Create an Object Storage Service (OSS) bucket in a specified region using the ossutil api put-bucket command. By default, new buckets use Standard storage, locally redundant storage (LRS), and private access control list (ACL).
Since October 13, 2025 (10:00 UTC+8), new buckets created through the API, SDKs, or ossutil have Block Public Access enabled by default. Public ACLs (public-read, public-read-write) and bucket policies that grant public access are blocked. To allow public access, disable Block Public Access after the bucket is created. This change is rolling out in phases across all regions. For the rollout schedule, see Block Public Access rollout schedule.
Prerequisites
ossutil is installed and configured with a valid endpoint and credentials
An active Alibaba Cloud account with the
oss:PutBucketpermission
Synopsis
ossutil api put-bucket
--bucket <bucket-name>
[--acl <value>]
[--create-bucket-configuration <value>]
[--resource-group-id <value>]| Flag | Required | Description |
|---|---|---|
--bucket | Yes | Bucket name (3-63 characters, lowercase letters, digits, hyphens) |
--acl | No | Access control: private (default), public-read, public-read-write |
--create-bucket-configuration | No | Storage class and redundancy type (inline JSON, inline XML, or file:// path) |
--resource-group-id | No | Resource group to assign the bucket to |
Examples
Create a bucket with default settings
ossutil api put-bucket --bucket examplebucketOn success, the command returns HTTP 200. Verify the bucket exists:
ossutil ls oss://examplebucketAn empty listing with no error confirms the bucket is ready.
Create an Infrequent Access bucket with zone-redundant storage
ossutil api put-bucket --bucket examplebucket \
--create-bucket-configuration '{"StorageClass":"IA","DataRedundancyType":"ZRS"}'The bucket is created with IA storage class and zone-redundant storage (ZRS).
Load configuration from a JSON file
Create a file named
bucket-config.json:{ "StorageClass": "IA", "DataRedundancyType": "ZRS" }Run the command:
ossutil api put-bucket --bucket examplebucket \ --create-bucket-configuration file://bucket-config.json
Load configuration from an XML file
Create a file named
bucket-config.xml:<?xml version="1.0" encoding="UTF-8"?> <CreateBucketConfiguration> <StorageClass>Archive</StorageClass> <DataRedundancyType>LRS</DataRedundancyType> </CreateBucketConfiguration>Run the command:
ossutil api put-bucket --bucket examplebucket \ --create-bucket-configuration file://bucket-config.xml
Set the ACL and assign a resource group
ossutil api put-bucket --bucket examplebucket \
--acl private \
--resource-group-id rg-123 \
--create-bucket-configuration '{"StorageClass":"Standard","DataRedundancyType":"LRS"}'Parameters
--bucket string (required)
The bucket name. Names must meet all of the following rules:
3 to 63 characters long
Contains only lowercase letters, digits, and hyphens (
-)Starts and ends with a lowercase letter or digit
No consecutive hyphens
Bucket names are globally unique across all OSS users. If the name is taken by another account, the command returns BucketAlreadyExists.
--acl string (optional)
The access control list for the bucket. Defaults to private.
| Value | Description |
|---|---|
private (default) | Only the bucket owner can read and write objects |
public-read | Anyone can read objects; only the owner can write |
public-read-write | Anyone can read and write objects |
If Block Public Access is enabled, settingpublic-readorpublic-read-writereturns an error.
--create-bucket-configuration string (optional)
The storage class and redundancy type. Accepts an inline JSON string, an inline XML string, or a file path prefixed with file://.
| Field | Type | Valid values | Default |
|---|---|---|---|
StorageClass | string | Standard, IA (Infrequent Access), Archive, ColdArchive (Cold Archive), DeepColdArchive (Deep Cold Archive) | Standard |
DataRedundancyType | string | LRS (locally redundant storage), ZRS (zone-redundant storage) | LRS |
Inline JSON:
{
"StorageClass": "Standard",
"DataRedundancyType": "LRS"
}Inline XML:
<?xml version="1.0" encoding="UTF-8"?>
<CreateBucketConfiguration>
<StorageClass>Standard</StorageClass>
<DataRedundancyType>LRS</DataRedundancyType>
</CreateBucketConfiguration>From a file:
--create-bucket-configuration file://bucket-config.json
--create-bucket-configuration file://bucket-config.xml--resource-group-id string (optional)
The resource group to assign the bucket to. If omitted, the bucket is added to the default resource group.
Output
Returns HTTP 200 with an empty response body on success. The bucket is immediately available -- upload objects and configure additional settings without delay.
Limitations
Each Alibaba Cloud account can create up to 100 buckets per region.
Each region has its own endpoint. For the full list, see Regions and endpoints.
Idempotency
put-bucket is not idempotent. Calling the command with a bucket name that already exists returns one of the following errors:
| Scenario | Error code |
|---|---|
| Bucket is owned by your account | BucketAlreadyOwnedByYou |
| Bucket is owned by a different account | BucketAlreadyExists |
Do not retry on either error. Choose a different bucket name instead. In scripts, check the exit code and error message before retrying any operation.
Permissions
An Alibaba Cloud account has full permissions by default. RAM users and RAM roles have no permissions by default. Grant access through a RAM policy or bucket policy.
| Action | Required for |
|---|---|
oss:PutBucket | Creating the bucket |
oss:PutBucketAcl | Setting --acl during creation, or modifying the ACL after creation |
Minimal RAM policy:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:PutBucket",
"oss:PutBucketAcl"
],
"Resource": "acs:oss:*:*:*"
}
]
}Replace * in the resource ARN with a specific bucket name (for example, acs:oss:*:*:examplebucket) to restrict access to that bucket.
Common errors
| Error code | Cause | Resolution |
|---|---|---|
BucketAlreadyExists | The bucket name is taken by a different account | Choose a different bucket name |
BucketAlreadyOwnedByYou | The bucket already exists in your account | No action needed. The bucket is ready to use |
InvalidBucketName | The bucket name violates naming rules | Review the naming rules under the --bucket parameter |
TooManyBuckets | Your account reached the 100-bucket-per-region limit | Delete unused buckets or submit a quota increase request |
AccessDenied | The RAM user or role lacks the required permissions | Attach a RAM policy that grants oss:PutBucket |
InvalidArgument | An unsupported ACL value was specified with Block Public Access enabled | Disable Block Public Access or use private ACL |
What's next
Upload an object -- Add objects to the bucket.
Regions and endpoints -- Look up the correct endpoint for your bucket's region.
Block Public Access -- Configure or disable Block Public Access on an existing bucket.
RAM policy overview -- Create and attach RAM policies to control access to buckets and objects.