Object Storage Service: Use the AccessKey pair of a RAM user to initiate a request

Last Updated: Jul 28, 2023

You can grant permissions to a RAM user and use the AccessKey pair of the RAM user to access OSS resources. When you access OSS resources, we recommend that you use the AccessKey pair of a RAM user instead of the AccessKey pair of an Alibaba Cloud account to ensure higher access security.

Step 1: Create a RAM user

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • (Optional) Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.


    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select OpenAPI Access and click OK.

  6. Click Copy to save the AccessKey pair of the RAM user.

Step 2: Grant the RAM user the permissions to upload objects

  1. Create a custom policy to grant permissions to upload objects.

    1. In the left-side navigation pane, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab. Enter the policy document to grant the RAM user the permissions to upload objects to the exampledir directory of the examplebucket bucket. The following sample code shows how to grant the RAM user the permissions.


      The following example is for reference only. You must configure fine-grained RAM policies based on your requirements to avoid granting excessive permissions to users. For more information about how to configure fine-grained RAM policies, see the Example 9: Use RAM or STS to authorize users to access OSS resources section of the Common examples of RAM policies topic.

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "oss:PutObject",
                    "Resource": "acs:oss:*:*:examplebucket/exampledir/*"
                }
            ]
        }

    4. Click Next to edit policy information.

    5. In the Basic Information section, set Name to RamTestPolicy and click OK.

  2. Attach the custom policy to a RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user to which you want to attach the custom policy.

    3. On the Users page, click Add Permissions in the Actions column of the RAM user.

    4. In the Add Permissions panel, click the Custom Policy tab. Select the RamTestPolicy policy.

    5. Click OK.
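
The following Python sketch is an added example, not part of the original documentation or of any Alibaba Cloud tool. It lints a RAM policy document for the excessive grants that the note in Step 2 warns about and checks which requests the sample policy permits. The names lint, allows and BROAD_POLICY are hypothetical, BROAD_POLICY is a constructed counter-example, and the glob-style matching is a simplified model of RAM policy evaluation.

```python
import json
from fnmatch import fnmatchcase

# The policy from Step 2 of this page, as a complete JSON document.
PAGE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [{"Effect": "Allow", "Action": "oss:PutObject",
                 "Resource": "acs:oss:*:*:examplebucket/exampledir/*"}]
}""")

# Constructed counter-example: an over-broad grant of the kind to avoid.
BROAD_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "oss:*", "Resource": "acs:oss:*:*:*"}]}

def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Flag Allow statements that use wildcard actions or unscoped resources."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            # Text after "acs:oss:<region>:<account>:" is "<bucket>[/<object>]".
            bucket, _, obj = resource.split(":", 4)[-1].partition("/")
            if "*" in bucket:
                findings.append(f"statement {i}: {resource} matches any bucket")
            elif obj == "*":
                findings.append(f"statement {i}: {resource} covers a whole bucket")
    return findings

def allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        hit = (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed
```

Running lint on a policy before you attach it shows whether it stays scoped to a single directory, and allows confirms that the sample policy permits oss:PutObject under exampledir only.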

Step 3: Use the AccessKey pair of the RAM user to upload objects to OSS

The following Java code provides an example on how to upload an object named exampletest.txt from the D:\localpath path to the exampledir directory of a bucket named examplebucket:

import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.common.auth.*;
import com.aliyun.oss.model.PutObjectRequest;

import java.io.File;

public class RAMAccessKeySample {
    public static void main(String[] args) throws Exception {
        // Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to
        String endpoint = "yourEndpoint";

        // We recommend that you do not save access credentials in the project code. Otherwise, access credentials may be leaked. As a result, the security of all resources in your account is compromised. In this example, access credentials are obtained from the OSS_ACCESS_KEY_ID and OSS_ACCESS_KEY_SECRET environment variables. You need to configure these environment variables before you run the sample code.
        EnvironmentVariableCredentialsProvider credentialsProvider = CredentialsProviderFactory.newEnvironmentVariableCredentialsProvider();

        // Create an OSSClient instance.
        OSS ossClient = new OSSClientBuilder().build(endpoint, credentialsProvider);

        try {
            // Create a PutObjectRequest object.
            // Specify the bucket name such as examplebucket, the full path of the object such as exampledir/exampleobject.txt, and the full path of the local file that you want to upload. Do not include the bucket name in the full path.
            // By default, if you do not specify the path of the local file, the file is uploaded from the local path of the project to which the sample program belongs.
            PutObjectRequest putObjectRequest = new PutObjectRequest("examplebucket", "exampledir/exampleobject.txt", new File("D:\\localpath\\examplefile.txt"));

            // The following code provides an example on how to set the storage class and the access control list (ACL) of the object.
            // ObjectMetadata metadata = new ObjectMetadata();
            // metadata.setHeader(OSSHeaders.OSS_STORAGE_CLASS, StorageClass.Standard.toString());
            // metadata.setObjectAcl(CannedAccessControlList.Private);
            // putObjectRequest.setMetadata(metadata);

            // Upload the local file.
            ossClient.putObject(putObjectRequest);
        } finally {
            // Shut down the OSSClient instance, even if the upload fails.
            ossClient.shutdown();
        }
    }
}

For more information about examples on OSS SDKs for other programming languages, see the following topics:

For more information about how to obtain the URL after the object is uploaded, see How do I obtain the URL of a single object or the URLs of multiple objects?