You can grant permissions to a RAM user and use the AccessKey pair of the RAM user to access OSS resources. When you access OSS resources, we recommend that you use the AccessKey pair of a RAM user instead of an Alibaba Cloud account to ensure higher access security.
Step 1: Create a RAM user
Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.
In the left-side navigation pane, choose .
On the Users page, click Create User.
In the User Account Information section of the Create User page, configure the following parameters:
Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
Display Name: The display name can be up to 128 characters in length.
Tag: Click the icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note: You can click Add User to create multiple RAM users at a time.
In the Access Mode section, select OpenAPI Access, and then click OK.
Click Copy to save the AccessKey pair (AccessKey ID and AccessKey Secret).
Step 2: Grant the RAM user the permissions to upload objects
Create a custom policy to grant the RAM user the permissions to upload objects.
In the left navigation bar, select .
Click Create Policy.
On the Create Policy page, click Edit Script, and then enter the following script in the policy editor. The script is an example that grants the RAM user the permissions to upload objects to the exampledir directory in the examplebucket bucket.
Warning: The following policy document is provided only for reference. You must configure fine-grained RAM policies based on your requirements to avoid granting excessive permissions to users. For more information about how to configure fine-grained RAM policies, see Authorize other users to access OSS resources by using RAM or STS.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "oss:PutObject",
      "Resource": "acs:oss:*:*:examplebucket/exampledir/*"
    }
  ]
}
After you configure the policy, click Continue To Edit Basic Information.
In the Basic Information section, set the policy Name to RamTestPolicy, and then click OK.
Attach the custom policy to a RAM user.
In the left navigation bar, select .
On the Users page, find the RAM user.
Click Add Permissions in the Actions column corresponding to the RAM user.
On the Add Permissions page, click the Custom Policy tab, and then select the custom policy RamTestPolicy that you created.
Click OK.
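The scope of the Step 2 policy, checked in code (an added example, not part of the original page and not Alibaba Cloud's code): a simplified Python model of statement matching that confirms the policy allows oss:PutObject only under examplebucket/exampledir/ and flags wildcard grants of the kind the warning in Step 2 describes. The helper names, the region and account ID in oss_arn, and the matching rules (only * as a wildcard, an explicit Deny wins, Condition is not modelled) are assumptions for illustration.

```python
import json
import re

# Policy document copied from Step 2 of this page.
PAGE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": "oss:PutObject",
    "Resource": "acs:oss:*:*:examplebucket/exampledir/*"
  }]
}""")

def oss_arn(path):
    # Constructed region and account ID, for illustration only.
    return "acs:oss:oss-cn-hangzhou:1234567890123456:" + path

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # Assumption: "*" is the only wildcard and matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _hits(stmt, action, resource):
    return (any(_matches(a, action) for a in _as_list(stmt["Action"]))
            and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))

def is_allowed(policy, action, resource):
    # Simplified model: an explicit Deny wins, otherwise any matching Allow
    # grants access, otherwise the request is denied. Condition is ignored.
    matched = [s["Effect"] for s in policy["Statement"] if _hits(s, action, resource)]
    return "Deny" not in matched and "Allow" in matched

def broad_statements(policy):
    # Indexes of Allow statements that grant every OSS action or every resource.
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        wide_action = any(a in ("*", "oss:*") for a in _as_list(stmt["Action"]))
        wide_resource = any(r in ("*", "acs:oss:*:*:*") for r in _as_list(stmt["Resource"]))
        if stmt["Effect"] == "Allow" and (wide_action or wide_resource):
            findings.append(i)
    return findings

if __name__ == "__main__":
    for path in ("examplebucket/exampledir/exampleobject.txt", "examplebucket/otherdir/a.txt"):
        print(path, is_allowed(PAGE_POLICY, "oss:PutObject", oss_arn(path)))
    print("broad statements:", broad_statements(PAGE_POLICY))
```

Running the same checks against a policy before you attach it shows whether a credential leak would expose more than the upload directory.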
Step 3: Use the AccessKey pair of the RAM user to upload objects to OSS
The following Java code provides an example on how to upload the local file examplefile.txt to the exampleobject.txt object in the exampledir directory of the examplebucket bucket.
import com.aliyun.oss.ClientBuilderConfiguration;
import com.aliyun.oss.ClientException;
import com.aliyun.oss.OSS;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.common.comm.SignVersion;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.OSSException;
import com.aliyun.oss.model.PutObjectRequest;
import com.aliyun.oss.model.PutObjectResult;
import java.io.File;

public class Demo {
    public static void main(String[] args) throws Exception {
        // In this example, the endpoint of the China (Hangzhou) region is used. Specify your actual endpoint.
        String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
        // Obtain access credentials from environment variables. Before you run the sample code, make sure that the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables are configured.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();
        // Specify the name of the bucket. Example: examplebucket.
        String bucketName = "examplebucket";
        // Specify the full path of the object. Do not include the bucket name in the full path. Example: exampledir/exampleobject.txt.
        String objectName = "exampledir/exampleobject.txt";
        // Specify the full path of the local file that you want to upload. Example: D:\\localpath\\examplefile.txt.
        // By default, if the path of the local file is not specified, the local file is uploaded from the path of the project to which the sample program belongs.
        String filePath = "D:\\localpath\\examplefile.txt";
        // Specify the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the region to cn-hangzhou.
        String region = "cn-hangzhou";

        // Create an OSSClient instance that signs requests with the V4 signature algorithm.
        ClientBuilderConfiguration clientBuilderConfiguration = new ClientBuilderConfiguration();
        clientBuilderConfiguration.setSignatureVersion(SignVersion.V4);
        OSS ossClient = OSSClientBuilder.create()
                .endpoint(endpoint)
                .credentialsProvider(credentialsProvider)
                .clientConfiguration(clientBuilderConfiguration)
                .region(region)
                .build();

        try {
            // Create a PutObjectRequest object.
            PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, objectName, new File(filePath));
            // The following sample code provides an example on how to specify the storage class and ACL of an object when you upload the object:
            // ObjectMetadata metadata = new ObjectMetadata();
            // metadata.setHeader(OSSHeaders.OSS_STORAGE_CLASS, StorageClass.Standard.toString());
            // metadata.setObjectAcl(CannedAccessControlList.Private);
            // putObjectRequest.setMetadata(metadata);

            // Upload the local file.
            PutObjectResult result = ossClient.putObject(putObjectRequest);
        } catch (OSSException oe) {
            System.out.println("Caught an OSSException, which means your request made it to OSS, "
                    + "but was rejected with an error response for some reason.");
            System.out.println("Error Message:" + oe.getErrorMessage());
            System.out.println("Error Code:" + oe.getErrorCode());
            System.out.println("Request ID:" + oe.getRequestId());
            System.out.println("Host ID:" + oe.getHostId());
        } catch (ClientException ce) {
            System.out.println("Caught an ClientException, which means the client encountered "
                    + "a serious internal problem while trying to communicate with OSS, "
                    + "such as not being able to access the network.");
            System.out.println("Error Message:" + ce.getMessage());
        } finally {
            // Release the client's resources whether or not the upload succeeded.
            if (ossClient != null) {
                ossClient.shutdown();
            }
        }
    }
}
For more information about examples on OSS SDKs for other programming languages, see the following topics:
FAQ
How do I view the AccessKey pair of a RAM user? Can I view the previous AccessKey Secret?
How do I troubleshoot the AccessDenied error that occurs when I use the AccessKey pair of a RAM user to upload objects?
How do I query the specific error type when an error occurs?
How do I resolve the NoSuchBucket error?
How do I resolve the "The bucket you are attempting to access must be addressed using the specified endpoint." error?
References
After you upload objects to OSS, you can share the objects with third-party users for preview or download by using signed URLs. For more information, see Use a signed URL to download an object.