The OSS SDK for Java 2.0 lets you integrate Alibaba Cloud Object Storage Service (OSS) into your Java applications. You can use the SDK to upload, download, and manage files. This SDK is ideal for developers and enterprises that require cloud-based file storage.
Quick integration
Follow these steps to integrate the OSS SDK for Java 2.0.
Prerequisites
Java 8 or later.
You can run the java -version command to check your Java version. If Java is not installed, or if the version is earlier than Java 8, you can download and install Java.Install the SDK
You can use Maven to install the OSS SDK for Java 2.0.
Maven
Add the following dependency to your pom.xml file. Replace <version> with the latest version number from the Maven Repository.
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>alibabacloud-oss-v2</artifactId>
<version><!-- Specify the latest version number--></version>
</dependency>Source code
You can obtain the latest version of the OSS SDK for Java 2.0 from Github, and then build and install it using Maven.
mvn clean install -DskipTests -Dgpg.skip=trueConfigure access credentials
You can configure access credentials by setting environment variables with the AccessKey pair of a RAM user.
In the RAM console, create a RAM user with Permanent AccessKey Pair access. Save the AccessKey pair, and grant the AliyunOSSFullAccess permission to the user.Linux
Run the following commands in the command-line interface to append the environment variable settings to the
~/.bashrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bashrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bashrcRun the following command to apply the changes.
source ~/.bashrcRun the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
macOS
Run the following command in the terminal to check the default shell type.
echo $SHELLFollow the steps for your default shell type.
Zsh
Run the following commands to append the environment variable settings to the
~/.zshrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.zshrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.zshrcRun the following command to apply the changes.
source ~/.zshrcRun the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Bash
Run the following commands to append the environment variable settings to the
~/.bash_profilefile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bash_profile echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bash_profileRun the following command to apply the changes.
source ~/.bash_profileRun the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Windows
CMD
Run the following commands in Command Prompt.
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID" setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"Run the following commands to verify that the environment variables are configured.
echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
PowerShell
Run the following commands in PowerShell.
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)Run the following commands to verify that the environment variables are configured.
[Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)
Initialize the client
Due to a policy change to improve compliance and security, starting March 20, 2025, new OSS users must use a custom domain name (CNAME) to perform data API operations on OSS buckets located in Chinese mainland regions. Default public endpoints are restricted for these operations. Refer to the official announcement for a complete list of the affected operations. If you access your data via HTTPS, you must bind a valid SSL Certificate to your custom domain. This is mandatory for OSS Console access, as the console enforces HTTPS.
OSSClient implements AutoCloseable. If you create an instance using a try-with-resources statement, resources are automatically released. You do not need to call close() manually.
Creating and destroying an OSSClient instance is a time-consuming operation. We recommend that you use the singleton pattern to reuse an OSSClient instance. If you use this pattern, you must call close() manually before the application terminates to prevent resource leaks.
Sync OSSClient
If you want to wait for an operation to complete before you proceed, use the synchronous OSSClient.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.OSSClientBuilder;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;
import com.aliyun.sdk.service.oss2.paginator.ListBucketsIterable;
public class Example {
public static void main(String[] args) {
String region = "<region-id>";
CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();
OSSClientBuilder clientBuilder = OSSClient.newBuilder()
.credentialsProvider(provider)
.region(region);
try (OSSClient client = clientBuilder.build()) {
ListBucketsIterable paginator = client.listBucketsPaginator(
ListBucketsRequest.newBuilder()
.build());
for (ListBucketsResult result : paginator) {
for (BucketSummary info : result.buckets()) {
System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n", info.name(), info.region(), info.storageClass());
}
}
} catch (Exception e) {
// ServiceException se = ServiceException.asCause(e);
// if (se != null) {
// System.out.printf("ServiceException: requestId:%s, errorCode:%s\n", se.requestId(), se.errorCode());
// }
System.out.printf("error:\n%s", e);
}
}
}Asynchronous OSSClient
If you want to process multiple OSS operations concurrently without waiting for the result of each operation, use the asynchronous OSSClient.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSAsyncClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;
import java.util.concurrent.CompletableFuture;
public class ExampleAsync {
public static void main(String[] args) {
String region = "<region-id>";
CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();
try (OSSAsyncClient client = OSSAsyncClient.newBuilder()
.region(region)
.credentialsProvider(provider)
.build()) {
CompletableFuture<ListBucketsResult> future = client.listBucketsAsync(
ListBucketsRequest.newBuilder().build()
);
future.thenAccept(result -> {
for (BucketSummary info : result.buckets()) {
System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n",
info.name(), info.region(), info.storageClass());
}
})
.exceptionally(e -> {
// ServiceException se = ServiceException.asCause(e);
// if (se != null) {
// System.out.printf("Async ServiceException: requestId:%s, errorCode:%s\n",
// se.requestId(), se.errorCode());
// }
System.out.printf("async error:\n%s\n", e);
return null;
});
future.join();
} catch (Exception e) {
System.out.printf("main error:\n%s\n", e);
}
}
}After you run the code, the buckets in all regions that are associated with your account are listed.
Client configurations
Use a custom domain name
If you use the default OSS domain name for access, you may encounter issues such as files being inaccessible or failing to be previewed. If you use a custom domain name to access OSS, you can preview files directly in a browser and use a CDN for accelerated content delivery.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located.
String region = "<region-id>";
// Specify your custom domain name. For example, www.example-***.com.
String endpoint = "https://www.example-***.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
// Note: Set useCName to true to enable the CNAME option. Otherwise, you cannot use a custom domain name.
.useCName(true)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Timeout control
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located.
String region = "<region-id>";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
// Set the timeout for establishing a connection. The default value is 5 seconds.
.connectTimeout(Duration.ofSeconds(30))
// Set the timeout for reading and writing data. The default value is 20 seconds.
.readWriteTimeout(Duration.ofSeconds(30))
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Retry policy
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.retry.*;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
/*
* SDK retry policy configuration description:
*
* Default retry policy:
* When no retry policy is configured, the SDK uses StandardRetryer as the default client implementation.
* Its default configuration is as follows:
* - maxAttempts: Sets the maximum number of attempts. The default is 3.
* - maxBackoff: Sets the maximum backoff time in seconds. The default is 20 seconds.
* - baseDelay: Sets the base delay time in seconds. The default is 0.2 seconds.
* - backoffDelayer: Sets the backoff algorithm. The default is the FullJitter backoff algorithm.
* Formula: [0.0, 1.0) * min(2^attempts * baseDelay, maxBackoff)
* - errorRetryables: Retryable error types, including HTTP status codes, service error codes, and client errors.
*
* When a retryable error occurs, the provided configuration is used to delay and then retry the request.
* The overall latency of the request increases with the number of retries. If the default configuration
* does not meet your scenario requirements, you can configure retry parameters or modify the retry implementation.
*/
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located.
String region = "<region-id>";
// Retry policy configuration example:
// 1. Customize the maximum number of retries (default is 3, here set to 5).
Retryer customRetryer = StandardRetryer.newBuilder()
.maxAttempts(5)
.build();
// 2. Customize the backoff delay time.
// Adjust the baseDelay to 0.5 seconds (default 0.2 seconds) and maxBackoff to 25 seconds (default 20 seconds).
// Retryer customRetryer = StandardRetryer.newBuilder()
// .backoffDelayer(new FullJitterBackoff(Duration.ofMillis(500), Duration.ofSeconds(25)))
// .build();
// 3. Customize the backoff algorithm.
// Use a fixed-delay backoff algorithm instead of the default FullJitter algorithm, with a 2-second delay each time.
// Retryer customRetryer = StandardRetryer.newBuilder()
// .backoffDelayer(new FixedDelayBackoff(Duration.ofSeconds(2)))
// .build();
// 4. Disable the retry policy.
// To disable all retry attempts, use the NopRetryer implementation.
// Retryer customRetryer = new NopRetryer();
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.retryer(customRetryer)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}HTTP/HTTPS protocol
You can use disableSsl(true) to disable HTTPS.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located.
String region = "<region-id>";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
// Set to not use HTTPS requests.
.disableSsl(true)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use an internal endpoint
You can use an internal endpoint to access OSS resources in the same region. This reduces traffic costs and improves access speed.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Method 1: Specify the region and set useInternalEndpoint to true.
// Specify the region where the bucket is located.
String region = "<region-id>";
// // Method 2: Directly specify the region and endpoint.
// // Specify the region where the bucket is located.
// String region = "<region-id>";
// // Specify the internal endpoint for the bucket's region.
// String endpoint = "<endpoint>";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.useInternalEndpoint(true)
// .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use a transfer acceleration endpoint
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Method 1: Specify the region and set useAccelerateEndpoint to true.
// Specify the region where the bucket is located.
String region = "<region-id>";
// // Method 2: Directly specify the region and transfer acceleration endpoint.
// // Specify the region where the bucket is located.
// String region = "<region-id>";
// // Specify the transfer acceleration endpoint for the bucket's region, for example, 'https://oss-accelerate.aliyuncs.com'.
// String endpoint = "https://oss-accelerate.aliyuncs.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.useAccelerateEndpoint(true)
// .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use a private domain
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located.
String region = "<region-id>";
// Specify your private domain. For example: https://service.corp.example.com
String endpoint = "https://service.corp.example.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Use a custom HTTPClient
If the standard configuration parameters do not meet your needs, you can use a custom HTTP client.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.transport.HttpClient;
import com.aliyun.sdk.service.oss2.transport.HttpClientOptions;
import com.aliyun.sdk.service.oss2.transport.apache5client.Apache5HttpClientBuilder;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located.
String region = "<region-id>";
// Set the parameters for the HTTP client.
HttpClientOptions httpClientOptions = HttpClientOptions.custom()
// Connection timeout. The default value is 5 seconds.
.connectTimeout(Duration.ofSeconds(30))
// Timeout for reading and writing data. The default value is 20 seconds.
.readWriteTimeout(Duration.ofSeconds(30))
// Maximum number of connections. The default value is 1024.
.maxConnections(2048)
// Specifies whether to skip certificate verification. By default, this is false.
.insecureSkipVerify(false)
// Specifies whether to enable HTTP redirection. By default, this is disabled.
.redirectsEnabled(false)
// Set the proxy server.
// .proxyHost("http://user:passswd@proxy.example-***.com")
.build();
// Create an HTTP client and pass in the HTTP client parameters.
HttpClient httpClient = Apache5HttpClientBuilder.create()
.options(httpClientOptions)
.build();
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.httpClient(httpClient)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}Access credential configurations
The OSS SDK for Java 2.0 provides multiple ways to configure access credentials. You can choose the appropriate initialization method based on your authentication and authorization needs.
How to choose access credentials
Use the AccessKey pair of a RAM user
You can initialize the credential provider with the AccessKey pair (AccessKey ID and AccessKey secret) of an Alibaba Cloud account or a RAM user. This method is suitable for applications that run in a secure environment and require long-term access to OSS without frequent credential rotation. However, this method requires you to manually maintain the AccessKey pair, which increases security risks and maintenance complexity.
An Alibaba Cloud account has full permissions over its resources. Leaking the AccessKey pair of an Alibaba Cloud account poses a significant security risk. We recommend that you use the AccessKey pair of a RAM user with the minimum required permissions instead of the AccessKey pair of an Alibaba Cloud account.
For more information about how to create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and AccessKey secret of a RAM user are displayed only when they are created. You must save them. If you forget the AccessKey pair, you must create a new one.
Configure environment variables
Linux/macOS
Set the environment variables using the AccessKey pair of the RAM user.
export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID' export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'Run the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Windows
CMD
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID"
setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"PowerShell
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User)
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)Code sample
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Static credential configuration
The following code shows how to hard-code access credentials by explicitly setting the AccessKey pair.
Do not embed access credentials in your production applications. This method is for testing purposes only.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Create a static credential provider and explicitly set the AccessKey pair.
// Replace with your RAM user's AccessKey ID and AccessKey secret.
CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
"YOUR_ACCESS_KEY_ID",
"YOUR_ACCESS_KEY_SECRET"
);
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use an STS token
If your application requires temporary access to OSS, you can use temporary identity credentials from the Security Token Service (STS). These credentials consist of an AccessKey ID, an AccessKey secret, and a security token. This method requires you to manually maintain and refresh the STS token, which can increase security risks and maintenance complexity.
To quickly obtain an STS token using OpenAPI, see AssumeRole - Obtain temporary identity credentials for a RAM role.
To obtain an STS token using an SDK, see Use an STS token to access OSS.
You must specify an expiration time when you generate an STS token. The token becomes invalid after it expires.
For a list of STS service endpoints, see Service endpoints.
Configure environment variables
This method uses temporary identity credentials (AccessKey ID, AccessKey secret, and a Security Token Service (STS) token) that you obtain from STS, not the AccessKey pair of a RAM user.
The AccessKey ID that you obtain from STS starts with "STS", for example, "STS.L4aBSCSJVMuKg5U1****".
Linux/macOS
export OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
export OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
export OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>Windows
set OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
set OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
set OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>Code sample
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Load the authentication information required to access OSS from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Static credential configuration
The following code shows how to hard-code access credentials by explicitly setting the temporary AccessKey pair.
Do not embed access credentials in your production applications. This method is for testing purposes only.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Specify the obtained temporary AccessKey ID and AccessKey secret.
// Note that the AccessKey ID obtained from STS starts with "STS".
String stsAccessKeyId = "STS.****************";
String stsAccessKeySecret = "yourAccessKeySecret";
String stsSecurityToken = "yourSecurityToken";
// Create a static credential provider and explicitly set the temporary AccessKey pair and STS security token.
CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
stsAccessKeyId,
stsAccessKeySecret,
stsSecurityToken
);
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use RAM role ARN credentials
For authorized access to OSS, such as for cross-account access, you can initialize a credential provider using the Alibaba Cloud Resource Name (ARN) of a RAM role. This method uses a Security Token Service (STS) token. When you specify the RAM role ARN, the credential tool automatically calls the AssumeRole API operation to request an STS token and refreshes it before it expires. You can also set the policy parameter to further restrict the permissions of the RAM role.
An Alibaba Cloud account has full permissions over its resources. Leaking the AccessKey pair of an Alibaba Cloud account poses a significant security risk. We recommend that you use the AccessKey pair of a RAM user with the minimum required permissions instead of the AccessKey pair of an Alibaba Cloud account.
For more information about how to create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and AccessKey secret of a RAM user are displayed only when they are created. You must save them. If you forget the AccessKey pair, you must create a new one.
For more information about how to obtain a RAM role ARN, see Create a RAM role.
Add a dependency
Add the Alibaba Cloud credentials management dependency to your pom.xml file.
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>Configure an AccessKey pair and RAM role ARN as access credentials
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure RAM role ARN credentials.
Config credentialConfig = new Config()
.setType("ram_role_arn")
// Obtain the RAM user's AccessKey pair (AccessKey ID and AccessKey secret) from environment variables.
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
// The ARN of the RAM role to assume. Example value: acs:ram::123456789012****:role/adminrole
// You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
.setRoleArn("acs:ram::123456789012****:role/adminrole")
// The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
.setRoleSessionName("your-session-name")
// Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
.setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
// Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
.setRoleSessionExpiration(3600);
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use ECS RAM role credentials
If your application runs on an ECS instance, an ECI instance, or a Container Service for Kubernetes worker node, you can use an ECS RAM role to initialize the credential provider. The SDK automatically retrieves and refreshes temporary STS tokens for the role that is attached to the instance. This method eliminates the need to manually manage AccessKey pairs or STS tokens. For more information about how to create an ECS RAM role, see Create a RAM role.
Add a dependency
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>Configure an ECS RAM role as an access credential
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure ECS RAM role credentials.
Config credentialConfig = new Config()
.setType("ecs_ram_role") // Access credential type. Fixed as ecs_ram_role.
.setRoleName("EcsRoleExample"); // The name of the RAM role granted to the ECS instance. Optional parameter. If not set, it will be automatically retrieved. We strongly recommend setting it to reduce requests.
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use OIDC role ARN credentials
In Container Service for Kubernetes, you can use RAM Roles for Service Accounts (RRSA) for fine-grained permission control at the pod level. This is useful for multi-tenant clusters where you do not want all pods to inherit the permissions of the worker node's RAM role. With RRSA, the SDK uses an OpenID Connect (OIDC) token that is mounted into the pod to assume a specific RAM role and obtain a temporary STS token. This process is automatic and eliminates the need to manually manage credentials. For more information, see Use RRSA to grant RAM permissions to a ServiceAccount.
Add a dependency
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>Configure an OIDC role ARN as an access credential
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure OIDC role ARN credentials.
Config credentialConfig = new Config()
// Specify the credential type. Fixed as oidc_role_arn.
.setType("oidc_role_arn")
// The RAM role ARN. You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
.setRoleArn(System.getenv("ALIBABA_CLOUD_ROLE_ARN"))
// The OIDC provider ARN. You can set the OidcProviderArn via the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable.
.setOidcProviderArn(System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"))
// The OIDC token file path. You can set the OidcTokenFilePath via the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable.
.setOidcTokenFilePath(System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"))
// The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
.setRoleSessionName("your-session-name")
// Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
.setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
// Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
.setRoleSessionExpiration(3600);
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Use custom access credentials
If the preceding credential configuration methods do not meet your needs, you can implement a custom method for obtaining credentials. The Java SDK provides multiple ways to do this.
Implement through the Supplier interface
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
public class OSSExample {
public static void main(String[] args) {
// Create a custom credential provider.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
// TODO: Implement your custom credential retrieval logic.
// Return long-term credentials.
return new Credentials("access_key_id", "access_key_secret");
// Return an STS token (if needed).
// return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
});
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Implement the CredentialsProvider interface
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
public class CustomCredentialsProvider implements CredentialsProvider {
@Override
public Credentials getCredentials() {
// TODO: Implement your custom credential retrieval logic.
// Return long-term credentials.
return new Credentials("access_key_id", "access_key_secret");
// Return an STS token (if needed).
// For temporary credentials, you need to refresh them based on their expiration time.
// return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
}
}
public class OSSExample {
public static void main(String[] args) {
// Create a custom credential provider.
CredentialsProvider credentialsProvider = new CustomCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Anonymous access
If you only need to access public-read OSS resources, you can use anonymous access without providing credentials.
Before you run the sample code, replace<region-id>with the actual region and endpoint, such asap-southeast-1.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.AnonymousCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Create an anonymous credential provider.
CredentialsProvider credentialsProvider = new AnonymousCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("<region-id>") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
// Note: Anonymous access can only be used for resources with public-read permissions.
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}Sample code
Feature classification | Example description | Sync version | Asynchronous version |
Bucket | Create a bucket | ||
List buckets | |||
Obtain bucket information | |||
Get bucket region | |||
Obtain storage capacity statistics | |||
Delete a bucket | |||
File upload | Simple upload | ||
Append upload | |||
Multipart upload | |||
List multipart upload tasks | |||
List uploaded parts | |||
Cancel a multipart upload | |||
File download | Simple download | ||
File management | Copy a file | ||
Check if a file exists | |||
List files | |||
List files V2 | |||
Delete a file | |||
Delete multiple files | |||
Get file metadata | |||
Archived object | Restore a file | ||
Clean up a restored file | |||
Symbolic link | Create a symbolic link | ||
Get a symbolic link | |||
Object tagging | Set object tags | ||
Get object tags | |||
Delete object tags | |||
Access control | Set bucket ACL | ||
Get bucket ACL | |||
Setting a file ACL | |||
Get object ACL | |||
Versioning | Set versioning | ||
Get versioning status | |||
List object versions | |||
Cross-domain access | Set CORS rules | ||
Get CORS rules | |||
Delete CORS rules | |||
Preflight request | |||
System features | Query endpoint information |