This topic describes how to configure ossutil.
Prerequisites
ossutil is installed. For more information, see Install ossutil.
Object Storage Service (OSS) is activated.
Configuration methods
You can configure ossutil by using multiple methods, including configuration files, environment variables and command-line options.
Configuration files: Configuration files for ossutil are in the INI file format, in which you can specify parameters.
Environment variables: ossutil supports multiple environment variables that take precedence over configuration files. You can configure ossutil by using these variables.
Command-line options: ossutil provides multiple command-line options. You can configure ossutil by using these options.
If you pass the AccessKey pair by using command-line options, the AccessKey pair may be recorded by the logging system, where it can easily leak. Proceed with caution.
Configuration file settings
You can save commonly used ossutil configuration settings and access credentials in a configuration file. Settings in a configuration file are categorized into sections. You can use the --profile option to specify a specific section for ossutil to use. By default, ossutil uses settings in the default section of a configuration file. You can create and reference other settings.
You can use the ossutil config credential command to configure access credentials in a configuration file.
Configuration file format
A configuration file for ossutil is in the INI file format. An INI configuration file consists of sections.
Parameters in sections are in the key=value format.
Section names and key names are case-insensitive.
Keys can be in lowercase and small camel case. Words in a key can be separated by a hyphen character (-) or an underscore character (_). For example, you can set an AccessKey ID in a configuration file by using accesskeyid, accessKeyId, access-key-id, or access_key_id.
Comments start with a number sign (#).
Supported section types
Section | Description | Additional information |
[default] | Contains default settings. If you do not specify the --profile option in a command, ossutil uses settings in the default section. | The full form of the [default] section is [profile default]. |
[profile name] | Contains custom settings. You can use settings in the section by specifying the --profile option in a command. | You can use source_profile to reference configuration settings in a specific profile section. |
[buckets name] | Contains bucket-specific settings, including the region, endpoint, and addressing style. | This section type supports inline arrangement of key-value pairs. |
You can use the config command to query and configure settings in a configuration file. For more information, see config.
Section type: profile
A profile section can be used to configure access credential-related parameters and global options. A profile section can contain the following information:
Access credential-related parameters
Parameter | Alias | Description |
mode | / | The authentication mode. Valid values: AK, StsToken, RamRoleArn, EcsRamRole, and Anonymous. |
access-key-id | accessKeyId access_key_id | The AccessKey ID. |
access-key-secret | accessKeySecret access_key_secret | The AccessKey secret. |
sts-token | stsToken sts_token | The token issued by Security Token Service (STS). |
role-arn | roleArn role_arn | The Alibaba Cloud Resource Name (ARN) of the RAM role. This parameter is used in the RamRoleArn authentication mode. |
role-session-name | roleSessionName role_session_name | The session name. This parameter is used in the RamRoleArn authentication mode. |
ecs-role-name | ecsRoleName ecs_role_name | The role name. This parameter is used in the EcsRamRole authentication mode. |
credential-process | credentialProcess credential_process | Specifies an external command. |
credential-uri | credentialUri credential_uri | The URI from which ossutil obtains access credentials. |
oidc-provider-arn | oidcProviderArn oidc_provider_arn | The ARN of the OpenID Connect (OIDC) identity provider (IdP). The ARN uses the acs:ram::account-id:oidc-provider/provider-name format. |
oidc-token-file-path | oidcTokenFilePath oidc_token_file_path | The path to the OIDC token. |
credential-process-timeout | credentialProcessTimeout credential_process_timeout | Specifies the timeout period of requests initiated by using external credentials. Unit: seconds. The default value is 15, which indicates that the timeout period is set to 15 seconds. The maximum value is 600 (10 mins), which indicates that the timeout period is set to 10 minutes. credential-process-timeout = 60 indicates that the timeout period of a request initiated by using external credentials is set to 60 seconds. |
Global parameters
Option | Alias | Description |
loglevel | / | The severity level of the log entry. Valid values: off (default), info, and debug. |
read-timeout | readTimeout read_timeout | The timeout period in seconds for client read and write requests. Default value: 20 |
connect-timeout | connectTimeout connect_timeout | The timeout period in seconds for client connections. Default value: 10 |
retry-times | retryTimes retry_times | The number of retries on an error. Default value: 10 |
skip-verify-cert | skipVerifyCert skip_verify_cert | Specifies that the digital certificate of the server is not verified. |
sign-version | signVersion sign_version | The version of the signature algorithm. Valid values: v1 and v4 (default). |
output-format | outputFormat output_format | The format of the output. Valid values: raw (default), json, xml, and yaml. |
addressing-style | addressingStyle addressing_style | The addressing style. Valid values: virtual (default), path, and cname. |
language | / | The display language. |
endpoint | / | The endpoint for the region. This parameter is optional. |
Other parameters
Parameter | Alias | Description |
source-profile | sourceProfile source_profile | References parameters in the specified profile section. |
buckets | / | References parameters in the specified buckets section. |
Example of source-profile:
[profile cred]
access-key-id=ak
access-key-secret=sk
[profile dev]
region=cn-hangzhou
source-profile=cred
Example of buckets:
[profile dev]
region=cn-hangzhou
access-key-id=ak
access-key-secret=sk
buckets=dev-bucket
[buckets dev-bucket]
bucket-name-hz =
  endpoint=oss-cn-hangzhou-internal.aliyuncs.com
bucket-name-bj =
  region=cn-beijing
Section type: buckets
A buckets section stores mappings between buckets and endpoints. A buckets section contains key=value pairs nested within a key that represents a bucket name:
[buckets name]
bucket-name =
  key=value
where name is the name of the buckets section, bucket-name is the name of the bucket, and key=value is a configuration item. You can specify bucket-specific parameters in a buckets section. The following table describes the parameters.
Parameter | Alias | Description |
region | / | The region where the bucket is located. If you leave this parameter empty, ossutil uses the region parameter in a referenced profile section of the configuration file. |
endpoint | / | The endpoint for the region. This parameter is optional. |
addressing-style | addressingStyle addressing_style | The addressing style. Valid values: virtual (default): uses the virtual bucket domain. path: uses the path-style address. cname: uses CNAME. |
The following lines provide an example of a buckets section:
[buckets dev-bucket]
bucket-hz-01 =
  region=cn-hangzhou
bucket-hz-02 =
  region=cn-hangzhou
  endpoint=test.com
  addressing-style=cname
bucket-bj-01 =
  region=cn-beijing
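The key-spelling rules and profile parameters described above can be turned into a small configuration audit. The following is an added example, not code from ossutil or its documentation: it folds the accepted key spellings to one form and flags plaintext long-term AccessKey pairs, disabled certificate verification, a non-default sign-version, and loose file permissions. The sample values are constructed, and the set of truthy values accepted for skip-verify-cert is an assumption.

```python
import configparser
import os
import stat

def norm(key):
    """Fold ossutil key spellings (accessKeyId, access-key-id, access_key_id) to one form."""
    return key.replace("-", "").replace("_", "").lower()

def audit_text(text):
    """Return (section, finding) pairs for risky settings in ossutil config text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), default_section="<none>")
    cp.optionxform = norm  # key names are case-insensitive and alias-tolerant
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts, name = cp[section], section.lower()
        key_id = opts.get("accesskeyid", "")
        if opts.get("accesskeysecret") and not (key_id.startswith("STS.") or opts.get("ststoken")):
            findings.append((name, "long-term AccessKey pair stored in plaintext"))
        # Assumption: the option is switched on with a truthy value such as "true".
        if opts.get("skipverifycert", "").lower() in ("true", "1", "yes"):
            findings.append((name, "server certificate verification disabled"))
        if opts.get("signversion", "").lower() == "v1":
            findings.append((name, "sign-version v1 overrides the default v4"))
    return findings

def audit_file(path):
    """Audit a config file and also flag POSIX group/other permission bits."""
    loose = os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)
    with open(path, encoding="utf-8") as fh:
        found = audit_text(fh.read())
    return ([("file", "accessible by group/other")] if loose else []) + found

# Constructed sample: the same parameters written with different key spellings.
SAMPLE = """\
[default]
access_key_id = LTAI-constructed-id
accessKeySecret = constructed-secret
skip-verify-cert = true
[profile ci]
access-key-id = STS.constructed-id
access-key-secret = constructed-secret
sts_token = constructed-token
sign-version = v1
"""

if __name__ == "__main__":
    print(*audit_text(SAMPLE), sep="\n")
```

Run audit_file against the path passed to -c, for example ~/.myossutilconfig, to include the permission check.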
Environment variables
The following table describes environment variables supported by ossutil.
Environment variable | Corresponding parameter name |
OSS_ACCESS_KEY_ID | access-key-id |
OSS_ACCESS_KEY_SECRET | access-key-secret |
OSS_SESSION_TOKEN | sts-token |
OSS_ROLE_ARN | ram-role-arn |
OSS_ROLE_SESSION_NAME | role-session-name |
OSS_REGION | region |
OSS_ENDPOINT | endpoint |
OSSUTIL_CONFIG_FILE | config-file |
OSSUTIL_PROFILE | profile |
Configure access credentials
You can configure different types of access credentials by using the following methods.
You can use the ossutil config credential command to quickly configure access credentials in a configuration file.
Configure temporary access credentials
By using a configuration file
Create a configuration file ~/.myossutilconfig that contains the following settings.
[default]
accessKeyID = STS.LTAI4Fw2NbDUCV8z********
accessKeySecret = 67DLVBkH7EamOjy2W5RVAH********
stsToken = yourSecurityToken
region=cn-hangzhou
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket -c ~/.myossutilconfig
By using environment variables
export OSS_ACCESS_KEY_ID=STS.LTAI4Fw2NbDUCV8z********
export OSS_ACCESS_KEY_SECRET=67DLVBkH7EamOjy2W5RVAH********
export OSS_SESSION_TOKEN=yourSecurityToken
ossutil ls oss://examplebucket
By using command line options (not recommended)
Run the following command to list objects in the examplebucket bucket.
ossutil ls oss://examplebucket -i STS.LTAI4Fw2NbDUCV8z******** -k 67DLVBkH7EamOjy2W5RVAH******** -t yourSecurityToken
Configure long-term access credentials
By using a configuration file
Create a configuration file ~/.myossutilconfig that contains the following settings.
[default]
accessKeyID = LTAI4Fw2NbDUCV8z********
accessKeySecret = 67DLVBkH7EamOjy2W5RVAH********
region=cn-hangzhou
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket -c ~/.myossutilconfig
By using environment variables
export OSS_ACCESS_KEY_ID=LTAI4Fw2NbDUCV8z********
export OSS_ACCESS_KEY_SECRET=67DLVBkH7EamOjy2W5RVAH********
ossutil ls oss://examplebucket
By using command line options (not recommended)
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket -i LTAI4Fw2NbDUCV8z******** -k 67DLVBkH7EamOjy2W5RVAH********
Access credentials for a RAM user
By using a configuration file
Create a configuration file ~/.myossutilconfig that contains the following settings.
[default]
accessKeyID = LTAI4Fw2NbDUCV8z********
accessKeySecret = 67DLVBkH7EamOjy2W5RVAH********
mode = RamRoleArn
roleArn = acs:ram::137918634953****:role/Alice
roleSessionName = session_name_example
region=cn-hangzhou
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket -c ~/.myossutilconfig
You cannot configure this type of access credentials by using environment variables or command line options.
Access credentials for a RAM role for ECS instances
By using a configuration file
Create a configuration file ~/.myossutilconfig that contains the following settings.
[default]
mode = EcsRamRole
# The ecsRoleName parameter is optional. If you do not set this parameter, the value is automatically obtained.
ecsRoleName = EcsRamRoleOss
region=cn-hangzhou
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket -c ~/.myossutilconfig
By using command line options
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket --mode EcsRamRole
You cannot configure this type of access credentials by using environment variables.
OIDC access credentials
For more information about OIDC role-based SSO, see Overview of OIDC-based SSO.
By using a configuration file
Create a configuration file ~/.myossutilconfig that contains the following settings.
[default]
mode = oidcRoleArn
# Provide the ARN of the OIDC IdP in the format of acs:ram::account-id:oidc-provider/provider-name.
OIDCProviderArn=acs:ram::113511544585****:oidc-provider/TestOidcProvider
# Specify the path to the OIDC token.
OIDCTokenFilePath=OIDCTokenFilePath
# Specify the ARN of the role, that is, the ID of the role. The ARN is in the acs:ram::account-id:role/role-name format.
roleArn=acs:ram::113511544585****:role/testoidc
# Specify the session name, which is used to differentiate tokens.
roleSessionName = TestOidcAssumedRoleSession
region=cn-hangzhou
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket -c ~/.myossutilconfig
You cannot configure this type of access credentials by using environment variables or command line options.
Obtain access credentials by using external processes
ossutil uses an external command to start an external process, which is separate from the ossutil process. An external process returns the output to ossutil by using the standard output. You can obtain access credentials by using an external process.
To mitigate security risks, you must authorize only intended processes or users to run the command to generate access credentials.
Make sure that the command that generates access credentials does not write confidential information to stderr or stdout, other than the credential output that ossutil reads from stdout, so that such information is not captured or recorded. Captured or recorded information may be exposed to unauthorized users.
An external command can return long-term and temporary access credentials.
Long-term credentials
{
  "AccessKeyId" : "ak",
  "AccessKeySecret" : "sk"
}
Temporary credentials
{
  "AccessKeyId" : "ak",
  "AccessKeySecret" : "sk",
  "Expiration" : "2023-12-29T07:45:02Z",
  "SecurityToken" : "token"
}
By using a configuration file
Create a configuration file ~/.myossutilconfig that contains the following settings.
[default]
mode = Process
credentialProcess = user-cmd
region=cn-hangzhou
Run the following command to list objects in examplebucket.
ossutil ls oss://examplebucket -c ~/.myossutilconfig
You cannot configure this type of access credentials by using environment variables or command line options.
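Before you point credentialProcess at a command, you can check that its standard output matches the long-term or temporary credential format described above. The following is an added example, not code from ossutil: it validates the output with a strict JSON parser and returns a summary that never contains the secret or token. The sample outputs are constructed, and requiring both SecurityToken and Expiration for temporary credentials is an assumption based on the sample format.

```python
import json
from datetime import datetime, timezone

REQUIRED = ("AccessKeyId", "AccessKeySecret")

def check_credential_output(stdout_text, now=None):
    """Validate credentialProcess stdout and return a summary that holds no secrets."""
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(stdout_text)  # strict parser: trailing commas are rejected
    except json.JSONDecodeError as exc:
        # Report only the position; exc.doc would contain the secret material.
        return {"ok": False, "reason": f"invalid JSON at line {exc.lineno} column {exc.colno}"}
    if not isinstance(doc, dict):
        return {"ok": False, "reason": "top-level value is not an object"}
    missing = [k for k in REQUIRED if not isinstance(doc.get(k), str) or not doc[k]]
    if missing:
        return {"ok": False, "reason": "missing " + ", ".join(missing)}
    summary = {"ok": True, "kind": "long-term", "key_id": doc["AccessKeyId"][:4] + "****"}
    if "SecurityToken" in doc or "Expiration" in doc:
        summary["kind"] = "temporary"
        # Assumption: temporary credentials carry both fields, as in the sample format.
        if not doc.get("SecurityToken") or not doc.get("Expiration"):
            return {"ok": False, "reason": "temporary credentials need SecurityToken and Expiration"}
        try:
            expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
        except (TypeError, ValueError):
            return {"ok": False, "reason": "Expiration is not a UTC timestamp like 2023-12-29T07:45:02Z"}
        expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            return {"ok": False, "reason": "credentials already expired"}
        summary["expires_in_s"] = int((expires - now).total_seconds())
    return summary

# Constructed helper outputs (placeholder values, not real credentials).
GOOD = (
    '{"AccessKeyId": "STS.constructed", "AccessKeySecret": "constructed-secret",'
    ' "Expiration": "2023-12-29T07:45:02Z", "SecurityToken": "constructed-token"}'
)
TRAILING_COMMA = '{ "AccessKeyId" : "ak", "AccessKeySecret" : "sk", }'

if __name__ == "__main__":
    at = datetime(2023, 12, 29, 7, 0, 0, tzinfo=timezone.utc)
    print(check_credential_output(GOOD, now=at))
    print(check_credential_output(TRAILING_COMMA, now=at))
```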