ossbrowser 2.0 supports four logon methods. Choose one based on who needs access and how long they need it.
Prerequisites
Before you begin, make sure the account you use has the required permissions:
Alibaba Cloud account: Full permissions on all resources by default. No additional configuration needed.
RAM user: At least
oss:ListBuckets,oss:ListObjects, andoss:GetBucketInfopermissions for all buckets.Security Token Service (STS) temporary access credential: At least
oss:ListObjectsandoss:GetBucketInfopermissions for the target bucket.Authorization code: Permissions configured by the Alibaba Cloud account owner or a Resource Access Management (RAM) administrator using the File Authorization operation.
Choose a logon method
| Logon method | Best for | Credential required | Limitations |
|---|---|---|---|
| Log On With AK | Resource owners or team members who need long-term, persistent access | AccessKey ID + AccessKey secret | — |
| Log On With Account | Resource owners or team members who prefer daily security verification (QR code scan or verification code) | Alibaba Cloud account / RAM user account / mobile phone | Does not support File Authorization |
| Log on with STS | Team members who need temporary access to your OSS resources | STS temporary access credential | — |
| Log On With Authorization Code | Team members who need temporary or permanent access to specific OSS resources you have authorized | Authorization code | — |
Log on with AK
Use the AccessKey information of an Alibaba Cloud account or a RAM user. For improved security, log on using a RAM user's AccessKey.
Get your AccessKey pair.
Already have one: Use the
AccessKey IDandAccessKey secretsaved when you created the pair.Need to create one: Go to the Create AccessKey page. Click Create AccessKey and follow the instructions. After creation, click Download CSV File to save the credentials locally.
Click Log On With AK. Enter the
AccessKey IDandAccessKey secret.
To create a RAM user, use an account with RAM management permissions, such as an Alibaba Cloud account.
Create a RAM user.
Go to the Create User page and follow the console instructions to create a RAM user. > Note: For detailed steps, see Create a RAM user.
Click Download CSV File to save the AccessKey information. Keep this file secure.
Grant permissions to the RAM user.
On the Users page, find the user and click Permission Management > Add Permissions.
Search for and add the required ossbrowser 2.0 operation permissions, along with
AliyunRAMFullAccessandAliyunSTSAssumeRoleAccess. > Note: For more information, see Grant permissions to a RAM user and Create custom policies.
Click Log On With AK. Enter the
AccessKey IDandAccessKey secretfrom the CSV file.
Get the RAM user's AccessKey pair.
Already have one: Use the
AccessKey IDandAccessKey secretsaved locally.Need to create one: Log on to the Alibaba Cloud console as the target RAM user. Go to the Users page, click the user, and click Create AccessKey. After creation, click Download CSV File to save the credentials.
Confirm OSS permissions.
On the Users page, select the user and click Permission Management to check OSS access.
If OSS permissions are missing, click Add Permissions and add
AliyunOSSFullAccess,AliyunRAMFullAccess, andAliyunSTSAssumeRoleAccess. > Note: For more information, see Grant permissions to a RAM user and Create custom policies.
Click Log On With AK. Enter the RAM user's
AccessKey IDandAccessKey secret.
Log on with Account
Click Log On With Account.
On the Alibaba Cloud Logon Page, switch to full screen mode. In the upper-right corner, select alibabacloud.com (international site), then choose your preferred logon method: scan a QR code using the Alibaba Cloud app, Alipay, or DingTalk, or log in with an Alibaba Cloud account, RAM user account, or mobile phone verification code.
Log on with STS
The STS Token field appears only when the AccessKeyID value matches the STS.***** format.
Get an STS temporary access credential. For details, see Use an STS temporary access credential to access OSS.
Click Log On With AK. Enter the
AccessKey ID,AccessKey secret, andSecurityTokenfrom the temporary access credential.
Log on with Authorization Code
Get an authorization code from the resource owner. For details, see File Authorization.
Click Log On With Authorization Code and enter the authorization code.
Configure the endpoint
Accelerated domain names are not supported for logging on to ossbrowser 2.0.
Select the endpoint type that matches your environment.
| Endpoint | Use case | Limitations | Screenshot |
|---|---|---|---|
| Public Endpoint | Local machine access | — |  |
| Internal Same-region Endpoint | Alibaba Cloud internal network (e.g., ECS). The ECS instance and target bucket must be in the same region. See Create an ECS instance. | — |  |
| Specified Domain Name | Access via a specific domain name, such as a Transfer Acceleration Endpoint. See Enable transfer acceleration. | Cannot switch to other buckets after logon. |  |
| Custom Domain Name | Access OSS resources through a custom domain name attached to OSS. See Attach a custom domain name. | — |  |
| PrivateLink | Secure private connection from an ECS instance. The ECS instance and endpoint must be in the same virtual private cloud (VPC), and the ECS instance and target bucket must be in the same region. Enter the Endpoint Service Domain Name. See Create an endpoint. | Cannot switch to other buckets after logon — specify the preset OSS path before logging on. |  |
| CloudBox | CloudBox environment. Enter the data endpoint of your CloudBox. | File Authorization is not supported. |  |
Configure the preset OSS path
If you have permissions on only some resources in a bucket, specify the OSS resource path.
| Access scope | Path format | Example |
|---|---|---|
| Entire bucket | bucketname |  |
| Specific folder | bucketname/folder |  |
| Specific file | bucketname/folder/file |  |
Configure the bucket region
Configure the preset OSS path before setting the bucket region when accessing a specific bucket.
| Endpoint type | How to set the region |
|---|---|
| Public Endpoint / Internal Same-region Endpoint | Click Advanced Settings in the upper-right corner of the logon page, then select the region under Default Region. See   |
| Specified Domain Name / Custom Domain Name / PrivateLink | Select the region from the Default Region drop-down list. See  |
Other settings
| Setting | Description |
|---|---|
| Pay-by-requester Mode | Enable this if the bucket has pay-by-requester mode enabled and you are not the bucket owner. Go to Advanced Settings to turn it on. Without this setting, accessing the preset OSS path returns an AccessDenied error. When enabled, you (the requester) are charged for traffic, requests, and other access fees. For details, see Pay by requester. |
| Keep Me Logged In | ossbrowser 2.0 keeps you logged in automatically on next launch. |
| Save Session | Saves the AccessKey pair. On next logon, click AK History to select a saved key. Warning Do not use this on a shared or temporary computer. |
Verify the result
After a successful logon, you'll see the ossbrowser 2.0 main interface.
To get started with common tasks, see Common operations.
Required permissions by operation
After logging on with a RAM user or STS credential, configure the appropriate access policies for each operation. For help creating policies, see Create custom policies and Grant permissions to a RAM user.
| Operation | Permission | Notes |
|---|---|---|
| Log on — list all buckets | oss:ListBuckets | Not required if accessing only a specific bucket, but the bucket list won't be visible. |
| Log on — view file list | oss:ListObjects | Required to see files in a bucket. |
| Log on — access via preset path | oss:GetBucketInfo | Required for preset path access. Without it, manually specify the bucket region instead. |
| Manage buckets — view list | oss:ListBuckets | — |
| Manage buckets — create | oss:PutBucket | — |
| Manage buckets — view details | oss:GetBucketInfo | — |
| Manage buckets — delete | oss:DeleteBucket | Configure with caution. |
| File list | oss:ListObjects | — |
| Upload | oss:PutObject | — |
| Download files | oss:GetObject | — |
| Download folders | oss:ListObjects | — |
| Copy / move across buckets | oss:ListBuckets | Required when copying and moving objects across buckets. |
| Copy / move / rename folders | oss:ListObjects | Required when copying, moving, and renaming folders. |
| Copy / move — read source | oss:GetObject | Required for the source bucket. |
| Copy / move — write destination | oss:PutObject | Required for the destination bucket. |
| Move / rename — delete source | oss:DeleteObject | Required for the source bucket; without it, source files cannot be deleted. |
| Copy / move — versioning check | oss:GetBucketInfo | ossbrowser 2.0 calls GetBucketInfo to check versioning status. Without this permission, an error appears — close the dialog to continue. If versioning is enabled, Skip and Ask policies have no effect; files are always overwritten. |
| Delete files | oss:DeleteObject | Configure with caution. |
| Delete folders | oss:ListObjects + oss:DeleteObject | ListObjects is required to enumerate folder contents before deletion. |
| Fragmentation management — view | oss:ListParts | — |
| Fragmentation management — delete | oss:ListMultipartUploads | — |
| File restoration | oss:RestoreObject | For Archive Storage, Cold Archive, or Deep Cold Archive storage classes. |