrVTNZNy****
        set OSS_SESSION_TOKEN=CAES+wMI****
      3. Run the following command for the changes to take effect:

        setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
        setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
        setx OSS_SESSION_TOKEN "%OSS_SESSION_TOKEN%"
      4. Run the following command to verify the configurations of the environment variables:

        echo %OSS_ACCESS_KEY_ID%
        echo %OSS_ACCESS_KEY_SECRET%
        echo %OSS_SESSION_TOKEN%

        Sample success response:

        STS.NV5ZCw****
        IrVTNZNy**** 
        CAES+wMI****

      Use Windows PowerShell

      1. Press Win+X.

      2. Specify STS temporary access credentials.

        Valid for the current session
        1. In the message that appears, select Windows PowerShell.

        2. Specify the following environment variables for the current session:

          $env:OSS_ACCESS_KEY_ID = "STS.NV5ZCw****"
          $env:OSS_ACCESS_KEY_SECRET = "IrVTNZNy****"
          $env:OSS_SESSION_TOKEN = "CAES+wMI****"
        Valid for all new sessions
        1. In the message that appears, select Windows PowerShell.

        2. Specify the following environment variables for all new sessions:

          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_ID', 'STS.NV5ZCw****', [System.EnvironmentVariableTarget]::User)
          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::User)
          [System.Environment]::SetEnvironmentVariable('OSS_SESSION_TOKEN', 'CAES+wMI****', [System.EnvironmentVariableTarget]::User)
        Valid for all users
        1. In the message that appears, select Windows PowerShell (Administrator).

        2. Specify the following environment variables for all users:

          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_ID', 'STS.NV5ZCw****', [System.EnvironmentVariableTarget]::Machine)
          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::Machine)
          [System.Environment]::SetEnvironmentVariable('OSS_SESSION_TOKEN', 'CAES+wMI****', [System.EnvironmentVariableTarget]::Machine)
      3. Run the following command to verify the configurations of the environment variables:

        Get-ChildItem env:OSS_ACCESS_KEY_ID
        Get-ChildItem env:OSS_ACCESS_KEY_SECRET
        Get-ChildItem env:OSS_SESSION_TOKEN

        Sample success response:

        STS.NV5ZCw****
        IrVTNZNy**** 
        CAES+wMI****
    2. Obtain the temporary access credentials obtained from STS from the environment variables.

      package main
      
      import (
      	"fmt"
      	"github.com/aliyun/aliyun-oss-go-sdk/oss"
      	"os"
      )
      
      func main() {
      	// Use the temporary AccessKey pair and security token that are obtained from the environment variables. 
      	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
      	if err != nil {
      		fmt.Println("Error:", err)
      		os.Exit(-1)
      	}
          
      	// Create an OSSClient instance. 
      	// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
      	client, err := oss.New("yourEndpoint", "", "", oss.SetCredentialsProvider(&provider))
      	if err != nil {
      		fmt.Println("Error:", err)
      		os.Exit(-1)
      	}
      }

    Embed access credentials in code

    Warning

    Security issues may occur if you embed access credentials in code. Leaked access credentials can be used by attackers to access your resources, which causes data breaches. To ensure security, we recommend that you use more secure methods, such as obtaining access credentials from environment variables.

    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
        "os"
    )
    func main(){
        // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
        // Specify the temporary AccessKey pair obtained from STS. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
        // Specify the security token obtained from STS. 
        client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret", oss.SecurityToken("yourSecurityToken"))
        if err != nil {
            fmt.Println("Error:", err)
            os.Exit(-1)
        }
    } 

Configure a RAM role

  1. Run the following command to install alibabacloud_credentials:

    pip install alibabacloud_credentials
  2. Obtain the AccessKey pair of a RAM user.

    For more information, see Create an AccessKey pair for a RAM user.

    Important

    To reduce the leakage risk of the AccessKey pair of a RAM user, we recommend that you rotate the AccessKey pair every three months. We recommend that you disable and delete the AccessKey pair of a RAM user that is not used for a long period of time.

  3. Obtain the RamRoleArn of the RAM role.

    Note

    RamRoleArn is the Alibaba Cloud Resource Name (ARN) of the RAM role, which is the ID of the role to be assumed. Format: acs:ram::$accountID:role/$roleName. $accountID: the ID of the Alibaba Cloud account. $roleName: the name of the RAM role.

    For more information, see View the information about a RAM role.

  4. Specify the AccessKey pair of the RAM user and the ARN of the RAM role as the temporary access credentials.

    Specify environment variables

    1. Configure environment variables by using the AccessKey pair of the RAM user and the ARN of the RAM role.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile
      3. Add the AccessKey pair of the RAM user and the ARN of the RAM role to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
        export OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest
      4. Press Ctrl+X, press Y to save the file, and then press Enter to close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_STS_ROLE_ARN

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn****  
        acs:ram::17464958********:role/ossststest

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile
      3. Add the AccessKey pair of the RAM user and the ARN of the RAM role to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
        export OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest
      4. Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_STS_ROLE_ARN

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn****  
        acs:ram::17464958********:role/ossststest

      Windows

      Use the GUI

      In this example, Windows 10 is used. You can perform the following steps to configure the AccessKey pair of the RAM user and the ARN of the RAM role by using environment variables on the GUI:

      1. On the Windows desktop, right-click This PC and select Properties. On the page that appears, click Advanced system settings. In the System Properties dialog box, click Environment Variables on the Advanced tab. In the Environment Variables dialog box, click New in the User variables or System variables section.

      2. Specify the environment variables. The following table describes the environment variables.

        Variable

        Example

        OSS_ACCESS_KEY_ID

        LTAI****

        OSS_ACCESS_KEY_SECRET

        IrVTNZNy****

        OSS_STS_ROLE_ARN

        acs:ram::17464958********:role/ossststest

      3. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_STS_ROLE_ARN

        Sample success response:

        LTAI****
        IrVTNZNy**** 
        acs:ram::17464958********:role/ossststest

      Use CMD

      1. Open the CLI.

      2. Run the following command to configure environment variables by using the AccessKey pair of the RAM user and the ARN of the RAM role:

        set OSS_ACCESS_KEY_ID=LTAI****
        set OSS_ACCESS_KEY_SECRET=IrVTNZNy****  
        set OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest
      3. Run the following command for the changes to take effect:

        setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
        setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
        setx OSS_STS_ROLE_ARN "%OSS_STS_ROLE_ARN%"
      4. Run the following command to verify the configurations of the environment variables:

        echo %OSS_ACCESS_KEY_ID%
        echo %OSS_ACCESS_KEY_SECRET%
        echo %OSS_STS_ROLE_ARN%

        Sample success response:

        LTAI****
        IrVTNZNy****  
        acs:ram::17464958********:role/ossststest

      Use Windows PowerShell

      1. Press Win+X.

      2. Specify the AccessKey pair of the RAM user and the ARN of the RAM role.

        Valid for the current session
        1. In the message that appears, select Windows PowerShell.

        2. Specify the following environment variables for the current session:

          $env:OSS_ACCESS_KEY_ID = "LTAI****"
          $env:OSS_ACCESS_KEY_SECRET = "IrVTNZNy****"
          $env:OSS_STS_ROLE_ARN = "acs:ram::17464958********:role/ossststest"
        Valid for all new sessions
        1. In the message that appears, select Windows PowerShell.

        2. Specify the following environment variables for all new sessions:

          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_ID', 'LTAI****', [System.EnvironmentVariableTarget]::User)
          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::User)
          [System.Environment]::SetEnvironmentVariable('OSS_STS_ROLE_ARN', 'acs:ram::17464958********:role/ossststest', [System.EnvironmentVariableTarget]::User)
        Valid for all users
        1. In the message that appears, select Windows PowerShell (Administrator).

        2. Specify the following environment variables for all users:

          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_ID', 'LTAI****', [System.EnvironmentVariableTarget]::Machine)
          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::Machine)
          [System.Environment]::SetEnvironmentVariable('OSS_STS_ROLE_ARN', 'acs:ram::17464958********:role/ossststest', [System.EnvironmentVariableTarget]::Machine)
      3. Run the following command to verify the configurations of the environment variables:

        Get-ChildItem env:OSS_ACCESS_KEY_ID
        Get-ChildItem env:OSS_ACCESS_KEY_SECRET
        Get-ChildItem env:OSS_STS_ROLE_ARN

        Sample success response:

        LTAI****
        IrVTNZNy**** 
        acs:ram::17464958********:role/ossststest
    2. Obtain the AccessKey pair of the RAM user and the ARN of the RAM role from the environment variables.

      package main
      
      import (
          "fmt"
          "github.com/aliyun/aliyun-oss-go-sdk/oss"
          "github.com/aliyun/credentials-go/credentials"
          "os"
      )
      type Credentials struct {
          AccessKeyId     string
          AccessKeySecret string
          SecurityToken string
      }
      
      type defaultCredentialsProvider struct {
          cred credentials.Credential
      }
      
      func (credentials *Credentials) GetAccessKeyID() string {
          return credentials.AccessKeyId
      }
      
      func (credentials *Credentials) GetAccessKeySecret() string {
          return credentials.AccessKeySecret
      }
      
      func (credentials *Credentials) GetSecurityToken() string {
          return credentials.SecurityToken
      }
      
      func (defBuild *defaultCredentialsProvider) GetCredentials() oss.Credentials {
          id,_ := defBuild.cred.GetAccessKeyId()
          secret,_ := defBuild.cred.GetAccessKeySecret()
          token,_ := defBuild.cred.GetSecurityToken()
      
          return &Credentials{
              AccessKeyId: *id,
              AccessKeySecret: *secret,
              SecurityToken: *token,
          }
      }
      
      func NewCredentialsProvider(credential credentials.Credential) defaultCredentialsProvider {
          return defaultCredentialsProvider{
              cred: credential,
          }
      }
      
      func main(){
          config := new(credentials.Config).
              // Set the type of the temporary access credentials to ram_role_arn. 
              SetType("ram_role_arn").
              // Obtain the AccessKey ID and AccessKey secret of the RAM user from the environment variables. 
              SetAccessKeyId(os.Getenv("OSS_ACCESS_KEY_ID")).        
              SetAccessKeySecret(os.Getenv("OSS_ACCESS_KEY_SECRET")).
      		// Obtain the ARN of the RAM role from the environment variable, which is the ID of the RAM role to be assumed. Format: acs:ram::$accountID:role/$roleName. 
              SetRoleArn(os.Getenv("OSS_STS_ROLE_ARN")).
              // Specify a custom session name for the role to distinguish different tokens. 
              SetRoleSessionName("Role_Session_Name").
              // (Optional) Specify the permissions of the STS token. 
              SetPolicy("").
              // (Optional) Specify the validity period of the STS token. 
              SetRoleSessionExpiration(3600)
      
      
          arnCredential, err := credentials.NewCredential(config)
          if err != nil {
              fmt.Println("Error:", err)
              os.Exit(-1)
          }
      
          provider := NewCredentialsProvider(arnCredential)
          client, err := oss.New("oss-cn-hangzhou.aliyuncs.com", "", "", oss.SetCredentialsProvider(&provider))
          if err != nil {
              fmt.Println("Error:", err)
              os.Exit(-1)
          }
      }

    Embed access credentials in code

    Warning

    Security issues may occur if you embed access credentials in code. Leaked access credentials can be used by attackers to access your resources, which causes data breaches. To ensure security, we recommend that you use more secure methods, such as obtaining access credentials from environment variables.

    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
        "github.com/aliyun/credentials-go/credentials"
        "os"
    )
    type Credentials struct {
        AccessKeyId     string
        AccessKeySecret string
        SecurityToken string
    }
    
    type defaultCredentialsProvider struct {
        cred credentials.Credential
    }
    
    func (credentials *Credentials) GetAccessKeyID() string {
        return credentials.AccessKeyId
    }
    
    func (credentials *Credentials) GetAccessKeySecret() string {
        return credentials.AccessKeySecret
    }
    
    func (credentials *Credentials) GetSecurityToken() string {
        return credentials.SecurityToken
    }
    
    func (defBuild *defaultCredentialsProvider) GetCredentials() oss.Credentials {
        id,_ := defBuild.cred.GetAccessKeyId()
        secret,_ := defBuild.cred.GetAccessKeySecret()
        token,_ := defBuild.cred.GetSecurityToken()
    
        return &Credentials{
            AccessKeyId: *id,
            AccessKeySecret: *secret,
            SecurityToken: *token,
        }
    }
    
    func NewCredentialsProvider(credential credentials.Credential) defaultCredentialsProvider {
        return defaultCredentialsProvider{
            cred: credential,
        }
    }
    
    func main(){
        config := new(credentials.Config).
            // Set the type of the temporary access credentials to ram_role_arn. 
            SetType("ram_role_arn").
            // Specify the AccessKey pair of the RAM user. 
            SetAccessKeyId("AccessKeyId").        
            SetAccessKeySecret("AccessKeySecret").
            // Specify the ARN of the RAM role, which is the ID of the RAM role to be assumed. Format: acs:ram::$accountID:role/$roleName. 
            SetRoleArn("acs:ram::15069***********:role/ram-oss-test").
            // Specify a custom session name for the role to distinguish different tokens. 
            SetRoleSessionName("Role_Session_Name").
            // (Optional) Specify the permissions of the STS token. 
            SetPolicy("").
            // (Optional) Specify the validity period of the STS token. 
            SetRoleSessionExpiration(3600)
    
    
        arnCredential, err := credentials.NewCredential(config)
        if err != nil {
            fmt.Println("Error:", err)
            os.Exit(-1)
        }
    
        provider := NewCredentialsProvider(arnCredential)
        client, err := oss.New("oss-cn-hangzhou.aliyuncs.com", "", "", oss.SetCredentialsProvider(&provider))
        if err != nil {
            fmt.Println("Error:", err)
            os.Exit(-1)
        }
    }

Configure a RAM role for an ECS instance

  1. Run the following command to install alibabacloud_credentials:

    go get github.com/aliyun/credentials-go/credentials
  2. Attach a RAM role to an ECS instance.

    For more information, see Grant permissions to the instance RAM role.

  3. Configure temporary access credentials by using the RAM role of the ECS instance.

    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
        "github.com/aliyun/credentials-go/credentials"
        "os"
    )
    type Credentials struct {
        AccessKeyId     string
        AccessKeySecret string
        SecurityToken string
    }
    
    type CredentialsProvider struct {
        cred credentials.Credential
    }
    
    func (credentials *Credentials) GetAccessKeyID() string {
        return credentials.AccessKeyId
    }
    
    func (credentials *Credentials) GetAccessKeySecret() string {
        return credentials.AccessKeySecret
    }
    
    func (credentials *Credentials) GetSecurityToken() string {
        return credentials.SecurityToken
    }
    
    func (defBuild CredentialsProvider) GetCredentials() oss.Credentials {
        id,_ := defBuild.cred.GetAccessKeyId()
        secret,_ := defBuild.cred.GetAccessKeySecret()
        token,_ := defBuild.cred.GetSecurityToken()
    
        return &Credentials{
            AccessKeyId: *id,
            AccessKeySecret: *secret,
            SecurityToken: *token,
        }
    }
    
    func NewStaticCredentialsProvider(credential credentials.Credential) CredentialsProvider {
        return CredentialsProvider{
            cred: credential,
        }
    }
    
    func main(){
        config := new(credentials.Config).
            // Set the credential type to ecs_ram_role. 
            SetType("ecs_ram_role").
            // (Optional) Specify the role name. If you do not specify the role name, OSS automatically generates a role name. We recommend that you specify a role name to reduce the number of requests. 
            SetRoleName("RoleName")
    
        ecsCredential, err := credentials.NewCredential(config)
        if err != nil {
            return
        }
        provider := NewStaticCredentialsProvider(ecsCredential)
        client, err := oss.New("oss-cn-hangzhou.aliyuncs.com", "", "", oss.SetCredentialsProvider(&provider))
        if err != nil {
            fmt.Println("Error:", err)
            os.Exit(-1)
        }
        fmt.Printf("client:%#v\n", client)
    
    }

Use long-term access credentials

If you want to use OSS SDK for Go to access OSS resources in an application or service for a long period of time, you can configure long-term access credentials by using the AccessKey pair of a RAM user.

Configure the AccessKey pair of a RAM user

  1. Obtain the AccessKey pair of a RAM user.

    For more information, see Create an AccessKey pair for a RAM user.

    Important

    We recommend that you rotate the AccessKey pair of a RAM user that is used for more than three months. We recommend that you disable and delete the AccessKey pair of a RAM user that is not used for a long period of time. This reduces the risk of AccessKey pair leaks.

  2. Configure the AccessKey pair of the RAM user as access credentials.

    Specify environment variables

    1. Configure environment variables.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile
      3. Add the AccessKey pair of the RAM user to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
      4. Press Ctrl+X, press Y to save the file, and then press Enter to close the file.

      5. Run the following command for the changes to take effect:

        source ~/.bash_profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn**** 

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile
      3. Add the AccessKey pair of the RAM user to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
      4. Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn**** 

      Windows

      Use the GUI

      In this example, Windows 10 is used. You can perform the following steps to configure the AccessKey pair of the RAM user by using environment variables on the GUI:

      1. On the Windows desktop, right-click This PC and select Properties. On the page that appears, click Advanced system settings. In the System Properties dialog box, click Environment Variables on the Advanced tab. In the Environment Variables dialog box, click New in the User variables or System variables section.

      2. Specify the environment variables. The following table describes the environment variables.

        Variable

        Example

        OSS_ACCESS_KEY_ID

        LTAI****

        OSS_ACCESS_KEY_SECRET

        IrVTNZNy****

      3. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET

        Sample success response:

        LTAI****
        IrVTNZNy**** 

      Use CMD

      1. Open the CLI.

      2. Run the following command to configure the environment variables by using the AccessKey pair:

        set OSS_ACCESS_KEY_ID=LTAI****
        set OSS_ACCESS_KEY_SECRET=IrVTNZNy****  
      3. Run the following command for the changes to take effect:

        setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
        setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
      4. Run the following command to verify the configurations of the environment variables:

        echo %OSS_ACCESS_KEY_ID%
        echo %OSS_ACCESS_KEY_SECRET%

        Sample success response:

        LTAI****
        IrVTNZNy****  

      Use Windows PowerShell

      1. Press Win+X.

      2. Specify the AccessKey pair of the RAM user.

        Valid for the current session
        1. In the message that appears, select Windows PowerShell.

        2. Specify the following environment variables for the current session:

          $env:OSS_ACCESS_KEY_ID = "LTAI****"
          $env:OSS_ACCESS_KEY_SECRET = "IrVTNZNy****"
        Valid for all new sessions
        1. In the message that appears, select Windows PowerShell.

        2. Specify the following environment variables for all new sessions:

          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_ID', 'LTAI****', [System.EnvironmentVariableTarget]::User)
          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::User)
        Valid for all users
        1. In the message that appears, select Windows PowerShell (Administrator).

        2. Specify the following environment variables for all users:

          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_ID', 'LTAI****', [System.EnvironmentVariableTarget]::Machine)
          [System.Environment]::SetEnvironmentVariable('OSS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::Machine)
      3. Run the following command to verify the configurations of the environment variables:

        Get-ChildItem env:OSS_ACCESS_KEY_ID
        Get-ChildItem env:OSS_ACCESS_KEY_SECRET

        Sample success response:

        LTAI****
        IrVTNZNy**** 
    2. Obtain the AccessKey pair of the RAM user from the environment variables.

      package main
      
      import (
      	"fmt"
      	"github.com/aliyun/aliyun-oss-go-sdk/oss"
      	"os"
      )
      
      func main() {
      	// Obtain access credentials from the environment variables. 
      	provider, err := oss.NewEnvironmentVariableCredentialsProvider()
      	if err != nil {
      		fmt.Println("Error:", err)
      		os.Exit(-1)
      	}
      
      	// Create an OSSClient instance. 
      	// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
      	client, err := oss.New("yourEndpoint", "", "", oss.SetCredentialsProvider(&provider))
      	if err != nil {
      		fmt.Println("Error:", err)
      		os.Exit(-1)
      	}
      }

    Embed access credentials in code

    Warning

    Security issues may occur if you embed access credentials in code. Leaked access credentials can be used by attackers to access your resources, which causes data breaches. To ensure security, we recommend that you use more secure methods, such as obtaining access credentials from environment variables.

    package main
    
    import (
    	"fmt"
    	"github.com/aliyun/aliyun-oss-go-sdk/oss"
    	"os"
    )
    
    func main() {
        // Create an OSSClient instance. 
        // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
        // Specify the AccessKey ID and AccessKey secret of the RAM user. 
        client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret")
        if err != nil {
            fmt.Println("Error:", err)
            os.Exit(-1)
        }
    }

OIDC access credentials

For more information about OIDC role-based SSO, see Overview of OIDC-based SSO.

If you want to use OIDC access credentials for your application or service to access OSS, perform the following steps to configure OIDC access credentials.

  1. Run the following command to install alibabacloud_credentials: Add the AccessKey pair of the RAM user to the end of the file.

    go get github.com/aliyun/credentials-go/credentials
  1. Create an OIDC IdP and a RAM role for the OIDC IdP. For more information, see Create a RAM role for an OIDC IdP and Grant permissions to a RAM role.

  2. Use the RAM role to provide access credentials. The following sample code provides an example on how to create an OSSClient instance that can be used to access OSS by using OIDC access credentials:

    package main
    
    import (
        "fmt"
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
        "github.com/aliyun/credentials-go/credentials"
        "os"
    )
    
    type Credentials struct {
        AccessKeyId     string
        AccessKeySecret string
        SecurityToken   string
    }
    
    type CredentialsProvider struct {
        cred credentials.Credential
    }
    
    func (credentials *Credentials) GetAccessKeyID() string {
        return credentials.AccessKeyId
    }
    
    func (credentials *Credentials) GetAccessKeySecret() string {
        return credentials.AccessKeySecret
    }
    
    func (credentials *Credentials) GetSecurityToken() string {
        return credentials.SecurityToken
    }
    
    func (defBuild CredentialsProvider) GetCredentials() oss.Credentials {
        id, _ := defBuild.cred.GetAccessKeyId()
        secret, _ := defBuild.cred.GetAccessKeySecret()
        token, _ := defBuild.cred.GetSecurityToken()
    
        return &Credentials{
            AccessKeyId:     *id,
            AccessKeySecret: *secret,
            SecurityToken:   *token,
        }
    }
    
    func NewStaticCredentialsProvider(credential credentials.Credential) CredentialsProvider {
        return CredentialsProvider{
            cred: credential,
        }
    }
    
    func main() {
        config := new(credentials.Config).
        // Set the credential type to oidc_role_arn. 
        SetType("oidc_role_arn").
        // Specify the ARN of the OIDC IdP. The ARN is in the acs:ram::account-id:oidc-provider/provider-name format. 
        SetOIDCProviderArn("acs:ram::113511544585****:oidc-provider/TestOidcProvider").
        // Specify the path of the file that contains the OIDC token. 
        SetOIDCTokenFilePath("OIDCTokenFilePath").
        // Specify a custom session name for the role to distinguish different tokens. 
        SetRoleSessionName("TestOidcAssumedRoleSession").
        // (Optional) Specify the policy for the RAM role. 
        SetPolicy("").
        // Specify the ARN of the RAM role, which is the ID of the RAM role to be assumed. Format: acs:ram::113511544585****:oidc-provider/TestOidcProvider.
        SetRoleArn("acs:ram::113511544585****:role/testoidc").
        SetSessionExpiration(3600)
        oidcCredential, err := credentials.NewCredential(config)
        if err != nil {
            return
        }
        provider := NewStaticCredentialsProvider(oidcCredential)
        // Create an OSSClient instance. 
        // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com. Specify your actual endpoint. 
        client, err := oss.New("yourEndpoint", "", "", oss.SetCredentialsProvider(&provider))
        if err != nil {
            fmt.Println("Error:", err)
            os.Exit(-1)
        }
        fmt.Printf("client:%#v\n", client)
    }
    

What to do next

After you configure the access credentials, you can initialize an OSSClient instance. For more information, see Initialization.