All Products
Search
Document Center

Object Storage Service:Configure access credentials

Last Updated:Jan 03, 2024

To use Object Storage Service (OSS) SDK for Java to initiate a request, you must configure access credentials. Alibaba Cloud services use access credentials to verify your identity information and access permissions. You can select different types of access credentials based on the requirements for authentication and authorization. This topic describes how to configure temporary access credentials and long-term access credentials.

Prerequisites

OSS SDK for Java is installed. For more information, see Installation.

Access credentials

You can choose from the following types of access credentials:

  • Temporary access credentials: For scenarios that require high security, such as temporary access authorization of applications to access OSS, we recommend that you use temporary access credentials. Temporary access credentials have a validity period for access. This helps prevent access credentials from being leaked. Temporary access credentials support fine-grained access control to prevent security risks caused by excessive permissions. For more information, see Use temporary access credentials.

  • Long-term access credentials: To ensure security, we recommend that you do not use long-term access credentials. For scenarios that require convenience, long-term access credentials eliminate the need for multiple refreshes within a long period of time. We recommend that you change your long-term access credentials every three months to ensure the security of your Alibaba Cloud account. When long-term access credentials are leaked or no longer used, you can delete or disable the long-term access credentials to reduce security risks. For more information, see Use long-term access credentials.

Use temporary access credentials

If you want to use OSS SDK for Java to temporarily access OSS resources, you can use one of the following methods to configure temporary access credentials:

  • Configure Security Token Service (STS) temporary access credentials: If you want to access OSS within a specific period of time, you can use STS to obtain temporary access credentials. The temporary access credentials provided by STS do not disclose the AccessKey pair of your RAM user. This ensures that your access to OSS resources is secure.

  • Configure a RAM role: If you want to grant a RAM user of your Alibaba Cloud account or a RAM user of another Alibaba Cloud account the permissions to access OSS resources, you can configure a RAM role for the RAM user.

  • Configure a RAM role for an Elastic Compute Service (ECS) instance: If you want to access OSS resources from an ECS instance, you can use a RAM role of the ECS instance to access OSS resources. You can attach a RAM role to an ECS instance to access OSS resources from the instance by using temporary access credentials that are obtained from STS. STS temporary access credentials are automatically generated and updated. Applications can obtain STS temporary access credentials by using the instance metadata URL.

Configure STS temporary access credentials

  1. Create a RAM user.

    For more information, see Create a RAM user.

  2. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user.

    For more information, see Grant permissions to a RAM user.

  3. Use the RAM user to call the AssumeRole operation of STS to obtain temporary access credentials.

    For more information, see AssumeRole.

  4. Configure the temporary access credentials provided by STS.

    Environment variables

    1. Use the temporary access credentials provided by STS to configure environment variables.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile
      3. Add the temporary access credentials (AccessKeyId, AccessKeySecret, and SecurityToken) obtained from STS to the end of the file.

        export OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
        export OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****
      4. Press Ctrl + X, press Y to save the file, and then press Enter to close the file.

      5. Run the following command for the changes to take effect:

        source ~/.bash_profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_SESSION_TOKEN

        Sample success response:

        STS.NV5ZCwphFSXqscqUHAKbH****
        IrVTNZNy5yQelTETg0cZML3TQn**** 
        CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile
      3. Add the temporary access credentials (AccessKeyId, AccessKeySecret, and SecurityToken) obtained from STS to the end of the file.

        export OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
        export OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****
      4. Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_SESSION_TOKEN

        Sample success response:

        STS.NV5ZCwphFSXqscqUHAKbH****
        IrVTNZNy5yQelTETg0cZML3TQn**** 
        CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****

      Windows

      1. Open the command-line interface (CLI).

      2. Run the following command to configure the temporary access credentials (AccessKeyId, AccessKeySecret, and SecurityToken) obtained from STS:

        set OSS_ACCESS_KEY_ID=STS.NV5ZCwphFSXqscqUHAKbH****
        set OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****
        set OSS_SESSION_TOKEN=CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****
      3. Run the following command for the changes to take effect:

        setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
        setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
        setx OSS_SESSION_TOKEN "%OSS_SESSION_TOKEN%"
      4. Run the following command to verify the configurations of the environment variables:

        echo %OSS_ACCESS_KEY_ID%
        echo %OSS_ACCESS_KEY_SECRET%
        echo %OSS_SESSION_TOKEN%

        Sample success response:

        STS.NV5ZCwphFSXqscqUHAKbH****
        IrVTNZNy5yQelTETg0cZML3TQn**** 
        CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****
    2. Obtain the temporary access credentials provided by STS from the environment variables.

      // Use the temporary AccessKey pair and security token obtained from the environment variables to configure the access credentials. 
      EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();

    Embed access credentials in code

    Warning

    Security issues may occur when you embed access credentials in code. If access credentials are leaked, attackers can use the access credentials to access your OSS resources, which may cause data loss. To ensure security, we recommend that you use more secure methods, such as obtaining access credentials from environment variables.

    // Specify the temporary AccessKey pair obtained from STS. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
    String accessKeyId = "yourAccessKeyId";
    String accessKeySecret = "yourAccessKeySecret";
    // Specify the security token obtained from STS. 
    String securityToken = "yourSecurityToken";
    // Configure the temporary access credentials by using the temporary AccessKey pair and security token obtained from STS in the code. 
    CredentialsProvider credentialsProvider = new DefaultCredentialProvider(accessKeyId, accessKeySecret, securityToken);

Configure a RAM role

  1. Obtain the AccessKey pair of a RAM user.

    For more information, see Create an AccessKey pair for a RAM user.

    Important

    To reduce the risk that the AccessKey pair of a RAM user is leaked, we recommend that you rotate an AccessKey pair that is used for more than three months. We recommend that you disable and delete the AccessKey pair of a RAM user that is not used for a long period of time.

  2. Obtain RamRoleArn of the RAM role.

    Note

    RamRoleArn is the Alibaba Cloud Resource Name (ARN) of the RAM role, which is the ID of the RAM role to be assumed. Format: acs:ram::$accountID:role/$roleName. $accountID: the ID of the Alibaba Cloud account. $roleName: the name of the RAM role.

    For more information, see View the information about a RAM role.

  3. Configure the AccessKey pair of the RAM user and RamRoleArn of the RAM role as the temporary access credentials.

    Environment variables

    1. Configure environment variables by using the obtained AccessKey pair of the RAM user and RamRoleArn of the RAM role.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile
      3. Add the AccessKey pair of the RAM user and RamRoleArn of the RAM role to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
        export OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest
      4. Press Ctrl + X, press Y to save the file, and then press Enter to close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_STS_ROLE_ARN

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn****  
        acs:ram::17464958********:role/ossststest

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile
      3. Add the AccessKey pair of the RAM user and RamRoleArn of the RAM role to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
        export OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest
      4. Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET
        echo $OSS_STS_ROLE_ARN

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn****  
        acs:ram::17464958********:role/ossststest

      Windows

      1. Open the CLI.

      2. Run the following command to configure the AccessKey pair of the RAM user and RamRoleArn of the RAM role:

        set OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        set OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn****  
        set OSS_STS_ROLE_ARN=acs:ram::17464958********:role/ossststest
      3. Run the following command for the changes to take effect:

        setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
        setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
        setx OSS_STS_ROLE_ARN "%OSS_STS_ROLE_ARN%"
      4. Run the following command to verify the configurations of the environment variables:

        echo %OSS_ACCESS_KEY_ID%
        echo %OSS_ACCESS_KEY_SECRET%
        echo %OSS_STS_ROLE_ARN%

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn****  
        acs:ram::17464958********:role/ossststest
    2. Obtain the AccessKey pair of the RAM user and RamRoleArn of the RAM role from the environment variables.

      // Specify the region that the STSAssumeRole role is authorized to access. In this example, the China (Hangzhou) region is used. Specify this parameter based on the actual region. 
      String region = "cn-hangzhou";
      // Obtain the AccessKey pair of the RAM user from the environment variables. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
      String accessKeyId = System.getenv("OSS_ACCESS_KEY_ID");
      String accessKeySecret = System.getenv("OSS_ACCESS_KEY_SECRET");
      // Obtain RamRoleArn of the RAM role from the environment variables. 
      String roleArn = System.getenv("OSS_STS_ROLE_ARN");
      
      // Configure temporary access credentials by using the AccessKey pair of the RAM user and RamRoleArn of the RAM role obtained from environment variables. 
      STSAssumeRoleSessionCredentialsProvider credentialsProvider = CredentialsProviderFactory
              .newSTSAssumeRoleSessionCredentialsProvider(
                      region, 
                      accessKeyId, 
                      accessKeySecret, 
                      roleArn
              );

    Embed access credentials in code

    Warning

    Security issues may occur if you embed access credentials in code. If access credentials are leaked, attackers can use the access credentials to access your OSS resources, which may cause losses. To ensure security, we recommend that you use more secure methods, such as obtaining temporary access credentials from environment variables.

    // Specify the region that the STSAssumeRole role is authorized to access. In this example, the China (Hangzhou) region is used. Specify your actual region. 
    String region = "cn-hangzhou";
    // Obtain the AccessKey pair of the RAM user from the environment variables. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
    String accessKeyId = System.getenv("OSS_ACCESS_KEY_ID");
    String accessKeySecret = System.getenv("OSS_ACCESS_KEY_SECRET");
    // Specify the ARN of the RAM role, which is the ID of the RAM role to be assumed. 
    String roleArn = "acs:ram::17464958********:role/ossststest";
    
    // Configure temporary access credentials by using the AccessKey pair of the RAM user and RamRoleArn of the RAM role embedded in code. 
    STSAssumeRoleSessionCredentialsProvider credentialsProvider = CredentialsProviderFactory
            .newSTSAssumeRoleSessionCredentialsProvider(
                    region, 
                    accessKeyId, 
                    accessKeySecret, 
                    roleArn
            );

Configure a RAM role for an ECS instance

  1. Attach a RAM role to an ECS instance.

    For more information, see Attach an instance RAM role to an ECS instance.

  2. Configure temporary access credentials by using the RAM role for the ECS instance.

    // Use the RAM role of the ECS instance to obtain temporary access credentials. The following code provides an example on how to obtain temporary access credentials by using a RAM role named ecs-ram-role. 
    InstanceProfileCredentialsProvider credentialsProvider = CredentialsProviderFactory.newInstanceProfileCredentialsProvider("ecs-ram-role");

Use long-term access credentials

If you want to use OSS SDK for Java to access OSS resources in an application or service for a long period of time, you can perform the following steps to configure long-term access credentials.

If you want to access OSS resources for a long period of time, you can use the AccessKey pair of a RAM user to access OSS resources.

Configure the AccessKey pair of a RAM user

  1. Obtain the AccessKey pair of a RAM user.

    For more information, see Create an AccessKey pair for a RAM user.

    Important

    We recommend that you rotate the AccessKey pair of a RAM user that is used for more than three months. We recommend that you disable and delete the AccessKey pair of a RAM user that is not used for a long period of time. This reduces the risk of AccessKey pair leaks.

  2. Configure the AccessKey pair of the RAM user.

    Environment variables

    1. Configure environment variables.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile
      3. Add the AccessKey pair of the RAM user to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
      4. Press Ctrl + X, press Y to save the file, and then press Enter to close the file.

      5. Run the following command for the changes to take effect:

        source ~/.bash_profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn**** 

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile
      3. Add the AccessKey pair of the RAM user to the end of the file.

        export OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        export OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
      4. Press Esc to exit the edit mode. Then, enter :wq and press Enter to save and close the file.

      5. Run the following command for the changes to take effect:

        source /etc/profile
      6. Run the following command to verify the configurations of the environment variables:

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn**** 

      Windows

      1. Open the CLI.

      2. Run the following command to configure the AccessKey pair of the RAM user:

        set OSS_ACCESS_KEY_ID=LTAI4GDty8ab9W4Y1D****
        set OSS_ACCESS_KEY_SECRET=IrVTNZNy5yQelTETg0cZML3TQn**** 
      3. Run the following command for the changes to take effect:

        setx OSS_ACCESS_KEY_ID "%OSS_ACCESS_KEY_ID%"
        setx OSS_ACCESS_KEY_SECRET "%OSS_ACCESS_KEY_SECRET%"
      4. Run the following command to verify the configurations of the environment variables:

        echo %OSS_ACCESS_KEY_ID%
        echo %OSS_ACCESS_KEY_SECRET%

        Sample success response:

        LTAI4GDty8ab9W4Y1D****
        IrVTNZNy5yQelTETg0cZML3TQn**** 
    2. Obtain the AccessKey pair of the RAM user from the environment variables.

      // Configure access credentials by using the AccessKey pair of the RAM user obtained from environment variables. 
      EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();

    Embed access credentials in code

    Warning

    Security issues may occur if you embed access credentials in code. If access credentials are leaked, attackers can use the access credentials to access your OSS resources, which may cause losses. To ensure security, we recommend that you use more secure methods, such as obtaining temporary access credentials from environment variables.

    // Obtain the AccessKey pair of the RAM user from the environment variables. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. 
    String accessKeyId = System.getenv("OSS_ACCESS_KEY_ID");
    String accessKeySecret = System.getenv("OSS_ACCESS_KEY_SECRET");
    // Configure access credentials by using the AccessKey pair of the RAM user embedded in code. 
    CredentialsProvider credentialsProvider = new DefaultCredentialProvider(accessKeyId, accessKeySecret);

What to do next

After you configure the access credentials, you must initialize an OSSClient instance. For more information, see Initialization.