Use ALIYUN::OSS::Bucket to create an OSS bucket.
Syntax
{
  "Type": "ALIYUN::OSS::Bucket",
  "Properties": {
    "AccessControl": String,
    "RefererConfiguration": Map,
    "ServerSideEncryptionConfiguration": Map,
    "CORSConfiguration": Map,
    "Tags": Map,
    "LoggingConfiguration": Map,
    "LifecycleConfiguration": Map,
    "StorageClass": String,
    "DeletionForce": Boolean,
    "Policy": Map,
    "BucketName": String,
    "RedundancyType": String,
    "VersioningConfiguration": Map,
    "ResourceGroupId": String,
    "EnableOssHdfsService": Boolean,
    "WebsiteConfigurationV2": Map,
    "BlockPublicAccess": Boolean
  }
}
Properties
Property | Type | Required | Update allowed | Description | Constraints |
BucketName | String | Yes | No | The name of the bucket. | The name must be 3 to 63 characters in length. It must start and end with a lowercase letter or a digit, and can contain lowercase letters, digits, and hyphens (-). Note: The name must be globally unique. You can use AutoCompleteInput in AssociationProperty to automatically generate a random string. For more information, see How do I control the length of a random string? |
AccessControl | String | No | Yes | The access permissions. | Valid values:
|
CORSConfiguration | Map | No | Yes | The cross-origin request configuration. | For more information, see CORSConfiguration properties. |
DeletionForce | Boolean | No | Yes | Specifies whether to force delete files in the OSS bucket. | Valid values:
|
EnableOssHdfsService | Boolean | No | Yes | Specifies whether to enable the OSS-HDFS service. | Valid values:
|
BlockPublicAccess | Boolean | No | Yes | Specifies whether to enable Block Public Access for the bucket. | Valid values:
|
LifecycleConfiguration | Map | No | Yes | The file lifecycle configuration. | For more information, see LifecycleConfiguration properties. |
LoggingConfiguration | Map | No | No | The log storage configurations. | For more information, see LoggingConfiguration properties. |
Policy | Map | No | Yes | The bucket policy. | For more information, see Common examples of bucket policies. |
RedundancyType | String | No | No | The data redundancy type of the bucket. | Valid values:
|
RefererConfiguration | Map | No | Yes | The hotlink protection configuration. | For more information, see RefererConfiguration properties. |
ResourceGroupId | String | No | No | The ID of the resource group. | None |
ServerSideEncryptionConfiguration | Map | No | Yes | The server-side encryption rule configuration. | For more information, see ServerSideEncryptionConfiguration properties. |
StorageClass | String | No | No | The storage class of the bucket. | Valid values:
|
Tags | Map | No | Yes | The tags of the bucket. A tag is a key-value pair. | You can add up to 20 tags. A key must be 1 to 64 characters in length and cannot start with A value can be 0 to 128 characters in length and must be in UTF-8. |
VersioningConfiguration | Map | No | Yes | The container that stores the versioning status. | For more information, see VersioningConfiguration properties. |
WebsiteConfigurationV2 | Map | No | No | The website configuration. | For more information, see WebsiteConfigurationV2 properties. |
CORSConfiguration syntax
"CORSConfiguration": {
  "CORSRule": List,
  "ResponseVary": Boolean
}
CORSConfiguration properties
Property | Type | Required | Update allowed | Description | Constraints |
CORSRule | List | No | Yes | The cross-origin request rules. | For more information, see CORSRule properties. |
ResponseVary | Boolean | No | Yes | Specifies whether to return the | Valid values:
Note: This field cannot be configured alone. At least one cross-origin rule must be configured for this field to take effect. |
CORSRule syntax
"CORSRule": [
  {
    "MaxAgeSeconds": Number,
    "AllowedMethod": List,
    "ExposeHeader": List,
    "AllowedOrigin": List,
    "AllowedHeader": List
  }
]
CORSRule properties
Property | Type | Required | Update allowed | Description | Constraints |
AllowedHeader | List | No | Yes | The allowed headers for cross-origin requests. | Valid values:
|
AllowedMethod | List | No | Yes | The allowed methods for cross-origin requests. | Valid values:
|
AllowedOrigin | List | No | Yes | The allowed origins for cross-origin requests. | None |
ExposeHeader | List | No | Yes | The response headers that users can access from applications. | Do not use an asterisk (*). |
MaxAgeSeconds | Number | No | Yes | The cache duration for the response to an OPTIONS request for a specific resource. | None |
LifecycleConfiguration syntax
"LifecycleConfiguration": {
  "Rule": List
}
LifecycleConfiguration properties
Property | Type | Required | Update allowed | Description | Constraints |
Rule | List | Yes | No | The lifecycle rules. | For more information, see Rule properties. |
Rule syntax
"Rule": [
  {
    "Status": String,
    "AbortMultipartUpload": Map,
    "Expiration": Map,
    "Prefix": String,
    "ID": String,
    "Filter": Map,
    "Transition": List
  }
]
Rule properties
Property | Type | Required | Update allowed | Description | Constraints |
Prefix | String | Yes | No | The prefix to which the rule applies. | Only objects that match the prefix can be affected by this rule. |
AbortMultipartUpload | Map | No | No | The expiration properties of incomplete multipart uploads. | For more information, see AbortMultipartUpload properties. |
Expiration | Map | No | No | The expiration properties of the object rule. | For more information, see Expiration properties. |
ID | String | No | No | The unique ID of the rule. | The ID can be up to 255 characters in length. If you do not specify an ID or the ID is empty, OSS automatically generates a unique value. |
Status | String | No | Yes | Enables or disables the rule. | Valid values:
|
Filter | Map | No | No | This exclusion rule can have at most one conditional rule. | For more information, see Filter properties. |
Transition | List | No | No | The list of storage class transition tasks. | For more information, see Transition properties. |
Transition syntax
"Transition": [
  {
    "CreatedBeforeDate": String,
    "Days": Integer,
    "IsAccessTime": Boolean,
    "ReturnToStdWhenVisit": Boolean,
    "AllowSmallFile": Boolean,
    "StorageClass": String
  }
]
Transition properties
Property | Type | Required | Update allowed | Description | Constraints |
CreatedBeforeDate | String | No | No | Specifies a date. OSS applies the lifecycle rule to data last modified before this date. | The date must be in the ISO 8601 format and must be in UTC at midnight (00:00:00). |
Days | Integer | No | No | Specifies the number of days after an object is last updated that the lifecycle rule takes effect. | Valid values: positive integers, such as 30, 90, and 180. |
IsAccessTime | Boolean | No | No | Specifies whether to apply the lifecycle rule based on the last access time of an object. |
|
ReturnToStdWhenVisit | Boolean | No | No | Specifies whether to change the storage class of a non-Standard object to Standard after the object is accessed. | This option takes effect only when IsAccessTime is set to true. |
AllowSmallFile | Boolean | No | No | Indicates whether to use the last access time of the object. | This setting applies to objects smaller than 64 KB. Valid destination storage classes are IA, Archive, and Cold Archive. |
StorageClass | String | No | No | The storage class to which the object is transitioned. | Valid values:
|
Filter syntax
"Filter": {
  "Not": Map
}
Filter properties
Property | Type | Required | Update allowed | Description | Constraints |
Not | Map | No | No | The exclusion rule. | For more information, see Not properties. |
Not syntax
"Not": {
  "Tag": List,
  "Prefix": String
}
Not properties
Property | Type | Required | Update allowed | Description | Constraints |
Tag | List | No | No | The tag of the exclusion rule. | This exclusion rule applies to at most one object tag. |
Prefix | String | No | No | The rule prefix. | The prefix of the object names to which this exclusion rule applies. The prefix must meet the following conditions:
In essence, this rule specifies that for an exclusion rule, if a parent rule defines a prefix, any subordinate prefix must be a subset or a more specific version of that parent prefix. A subordinate prefix cannot be identical to the parent prefix unless a tag configuration is used. This design enables more granular and flexible filtering logic for files and objects, particularly in scenarios such as cloud storage, data backup, or content filtering. |
Expiration syntax
"Expiration": {
  "Days": Number,
  "CreatedBeforeDate": String,
  "ExpiredObjectDeleteMarker": Boolean
}
Expiration properties
Property | Type | Required | Update allowed | Description | Constraints |
CreatedBeforeDate | String | No | No | Specifies a date. OSS executes the rule for data whose last update date is earlier than this date. | The date must be in the ISO 8601 format and must be in UTC at midnight. For example: |
Days | Number | No | No | The number of days after which the rule takes effect since the object was last modified. | The rule is executed to delete the object after the specified number of days has passed since the last modification time. If you set the time to 30 days, an object last modified on January 1, 2016 will be deleted by the backend program on January 31, 2016. |
ExpiredObjectDeleteMarker | Boolean | No | No | Specifies whether expired delete markers should be automatically deleted. | Valid values:
|
AbortMultipartUpload syntax
"AbortMultipartUpload": {
  "CreatedBeforeDate": String,
  "Days": Number
}
AbortMultipartUpload properties
Property | Type | Required | Update allowed | Description | Constraints |
CreatedBeforeDate | String | No | No | The time before which the rule takes effect. | The date is in the ISO 8601 format and the value must be in UTC at midnight. For example: |
Days | Number | No | No | The number of days after which the rule takes effect since the object was last modified. | The rule is executed to delete the object after the specified number of days has passed since the last modification time. If you set the time to 30 days, an object last modified on January 1, 2016 will be deleted by the backend program on January 31, 2016. |
LoggingConfiguration syntax
"LoggingConfiguration": {
  "TargetBucket": String,
  "TargetPrefix": String
}
LoggingConfiguration properties
Property | Type | Required | Update allowed | Description | Constraints |
TargetBucket | String | No | No | The bucket where access logs are stored. | None |
TargetPrefix | String | No | No | The prefix for the saved access log files. | None |
WebsiteConfigurationV2 syntax
"WebsiteConfigurationV2": {
  "RoutingRules": List,
  "IndexDocument": Map,
  "ErrorDocument": Map
}
WebsiteConfigurationV2 properties
Property | Type | Required | Update allowed | Description | Constraints |
ErrorDocument | Map | No | No | The hosted static error page. | None |
IndexDocument | Map | No | No | The hosted static home page. | None |
RoutingRules | List | No | No | The list of routing rules. | Maximum length: 20. |
IndexDocument syntax
"IndexDocument": {
  "Suffix": String,
  "Type": String,
  "SupportSubDir": String
}
IndexDocument properties
Property | Type | Required | Update allowed | Description | Constraints |
Suffix | String | Yes | No | The default home page. | After you set a default home page, OSS returns this default home page if you access an object that ends with a forward slash (/). |
Type | String | No | No | The behavior when you try to access an object that does not exist and does not end with a forward slash (/), after a default home page is set. | This rule takes effect only when `SupportSubDir` is set to `true`. It is applied after `RoutingRule` and before `ErrorFile`. Assume the default home page is `index.html`. When you access `bucket.oss-cn-hangzhou.aliyuncs.com/abc` and the `abc` object does not exist, the behavior varies based on the value of `Type`:
|
SupportSubDir | String | No | No | Specifies whether to redirect to the default home page of a subdirectory when the subdirectory is accessed. | Valid values:
|
RoutingRules syntax
"RoutingRules": [
  {
    "Redirect": Map,
    "Condition": Map,
    "RuleNumber": Integer
  }
]
RoutingRules properties
Property | Type | Required | Update allowed | Description | Constraints |
Redirect | Map | Yes | No | Specifies the operation to perform when this rule is matched. | For more information, see Redirect properties. |
Condition | Map | Yes | No | The matching conditions. | This rule is executed only when all specified items are met. A match is considered successful only when all conditions for each node under this container are met. For more information, see Condition properties. |
RuleNumber | Integer | Yes | No | The serial number to match and execute the RoutingRule. OSS matches rules in order based on this serial number. | If a match is successful, this rule is executed and subsequent rules are no longer executed. |
Condition syntax
"Condition": {
  "KeyPrefixEquals": String,
  "HttpErrorCodeReturnedEquals": String,
  "IncludeHeaders": List,
  "KeySuffixEquals": String
}
Condition properties
Property | Type | Required | Update allowed | Description | Constraints |
KeyPrefixEquals | String | No | No | The prefix of the object name to match. | None. |
HttpErrorCodeReturnedEquals | String | No | No | The rule matches only if this status code is returned when the specified object is accessed. | When the redirection rule is of the mirroring-based back-to-origin type, this field must be 404. |
IncludeHeaders | List | No | No | This rule matches only if the request contains the specified header and its value is the specified value. | You can set up to 10 such conditions. For more information, see IncludeHeaders properties. |
KeySuffixEquals | String | No | No | The suffix of the object name to match. | None. |
IncludeHeaders syntax
"IncludeHeaders": [
  {
    "Equals": String,
    "Key": String
  }
]
IncludeHeaders properties
Property | Type | Required | Update allowed | Description | Constraints |
Equals | String | No | No | The value of the header. | None |
Key | String | Yes | No | The name of the header. | None |
RefererConfiguration syntax
"RefererConfiguration": {
  "AllowEmptyReferer": String,
  "RefererList": List
}
RefererConfiguration properties
Property | Type | Required | Update allowed | Description | Constraints |
AllowEmptyReferer | Boolean | No | No | Specifies whether to allow access from requests with an empty Referer field. | Valid values:
|
RefererList | List | No | No | The whitelist of allowed Referer fields. | None |
Redirect syntax
"Redirect": {
  "MirrorFollowRedirect": Boolean,
  "MirrorURL": String,
  "PassQueryString": Boolean,
  "MirrorPassQueryString": Boolean,
  "ReplaceKeyWith": String,
  "Protocol": String,
  "HttpRedirectCode": String,
  "ReplaceKeyPrefixWith": String,
  "RedirectType": String,
  "MirrorHeaders": Map,
  "MirrorCheckMd5": Boolean,
  "EnableReplacePrefix": Boolean,
  "HostName": String
}
Redirect properties
Property | Type | Required | Update allowed | Description | Constraints |
MirrorFollowRedirect | Boolean | No | No | Specifies whether to continue redirecting to the specified Location to obtain data if the result of the mirroring-based back-to-origin is a 3xx status code. | This setting takes effect only when RedirectType is set to Mirror. For example, when we mirror a request back to the origin server, the origin server returns a 302 status code with Location information.
|
MirrorURL | String | No | No | The address of the origin server for mirroring-based back-to-origin. | This setting takes effect only when RedirectType is set to Mirror. The origin URL must start with http:// or https:// and end with a forward slash (/). OSS appends the object name to this to form the URL to be returned. For example, if the object to be accessed is named myobject, and you set this to http://example.com/, the back-to-origin URL will be http://example.com/myobject. If you set it to http://example.com/dir1/, the back-to-origin URL will be http://example.com/dir1/myobject. |
PassQueryString | Boolean | No | No | Specifies whether to carry request parameters when performing a redirect or mirroring-based back-to-origin. | If a user accesses OSS with request parameters like a=b&c=d and PassQueryString is set to true, these request parameters are appended to the Location header of the redirect if the rule type is a 302 redirect, for example, Location: example.com?a=b&c=d. If the rule type is mirroring-based back-to-origin, these request parameters are also carried in the initiated back-to-origin request. Valid values: true, false (default). |
MirrorPassQueryString | Boolean | No | No | Same as PassQueryString, but takes precedence over PassQueryString. This setting is valid only when RedirectType is set to Mirror. | Default value: false. |
ReplaceKeyWith | String | No | No | When using a Redirect rule, the object name is replaced with the value specified by ReplaceKeyWith, which supports variables. | The ${key} variable, which represents the object name in the request, is supported. For example, assume that the object that you want to access is named test and ReplaceKeyWith is set to prefix/${key}.suffix. The Location header is then http://example.com/prefix/test.suffix: ${key} is replaced by the object name test, and prefix/ and .suffix are fixed parts of the pattern. |
Protocol | String | No | No | The protocol specification for the redirect. | This rule applies only if RedirectType is set to External or AliCDN. If you want to access a file named "test" and redirect it to "example.com" with the https protocol, the Location header in the HTTP response should be set to "https://example.com/test". Optional protocol values are: http, https. |
HttpRedirectCode | String | No | No | The status code returned during a redirect. | Applies only when RedirectType is set to External or AliCDN. Default value: 302. Optional values: 301, 302, 307. |
ReplaceKeyPrefixWith | String | No | No | This value replaces the prefix of the object name in the redirect. If the prefix is empty, this string is inserted before the object name. | Note: Only one of the ReplaceKeyWith and ReplaceKeyPrefixWith nodes is allowed. Assume the object to be accessed is ABC/test.TXT. If KeyPrefixEquals is set to ABC/ and ReplaceKeyPrefixWith is set to def/, the Location will point to http://example.com/def/test.txt. |
RedirectType | String | Yes | No | Specifies the type of redirect. | Valid values:
|
MirrorHeaders | Map | No | No | Specifies the headers that are mirrored when passed back to the origin. | This setting takes effect only when RedirectType is set to Mirror. For more information, see MirrorHeaders properties. |
MirrorCheckMd5 | Boolean | No | No | Specifies whether to check MD5 on back-to-origin. | This configuration takes effect only when RedirectType is set to Mirror. When MirrorCheckMd5 is set to true, if the response from the origin server contains the Content-Md5 header, OSS checks if the MD5 of the pulled data matches this header. If it does not match, the data will not be saved to OSS. Default value: false. |
EnableReplacePrefix | Boolean | No | No | If this field is set to true, the prefix of the object will be replaced with the value specified by ReplaceKeyPrefixWith. If this field is not specified or is empty, it means the prefix of the object will be truncated. | Note: This field cannot be set to true when the ReplaceKeyWith field is not empty. Default value: false. |
HostName | String | No | No | The domain name for the redirect. | The domain name should follow domain name specifications. If the file to be accessed is named test, the protocol is set to https, and the hostname is set to example.com, the Location header should be https://example.com/test. |
MirrorHeaders syntax
"MirrorHeaders": {
  "Remove": List,
  "PassAll": Boolean,
  "Sets": List,
  "Pass": List
}
MirrorHeaders properties
Property | Type | Required | Update allowed | Description | Constraints |
Remove | List | No | No | Disables pass-through of specified headers to the origin. | This is valid only when RedirectType is set to Mirror. Each header can be up to 1,024 bytes long, and the character set includes 0-9, a-z, A-Z, and hyphens (-). You can specify up to 10 headers for this field. |
PassAll | Boolean | No | No | Specifies whether to pass headers other than the excluded ones to the origin. | This is valid only when RedirectType is set to Mirror. The excluded headers are: content-length, authorization2, authorization, range, date, and other common headers; and specific headers starting with oss-, x-oss-, or x-drs-. Default value: false. This means that, by default, these specific headers are passed to the mirror source. To change this behavior, you can adjust this setting to true to prevent these headers from being passed through. |
Sets | List | No | No | Sets a header to the origin server. When the request is passed back to the origin server, this header is set, regardless of whether the specified header is included in the request. | This feature is effective only when RedirectType is set to Mirror. This container can set up to 10 groups of headers in this way. For more information, see Sets properties. |
Pass | List | No | No | Passes the specified header information to the source. | This operation is valid only when RedirectType is set to Mirror. Each header can be up to 1,024 bytes long and can only contain the character set 0-9, a-z, A-Z, and hyphens (-). You can specify up to 10 headers for this field. |
Sets syntax
"Sets": [
  {
    "Value": String,
    "Key": String
  }
]
Sets properties
Property | Type | Required | Update allowed | Description | Constraints |
Value | String | Yes | No | The value of the header. The value can be up to 1,024 bytes in length and cannot contain \r\n. | This setting is valid only when RedirectType is set to Mirror. |
Key | String | Yes | No | The key of the header. The key can be up to 1,024 bytes in length and uses the same character set as Pass. | This setting is valid only when RedirectType is set to Mirror. |
ErrorDocument syntax
"ErrorDocument": {
  "Key": String,
  "HttpStatus": String
}
ErrorDocument properties
Property | Type | Required | Update allowed | Description | Constraints |
Key | String | Yes | No | The default error page. | When an error page is specified, this error page is returned if the accessed object does not exist. |
HttpStatus | String | No | No | The HTTP status code of the error page. | Valid values: 200, 404 (default). |
ServerSideEncryptionConfiguration syntax
"ServerSideEncryptionConfiguration": {
  "KMSMasterKeyID": String,
  "SSEAlgorithm": String
}
ServerSideEncryptionConfiguration properties
Property | Type | Required | Update allowed | Description | Constraints |
SSEAlgorithm | String | Yes | No | The default server-side encryption method. | Valid values:
|
KMSMasterKeyID | String | No | No | The key ID. | You must specify the key ID only when SSEAlgorithm is KMS and you are using a specified key for encryption. |
VersioningConfiguration syntax
"VersioningConfiguration": {
  "Status": String
}
VersioningConfiguration properties
Property | Type | Required | Update allowed | Description | Constraints |
Status | String | Yes | No | The versioning status. | Valid values:
|
Return values
Fn::GetAtt
Name: The globally unique name of the bucket.
DomainName: The public domain name of the bucket.
InternalDomainName: The internal domain name of the bucket.
Arn: The Alibaba Cloud Resource Name (ARN).
Examples
ROSTemplateFormatVersion: '2015-09-01'
Description: Creates a simple oss bucket
Parameters:
  BucketName:
    AssociationProperty: AutoCompleteInput
    AssociationPropertyMetadata:
      Length: 5
      Prefix: simple-oss-bucket
      CharacterClasses:
        - Class: lowercase
          min: 1
    Type: String
    Label:
      en: Bucket Name
Outputs:
  BucketDomainName:
    Value:
      Fn::GetAtt:
        - MyBucket
        - DomainName
Resources:
  MyBucket:
    Type: ALIYUN::OSS::Bucket
    Properties:
      AccessControl: private
      BucketName:
        Ref: BucketName
Metadata: {}

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Creates a simple oss bucket",
  "Parameters": {
    "BucketName": {
      "Type": "String",
      "Label": {
        "en": "Bucket Name"
      },
      "AssociationProperty": "AutoCompleteInput",
      "AssociationPropertyMetadata": {
        "Length": 5,
        "Prefix": "simple-oss-bucket",
        "CharacterClasses": [
          {
            "Class": "lowercase",
            "min": 1
          }
        ]
      }
    }
  },
  "Metadata": {
  },
  "Resources": {
    "MyBucket": {
      "Type": "ALIYUN::OSS::Bucket",
      "Properties": {
        "AccessControl": "private",
        "BucketName": {
          "Ref": "BucketName"
        }
      }
    }
  },
  "Outputs": {
    "BucketDomainName": {
      "Value": {
        "Fn::GetAtt": [
          "MyBucket",
          "DomainName"
        ]
      }
    }
  }
}
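
A template lint for the properties documented above, as an added example that is not part of the original page or of Alibaba Cloud's tooling: it walks a parsed ROS template and flags ALIYUN::OSS::Bucket settings that widen exposure or drop encryption, integrity checking and audit coverage. The finding names, sample bucket names and origin URL are constructed, and the literal values public-read, public-read-write and Enabled are OSS values assumed here because the page's valid-value lists are missing.

```python
import json

def _on(value):
    # True for a literal boolean or the string "true"; Ref/Fn:: values are not resolved.
    return value is True or str(value).lower() == "true"

def audit_oss_buckets(template):
    """Return {logical_id: [finding, ...]} for each ALIYUN::OSS::Bucket resource."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::OSS::Bucket":
            continue
        p, found = res.get("Properties", {}), []
        if p.get("AccessControl") in ("public-read", "public-read-write"):
            found.append("public-acl")
        if not _on(p.get("BlockPublicAccess")):
            found.append("block-public-access-off")
        if "ServerSideEncryptionConfiguration" not in p:
            found.append("no-default-encryption")
        if "LoggingConfiguration" not in p:
            found.append("no-access-logging")
        if p.get("VersioningConfiguration", {}).get("Status") != "Enabled":
            found.append("versioning-off")
        if _on(p.get("DeletionForce")):
            found.append("force-delete-on")
        for rule in p.get("CORSConfiguration", {}).get("CORSRule", []):
            if "*" in rule.get("AllowedOrigin", []):
                found.append("cors-any-origin")
        for rule in p.get("WebsiteConfigurationV2", {}).get("RoutingRules", []):
            redirect = rule.get("Redirect", {})
            if redirect.get("RedirectType") != "Mirror":
                continue  # the Mirror* settings only take effect for Mirror rules
            tag = "rule%s" % rule.get("RuleNumber")
            if str(redirect.get("MirrorURL", "")).startswith("http://"):
                found.append(tag + ":mirror-cleartext-origin")
            if _on(redirect.get("MirrorHeaders", {}).get("PassAll")):
                found.append(tag + ":mirror-passes-all-headers")
            if not _on(redirect.get("MirrorCheckMd5")):
                found.append(tag + ":mirror-no-md5-check")
        report[logical_id] = found
    return report

# Constructed sample template: bucket names and the origin URL are placeholders.
SAMPLE_TEMPLATE = {
    "ROSTemplateFormatVersion": "2015-09-01",
    "Resources": {
        "HardenedBucket": {"Type": "ALIYUN::OSS::Bucket", "Properties": {
            "BucketName": "example-hardened-bucket",
            "AccessControl": "private",
            "BlockPublicAccess": True,
            "ServerSideEncryptionConfiguration": {"SSEAlgorithm": "KMS"},
            "VersioningConfiguration": {"Status": "Enabled"},
            "LoggingConfiguration": {"TargetBucket": "example-log-bucket",
                                     "TargetPrefix": "oss-access/"}}},
        "RiskyBucket": {"Type": "ALIYUN::OSS::Bucket", "Properties": {
            "BucketName": "example-risky-bucket",
            "AccessControl": "public-read",
            "DeletionForce": True,
            "CORSConfiguration": {"CORSRule": [
                {"AllowedOrigin": ["*"], "AllowedMethod": ["GET"]}]},
            "WebsiteConfigurationV2": {
                "IndexDocument": {"Suffix": "index.html"},
                "RoutingRules": [{
                    "RuleNumber": 1,
                    "Condition": {"HttpErrorCodeReturnedEquals": "404"},
                    "Redirect": {"RedirectType": "Mirror",
                                 "MirrorURL": "http://example.com/",
                                 "MirrorHeaders": {"PassAll": True}}}]}}},
    },
}

if __name__ == "__main__":
    print(json.dumps(audit_oss_buckets(SAMPLE_TEMPLATE), indent=2))
```

Property values supplied through Ref or other intrinsic functions are not resolved, so a parameterised BlockPublicAccess is reported as off until the template is rendered with concrete values.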