This article will cover how we can use STS to connect to an Alibaba's Object Storage Service (OSS). The same can be used to connect to or any other Alibaba Cloud service that supports STS connections.

The OSS service is Alibaba's cloud persistent storage that stores content in the form of objects. There are three main ways to connect to an OSS service:

  • Access  Alibaba Cloud console (The user must have console access)
  • Using Alibaba Clouds SDK libraries (The user must have a valid access key)
  • Using Alibaba's tools such as OSSUtil64 (source)

The user connecting to OSS must have been granted the OSS related permissions to use OSS regardless of the method used.

Enable STS for RAM Role and Users

Log in to the Alibaba Cloud console using a user that has permissions to modify Resource Access Management (RAM) service.  Create a user or select an existing user and check that the user has an active access key, if not, create a new access key. A user can have multiple access keys.

Resource Access Management: select a user and verify the user has a valid access key

To enable user access to the OSS service through the Alibaba Cloud console enable 'Console Access'. Users with console access can log in to Alibaba Cloud and access any services which the user has permissions. Once the user access key has been generated, the user can use the AccessKeyId and AccessKeySecret to authenticate with Alibaba Cloud. However, the user still needs permissions for accessing services, this will be covered further down this article.

Check that the users have an 'Enable' access key, The red box indicates that the user does not have Console Access.

RAM Groups

Instead of configuring individual user permissions, we will create a RAM group and assign permissions to the group. After setting up the RAM group we will assign the user to the group. The users under a RAM group inherits all the permissions under the groups.

Permissions added to RAM Group, in this image we assigned a pre-build system policy that sets read-only access permissions to the Object Storage Service. The user with this permission can pull files from OSS.
User put under the RAM group will inherit the permissions set for the group. Each Alibaba Cloud service has its own set of pre-build system permission policies.

OSS: Create a new bucket

Navigate to the Object Storage Service and create a new bucket using Alibaba Cloud console. You will need a user that has permissions to create OSS buckets.

Create a bucket under a specific region, only the bucket owner and authorized users have access.
Note: The internal endpoint so that traffic is routed internally within the VPC, the initiating instance should be in the same reason as the OSS created. For example, ECS instances created in 'us-east-1' cannot connect to an OSS bucket is in  'oss-eu-west-1 'using the internal endpoint.

Connecting to OSS with STS


OSSUtil64 is a tool build by Alibaba Cloud for accessing the OSS service. Download and configure the tool. You will need the user 'AccessKeyId' and 'AccessSecret' to complete the tool configurations (follow the instructions). Once configured, you can query the OSS service.

chmod 755 ossutil64
./ossutil64 config

Alibaba SDK

Alibaba Cloud provides many SDKs for accessing their services. In this example we will use Alibaba Cloud's npm libraries for OSS access, we will need to install run the following to install the required npm packages.  (source)

npm install ali-oss --save
let OSS = require('ali-oss');
let client = new OSS({
  accessKeyId: 'accessKeyId',
  accessKeySecret: 'accessKeySecret'
async function listBuckets() {
  try {
    const example1 = await client.listBuckets({});

    const example2 = await client.listBuckets({ prefix: 'prefix', });

  } catch (err) {

The above will list all the buckets that the user has access.  You can see similar implementations of the above in different languages and frameworks below.

Source - Using .Net Core SDK