Integrate Alibaba Cloud Object Storage Service (OSS) into Java applications to upload, download, and manage files in the cloud.
Quick integration
Complete the following steps to start using the SDK.
Prerequisites
Java 8 or later.
Run the java -version command to check your Java version. If Java is not installed, or if the version is earlier than Java 8, download and install Java.
Install the SDK
Add the SDK dependency via Maven or build from source.
Maven
Add the following dependency to pom.xml. Replace <version> with the latest version from the Maven Repository.
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>alibabacloud-oss-v2</artifactId>
<version><!-- Specify the latest version number--></version>
</dependency>
Source code
Clone the repository from Github and build with Maven.
mvn clean install -DskipTests -Dgpg.skip=true
Configure access credentials
Set environment variables with a RAM user's AccessKey pair.
In the RAM console, create a RAM user with Permanent AccessKey Pair access. Save the AccessKey pair, and grant the AliyunOSSFullAccess permission to the user.
Linux
-
Run the following commands in the command-line interface to append the environment variable settings to the
~/.bashrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bashrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bashrc-
Run the following command to apply the changes.
source ~/.bashrc -
Run the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
-
macOS
-
Run the following command in the terminal to check the default shell type.
echo $SHELL-
Follow the steps for your default shell type.
Zsh
-
Run the following commands to append the environment variable settings to the
~/.zshrcfile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.zshrc echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.zshrc -
Run the following command to apply the changes.
source ~/.zshrc -
Run the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Bash
-
Run the following commands to append the environment variable settings to the
~/.bash_profilefile.echo "export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID'" >> ~/.bash_profile echo "export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET'" >> ~/.bash_profile -
Run the following command to apply the changes.
source ~/.bash_profile -
Run the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
-
-
Windows
CMD
-
Run the following commands in Command Prompt.
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID" setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"-
Run the following commands to verify that the environment variables are configured.
echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
-
PowerShell
-
Run the following commands in PowerShell.
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)-
Run the following commands to verify that the environment variables are configured.
[Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User) [Environment]::GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)
-
Initialize the client
Initialize the OSSClient by specifying a region.
-
OSSClient implements AutoCloseable. With try-with-resources, resources are released automatically without calling close().
-
Creating and destroying OSSClient is expensive. Use the singleton pattern to reuse a single instance, and call close() explicitly before the application exits.
Sync OSSClient
Use the synchronous client when you need to wait for each operation to complete before proceeding.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.OSSClientBuilder;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;
import com.aliyun.sdk.service.oss2.paginator.ListBucketsIterable;
public class Example {
public static void main(String[] args) {
String region = "cn-hangzhou";
CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();
OSSClientBuilder clientBuilder = OSSClient.newBuilder()
.credentialsProvider(provider)
.region(region);
try (OSSClient client = clientBuilder.build()) {
ListBucketsIterable paginator = client.listBucketsPaginator(
ListBucketsRequest.newBuilder()
.build());
for (ListBucketsResult result : paginator) {
for (BucketSummary info : result.buckets()) {
System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n", info.name(), info.region(), info.storageClass());
}
}
} catch (Exception e) {
// ServiceException se = ServiceException.asCause(e);
// if (se != null) {
// System.out.printf("ServiceException: requestId:%s, errorCode:%s\n", se.requestId(), se.errorCode());
// }
System.out.printf("error:\n%s", e);
}
}
}
Asynchronous OSSClient
Use the asynchronous client to run multiple OSS operations concurrently without blocking.
import com.aliyun.sdk.service.oss2.OSSAsyncClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
import com.aliyun.sdk.service.oss2.exceptions.ServiceException;
import com.aliyun.sdk.service.oss2.models.*;
import java.util.concurrent.CompletableFuture;
public class ExampleAsync {
public static void main(String[] args) {
String region = "cn-hangzhou";
CredentialsProvider provider = new EnvironmentVariableCredentialsProvider();
try (OSSAsyncClient client = OSSAsyncClient.newBuilder()
.region(region)
.credentialsProvider(provider)
.build()) {
CompletableFuture<ListBucketsResult> future = client.listBucketsAsync(
ListBucketsRequest.newBuilder().build()
);
future.thenAccept(result -> {
for (BucketSummary info : result.buckets()) {
System.out.printf("bucket: name:%s, region:%s, storageClass:%s\n",
info.name(), info.region(), info.storageClass());
}
})
.exceptionally(e -> {
// ServiceException se = ServiceException.asCause(e);
// if (se != null) {
// System.out.printf("Async ServiceException: requestId:%s, errorCode:%s\n",
// se.requestId(), se.errorCode());
// }
System.out.printf("async error:\n%s\n", e);
return null;
});
future.join();
} catch (Exception e) {
System.out.printf("main error:\n%s\n", e);
}
}
}
Sample output listing all buckets in your account:
bucket: name: examplebucket01, region: cn-hangzhou, storageClass: Standard
bucket: name: examplebucket02, region: cn-hangzhou, storageClass: Standard
Client configurations
Use a custom domain name
Using the default OSS domain name may cause files to be inaccessible or fail to preview. Bind a custom domain name to enable browser preview and CDN acceleration.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Specify your custom domain name. For example, www.example-***.com.
String endpoint = "https://www.example-***.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
// Note: Set useCName to true to enable the CNAME option. Otherwise, you cannot use a custom domain name.
.useCName(true)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Timeout control
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
// Set the timeout for establishing a connection. The default value is 5 seconds.
.connectTimeout(Duration.ofSeconds(30))
// Set the timeout for reading and writing data. The default value is 20 seconds.
.readWriteTimeout(Duration.ofSeconds(30))
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Retry policy
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.retry.*;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
/*
* SDK retry policy configuration description:
*
* Default retry policy:
* When no retry policy is configured, the SDK uses StandardRetryer as the default client implementation.
* Its default configuration is as follows:
* - maxAttempts: Sets the maximum number of attempts. The default is 3.
* - maxBackoff: Sets the maximum backoff time in seconds. The default is 20 seconds.
* - baseDelay: Sets the base delay time in seconds. The default is 0.2 seconds.
* - backoffDelayer: Sets the backoff algorithm. The default is the FullJitter backoff algorithm.
* Formula: [0.0, 1.0) * min(2^attempts * baseDelay, maxBackoff)
* - errorRetryables: Retryable error types, including HTTP status codes, service error codes, and client errors.
*
* When a retryable error occurs, the provided configuration is used to delay and then retry the request.
* The overall latency of the request increases with the number of retries. If the default configuration
* does not meet your scenario requirements, you can configure retry parameters or modify the retry implementation.
*/
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Retry policy configuration example:
// 1. Customize the maximum number of retries (default is 3, here set to 5).
Retryer customRetryer = StandardRetryer.newBuilder()
.maxAttempts(5)
.build();
// 2. Customize the backoff delay time.
// Adjust the baseDelay to 0.5 seconds (default 0.2 seconds) and maxBackoff to 25 seconds (default 20 seconds).
// Retryer customRetryer = StandardRetryer.newBuilder()
// .backoffDelayer(new FullJitterBackoff(Duration.ofMillis(500), Duration.ofSeconds(25)))
// .build();
// 3. Customize the backoff algorithm.
// Use a fixed-delay backoff algorithm instead of the default FullJitter algorithm, with a 2-second delay each time.
// Retryer customRetryer = StandardRetryer.newBuilder()
// .backoffDelayer(new FixedDelayBackoff(Duration.ofSeconds(2)))
// .build();
// 4. Disable the retry policy.
// To disable all retry attempts, use the NopRetryer implementation.
// Retryer customRetryer = new NopRetryer();
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.retryer(customRetryer)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
HTTP/HTTPS protocol
Use disableSsl(true) to disable the HTTPS protocol.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
// Set to not use HTTPS requests.
.disableSsl(true)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Use an internal endpoint
Use an internal endpoint to access OSS within the same region, reducing traffic costs and improving speed.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Method 1: Specify the region and set useInternalEndpoint to true.
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// // Method 2: Directly specify the region and endpoint.
// // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
// String region = "cn-hangzhou";
// // Specify the internal endpoint for the bucket's region. For China (Hangzhou), the endpoint is 'oss-cn-hangzhou-internal.aliyuncs.com'.
// String endpoint = "oss-cn-hangzhou-internal.aliyuncs.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.useInternalEndpoint(true)
// .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Use a transfer acceleration endpoint
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Method 1: Specify the region and set useAccelerateEndpoint to true.
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// // Method 2: Directly specify the region and transfer acceleration endpoint.
// // Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
// String region = "cn-hangzhou";
// // Specify the transfer acceleration endpoint for the bucket's region, for example, 'https://oss-accelerate.aliyuncs.com'.
// String endpoint = "https://oss-accelerate.aliyuncs.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.useAccelerateEndpoint(true)
// .endpoint(endpoint) // If using Method 2, uncomment this line and comment out the previous one.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Use a private domain
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Specify your private domain. For example: https://service.corp.example.com
String endpoint = "https://service.corp.example.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Use a Gov Cloud domain name
Configure an OSSClient using an Alibaba Gov Cloud domain name.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region and endpoint.
// Specify the region where the bucket is located. For China (Beijing) Gov Cloud 1, set the region to cn-north-2-gov-1.
String region = "cn-north-2-gov-1";
// Specify the internal endpoint for the bucket's region. For China (Beijing) Gov Cloud 1, the endpoint is 'https://oss-cn-north-2-gov-1-internal.aliyuncs.com'.
// To specify the HTTP protocol, set the domain to 'http://oss-cn-north-2-gov-1-internal.aliyuncs.com'.
String endpoint = "https://oss-cn-north-2-gov-1-internal.aliyuncs.com";
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.endpoint(endpoint)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Use a custom HTTPClient
Use a custom HTTP client when the standard configuration parameters are insufficient.
import com.aliyun.sdk.service.oss2.*;
import com.aliyun.sdk.service.oss2.credentials.*;
import com.aliyun.sdk.service.oss2.transport.HttpClient;
import com.aliyun.sdk.service.oss2.transport.HttpClientOptions;
import com.aliyun.sdk.service.oss2.transport.apache5client.Apache5HttpClientBuilder;
import java.time.Duration;
public class Example {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Specify the region where the bucket is located. For example, for China (Hangzhou), set the region to cn-hangzhou.
String region = "cn-hangzhou";
// Set the parameters for the HTTP client.
HttpClientOptions httpClientOptions = HttpClientOptions.custom()
// Connection timeout. The default value is 5 seconds.
.connectTimeout(Duration.ofSeconds(30))
// Timeout for reading and writing data. The default value is 20 seconds.
.readWriteTimeout(Duration.ofSeconds(30))
// Maximum number of connections. The default value is 1024.
.maxConnections(2048)
// Specifies whether to skip certificate verification. By default, this is false.
.insecureSkipVerify(false)
// Specifies whether to enable HTTP redirection. By default, this is disabled.
.redirectsEnabled(false)
// Set the proxy server.
// .proxyHost("http://user:passswd@proxy.example-***.com")
.build();
// Create an HTTP client and pass in the HTTP client parameters.
HttpClient httpClient = Apache5HttpClientBuilder.create()
.options(httpClientOptions)
.build();
// Create an OSS client with the configured information.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region(region)
.httpClient(httpClient)
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Error occurred: " + e.getMessage());
}
}
}
Access credential configurations
The SDK supports multiple credential types. Choose the method that fits your authentication needs.
How to choose access credentials
Use the AccessKey pair of a RAM user
Initialize the credential provider with the AccessKey pair (AccessKey ID and AccessKey secret) of an Alibaba Cloud account or a RAM user. Suitable for applications in a secure environment that need long-term OSS access. This approach requires manual key maintenance, which increases security risk.
-
An Alibaba Cloud account has full permissions over its resources. Leaking its AccessKey pair poses a significant security risk. Use a RAM user with minimum required permissions instead.
-
To create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and secret are displayed only at creation time. Save them immediately. If lost, create a new pair.
Configure environment variables
Linux/macOS
-
Set the environment variables using the AccessKey pair of the RAM user.
export OSS_ACCESS_KEY_ID='YOUR_ACCESS_KEY_ID' export OSS_ACCESS_KEY_SECRET='YOUR_ACCESS_KEY_SECRET' -
Run the following commands to verify that the environment variables are configured.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Windows
CMD
setx OSS_ACCESS_KEY_ID "YOUR_ACCESS_KEY_ID"
setx OSS_ACCESS_KEY_SECRET "YOUR_ACCESS_KEY_SECRET"
PowerShell
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_ID", "YOUR_ACCESS_KEY_ID", [EnvironmentVariableTarget]::User)
[Environment]::SetEnvironmentVariable("OSS_ACCESS_KEY_SECRET", "YOUR_ACCESS_KEY_SECRET", [EnvironmentVariableTarget]::User)
Code sample
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Load credential information from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Static credential configuration
Hard-code access credentials by explicitly setting the AccessKey pair.
Do not embed access credentials in your production applications. This method is for testing purposes only.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Create a static credential provider and explicitly set the AccessKey pair.
// Replace with your RAM user's AccessKey ID and AccessKey secret.
CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
"YOUR_ACCESS_KEY_ID",
"YOUR_ACCESS_KEY_SECRET"
);
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Use an STS token
Use temporary credentials from Security Token Service (STS) — an AccessKey ID, an AccessKey secret, and a security token — for time-limited OSS access. You must manually refresh the token before it expires.
-
To quickly obtain an STS token using OpenAPI, see AssumeRole - Obtain temporary identity credentials for a RAM role.
-
To obtain an STS token using an SDK, see Use an STS token to access OSS.
-
You must specify an expiration time when you generate an STS token. The token becomes invalid after it expires.
-
For a list of STS service endpoints, see Service endpoints.
Configure environment variables
-
This method uses temporary identity credentials (AccessKey ID, AccessKey secret, and a Security Token Service (STS) token) that you obtain from STS, not the AccessKey pair of a RAM user.
-
The AccessKey ID that you obtain from STS starts with "STS", for example, "STS.L4aBSCSJVMuKg5U1****".
Linux/macOS
export OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
export OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
export OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>
Windows
set OSS_ACCESS_KEY_ID=<STS_ACCESS_KEY_ID>
set OSS_ACCESS_KEY_SECRET=<STS_ACCESS_KEY_SECRET>
set OSS_SESSION_TOKEN=<STS_SECURITY_TOKEN>
Code sample
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.EnvironmentVariableCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Load the authentication information required to access OSS from environment variables for identity verification.
CredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Static credential configuration
Hard-code temporary credentials by explicitly setting the AccessKey pair and security token.
Do not embed access credentials in your production applications. This method is for testing purposes only.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.StaticCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Specify the obtained temporary AccessKey ID and AccessKey secret.
// Note that the AccessKey ID obtained from STS starts with "STS".
String stsAccessKeyId = "STS.****************";
String stsAccessKeySecret = "yourAccessKeySecret";
String stsSecurityToken = "yourSecurityToken";
// Create a static credential provider and explicitly set the temporary AccessKey pair and STS security token.
CredentialsProvider credentialsProvider = new StaticCredentialsProvider(
stsAccessKeyId,
stsAccessKeySecret,
stsSecurityToken
);
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Use RAM role ARN credentials
For cross-account access, use the ARN of a RAM role to initialize a credential provider. The SDK automatically calls AssumeRole to obtain and refresh STS tokens. You can set the policy parameter to further restrict permissions.
-
An Alibaba Cloud account has full permissions over its resources. Leaking its AccessKey pair poses a significant security risk. Use a RAM user with minimum required permissions instead.
-
To create an AccessKey pair for a RAM user, see Create an AccessKey pair. The AccessKey ID and secret are displayed only at creation time. Save them immediately. If lost, create a new pair.
-
To obtain a RAM role ARN, see Create a RAM role.
Add a dependency
Add the Alibaba Cloud credentials management dependency to your pom.xml file.
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>
Configure an AccessKey pair and RAM role ARN as access credentials
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure RAM role ARN credentials.
Config credentialConfig = new Config()
.setType("ram_role_arn")
// Obtain the RAM user's AccessKey pair (AccessKey ID and AccessKey secret) from environment variables.
.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
// The ARN of the RAM role to assume. Example value: acs:ram::123456789012****:role/adminrole
// You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
.setRoleArn("acs:ram::123456789012****:role/adminrole")
// The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
.setRoleSessionName("your-session-name")
// Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
.setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
// Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
.setRoleSessionExpiration(3600);
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Use ECS RAM role credentials
For applications on ECS instances, ECI instances, or Container Service for Kubernetes worker nodes, use an ECS RAM role. The SDK automatically retrieves and refreshes temporary STS tokens — no manual key management required. To set up the role, see Create a RAM role.
Add a dependency
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>
Configure an ECS RAM role as an access credential
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure ECS RAM role credentials.
Config credentialConfig = new Config()
.setType("ecs_ram_role") // Access credential type. Fixed as ecs_ram_role.
.setRoleName("EcsRoleExample"); // The name of the RAM role granted to the ECS instance. Optional parameter. If not set, it will be automatically retrieved. We strongly recommend setting it to reduce requests.
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Use OIDC role ARN credentials
In Container Service for Kubernetes, use RAM Roles for Service Accounts (RRSA) for pod-level permission control. The SDK uses an OIDC token mounted into the pod to assume a RAM role and automatically obtain temporary STS tokens. Use RRSA to grant RAM permissions to a ServiceAccount.
Add a dependency
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>credentials-java</artifactId>
<version>0.3.4</version>
</dependency>
Configure an OIDC role ARN as an access credential
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
// Note: The following imports are from the external dependency credentials-java
import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;
public class OSSExample {
public static void main(String[] args) {
// Configure OIDC role ARN credentials.
Config credentialConfig = new Config()
// Specify the credential type. Fixed as oidc_role_arn.
.setType("oidc_role_arn")
// The RAM role ARN. You can set the RoleArn via the ALIBABA_CLOUD_ROLE_ARN environment variable.
.setRoleArn(System.getenv("ALIBABA_CLOUD_ROLE_ARN"))
// The OIDC provider ARN. You can set the OidcProviderArn via the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable.
.setOidcProviderArn(System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"))
// The OIDC token file path. You can set the OidcTokenFilePath via the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable.
.setOidcTokenFilePath(System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"))
// The role session name. You can set the RoleSessionName via the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
.setRoleSessionName("your-session-name")
// Set a more restrictive permission policy. This is optional. Example value: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
.setPolicy("{\"Statement\": [{\"Action\": [\"*\"],\"Effect\": \"Allow\",\"Resource\": [\"*\"]}],\"Version\":\"1\"}")
// Set the role session validity period in seconds. The default is 3600 seconds (1 hour). This is optional.
.setRoleSessionExpiration(3600);
Client credentialClient = new Client(credentialConfig);
// Create a credential provider for dynamic credential loading.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
try {
com.aliyun.credentials.models.CredentialModel cred = credentialClient.getCredential();
return new Credentials(
cred.getAccessKeyId(),
cred.getAccessKeySecret(),
cred.getSecurityToken()
);
} catch (Exception e) {
throw new RuntimeException("Failed to obtain credentials", e);
}
});
// Create an OSS client instance.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located, for example, China (Hangzhou).
.build()) {
// Use the client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Use custom access credentials
If the built-in credential methods are insufficient, implement a custom credential provider.
Implement through the Supplier interface
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProviderSupplier;
public class OSSExample {
public static void main(String[] args) {
// Create a custom credential provider.
CredentialsProvider credentialsProvider = new CredentialsProviderSupplier(() -> {
// TODO: Implement your custom credential retrieval logic.
// Return long-term credentials.
return new Credentials("access_key_id", "access_key_secret");
// Return an STS token (if needed).
// return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
});
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Implement the CredentialsProvider interface
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.Credentials;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
public class CustomCredentialsProvider implements CredentialsProvider {
@Override
public Credentials getCredentials() {
// TODO: Implement your custom credential retrieval logic.
// Return long-term credentials.
return new Credentials("access_key_id", "access_key_secret");
// Return an STS token (if needed).
// For temporary credentials, you need to refresh them based on their expiration time.
// return new Credentials("sts_access_key_id", "sts_access_key_secret", "security_token");
}
}
public class OSSExample {
public static void main(String[] args) {
// Create a custom credential provider.
CredentialsProvider credentialsProvider = new CustomCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Anonymous access
Access public-read OSS resources without providing credentials.
import com.aliyun.sdk.service.oss2.OSSClient;
import com.aliyun.sdk.service.oss2.credentials.CredentialsProvider;
import com.aliyun.sdk.service.oss2.credentials.AnonymousCredentialsProvider;
public class OSSExample {
public static void main(String[] args) {
// Create an anonymous credential provider.
CredentialsProvider credentialsProvider = new AnonymousCredentialsProvider();
// Create an OSS client.
try (OSSClient client = OSSClient.newBuilder()
.credentialsProvider(credentialsProvider)
.region("cn-hangzhou") // Specify the region where the bucket is located.
.build()) {
// Use the created client for subsequent operations...
// Note: Anonymous access can only be used for resources with public-read permissions.
} catch (Exception e) {
System.err.println("Operation failed: " + e.getMessage());
}
}
}
Sample code
|
Feature classification |
Example description |
Sync version |
Asynchronous version |
|
Bucket |
Create a bucket |
||
|
List buckets |
|||
|
Get bucket information |
|||
|
Get bucket region |
|||
|
Get bucket storage statistics |
|||
|
Delete a bucket |
|||
|
File upload |
Simple upload |
||
|
Append upload |
|||
|
Multipart upload |
|||
|
List multipart upload tasks |
|||
|
List uploaded parts |
|||
|
Cancel a multipart upload |
|||
|
File download |
Simple download |
||
|
File management |
Copy a file |
||
|
Check if a file exists |
|||
|
List files |
|||
|
List files V2 |
|||
|
Delete a file |
|||
|
Delete multiple files |
|||
|
Get file metadata |
|||
|
Archived object |
Restore a file |
||
|
Clean up a restored file |
|||
|
Symbolic link |
Create a symbolic link |
||
|
Get a symbolic link |
|||
|
Object tagging |
Set object tags |
||
|
Get object tags |
|||
|
Delete object tags |
|||
|
Access control |
Set bucket ACL |
||
|
Get bucket ACL |
|||
|
Set object ACL |
|||
|
Get object ACL |
|||
|
Versioning |
Set versioning |
||
|
Get versioning status |
|||
|
List object versions |
|||
|
Cross-domain access |
Set CORS rules |
||
|
Get CORS rules |
|||
|
Delete CORS rules |
|||
|
Preflight request |
|||
|
System features |
Query endpoint information |