All Products
Search
Document Center

Object Storage Service:OSS SDK for Java 2.0 (preview)

Last Updated:May 27, 2026

Integrate Alibaba Cloud Object Storage Service (OSS) into Java applications to upload, download, and manage files in the cloud.

Github | OSS SDK for Java API | mvnrepository | deepwiki

Quick integration

Complete the following steps to start using the SDK.

image

Prerequisites

Java 8 or later.

Run the java -version command to check your Java version. If Java is not installed, or if the version is earlier than Java 8, download and install Java.

Install the SDK

Add the SDK dependency via Maven or build from source.

Maven

Add the following dependency to pom.xml. Replace <version> with the latest version from the Maven Repository.

<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>alibabacloud-oss-v2</artifactId>
    <version><!-- Specify the latest version number--></version>
</dependency>

Source code

Clone the repository from Github and build with Maven.

mvn clean install -DskipTests -Dgpg.skip=true

Configure access credentials

Set environment variables with a RAM user's AccessKey pair.

In the RAM console, create a RAM user with Permanent AccessKey Pair access. Save the AccessKey pair, and grant the AliyunOSSFullAccess permission to the user.

Linux

  1. Run the following commands in the command-line interface to append the environment variable settings to the ~/.bashrc file.

    echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bashrc
    echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bashrc
    1. Run the following command to apply the changes.

      source ~/.bashrc
    2. Run the following commands to verify that the environment variables are configured.

      echo $OSS_ACCESS_KEY_ID
      echo $OSS_ACCESS_KEY_SECRET

macOS

  1. Run the following command in the terminal to check the default shell type.

    echo $SHELL
    1. Follow the steps for your default shell type.

      Zsh

      1. Run the following commands to append the environment variable settings to the ~/.zshrc file.

        echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.zshrc
        echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.zshrc
      2. Run the following command to apply the changes.

        source ~/.zshrc
      3. Run the following commands to verify that the environment variables are configured.

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET

      Bash

      1. Run the following commands to append the environment variable settings to the ~/.bash_profile file.

        echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bash_profile
        echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bash_profile
      2. Run the following command to apply the changes.

        source ~/.bash_profile
      3. Run the following commands to verify that the environment variables are configured.

        echo $OSS_ACCESS_KEY_ID
        echo $OSS_ACCESS_KEY_SECRET

Windows

CMD

  1. Run the following commands in Command Prompt.

    setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID"
    setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"
    1. Run the following commands to verify that the environment variables are configured.

      echo %OSS_ACCESS_KEY_ID%
      echo %OSS_ACCESS_KEY_SECRET%

PowerShell

  1. Run the following commands in PowerShell.

    [Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User)
    [Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)
    1. Run the following commands to verify that the environment variables are configured.

      [Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User)
      [Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)

Initialize the client

Initialize the OSSClient by specifying a region.

  • OSSClient implements AutoCloseable. With try-with-resources, resources are released automatically without calling close().

  • Creating and destroying OSSClient is expensive. Use the singleton pattern to reuse a single instance, and call close() explicitly before the application exits.

    Singleton pattern

    public class OssClientSingleton {
        private OssClientSingleton() {}
    
        private static class Holder {
            private static final OSSClient INSTANCE = OSSClient.newBuilder()
                .credentialsProvider(new EnvironmentVariableCredentialsProvider())
                .region("cn-hangzhou")
                .build();
        }
    
        public static OSSClient getInstance() {
            return Holder.INSTANCE;
        }
    
        // Close the OSSClient instance. This must be explicitly called.
        public static void shutdown() {
            try {
                getInstance().close();
            } catch (Exception e) {
                // Handle the close exception.
            }
        }
    }
    

Sync OSSClient

Use the synchronous client when you need to wait for each operation to complete before proceeding.

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.OSSClientBuilder;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;
import com.aliyun.sdk.service.oss2.paginator.ListBucketsIterable;

public class Example {
    public static void main(String[] args) {
        String region = "cn-hangzhou";

        CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();
        OSSClientBuilder clientBuilder = OSSClient.newBuilder()
                .credentialsProvider(provider)
                .region(region);

        try (OSSClient client = clientBuilder.build()) {

            ListBucketsIterable paginator = client.listBucketsPaginator(
                    ListBucketsRequest.newBuilder()
                            .build());

            for (ListBucketsResult result : paginator) {
                for (BucketSummary info : result.buckets()) {
                    System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n", info.name(), info.region(), info.storageClass());
                }
            }

        } catch (Exception e) {
//            ServiceException se = ServiceException.asCause(e);
//            if (se != null) {
//                System.out.printf("ServiceException: requestId:%s, errorCode:%s\n", se.requestId(), se.errorCode());
//            }
            System.out.printf("error:\n%s", e);
        }
    }
}

Asynchronous OSSClient

Use the asynchronous client to run multiple OSS operations concurrently without blocking.

import com.aliyun.sdk.service.oss2.OSSAsyncClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;

import java.util.concurrent.CompletableFuture;

public class ExampleAsync {
    public static void main(String[] args) {
        String region = "cn-hangzhou";
        CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();

        try (OSSAsyncClient client = OSSAsyncClient.newBuilder()
                .region(region)
                .credentialsProvider(provider)
                .build()) {

            CompletableFuture<ListBucketsResult> future = client.listBucketsAsync(
                    ListBucketsRequest.newBuilder().build()
            );

            future.thenAccept(result -> {
                        for (BucketSummary info : result.buckets()) {
                            System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n",
                                    info.name(), info.region(), info.storageClass());
                        }
                    })
                    .exceptionally(e -> {
//                ServiceException se = ServiceException.asCause(e);
//                if (se != null) {
//                    System.out.printf("Async ServiceException: requestId:%s, errorCode:%s\n",
//                            se.requestId(), se.errorCode());
//                }
                        System.out.printf("async error:\n%s\n", e);
                        return null;
                    });

            future.join();

        } catch (Exception e) {
            System.out.printf("main error:\n%s\n", e);
        }
    }
}

Sample output listing all buckets in your account:

bucket: name: examplebucket01, region: cn-hangzhou, storageClass: Standard
bucket: name: examplebucket02, region: cn-hangzhou, storageClass: Standard

Client configurations

Supported client configurations

Parameter name

Description

region

(Required) The region where requests are sent.

credentialsProvider

Set the access credential (Required)

endpoint

The access endpoint.

httpClient

The HTTP client.

retryMaxAttempts

The maximum number of retry attempts for an HTTP request. The default value is 3.

retryer

The retry implementation for an HTTP request.

connectTimeout

The timeout for establishing a connection. The default value is 5 seconds.

readWriteTimeout

The timeout for reading and writing data. The default value is 20 seconds.

insecureSkipVerify

Skips SSL certificate verification. By default, SSL certificates are verified.

enabledRedirect

Enables HTTP redirection. By default, this feature is disabled.

signatureVersion

The signature version. The default value is v4.

disableSsl

By default, requests are sent over HTTPS.

usePathStyle

Path-style requests, also known as the second-level domain request style, are used by default with the bucket-hosted domain name.

useCName

Uses a custom domain name for access. By default, this is false.

useDualStackEndpoint

Uses a dual-stack endpoint for access. By default, this is false.

useAccelerateEndpoint

Uses a transfer acceleration endpoint for access. By default, this is false.

useInternalEndpoint

Uses an internal same-region endpoint for access. By default, this is false.

additionalHeaders

Additional request headers to sign. This is valid for V4 signatures.

userAgent

Additional User-Agent information.

Use a custom domain name

Using the default OSS domain name may cause files to be inaccessible or fail to preview. Bind a custom domain name to enable browser preview and CDN acceleration.

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // Specify your custom domain name. For example, www.example-***.com.
        String endpoint = "https://www.example-***.com";

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                .endpoint(endpoint)
                // Note: Set useCName to true to enable the CNAME option. Otherwise, you cannot use a custom domain name.
                .useCName(true)
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Timeout control

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import java.time.Duration;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                // Set the timeout for establishing a connection. The default value is 5 seconds.
                .connectTimeout(Duration.ofSeconds(30))
                // Set the timeout for reading and writing data. The default value is 20 seconds.
                .readWriteTimeout(Duration.ofSeconds(30))
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Retry policy

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.retry.*;
import java.time.Duration;

public class Example {
    public static void main(String[] args) {
        /*
         * SDK retry policy configuration description:
         *
         * Default retry policy:
         * When no retry policy is configured, the SDK uses StandardRetryer as the default client implementation.
         * Its default configuration is as follows:
         * - maxAttempts: Sets the maximum number of attempts. The default is 3.
         * - maxBackoff: Sets the maximum backoff time in seconds. The default is 20 seconds.
         * - baseDelay: Sets the base delay time in seconds. The default is 0.2 seconds.
         * - backoffDelayer: Sets the backoff algorithm. The default is the FullJitter backoff algorithm.
         *   Formula: [0.0, 1.0) * min(2^attempts * baseDelay, maxBackoff)
         * - errorRetryables: Retryable error types, including HTTP status codes, service error codes, and client errors.
         *
         * When a retryable error occurs, the provided configuration is used to delay and then retry the request.
         * The overall latency of the request increases with the number of retries. If the default configuration
         * does not meet your scenario requirements, you can configure retry parameters or modify the retry implementation.
         */

        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // Retry policy configuration example:

        // 1. Customize the maximum number of retries (default is 3, here set to 5).
        Retryer customRetryer = StandardRetryer.newBuilder()
                .maxAttempts(5)
                .build();

        // 2. Customize the backoff delay time.
        // Adjust the baseDelay to 0.5 seconds (default 0.2 seconds) and maxBackoff to 25 seconds (default 20 seconds).
        // Retryer customRetryer = StandardRetryer.newBuilder()
        //         .backoffDelayer(new FullJitterBackoff(Duration.ofMillis(500), Duration.ofSeconds(25)))
        //         .build();

        // 3. Customize the backoff algorithm.
        // Use a fixed-delay backoff algorithm instead of the default FullJitter algorithm, with a 2-second delay each time.
        // Retryer customRetryer = StandardRetryer.newBuilder()
        //         .backoffDelayer(new FixedDelayBackoff(Duration.ofSeconds(2)))
        //         .build();

        // 4. Disable the retry policy.
        // To disable all retry attempts, use the NopRetryer implementation.
        // Retryer customRetryer = new NopRetryer();

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                .retryer(customRetryer)
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

HTTP/HTTPS protocol

Use disableSsl(true) to disable the HTTPS protocol.

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                // Set to not use HTTPS requests.
                .disableSsl(true)
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Use an internal endpoint

Use an internal endpoint to access OSS within the same region, reducing traffic costs and improving speed.

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Method 1: Specify the region and set useInternalEndpoint to true.
        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // // Method 2: Directly specify the region and endpoint.
        // // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        // String region = "cn-hangzhou";
        // // Specify the internal endpoint for the bucket's region. For China (Hangzhou), the endpoint is 'oss-cn-hangzhou-internal.aliyuncs.com'.
        // String endpoint = "oss-cn-hangzhou-internal.aliyuncs.com";

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                .useInternalEndpoint(true)
                // .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Use a transfer acceleration endpoint

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Method 1: Specify the region and set useAccelerateEndpoint to true.
        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // // Method 2: Directly specify the region and transfer acceleration endpoint.
        // // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        // String region = "cn-hangzhou";
        // // Specify the transfer acceleration endpoint for the bucket's region, for example, 'https://oss-accelerate.aliyuncs.com'.
        // String endpoint = "https://oss-accelerate.aliyuncs.com";

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                .useAccelerateEndpoint(true)
                // .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Use a private domain

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // Specify your private domain. For example: https://service.corp.example.com
        String endpoint = "https://service.corp.example.com";

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                .endpoint(endpoint)
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Use a Gov Cloud domain name

Configure an OSSClient using an Alibaba Gov Cloud domain name.

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Specify the region and endpoint.
        // Specify the region where the bucket is located. For China (Beijing) Gov Cloud 1, set the region to cn-north-2-gov-1.
        String region = "cn-north-2-gov-1";
        // Specify the internal endpoint for the bucket's region. For China (Beijing) Gov Cloud 1, the endpoint is 'https://oss-cn-north-2-gov-1-internal.aliyuncs.com'.
        // To specify the HTTP protocol, set the domain to 'http://oss-cn-north-2-gov-1-internal.aliyuncs.com'.
        String endpoint = "https://oss-cn-north-2-gov-1-internal.aliyuncs.com";

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                .endpoint(endpoint)
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Use a custom HTTPClient

Use a custom HTTP client when the standard configuration parameters are insufficient.

import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.transport.HttpClient;
import com.aliyun.sdk.service.oss2.transport.HttpClientOptions;
import com.aliyun.sdk.service.oss2.transport.apache5client.Apache5HttpClientBuilder;
import java.time.Duration;

public class Example {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();

        // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // Set the parameters for the HTTP client.
        HttpClientOptions httpClientOptions = HttpClientOptions.custom()
                // Connection timeout. The default value is 5 seconds.
                .connectTimeout(Duration.ofSeconds(30))
                // Timeout for reading and writing data. The default value is 20 seconds.
                .readWriteTimeout(Duration.ofSeconds(30))
                // Maximum number of connections. The default value is 1024.
                .maxConnections(2048)
                // Specifies whether to skip certificate verification. By default, this is false.
                .insecureSkipVerify(false)
                // Specifies whether to enable HTTP redirection. By default, this is disabled.
                .redirectsEnabled(false)
                // Set the proxy server.
                // .proxyHost("http://user:passswd@proxy.example-***.com")
                .build();

        // Create an HTTP client and pass in the HTTP client parameters.
        HttpClient httpClient = Apache5HttpClientBuilder.create()
                .options(httpClientOptions)
                .build();

        // Create an OSS client with the configured information.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region(region)
                .httpClient(httpClient)
                .build()) {

            // Use the created client for subsequent operations...

        } catch (Exception e) {
            System.err.println("Error occurred: " + e.getMessage());
        }
    }
}

Access credential configurations

The SDK supports multiple credential types. Choose the method that fits your authentication needs.

How to choose access credentials

Credential provider initialization method

Scenario

Java SDK 2.0 support

Underlying credentials

Credential validity

Credential rotation or refresh method

Use the AccessKey pair of a RAM user

Applications in a secure environment requiring long-term access without frequent credential rotation.

Built-in support

AccessKey

Long-term

Manual rotation

Use an STS token

Applications in an untrusted environment where you control the validity period and permissions of access.

Built-in support

Security Token Service token

Temporary

Manual refresh

Use RAM role ARN credentials

Cross-account access to OSS, requiring temporary credentials obtained by assuming a RAM role.

Extended support

Security Token Service token

Temporary

Auto-refresh

Use ECS RAM role credentials

Applications on ECS instances, ECI instances, or Container Service for Kubernetes.

Extended support

Security Token Service token

Temporary

Auto-refresh

Use OIDC role ARN credentials

RRSA in Container Service for Kubernetes for pod-level permission isolation.

Extended support

Security Token Service token

Temporary

Auto-refresh

Use custom access credentials

Custom credential retrieval when the above methods are insufficient.

Built-in support

Custom

Custom

Custom

Anonymous access

Access public-read OSS resources without credentials.

Built-in support

None

None

None

Credential features marked as Extended support must be implemented using the custom access credentials method and the Alibaba Cloud credentials management library. The SDK provides built-in support for basic credential configuration methods. You can implement extended features by integrating the credentials-java library.

Use the AccessKey pair of a RAM user

Initialize the credential provider with the AccessKey pair (AccessKey ID and AccessKey secret) of an Alibaba Cloud account or a RAM user. Suitable for applications in a secure environment that need long-term OSS access. This approach requires manual key maintenance, which increases security risk.

Important
  • An Alibaba Cloud account has full permissions over its resources. Leaking its AccessKey pair poses a significant security risk. Use a RAM user with minimum required permissions instead.

  • To create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and secret are displayed only at creation time. Save them immediately. If lost, create a new pair.

Configure environment variables

Linux/macOS

  1. Set the environment variables using the AccessKey pair of the RAM user.

    export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'
    export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'
  2. Run the following commands to verify that the environment variables are configured.

    echo $OSS_ACCESS_KEY_ID
    echo $OSS_ACCESS_KEY_SECRET

Windows

CMD

setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID"
setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"

PowerShell

[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User)
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)

Code sample

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;

public class OSSExample {
    public static void main(String[] args) {
        // Load credential information from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
        
        // Create an OSS client.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located.
                .build()) {
            
            // Use the created client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Static credential configuration

Hard-code access credentials by explicitly setting the AccessKey pair.

Warning

Do not embed access credentials in your production applications. This method is for testing purposes only.

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;

public class OSSExample {
    public static void main(String[] args) {
        // Create a static credential provider and explicitly set the AccessKey pair.
        // Replace with your RAM user's AccessKey ID and AccessKey secret.
        CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
                "YOUR_ACCESS_KEY_ID",
                "YOUR_ACCESS_KEY_SECRET"
        );
        
        // Create an OSS client.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located.
                .build()) {
            
            // Use the created client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Use an STS token

Use temporary credentials from Security Token Service (STS) — an AccessKey ID, an AccessKey secret, and a security token — for time-limited OSS access. You must manually refresh the token before it expires.

Configure environment variables

Important
  • This method uses temporary identity credentials (AccessKey ID, AccessKey secret, and a Security Token Service (STS) token) that you obtain from STS, not the AccessKey pair of a RAM user.

  • The AccessKey ID that you obtain from STS starts with "STS", for example, "STS.L4aBSCSJVMuKg5U1****".

Linux/macOS

export OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
export OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
export OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>

Windows

set OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
set OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
set OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>

Code sample

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;

public class OSSExample {
    public static void main(String[] args) {
        // Load the authentication information required to access OSS from environment variables for identity verification.
        CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
        
        // Create an OSS client.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located.
                .build()) {
            
            // Use the created client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Static credential configuration

Hard-code temporary credentials by explicitly setting the AccessKey pair and security token.

Warning

Do not embed access credentials in your production applications. This method is for testing purposes only.

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;

public class OSSExample {
    public static void main(String[] args) {
        // Specify the obtained temporary AccessKey ID and AccessKey secret.
        // Note that the AccessKey ID obtained from STS starts with "STS".
        String stsAccessKeyId = "STS.****************";
        String stsAccessKeySecret = "yourAccessKeySecret";
        String stsSecurityToken = "yourSecurityToken";
        
        // Create a static credential provider and explicitly set the temporary AccessKey pair and STS security token.
        CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
                stsAccessKeyId,
                stsAccessKeySecret,
                stsSecurityToken
        );
        
        // Create an OSS client.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located.
                .build()) {
            
            // Use the created client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Use RAM role ARN credentials

For cross-account access, use the ARN of a RAM role to initialize a credential provider. The SDK automatically calls AssumeRole to obtain and refresh STS tokens. You can set the policy parameter to further restrict permissions.

Important
  • An Alibaba Cloud account has full permissions over its resources. Leaking its AccessKey pair poses a significant security risk. Use a RAM user with minimum required permissions instead.

  • To create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and secret are displayed only at creation time. Save them immediately. If lost, create a new pair.

  • To obtain a RAM role ARN, see Create a RAM role.

Add a dependency

Add the Alibaba Cloud credentials management dependency to your pom.xml file.

<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>credentials-java</artifactId>
    <version>0.3.4</version>
</dependency>

Configure an AccessKey pair and RAM role ARN as access credentials

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;

public class OSSExample {
    public static void main(String[] args) {
        // Configure RAM role ARN credentials.
        Config credentialConfig = new Config()
                .setType("ram_role_arn")
                // Obtain the RAM user's AccessKey pair (AccessKey ID and AccessKey secret) from environment variables.
                .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
                .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
                // The ARN of the RAM role to assume. Example value: acs:ram::123456789012****:role/adminrole
                // You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
                .setRoleArn("acs:ram::123456789012****:role/adminrole")
                // The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
                .setRoleSessionName("your-session-name")
                // Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
                .setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
                // Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
                .setRoleSessionExpiration(3600);

        Client credentialClient = new Client(credentialConfig);

        // Create a credential provider for dynamic credential loading.
        CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
            try {
                com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
                return new Credentials(
                    cred.getAccessKeyId(),
                    cred.getAccessKeySecret(),
                    cred.getSecurityToken()
                );
            } catch (Exception e) {
                throw new RuntimeException("Failed to obtain credentials", e);
            }
        });

        // Create an OSS client instance.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
                .build()) {
            
            // Use the client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Use ECS RAM role credentials

For applications on ECS instances, ECI instances, or Container Service for Kubernetes worker nodes, use an ECS RAM role. The SDK automatically retrieves and refreshes temporary STS tokens — no manual key management required. To set up the role, see Create a RAM role.

Add a dependency

<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>credentials-java</artifactId>
    <version>0.3.4</version>
</dependency>

Configure an ECS RAM role as an access credential

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;

public class OSSExample {
    public static void main(String[] args) {
        // Configure ECS RAM role credentials.
        Config credentialConfig = new Config()
                .setType("ecs_ram_role")      // Access credential type. Fixed as ecs_ram_role.
                .setRoleName("EcsRoleExample"); // The name of the RAM role granted to the ECS instance. Optional parameter. If not set, it will be automatically retrieved. We strongly recommend setting it to reduce requests.

        Client credentialClient = new Client(credentialConfig);

        // Create a credential provider for dynamic credential loading.
        CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
            try {
                com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
                return new Credentials(
                    cred.getAccessKeyId(),
                    cred.getAccessKeySecret(),
                    cred.getSecurityToken()
                );
            } catch (Exception e) {
                throw new RuntimeException("Failed to obtain credentials", e);
            }
        });

        // Create an OSS client instance.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
                .build()) {
            
            // Use the client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Use OIDC role ARN credentials

In Container Service for Kubernetes, use RAM Roles for Service Accounts (RRSA) for pod-level permission control. The SDK uses an OIDC token mounted into the pod to assume a RAM role and automatically obtain temporary STS tokens. Use RRSA to grant RAM permissions to a ServiceAccount.

Add a dependency

<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>credentials-java</artifactId>
    <version>0.3.4</version>
</dependency>

Configure an OIDC role ARN as an access credential

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;

public class OSSExample {
    public static void main(String[] args) {
        // Configure OIDC role ARN credentials.
        Config credentialConfig = new Config()
                // Specify the credential type. Fixed as oidc_role_arn.
                .setType("oidc_role_arn")
                // The RAM role ARN. You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
                .setRoleArn(System.getenv("ALIBABA_CLOUD_ROLE_ARN"))
                // The OIDC provider ARN. You can set the OidcProviderArn via the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable.
                .setOidcProviderArn(System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"))
                // The OIDC token file path. You can set the OidcTokenFilePath via the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable.
                .setOidcTokenFilePath(System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"))
                // The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
                .setRoleSessionName("your-session-name")
                // Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
                .setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
                // Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
                .setRoleSessionExpiration(3600);

        Client credentialClient = new Client(credentialConfig);

        // Create a credential provider for dynamic credential loading.
        CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
            try {
                com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
                return new Credentials(
                    cred.getAccessKeyId(),
                    cred.getAccessKeySecret(),
                    cred.getSecurityToken()
                );
            } catch (Exception e) {
                throw new RuntimeException("Failed to obtain credentials", e);
            }
        });

        // Create an OSS client instance.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
                .build()) {
            
            // Use the client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Use custom access credentials

If the built-in credential methods are insufficient, implement a custom credential provider.

Implement through the Supplier interface

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;

public class OSSExample {
    public static void main(String[] args) {
        // Create a custom credential provider.
        CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
            // TODO: Implement your custom credential retrieval logic.
            
            // Return long-term credentials.
            return new Credentials("access_key_id", "access_key_secret");
            
            // Return an STS token (if needed).
            // return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
        });
        
        // Create an OSS client.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located.
                .build()) {
            
            // Use the created client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Implement the CredentialsProvider interface

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;

public class CustomCredentialsProvider implements CredentialsProvider {
    
    @Override
    public Credentials getCredentials() {
        // TODO: Implement your custom credential retrieval logic.
        
        // Return long-term credentials.
        return new Credentials("access_key_id", "access_key_secret");
        
        // Return an STS token (if needed).
        // For temporary credentials, you need to refresh them based on their expiration time.
        // return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
    }
}

public class OSSExample {
    public static void main(String[] args) {
        // Create a custom credential provider.
        CredentialsProvider credentialsProvider = new CustomCredentialsProvider();
        
        // Create an OSS client.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located.
                .build()) {
            
            // Use the created client for subsequent operations...
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Anonymous access

Access public-read OSS resources without providing credentials.

import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.AnonymousCredentialsProvider;

public class OSSExample {
    public static void main(String[] args) {
        // Create an anonymous credential provider.
        CredentialsProvider credentialsProvider = new AnonymousCredentialsProvider();
        
        // Create an OSS client.
        try (OSSClient client = OSSClient.newBuilder()
                .credentialsProvider(credentialsProvider)
                .region("cn-hangzhou") // Specify the region where the bucket is located.
                .build()) {
            
            // Use the created client for subsequent operations...
            // Note: Anonymous access can only be used for resources with public-read permissions.
            
        } catch (Exception e) {
            System.err.println("Operation failed: " + e.getMessage());
        }
    }
}

Sample code

Feature classification

Example description

Sync version

Asynchronous version

Bucket

Create a bucket

PutBucket.java

PutBucketAsync.java

List buckets

ListBuckets.java

ListBucketsAsync.java

Get bucket information

GetBucketInfo.java

GetBucketInfoAsync.java

Get bucket region

GetBucketLocation.java

GetBucketLocationAsync.java

Get bucket storage statistics

GetBucketStat.java

GetBucketStatAsync.java

Delete a bucket

DeleteBucket.java

DeleteBucketAsync.java

File upload

Simple upload

PutObject.java

PutObjectAsync.java

Append upload

AppendObject.java

AppendObjectAsync.java

Multipart upload

MultipartUpload.java

MultipartUploadAsync.java

List multipart upload tasks

ListMultipartUploads.java

ListMultipartUploadsAsync.java

List uploaded parts

ListParts.java

ListPartsAsync.java

Cancel a multipart upload

AbortMultipartUpload.java

AbortMultipartUploadAsync.java

File download

Simple download

GetObject.java

GetObjectAsync.java

File management

Copy a file

CopyObject.java

CopyObjectAsync.java

Check if a file exists

HeadObject.java

HeadObjectAsync.java

List files

ListObjects.java

ListObjectsAsync.java

List files V2

ListObjectsV2.java

ListObjectsV2Async.java

Delete a file

DeleteObject.java

DeleteObjectAsync.java

Delete multiple files

DeleteMultipleObjects.java

DeleteMultipleObjectsAsync.java

Get file metadata

GetObjectMeta.java

GetObjectMetaAsync.java

Archived object

Restore a file

RestoreObject.java

RestoreObjectAsync.java

Clean up a restored file

CleanRestoredObject.java

CleanRestoredObjectAsync.java

Symbolic link

Create a symbolic link

PutSymlink.java

PutSymlinkAsync.java

Get a symbolic link

GetSymlink.java

GetSymlinkAsync.java

Object tagging

Set object tags

PutObjectTagging.java

PutObjectTaggingAsync.java

Get object tags

GetObjectTagging.java

GetObjectTaggingAsync.java

Delete object tags

DeleteObjectTagging.java

DeleteObjectTaggingAsync.java

Access control

Set bucket ACL

PutBucketAcl.java

PutBucketAclAsync.java

Get bucket ACL

GetBucketAcl.java

GetBucketAclAsync.java

Set object ACL

PutObjectAcl.java

PutObjectAclAsync.java

Get object ACL

GetObjectAcl.java

GetObjectAclAsync.java

Versioning

Set versioning

PutBucketVersioning.java

PutBucketVersioningAsync.java

Get versioning status

GetBucketVersioning.java

GetBucketVersioningAsync.java

List object versions

ListObjectVersions.java

ListObjectVersionsAsync.java

Cross-domain access

Set CORS rules

PutBucketCors.java

PutBucketCorsAsync.java

Get CORS rules

GetBucketCors.java

GetBucketCorsAsync.java

Delete CORS rules

DeleteBucketCors.java

DeleteBucketCorsAsync.java

Preflight request

OptionObject.java

OptionObjectAsync.java

System features

Query endpoint information

DescribeRegions.java

DescribeRegionsAsync.java