The OSS SDK for Java V2 lets you integrate Alibaba Cloud Object Storage Service (OSS) into your Java applications. You can use the SDK to upload, download, and manage files. This SDK is ideal for developers, websites, and enterprises that require cloud-based file storage.
Quick integration
Follow these steps to integrate the OSS SDK for Java V2.
Prerequisites
Java 8 or later.
You can run the java -version command to check your Java version. If Java is not installed or if the version is earlier than Java 8, download and install Java.Install the SDK
You can use Maven to install the OSS SDK for Java V2.
Maven
Add the following dependency to your pom.xml file. Replace <version> with the latest version number from the Maven Repository.
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>alibabacloud-oss-v2</artifactId>
<version><!-- Specify the latest version number --></version>
</dependency>Source code
Obtain the latest version of the OSS SDK for Java V2 from Github, and then build and install it using Maven:
mvn clean install -DskipTests -Dgpg.skip=trueConfigure access credentials
Set the AccessKey pair of a RAM user as environment variables to use them as credentials.
In the RAM console, create a RAM user and a Permanent AccessKey Pair for access. Save the AccessKey pair and grant the AliyunOSSFullAccess permission to the user.Linux
Run the following commands in the command-line interface to append the environment variable settings to the
~/.bashrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bashrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bashrcRun the following command to apply the changes.
source ~/.bashrcRun the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
macOS
Run the following command in the terminal to check the default shell type.
echo $SHELLFollow the steps for your default shell type.
Zsh
Run the following commands to append the environment variable settings to the
~/.zshrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.zshrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.zshrcRun the following command to apply the changes.
source ~/.zshrcRun the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Bash
Run the following commands to append the environment variable settings to the
~/.bash_profilefile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bash_profile echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bash_profileRun the following command to apply the changes.
source ~/.bash_profileRun the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Windows
CMD
Run the following commands in Command Prompt.
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID" setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"Run the following commands to verify that the environment variables are configured.
echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
PowerShell
Run the following commands in PowerShell.
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)Run the following commands to verify that the environment variables are configured.
[Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)
Initialize the client
Initialize the OSSClient by specifying a region.
OSSClient implements AutoCloseable. If you create an instance using a try-with-resources statement, resources are automatically released, and you do not need to manually call close().
Creating and destroying an OSSClient instance can be time-consuming. We recommend that you use the singleton pattern to reuse an OSSClient instance. If you use this pattern, you must manually call close() before the application terminates to prevent resource leaks.
Sync OSSClient
If you want to wait for an operation to complete before proceeding, use the synchronous OSSClient.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.OSSClientBuilder;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;
import com.aliyun.sdk.service.oss2.paginator.ListBucketsIterable;
public class Example {
public static void main(String[] args) {
String region = "cn-hangzhou";
CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();
OSSClientBuilder clientBuilder = OSSClient.newBuilder()
.credentialsProvider(provider)
.region(region);
try (OSSClient client = clientBuilder.build()) {
ListBucketsIterable paginator = client.listBucketsPaginator(
ListBucketsRequest.newBuilder()
.build());
for (ListBucketsResult result : paginator) {
for (BucketSummary info : result.buckets()) {
System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n", info.name(), info.region(), info.storageClass());
}
}
} catch (Exception e) {
// ServiceException se = ServiceException.asCause(e);
// if (se != null) {
// System.out.printf("ServiceException: requestId:%s, errorCode:%s\n", se.requestId(), se.errorCode());
// }
System.out.printf("error:\n%s", e);
}
}
}Asynchronous OSSClient
If you want to process multiple OSS operations concurrently without waiting for the result of each operation, use the asynchronous OSSClient.
import com.aliyun.sdk.service.oss2.OSSAsyncClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;
import java.util.concurrent.CompletableFuture;
public class ExampleAsync {
public static void main(String[] args) {
String region = "cn-hangzhou";
CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();
try (OSSAsyncClient client = OSSAsyncClient.newBuilder()
.region(region)
.credentialsProvider(provider)
.build()) {
CompletableFuture<ListBucketsResult> future = client.listBucketsAsync(
ListBucketsRequest.newBuilder().build()
);
future.thenAccept(result -> {
for (BucketSummary info : result.buckets()) {
System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n",
info.name(), info.region(), info.storageClass());
}
})
.exceptionally(e -> {
// ServiceException se = ServiceException.asCause(e);
// if (se != null) {
// System.out.printf("Async ServiceException: requestId:%s, errorCode:%s\n",
// se.requestId(), se.errorCode());
// }
System.out.printf("async error:\n%s\n", e);
return null;
});
future.join();
} catch (Exception e) {
System.out.printf("main error:\n%s\n", e);
}
}
}After you run the code, the buckets in all regions that are associated with your account are listed:
bucket: name: examplebucket01, region: cn-hangzhou, storageClass: Standard
bucket: name: examplebucket02, region: cn-hangzhou, storageClass: StandardClient configurations
Use a custom domain name
If you use the default OSS domain name for access, you may encounter issues, such as files being inaccessible or failing to be previewed. If you use a custom domain name to access OSS, you can preview files directly in a browser and use CDN for accelerated content delivery.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Specify your custom domain name. For example, www.example-***.com.
String endpoint = "https://www.example-***.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
// Note: Set useCName to true to enable the CNAME option. Otherwise, you cannot use a custom domain name.
.useCName(true)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Timeout control
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
// Set the timeout for establishing a connection. The default value is 5 seconds.
.connectTimeout(Duration.ofSeconds(30))
// Set the timeout for reading and writing data. The default value is 20 seconds.
.readWriteTimeout(Duration.ofSeconds(30))
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Retry policy
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.retry.*;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
/*
* SDK retry policy configuration description:
*
* Default retry policy:
* When no retry policy is configured, the SDK uses StandardRetryer as the default client implementation.
* Its default configuration is as follows:
* - maxAttempts: Sets the maximum number of attempts. The default is 3.
* - maxBackoff: Sets the maximum backoff time in seconds. The default is 20 seconds.
* - baseDelay: Sets the base delay time in seconds. The default is 0.2 seconds.
* - backoffDelayer: Sets the backoff algorithm. The default is the FullJitter backoff algorithm.
* Formula: [0.0, 1.0) * min(2^attempts * baseDelay, maxBackoff)
* - errorRetryables: Retryable error types, including HTTP status codes, service error codes, and client errors.
*
* When a retryable error occurs, the provided configuration is used to delay and then retry the request.
* The overall latency of the request increases with the number of retries. If the default configuration
* does not meet your scenario requirements, you can configure retry parameters or modify the retry implementation.
*/
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Retry policy configuration example:
// 1. Customize the maximum number of retries (default is 3, here set to 5).
Retryer customRetryer = StandardRetryer.newBuilder()
.maxAttempts(5)
.build();
// 2. Customize the backoff delay time.
// Adjust the baseDelay to 0.5 seconds (default 0.2 seconds) and maxBackoff to 25 seconds (default 20 seconds).
// Retryer customRetryer = StandardRetryer.newBuilder()
// .backoffDelayer(new FullJitterBackoff(Duration.ofMillis(500), Duration.ofSeconds(25)))
// .build();
// 3. Customize the backoff algorithm.
// Use a fixed-delay backoff algorithm instead of the default FullJitter algorithm, with a 2-second delay each time.
// Retryer customRetryer = StandardRetryer.newBuilder()
// .backoffDelayer(new FixedDelayBackoff(Duration.ofSeconds(2)))
// .build();
// 4. Disable the retry policy.
// To disable all retry attempts, use the NopRetryer implementation.
// Retryer customRetryer = new NopRetryer();
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.retryer(customRetryer)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}HTTP/HTTPS protocol
You can use disableSsl(true) to disable the HTTPS protocol.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
// Set to not use HTTPS requests.
.disableSsl(true)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use an internal endpoint
You can use an internal endpoint to access OSS resources in the same region to reduce traffic costs and improve access speed.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Method 1: Specify the region and set useInternalEndpoint to true.
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// // Method 2: Directly specify the region and endpoint.
// // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
// String region = "cn-hangzhou";
// // Specify the internal endpoint for the bucket's region. For China (Hangzhou), the endpoint is 'oss-cn-hangzhou-internal.aliyuncs.com'.
// String endpoint = "oss-cn-hangzhou-internal.aliyuncs.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.useInternalEndpoint(true)
// .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use a transfer acceleration endpoint
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Method 1: Specify the region and set useAccelerateEndpoint to true.
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// // Method 2: Directly specify the region and transfer acceleration endpoint.
// // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
// String region = "cn-hangzhou";
// // Specify the transfer acceleration endpoint for the bucket's region, for example, 'https://oss-accelerate.aliyuncs.com'.
// String endpoint = "https://oss-accelerate.aliyuncs.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.useAccelerateEndpoint(true)
// .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use a private domain
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Specify your private domain. For example: https://service.corp.example.com
String endpoint = "https://service.corp.example.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use a Gov Cloud domain name
The following sample code shows how to configure an OSSClient using an Alibaba Gov Cloud domain name.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region and endpoint.
// Specify the region where the bucket is located. For China (Beijing) Gov Cloud 1, set the region to cn-north-2-gov-1.
String region = "cn-north-2-gov-1";
// Specify the internal endpoint for the bucket's region. For China (Beijing) Gov Cloud 1, the endpoint is 'https://oss-cn-north-2-gov-1-internal.aliyuncs.com'.
// To specify the HTTP protocol, set the domain to 'http://oss-cn-north-2-gov-1-internal.aliyuncs.com'.
String endpoint = "https://oss-cn-north-2-gov-1-internal.aliyuncs.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use a custom HTTPClient
If the standard configuration parameters do not meet your needs, you can use a custom HTTP client.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.transport.HttpClient;
import com.aliyun.sdk.service.oss2.transport.HttpClientOptions;
import com.aliyun.sdk.service.oss2.transport.apache5client.Apache5HttpClientBuilder;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Set the parameters for the HTTP client.
HttpClientOptions httpClientOptions = HttpClientOptions.custom()
// Connection timeout. The default value is 5 seconds.
.connectTimeout(Duration.ofSeconds(30))
// Timeout for reading and writing data. The default value is 20 seconds.
.readWriteTimeout(Duration.ofSeconds(30))
// Maximum number of connections. The default value is 1024.
.maxConnections(2048)
// Specifies whether to skip certificate verification. By default, this is false.
.insecureSkipVerify(false)
// Specifies whether to enable HTTP redirection. By default, this is disabled.
.redirectsEnabled(false)
// Set the proxy server.
// .proxyHost("http://user:passswd@proxy.example-***.com")
.build();
// Create an HTTP client and pass in the HTTP client parameters.
HttpClient httpClient = Apache5HttpClientBuilder.create()
.options(httpClientOptions)
.build();
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.httpClient(httpClient)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Access credential configurations
The OSS SDK for Java V2 provides multiple ways to configure access credentials. You can choose the appropriate initialization method based on your authentication and authorization needs.
How to choose access credentials
Use the AccessKey pair of a RAM user
You can initialize the credential provider using the AccessKey pair (AccessKey ID and AccessKey secret) of an Alibaba Cloud account or a RAM user. This method is suitable if your application is deployed in a secure and stable environment, is not vulnerable to external attacks, requires long-term access to OSS, and does not allow for frequent credential rotation. However, this method requires you to manually maintain an AccessKey pair, which poses security risks and increases maintenance complexity.
An Alibaba Cloud account has full permissions over its resources. If the AccessKey pair is leaked, it poses a significant security risk to your system. We recommend that you do not use the AccessKey pair of an Alibaba Cloud account. Instead, use the AccessKey pair of a RAM user with the minimum required permissions.
For more information about how to create an AccessKey pair for a RAM user, see Create an AccessKey. The AccessKey pair of a RAM user is displayed only when it is created. You must save the AccessKey pair. If you forget the AccessKey pair, you must create a new one.
Configure environment variables
Linux/macOS
Configure the environment variables with the AccessKey pair of the RAM user:
export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID' export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'Run the following commands to verify that the environment variables are configured:
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Windows
CMD
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID"
setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"PowerShell
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User)
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)Code sample
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Static credential configuration
The following code shows how to hard-code access credentials by explicitly setting the AccessKey pair.
Do not embed access credentials in your production applications. This method is for testing purposes only.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Create a static credential provider and explicitly set the AccessKey pair.
// Replace with your RAM user's AccessKey ID and AccessKey secret.
CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
"YOUR_ACCESS_KEY_ID",
"YOUR_ACCESS_KEY_SECRET"
);
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use an STS token
If your application needs temporary access to OSS, you can use temporary identity credentials (AccessKey ID, AccessKey secret, and Security Token) that you obtain from the Security Token Service (STS) to initialize the credential provider. However, this method requires you to manually maintain an STS token, which poses security risks and increases maintenance complexity. Additionally, to temporarily access OSS multiple times, you must manually refresh the STS token.
To quickly obtain an STS token using OpenAPI, see AssumeRole - Obtain temporary identity credentials for a RAM role.
To obtain an STS token using an SDK, see Use an STS token to access OSS.
You must specify an expiration time when you generate an STS token. The token becomes invalid and cannot be used after it expires.
For a list of STS service endpoints, see Service endpoints.
Configure environment variables
This method uses temporary identity credentials (AccessKey ID, AccessKey secret, and Security Token) that you obtain from STS, not the AccessKey pair of a RAM user.
The AccessKey ID that you obtain from STS starts with "STS", for example, "STS.L4aBSCSJVMuKg5U1****".
Linux/macOS
export OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
export OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
export OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>Windows
set OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
set OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
set OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>Code sample
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Load the authentication information required to access OSS from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Static credential configuration
The following code shows how to hard-code access credentials by explicitly setting the temporary AccessKey pair.
Do not embed access credentials in your production applications. This method is for testing purposes only.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Specify the obtained temporary AccessKey ID and AccessKey secret.
// Note that the AccessKey ID obtained from STS starts with "STS".
String stsAccessKeyId = "STS.****************";
String stsAccessKeySecret = "yourAccessKeySecret";
String stsSecurityToken = "yourSecurityToken";
// Create a static credential provider and explicitly set the temporary AccessKey pair and STS token.
CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
stsAccessKeyId,
stsAccessKeySecret,
stsSecurityToken
);
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use RAM role ARN credentials
If your application requires authorized access to OSS for scenarios such as cross-account access, you can use the ARN of a RAM role to initialize the credential provider. The underlying implementation uses a token from the Security Token Service (STS). When you specify the ARN of a RAM role, the credential tool obtains an STS token and then calls the AssumeRole API operation to request a new token before the current token expires. Additionally, you can set the policy parameter to limit the permissions of the RAM role.
An Alibaba Cloud account has full permissions over its resources. If the AccessKey pair is leaked, it poses a significant security risk to your system. We recommend that you do not use the AccessKey pair of an Alibaba Cloud account. Instead, use the AccessKey pair of a RAM user with the minimum required permissions.
For more information about how to create an AccessKey pair for a RAM user, see Create an AccessKey. The AccessKey ID and AccessKey secret of a RAM user are displayed only when they are created. You must save them. If you forget them, you must create a new AccessKey pair.
For more information about how to obtain a RAM role ARN, see CreateRole - Create a RAM role.
Add a dependency
Add the Alibaba Cloud credentials management dependency to your pom.xml file:
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>Configure an AccessKey pair and RAM role ARN as access credentials
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure RAM role ARN credentials.
Config credentialConfig = new Config()
.setType("ram_role_arn")
// Obtain the RAM user's AccessKey pair (AccessKey ID and AccessKey secret) from environment variables.
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
// The ARN of the RAM role to assume. Example value: acs:ram::123456789012****:role/adminrole
// You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
.setRoleArn("acs:ram::123456789012****:role/adminrole")
// The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
.setRoleSessionName("your-session-name")
// Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
.setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
// Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
.setRoleSessionExpiration(3600);
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.Credentials cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use ECS RAM role credentials
If your application runs on an ECS instance, ECI instance, or a worker node of Container Service for Kubernetes, we recommend that you use an ECS RAM role to initialize the credential provider. The underlying implementation uses an STS token. An ECS RAM role lets you associate a role with an ECS instance, ECI instance, or a worker node of Container Service for Kubernetes. This association enables automatic STS token refresh within the instance. This method eliminates the need to provide an AccessKey pair or an STS token and mitigates the risks of manual maintenance. For more information about how to obtain an ECS RAM role, see CreateRole - Create a RAM role.
Add a dependency
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>Configure an ECS RAM role as an access credential
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure ECS RAM role credentials.
Config credentialConfig = new Config()
.setType("ecs_ram_role") // Access credential type. Fixed as ecs_ram_role.
.setRoleName("EcsRoleExample"); // The name of the RAM role granted to the ECS instance. Optional parameter. If not set, it will be automatically retrieved. We strongly recommend setting it to reduce requests.
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.Credentials cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use OIDC role ARN credentials
After you set a worker node RAM role in Container Service for Kubernetes, applications in pods on that node can obtain the STS token of the associated role through the global meta service, similar to applications deployed on ECS. However, if you deploy untrusted applications on the container cluster, such as applications submitted by your customers for which you do not have source code access, you may want to prevent them from obtaining the STS token of the worker node's associated instance RAM role through the global meta service. To protect your cloud resources while allowing these untrusted applications to securely obtain the necessary STS tokens and implement the principle of least privilege at the application level, you can use the RAM Roles for Service Account (RRSA) feature. The underlying implementation uses an STS token. The Alibaba Cloud container cluster creates and mounts the corresponding service account OIDC token file for different application pods and injects relevant configuration information into environment variables. The credential tool obtains the STS token of the bound role by calling the AssumeRoleWithOIDC API of the STS service and using the configuration information from the environment variables. This method eliminates the need to provide an AccessKey pair or an STS token and mitigates the risks of manual maintenance. For more information, see Configure the RAM permissions of a ServiceAccount through RRSA to achieve pod permission isolation.
Add a dependency
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>Configure an OIDC role ARN as an access credential
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure OIDC role ARN credentials.
Config credentialConfig = new Config()
// Specify the credential type. Fixed as oidc_role_arn.
.setType("oidc_role_arn")
// The RAM role ARN. You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
.setRoleArn(System.getenv("ALIBABA_CLOUD_ROLE_ARN"))
// The OIDC provider ARN. You can set the OidcProviderArn via the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable.
.setOidcProviderArn(System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"))
// The OIDC token file path. You can set the OidcTokenFilePath via the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable.
.setOidcTokenFilePath(System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"))
// The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
.setRoleSessionName("your-session-name")
// Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
.setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
// Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
.setRoleSessionExpiration(3600);
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.Credentials cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use custom access credentials
If the preceding credential configuration methods do not meet your requirements, you can customize the way you obtain credentials. The Java SDK supports multiple implementation methods for this purpose.
Implement through the Supplier interface
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
public class OSSExample {
public static void main(String[] args) {
// Create a custom credential provider.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
// TODO: Implement your custom credential retrieval logic.
// Return long-term credentials.
return new Credentials("access_key_id", "access_key_secret");
// Return an STS token (if needed).
// return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
});
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Implement the CredentialsProvider interface
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
public class CustomCredentialsProvider implements CredentialsProvider {
@Override
public Credentials getCredentials() {
// TODO: Implement your custom credential retrieval logic.
// Return long-term credentials.
return new Credentials("access_key_id", "access_key_secret");
// Return an STS token (if needed).
// For temporary credentials, you need to refresh them based on their expiration time.
// return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
}
}
public class OSSExample {
public static void main(String[] args) {
// Create a custom credential provider.
CredentialsProvider credentialsProvider = new CustomCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Anonymous access
If you only need to access public-read OSS resources, you can use anonymous access without providing any credentials.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.AnonymousCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Create an anonymous credential provider.
CredentialsProvider credentialsProvider = new AnonymousCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
// Note: Anonymous access can only be used for resources with public-read permissions.
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Sample code
Feature classification | Example description | Sync version | Asynchronous version |
Bucket | Create a bucket | ||
List buckets | |||
Get bucket information | |||
Get bucket region | |||
Get bucket storage statistics | |||
Delete a bucket | |||
File upload | Simple upload | ||
Append upload | |||
Multipart upload | |||
List multipart upload tasks | |||
List uploaded parts | |||
Cancel a multipart upload | |||
File download | Simple download | ||
File management | Copy a file | ||
Check if a file exists | |||
List files | |||
List files V2 | |||
Delete a file | |||
Delete multiple files | |||
Get file metadata | |||
Archived object | Restore a file | ||
Clean up a restored file | |||
Symbolic link | Create a symbolic link | ||
Get a symbolic link | |||
Object tagging | Set object tags | ||
Get object tags | |||
Delete object tags | |||
Resource Access Management | Set bucket ACL | ||
Get bucket ACL | |||
Set object ACL | |||
Get object ACL | |||
Versioning | Set versioning | ||
Get versioning status | |||
List object versions | |||
Cross-domain access | Set CORS rules | ||
Get CORS rules | |||
Delete CORS rules | |||
Preflight request | |||
System features | Query endpoint information |