How do I configure access credentials for OSS SDK for Java? - Object Storage Service

To use Object Storage Service (OSS) SDK for Java to initiate a request, you must configure access credentials, which are used to verify your identity and access permissions. You can select different types of access credentials based on your authentication and authorization requirements. This topic describes how to configure temporary access credentials, long-term access credentials, and OpenID Connect (OIDC) access credentials.

Prerequisites

OSS SDK for Java is installed. For more information, see Installation.

Access credentials

You can choose from the following types of access credentials:

Temporary access credentials: We recommend that you use temporary access credentials in scenarios that require enhanced security. For example, you can use temporary access credentials to grant applications temporary access to OSS. Temporary access credentials are valid within the specified period of time, which helps prevent credential leaks. Temporary access credentials support fine-grained access control to prevent security risks caused by excessive permissions. For more information, see Use temporary access credentials.
Long-term access credentials: To ensure security, we recommend that you do not use long-term access credentials. For scenarios that require convenience, long-term access credentials eliminate the need for multiple refreshes within a long period of time. We recommend that you change your long-term access credentials every three months to ensure the security of your Alibaba Cloud account. If long-term access credentials are leaked or no longer used, we recommend that you delete or disable the long-term access credentials to reduce security risks. For more information, see Use long-term access credentials.
OIDC access credentials: If you need to deploy untrusted applications to a container cluster, you may want to prevent the applications from accessing the Security Token Service (STS) token of the RAM role for the instance associated with the worker by using a metadata service. In this case, you can use OIDC access credentials. OIDC is an authentication protocol based on OAuth 2.0. OIDC can be used to grant untrusted applications the minimal level of access. OIDC access credentials allow untrusted applications to access STS tokens safely without affecting the security of cloud resources. RAM roles support OIDC-based single sign-on (SSO). For more information, see OIDC access credentials.

Usage notes

This topic describes how to run shell commands to configure environment variables on macOS, Linux, and Windows. If you properly configure environment variables, programs started by command lines can recognize the required configurations. If you start the programs in an integrated development environment (IDE), you may need to refer to this topic to separately configure environment variables in the IDE.

Use temporary access credentials

You can use the following methods to allow temporary access to OSS resources by using OSS SDK for Java:

Configure Security Token Service (STS) temporary access credentials: If you want to grant time-limited access to your OSS resource, you need to use temporary access credentials obtained from STS. The temporary access credentials avoid exposing the AccessKey pair of your RAM user, which enhances access security.
Configure a RAM role for a RAM user: If you want to grant a RAM user of your Alibaba Cloud account or a RAM user of another Alibaba Cloud account the permissions to access your OSS resources, you can configure a RAM role for the RAM user to assume.
Configure a RAM role for an Elastic Compute Service (ECS) instance: If you want to access OSS resources from an ECS instance, you can use a RAM role of the ECS instance to access OSS resources. You can attach a RAM role to an ECS instance to access OSS resources from the instance by using temporary access credentials that are obtained from STS. STS temporary access credentials are automatically generated and updated. Applications can obtain STS temporary access credentials by using the instance metadata URL.

Configure STS temporary access credentials

Create a RAM user.
For more information, see Create a RAM user.
Attach the AliyunSTSAssumeRoleAccess policy to the RAM user.
For more information, see Grant permissions to a RAM user.
Use the RAM user to call the AssumeRole operation of STS to obtain temporary access credentials.
For more information, see AssumeRole.

Configure the temporary access credentials provided by STS.

Environment variables

Configure environment variables to store the access credentials.

macOS

Open the terminal.
Run the following command:
```
nano ~/.bash_profile
```

Add the temporary access credentials (AccessKey ID, AccessKey secret, and security token) to the end of the file.

export OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
export OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

Press Ctrl+X, press Y to save the file, and then press Enter to close the file.
Run the following command to apply the changes:
```
source ~/.bash_profile
```

Run the following command to verify environment variable configurations:

echo $OSS_ACCESS_KEY_ID
echo $OSS_ACCESS_KEY_SECRET
echo $OSS_SESSION_TOKEN

Sample success response:

STS.NV5ZCwphFSXqscqUHAKbH****
IrVTNZNy5yQelTETg0cZML3TQn**** 
CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

Linux

Open the terminal.
Run the following command:
```
sudo vim /etc/profile
```

Add the temporary access credentials (AccessKey ID, AccessKey secret, and security token) to the end of the file.

export OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
export OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.
Run the following command to apply the changes:
```
source /etc/profile
```

Run the following command to verify environment variable configurations:

echo $OSS_ACCESS_KEY_ID
echo $OSS_ACCESS_KEY_SECRET
echo $OSS_SESSION_TOKEN

Sample success response:

STS.NV5ZCwphFSXqscqUHAKbH****
IrVTNZNy5yQelTETg0cZML3TQn**** 
CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

Windows

Open the CLI.

Run the following command to configure environment variables for the temporary access credentials (AccessKey ID, AccessKey secret, and security token):

set OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
set OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
set OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

Run the following command to apply the changes:

setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
setx OSS_SESSION_TOKEN "%OSS_SESSION_TOKEN%"

Run the following command to verify environment variable configurations:

echo %OSS_ACCESS_KEY_ID%
echo %OSS_ACCESS_KEY_SECRET%
echo %OSS_SESSION_TOKEN%

Sample success response:

STS.NV5ZCwphFSXqscqUHAKbH****
IrVTNZNy5yQelTETg0cZML3TQn**** 
CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

Obtain the temporary access credentials from the environment variables.

// Obtain the temporary AccessKey pair and security token from the environment variables. 
EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();

Embedded access credentials

Warning

Security issues may occur if you embed access credentials in code. Leaked access credentials can be used by attackers to access your resources, which causes data breaches. To ensure security, we recommend that you use more secure methods, such as obtaining temporary access credentials from environment variables.

// Specify the temporary AccessKey pair obtained from STS. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
String accessKeyId = "yourAccessKeyId";
String accessKeySecret = "yourAccessKeySecret";
// Specify the security token obtained from STS. 
String securityToken = "yourSecurityToken";
// Use the specified temporary AccessKey pair and security token to create a credential provider. 
CredentialsProvider credentialsProvider = new DefaultCredentialProvider(accessKeyId, accessKeySecret, securityToken);

Configure a RAM role for a RAM user

Obtain the AccessKey pair of a RAM user.
For more information, see Create an AccessKey pair for a RAM user.
Important
To reduce the risk that the AccessKey pair of a RAM user is leaked, we recommend that you rotate an AccessKey pair that is used for more than three months. We recommend that you disable and delete the AccessKey pair of a RAM user that is not used for a long period of time.
Obtain RamRoleArn of the RAM role.
Note
RamRoleArn is the Alibaba Cloud Resource Name (ARN) of the RAM role. The ARN is in the format of acs:ram::$accountID:role/$roleName, where $accountID is the ID of the Alibaba Cloud account and $roleName is the name of the RAM role.
For more information, see View the information about a RAM role.

Configure the AccessKey pair of the RAM user and the ARN of the RAM role as the temporary access credentials.

Environment variables

Configure environment variables for the AccessKey pair of the RAM user and the ARN of the RAM role.

macOS

Open the terminal.
Run the following command:
```
nano ~/.bash_profile
```

Add the AccessKey pair of the RAM user and the ARN of the RAM role to the end of the file.

export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
export OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest

Press Ctrl+X, press Y to save the file, and then press Enter to close the file.
Run the following command to apply the changes:
```
source /etc/profile
```

Run the following command to verify environment variable configurations:

echo $OSS_ACCESS_KEY_ID
echo $OSS_ACCESS_KEY_SECRET
echo $OSS_STS_ROLE_ARN

Sample success response:

LTAI4GDty8ab9W4Y1D****
IrVTNZNy5yQelTETg0cZML3TQn****  
acs:ram::17464958********:role/ossststest

Linux

Open the terminal.
Run the following command:
```
sudo vim /etc/profile
```

Add the AccessKey pair of the RAM user and the ARN of the RAM role to the end of the file.

export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
export OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest

Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.
Run the following command to apply the changes:
```
source /etc/profile
```

Run the following command to verify environment variable configurations:

echo $OSS_ACCESS_KEY_ID
echo $OSS_ACCESS_KEY_SECRET
echo $OSS_STS_ROLE_ARN

Sample success response:

LTAI4GDty8ab9W4Y1D****
IrVTNZNy5yQelTETg0cZML3TQn****  
acs:ram::17464958********:role/ossststest

Windows

Open the CLI.

Run the following command to configure environment variables for the AccessKey pair of the RAM user and the ARN of the RAM role:

set OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
set OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
set OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest

Run the following command to apply the changes:

setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
setx OSS_STS_ROLE_ARN "%OSS_STS_ROLE_ARN%"

Run the following command to verify environment variable configurations:

echo %OSS_ACCESS_KEY_ID%
echo %OSS_ACCESS_KEY_SECRET%
echo %OSS_STS_ROLE_ARN%

Sample success response:

LTAI4GDty8ab9W4Y1D****
IrVTNZNy5yQelTETg0cZML3TQn****  
acs:ram::17464958********:role/ossststest

Obtain the AccessKey pair of the RAM user and the ARN of the RAM role from the environment variables.

// Specify the region that you want to authorize STSAssumeRole to access. In this example, the China (Hangzhou) region is specified. 
String region = "cn-hangzhou";
// Obtain the AccessKey pair of the RAM user from the environment variables. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
String accessKeyId = System.getenv("OSS_ACCESS_KEY_ID");
String accessKeySecret = System.getenv("OSS_ACCESS_KEY_SECRET");
// Obtain the ARN of the RAM role from the environment variable. 
String roleArn = System.getenv("OSS_STS_ROLE_ARN");

// Use the AccessKey pair and RAM role ARN to create a credential provider. 
STSAssumeRoleSessionCredentialsProvider credentialsProvider = CredentialsProviderFactory
        .newSTSAssumeRoleSessionCredentialsProvider(
                region, 
                accessKeyId, 
                accessKeySecret, 
                roleArn
        );

Embedded access credentials

Warning

// Specify the region that you want to authorize STSAssumeRole to access. In this example, the China (Hangzhou) region is specified. 
String region = "cn-hangzhou";
// Obtain the AccessKey pair of the RAM user from the environment variables. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
String accessKeyId = System.getenv("OSS_ACCESS_KEY_ID");
String accessKeySecret = System.getenv("OSS_ACCESS_KEY_SECRET");
// Specify the ARN of the RAM role. 
String roleArn = "acs:ram::17464958********:role/ossststest";

// Use the specified AccessKey pair and RAM role ARN to create a credential provider. 
STSAssumeRoleSessionCredentialsProvider credentialsProvider = CredentialsProviderFactory
        .newSTSAssumeRoleSessionCredentialsProvider(
                region, 
                accessKeyId, 
                accessKeySecret, 
                roleArn
        );

Configure a RAM role for an ECS instance

Attach a RAM role to an ECS instance.
For more information, see Use instance RAM roles to control access to resources.

Configure temporary access credentials by using the RAM role for the ECS instance.

// Obtain access credentials by using the RAM role of an ECS instance. In this example, the ecs-ram-role role is used. 
InstanceProfileCredentialsProvider credentialsProvider = CredentialsProviderFactory.newInstanceProfileCredentialsProvider("ecs-ram-role");

Use long-term access credentials

If you want to steadily use OSS SDK for Java to access OSS resources for an application or service, you can provide long-term access credentials

that consist of the AccessKey ID and AccessKey secret of a RAM user.

Configure access credentials by using the AccessKey pair of a RAM user

Obtain the AccessKey pair of the RAM user.
For more information, see Create an AccessKey pair for a RAM user.
Important
We recommend that you rotate the AccessKey pair of a RAM user that is used for more than three months. We recommend that you disable and delete the AccessKey pair of a RAM user that is not used for a long period of time. This reduces the risk of AccessKey pair leaks.
Configure the AccessKey pair of the RAM user as access credentials.
Environment variables
1. Run the following command to configure environment variables:
  macOS
  Open the terminal.
  Run the following command:
  nano ~/.bash_profile
  Add the AccessKey pair of the RAM user to the end of the file.
  export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D**** export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
  Press Ctrl+X, press Y to save the file, and then press Enter to close the file.
  Run the following command to apply the changes:
  source ~/.bash_profile
  Run the following command to verify environment variable configurations:
  echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
  Sample success response:
  LTAI4GDty8ab9W4Y1D**** IrVTNZNy5yQelTETg0cZML3TQn****
  Linux
  Open the terminal.
  Run the following command:
  sudo vim /etc/profile
  Add the AccessKey pair of the RAM user to the end of the file.
  export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D**** export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
  Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.
  Run the following command to apply the changes:
  source /etc/profile
  Run the following command to verify environment variable configurations:
  echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
  Sample success response:
  LTAI4GDty8ab9W4Y1D**** IrVTNZNy5yQelTETg0cZML3TQn****
  Windows
  Open the CLI.
  Run the following command to configure the environment variables for the AccessKey pair:
  set OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D**** set OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
  Run the following command to apply the changes:
  setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%" setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
  Run the following command to verify environment variable configurations:
  echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
  Sample success response:
  LTAI4GDty8ab9W4Y1D**** IrVTNZNy5yQelTETg0cZML3TQn****
2. Obtain the AccessKey pair of the RAM user from the environment variables.
```
// Obtain the access credentials from the environment variables. 
EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
```
Embedded access credentials
Warning
Security issues may occur if you embed access credentials in code. Leaked access credentials can be used by attackers to access your resources, which causes data breaches. To ensure security, we recommend that you use more secure methods, such as obtaining temporary access credentials from environment variables.
```
// Obtain the AccessKey pair of the RAM user from the environment variables. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
String accessKeyId = System.getenv("OSS_ACCESS_KEY_ID");
String accessKeySecret = System.getenv("OSS_ACCESS_KEY_SECRET");
// Use the AccessKey pair of the RAM user to create a credential provider. 
CredentialsProvider credentialsProvider = new DefaultCredentialProvider(accessKeyId, accessKeySecret);
```

OIDC access credentials

For more information about OIDC role-based SSO, see Overview.

If you want to use OIDC access credentials for your application or service to access OSS, use the following steps to configure OIDC access credentials first.

Add the alibabacloud_credentials dependency.

<dependency>
   <groupId>com.aliyun</groupId>
   <artifactId>credentials-java</artifactId>
   <version>LATEST</version>
</dependency>

Create an OIDC IdP and a RAM role for the OIDC IdP. For more information, see Create a RAM role for a trusted IdP and Grant permissions to a RAM role.

Use the RAM role to provide access credentials. The following sample code creates an OSSClient instance that can be used to access OSS by using OIDC access credentials:

import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.common.auth.Credentials;
import com.aliyun.oss.common.auth.CredentialsProvider;
import com.aliyun.oss.common.auth.DefaultCredentials;
import com.aliyun.oss.model.AccessControlList;

public class OIDCRoleArnCredentialDemo {
    public static void main(String[] args) throws Exception {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint. 
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";

        com.aliyun.credentials.models.Config config = new com.aliyun.credentials.models.Config();
        // Specify the type of the credential. Set the type to oidc_role_arn. 
        config.setType("oidc_role_arn");
        // Specify the ARN of the RAM role. 
        config.setRoleArn(System.getenv("ALIBABA_CLOUD_ROLE_ARN"));
        // Specify the ARN of the OIDC IdP. 
        config.setOidcProviderArn(System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"));
        // Specify the file path of the OIDC token.   
        config.setOidcTokenFilePath(System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"));
        // Specify the name of the role session.
        config.setRoleSessionName("<RoleSessionName>");
        // (Optional) Specify limited permissions for the RAM role. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}.
        config.setPolicy("<Policy>");
        // (Optional) Specify the external ID of the RAM role. 
        // The external ID is provided by provider to avoid proxy confusion. 
        config.setExternalId("<ExternalId>");
        // Specify the validity period of the session.
        config.setRoleSessionExpiration(3600);

        com.aliyun.credentials.Client credentialsClient = new com.aliyun.credentials.Client(config);

        CredentialsProvider credsProvider = new OIDCRoleArnCredentialDemo.CredentialProviderWrapper(credentialsClient);

        // Create an OSSClient instance. 
        OSS ossClient = new OSSClientBuilder().build(endpoint, credsProvider);

    }

    private static class CredentialProviderWrapper implements CredentialsProvider {
        private com.aliyun.credentials.Client client;

        public CredentialProviderWrapper(com.aliyun.credentials.Client client) {
            this.client = client;
        }

        @Override
        public void setCredentials(Credentials credentials) {
        }

        public Credentials getCredentials() {
            String ak = client.getAccessKeyId();
            String sk = client.getAccessKeySecret();
            String token = client.getSecurityToken();
            return new DefaultCredentials(ak, sk, token);
        }
    }
}

What to do next

After you configure the access credentials, you can initialize an OSSClient instance. For more information, see Initialization.