OSS data retention policies use the Write Once, Read Many (WORM) attribute. Once set, no user — including the bucket owner — can modify or delete objects until the retention period expires. Before the retention period expires, objects are read-only. After it expires, objects can be modified or deleted.
Read Retention policies before configuring this feature.
Policy states
A retention policy has two states that determine which operations are permitted:
| State | Description | Permitted operations |
|---|---|---|
InProgress (unlocked) | Policy is created but not yet locked. | Upload, read, cancel |
Locked | Policy is permanently locked for compliance. Cannot be canceled or shortened. | Upload, read, extend retention period (increase only) |
Key constraint: Once locked, a policy cannot be canceled and its retention period cannot be shortened. Lock only when you are ready for full compliance enforcement.
Prerequisites
Before you begin, make sure you have:
An OSS bucket
The
OSS_ACCESS_KEY_IDandOSS_ACCESS_KEY_SECRETenvironment variables set with valid access credentials
Create a data retention policy
Creates a new retention policy in InProgress state. The response includes a worm ID that you use for subsequent lock and extend operations.
const OSS = require('ali-oss');
const client = new OSS({
// Region where the bucket is located, for example: oss-cn-hangzhou
region: '<region-id>',
// Read access credentials from environment variables
accessKeyId: process.env.OSS_ACCESS_KEY_ID,
accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
authorizationV4: true,
bucket: '<bucket-name>',
});
async function initiateBucketWorm() {
// Specify the retention period in days
const days = '<retention-days>';
const res = await client.initiateBucketWorm('<bucket-name>', days);
// Save the worm ID — you need it to lock or extend the policy
console.log(res.wormId);
}
initiateBucketWorm();Parameters:
| Parameter | Description | Example |
|---|---|---|
<region-id> | Region where the bucket is located | oss-cn-hangzhou |
<bucket-name> | Name of your OSS bucket | my-bucket |
<retention-days> | Retention period in days | 365 |
Return value:
| Field | Type | Description |
|---|---|---|
res.wormId | string | Unique identifier for the retention policy. Save this value to use in lock and extend operations. |
Cancel a data retention policy
Cancels an InProgress (unlocked) retention policy. This operation is only available before the policy is locked — locked policies cannot be canceled.
const OSS = require('ali-oss');
const client = new OSS({
region: '<region-id>',
accessKeyId: process.env.OSS_ACCESS_KEY_ID,
accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
authorizationV4: true,
bucket: '<bucket-name>',
});
async function abortBucketWorm() {
try {
await client.abortBucketWorm('<bucket-name>');
console.log('Policy canceled.');
} catch (err) {
console.log(err);
}
}
abortBucketWorm();Lock a data retention policy
Locks the retention policy, putting it into full compliance mode. Requires the worm ID returned when the policy was created.
Locking is irreversible. A locked policy cannot be canceled, and its retention period cannot be shortened.
const OSS = require('ali-oss');
const client = new OSS({
region: '<region-id>',
accessKeyId: process.env.OSS_ACCESS_KEY_ID,
accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
authorizationV4: true,
bucket: '<bucket-name>',
});
async function completeBucketWorm() {
try {
await client.completeBucketWorm('<bucket-name>', '<worm-id>');
console.log('Policy locked.');
} catch (err) {
console.log(err);
}
}
completeBucketWorm();Parameters:
| Parameter | Description |
|---|---|
<worm-id> | Worm ID returned by initiateBucketWorm |
Get a data retention policy
Retrieves the current retention policy, including its state and retention period.
const OSS = require('ali-oss');
const client = new OSS({
region: '<region-id>',
accessKeyId: process.env.OSS_ACCESS_KEY_ID,
accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
authorizationV4: true,
bucket: '<bucket-name>',
});
async function getBucketWorm() {
try {
const res = await client.getBucketWorm('<bucket-name>');
console.log(res.wormId); // Policy ID
console.log(res.state); // "InProgress" (unlocked) or "Locked"
console.log(res.days); // Retention period in days
} catch (err) {
console.log(err);
}
}
getBucketWorm();Return values:
| Field | Type | Description |
|---|---|---|
res.wormId | string | Unique identifier for the retention policy |
res.state | string | "InProgress" — unlocked; "Locked" — locked for compliance |
res.days | number | Retention period in days |
Extend the retention period
Extends the retention period of a locked policy. The new period must be longer than the current period — decreasing the retention period is not supported.
This operation applies only to locked policies. To modify an unlocked policy's retention period, cancel it and create a new one.
const OSS = require('ali-oss');
const client = new OSS({
region: '<region-id>',
accessKeyId: process.env.OSS_ACCESS_KEY_ID,
accessKeySecret: process.env.OSS_ACCESS_KEY_SECRET,
authorizationV4: true,
bucket: '<bucket-name>',
});
async function extendBucketWorm() {
try {
// The new value must be greater than the current retention period
const res = await client.extendBucketWorm('<bucket-name>', '<worm-id>', '<new-retention-days>');
console.log(res);
} catch (err) {
console.log(err);
}
}
extendBucketWorm();Parameters:
| Parameter | Description |
|---|---|
<worm-id> | Worm ID of the locked policy |
<new-retention-days> | New retention period in days — must be greater than the current value |