How to use Amazon S3 SDKs to access OSS - Object Storage Service

Object Storage Service (OSS) provides API operations that are compatible with Amazon Simple Storage Service (Amazon S3). After you migrate your data from Amazon S3 to OSS, you can make your client applications compatible with OSS by using simple configurations. This topic describes how to use Amazon S3 SDKs for different development platforms to initialize configurations and use Amazon S3 SDK API operations to access OSS resources.

Prerequisites

A RAM user is created and an AccessKey pair is obtained. For more information, see Create a RAM user.
System permissions or custom permissions are granted to the RAM user.
- System permissions
  You can attach the AliyunOSSFullAccess policy or the AliyunOSSReadOnlyAccess policy to the RAM user.
- Custom permissions
  You can attach custom RAM policies to the RAM user to implement fine-grained OSS permission control based on business scenarios. For more information, see Common examples of RAM policies.
A client application that integrates Amazon S3 SDKs is created and runs as expected.

Limits

Only public and internal endpoints that are compatible with Amazon S3 SDKs can be used to access an OSS bucket by using Amazon S3 SDKs.

Background information

In this example, the China (Hong Kong) region is used. The S3-compatible public endpoint is s3.oss-cn-hongkong.aliyuncs.com, and the S3-compatible internal endpoint is s3.oss-cn-hongkong-internal.aliyuncs.com. If you want to use the endpoints of another region, replace the region ID in the endpoints. For more information about regions and their endpoints, see Regions and endpoints.

Amazon S3 SDK for Java

Version 1.x

In the following examples, Amazon S3 SDK for Java 1.11.609 is used. The following sample code provides examples on how to initialize an s3Client instance.

Initialize an s3Client instance by reading temporary access credentials from the code

// Specify environment variables to pass temporary access credentials. 
        String accessKeyId = System.getenv().get("OSS_AccessKeyId");;
        String accessKeySecret = System.getenv().get("OSS_AccessKeySecret");;
        String sessionToken = System.getenv().get("OSS_SessionToken");;
        AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(new BasicSessionCredentials(accessKeyId, accessKeySecret, sessionToken)))
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
                        "https://oss-cn-hongkong.aliyuncs.com",
                        ""))
                .withPathStyleAccessEnabled(false)
                .withChunkedEncodingDisabled(true)
                .build();

Initialize an s3Client instance by reading temporary access credentials from a configuration file

Configure the temporary access credentials in the configuration file in ~/.aws/credentials.

[default]
aws_access_key_id = [OSS_AccessKeyId]
aws_secret_access_key = [OSS_AccessKeySecret]
aws_secret_sessiontoken = [OSS_SessionToken]

Initialize an s3Client instance.

AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
        .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
                "https://oss-cn-hongkong.aliyuncs.com",
                ""))
        .withPathStyleAccessEnabled(false)
        .withChunkedEncodingDisabled(true)
        .build();

Version 2.x

In the following example, Amazon S3 SDK for Java 2.17.201 is used. The following sample code provides an example on how to initialize an s3Client instance:

// Specify environment variables to pass temporary access credentials. 
        String accessKeyId = System.getenv().get("OSS_AccessKeyId");;
        String accessKeySecret = System.getenv().get("OSS_AccessKeySecret");;
        String sessionToken = System.getenv().get("OSS_SessionToken");;
        S3Client s3 = S3Client.builder()
                .credentialsProvider(StaticCredentialsProvider.create(AwsSessionCredentials.create(accessKeyId, accessKeySecret, sessionToken)))
                .region(Region.AWS_GLOBAL)
                .endpointOverride(URI.create("http://s3.oss-us-west-1.aliyuncs.com"))
                .serviceConfiguration(S3Configuration.builder()
                        .pathStyleAccessEnabled(false)
                        .chunkedEncodingEnabled(false)
                        .build())
                .build();

Python SDK

In the following example, Amazon S3 SDK for Python 1.9.205 is used. The following sample code provides an example on how to initialize an s3Client instance:

import boto3
import os
from botocore.config import Config

endpoint = 'https://oss-cn-hongkong.aliyuncs.com'
# Specify environment variables to pass temporary access credentials. 
access_key_id = os.getenv('OSS_AccessKeyId')
secret_access_key = os.getenv('OSS_AccessKeySecret')
session_token = os.getenv('OSS_SessionToken')

s3 = boto3.client(
    's3',
    aws_access_key_id=access_key_id,
    aws_secret_access_key=secret_access_key,
    aws_session_token=session_token,
    endpoint_url=endpoint,
    config=Config(s3={"addressing_style": "virtual", "signature_version": 's3v4'}))

Amazon S3 SDK for PHP

In the following example, Amazon S3 SDK for PHP 3.109.3 is used. The following steps describe how to initialize an s3Client instance.

Modify the AWS configuration file and certificate file.
The following example shows how to initialize configurations in Linux:
1. Add the following configuration information to the configuration file in ~/.aws/config:
```
[default]
s3 =
addressing_style = virtual
```
2. Configure the temporary access credentials in the configuration file in ~/.aws/credentials.
```
[default]
aws_access_key_id = [OSS_AccessKeyId]
aws_secret_access_key = [OSS_AccessKeySecret]
aws_secret_sessiontoken = [OSS_SessionToken]
```

Initialize an s3Client instance.

<?php
require_once __DIR__ . '/vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\Credentials;
use Aws\S3\S3Client;

$provider = CredentialProvider::fromCredentials(new Credentials(
    getenv('OSS_ACCESS_KEY_ID'),
    getenv('OSS_ACCESS_KEY_SECRET'),
    getenv('OSS_SESSION_TOKEN')
));

// Create an s3Client instance. 
$s3Client = new S3Client([
    'region' => 'oss-cn-hangzhou',
    'version' => '2006-03-01',
    'endpoint' => 'http://oss-cn-hangzhou.aliyuncs.com',
    'credentials' => $provider
]);

Node.js SDK

In the following example, Amazon S3 SDK for Node.js 2.509.0 is used. The following sample code provides an example on how to initialize an s3Client instance:

const S3 = require("@aws-sdk/client-s3");

const { S3Client, PutObjectCommand } = S3;

// Initialize the s3Client instance. 
const region = "oss-cn-chengdu";
const s3Client = new S3Client({
  region,
  endpoint: `https://${region}.aliyuncs.com`,
  credentials: {
    accessKeyId: process.env.AccessKeyId,
    secretAccessKey: process.env.AccessKeySecret,
    sessionToken: process.env.SecurityToken,
  },
});

// Use the an s3Client instance to perform operations, such as uploading objects. 
async function uploadObject() {
  const command = new PutObjectCommand({
    // Specify the name of the bucket. 
    Bucket: "yourbucket", 
    // Specify the full paths of the object and the local file. Do not include the bucket name in the full path of the object. 
    Key: "file.txt",
    // Specify the object content or buffer. 
    Body: "Hello from AWS SDK v3!",
  });

  try {
    const response = await s3Client.send(command);
    console.log("Object uploaded successfully", response);
  } catch (error) {
    console.error("Error uploading object:", error);
  }
}

uploadObject();

.NET SDK

In the following example, Amazon S3 SDK for .NET 3.3.104.12 is used. The following sample code provides an example on how to initialize an s3Client instance:

string sAccessKeyId = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_ID");
string sAccessKeySecret = Environment.GetEnvironmentVariable("OSS_ACCESS_KEY_SECRET");
string sToken = Environment.GetEnvironmentVariable("OSS_SESSION_TOKEN");
string endpoint = "https://oss-cn-hangzhou.aliyuncs.com";

var config = newAmazonS3Config(){ServiceURL=endpoint};
var client = new AmazonS3Client(sAccessKeyId, sAccessKeySecret, sToken, config);

Android SDK

Important

A mobile device is used in various environments. It is highly risky to store a permanently valid AccessKey pair on a mobile device to sign requests. We recommend that you use Security Token Service (STS) to obtain temporary access credentials. For more information, see Use temporary credentials provided by STS to access OSS.

In the following example, Amazon S3 SDK for Android 2.14.2 is used. The following sample code provides an example on how to initialize an s3Client instance:

AmazonS3Client s3 = new AmazonS3Client(new AWSCredentialsProvider() {
    @Override
    public AWSCredentials getCredentials() {
         // Obtain the temporary access credentials from STS. 
        return new BasicSessionCredentials(
                "StsToken.AccessKeyId", "StsToken.SecretKeyId", "StsToken.SecurityToken"
        );
    }

    @Override
    public void refresh() {
        //
    }
});
// Specify an endpoint. 
s3.setEndpoint("oss-cn-hongkong.aliyuncs.com");

Amazon S3 SDK for iOS

Important

In the following example, Amazon S3 SDK for iOS 2.10.2 is used. The following steps describe how to initialize an s3Client instance.

Implement the AWSCredentialsProvider protocol.

-(AWSTask<AWSCredentials *> *)credentials{
    // Obtain the temporary access credentials from STS. 
    AWSCredentials *credential = [[AWSCredentials alloc]initWithAccessKey:@"StsToken.AccessKeyId" secretKey:@"StsToken.SecretKeyId" sessionKey:@"StsToken.SecurityToken" expiration:[NSDate dateWithTimeIntervalSince1970:1565770577]];

    return [AWSTask taskWithResult:credential];

}

- (void)invalidateCachedTemporaryCredentials{

}

Initialize an instance.

NSURL* bucketURL = [NSURL URLWithString:@"https://oss-cn-hongkong.aliyuncs.com"];

AWSEndpoint* endpoint = [[AWSEndpoint alloc] initWithRegion:AWSRegionUnknown service:AWSServiceS3 URL:bucketURL];
AWSServiceConfiguration* configuration = [[AWSServiceConfiguration alloc]
    initWithRegion:AWSRegionUSEast2 endpoint:endpoint
    credentialsProvider:[MyCredentialProvider new]];

[[AWSServiceManager defaultServiceManager] setDefaultServiceConfiguration:configuration];

Amazon S3 SDK for Go

Version 1.x

In the following example, Amazon S3 SDK for Go 1.21.9 is used. The following sample code provides an example on how to initialize an s3Client instance:

package main

import (
  "fmt"
  "github.com/aws/aws-sdk-go/aws"
  "github.com/aws/aws-sdk-go/aws/credentials"
  "github.com/aws/aws-sdk-go/aws/session"
  "github.com/aws/aws-sdk-go/service/s3"
  "log"
  "os"
)

func main() {
  sess, _ := newSession()
  service := s3.New(sess)

  bucket := "demo-bucket"

  key := "demo"
  result, err := service.GetObject(&s3.GetObjectInput{
    Bucket: aws.String(bucket),
    Key:    aws.String(key),
  })

  if err != nil {
    log.Printf("LoadDefaultConfig error: %v", err)
    return
  }

  fmt.Printf("result:%#v\n", result)
}

func newSession() (*session.Session, error) {
  accessID := os.Getenv("OSS_ACCESS_KEY_ID")
  accessKey := os.Getenv("OSS_ACCESS_KEY_SECRET")
  token := os.Getenv("OSS_SESSION_TOKEN")
  creds := credentials.NewStaticCredentials(accessID, accessKey, token)
  region := "oss-cn-hangzhou"
  endpoint := "https://oss-cn-hangzhou.aliyuncs.com"
  config := &aws.Config{
    Region:           aws.String(region),
    Endpoint:         &endpoint,
    S3ForcePathStyle: aws.Bool(false),
    Credentials:      creds,
  }
  return session.NewSession(config)
}

Version 2.x

In the following example, Amazon S3 SDK for Go 2.x is used. The following sample code provides an example on how to initialize an s3Client instance:

package main

import (
  "context"
  "fmt"
  "github.com/aws/aws-sdk-go-v2/aws"
  awsconfig "github.com/aws/aws-sdk-go-v2/config"
  "github.com/aws/aws-sdk-go-v2/credentials"
  "github.com/aws/aws-sdk-go-v2/service/s3"
  "log"
  "os"
)

func main() {

  // Specify the name of the bucket. 
  bucketName := "demo-bucket"
  // Specify the full path of the object. Do not include the bucket name in the full path. 
  fileName := "demo.go"
  customResolver := aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
    return aws.Endpoint{
      PartitionID:   "oss",
      URL:           "https://oss-cn-hangzhou.aliyuncs.com",
      SigningRegion: "cn-hangzhou",
    }, nil
  })

  envCredential, err := NewEnvironmentVariableCredentials()
  if err != nil {
    log.Printf("error: %v", err)
    return
  }
  provider := NewAwsS3Provider(envCredential)
  cfg, err := awsconfig.LoadDefaultConfig(context.TODO(), awsconfig.WithCredentialsProvider(provider), awsconfig.WithEndpointResolverWithOptions(customResolver))

  if err != nil {
    log.Printf("LoadDefaultConfig error: %v", err)
    return
  }
  awsS3Client := s3.NewFromConfig(cfg)
  //fp, _ := os.Open(fileName)
  //defer fp.Close()
  result, err := awsS3Client.GetObject(context.TODO(), &s3.GetObjectInput{
    Bucket: aws.String(bucketName),
    Key:    aws.String(fileName),
  })
  if err != nil {
    log.Printf("GetObject error: %v", err)
    return
  }
  fmt.Printf("result:%#v\n", result)
}

type Credentials struct {
  AccessKeyId     string
  AccessKeySecret string
  SecurityToken   string
}

func (credentials *Credentials) GetAccessKeyID() string {
  return credentials.AccessKeyId
}

func (credentials *Credentials) GetAccessKeySecret() string {
  return credentials.AccessKeySecret
}

func (credentials *Credentials) GetSecurityToken() string {
  return credentials.SecurityToken
}

func NewAwsS3Provider(credential *Credentials) credentials.StaticCredentialsProvider {
  return credentials.StaticCredentialsProvider{
    Value: aws.Credentials{
      AccessKeyID:     credential.AccessKeyId,
      SecretAccessKey: credential.AccessKeySecret,
      SessionToken:    credential.SecurityToken,
    },
  }
}

func NewEnvironmentVariableCredentials() (*Credentials, error) {
  var envCredential *Credentials
  accessID := os.Getenv("OSS_ACCESS_KEY_ID")
  if accessID == "" {
    return envCredential, fmt.Errorf("access key id is empty!")
  }
  accessKey := os.Getenv("OSS_ACCESS_KEY_SECRET")
  if accessKey == "" {
    return envCredential, fmt.Errorf("access key secret is empty!")
  }
  token := os.Getenv("OSS_SESSION_TOKEN")
  envCredential = &Credentials{
    AccessKeyId:     accessID,
    AccessKeySecret: accessKey,
    SecurityToken:   token,
  }

  return envCredential, nil
}

Amazon S3 SDK for C++

In the following example, AWS S3 SDK for C++ 1.7.68 is used. The following sample code provides an example on how to initialize configurations.

Modify the AWS configuration file and certificate file.
The following example shows how to initialize configurations in Linux:
1. Add the following configuration information to the configuration file in ~/.aws/config:
```
[default]
s3 =
addressing_style = virtual
```
2. Specify the AccessKey pair in the certificate file that is stored in ~/.aws/credentials.
```
[default]
aws_access_key_id = [OSS_AccessKeyId]
aws_secret_access_key = [OSS_AccessKeySecret]
aws_secret_sessiontoken = [OSS_SessionToken]
```

Specify an endpoint.

Aws::Client::ClientConfiguration awsCC;
awsCC.scheme = Aws::Http::Scheme::HTTP;
awsCC.region = "oss-cn-hongkong";
awsCC.endpointOverride = "oss-cn-hongkong.aliyuncs.com";
Aws::S3::S3Client s3_client(awsCC);