Set up the environment for ossfs 1.0

更新时间:
复制 MD 格式

Before mounting a bucket, configure the ossfs 1.0 environment. Two methods are available: attach an ECS RAM role to your ECS instance, or store credentials in a configuration file.

ECS RAM role

Attach a RAM role with OSS access permissions to an ECS instance. When ossfs 1.0 mounts a bucket, it automatically retrieves STS temporary credentials from the ECS metadata server. This method is recommended because it uses short-lived credentials and avoids storing an AccessKey pair on the server.

The following example uses a RAM role named EcsRamRoleOssTest. After attaching the role, verify that the ECS instance is correctly configured before mounting buckets.

  1. Attach the RAM role to the ECS instance.

    Procedure

    1. Navigate to the Create Role page in the Resource Access Management (RAM) console.

    2. On the Create Role page, select Cloud Service for Principal Type. Then, select Elastic Compute Service / ECS for Principal Name and click OK.

      image

    3. In the Create Role dialog box, enter a name for the role, and then click OK.

      image

    4. After creating the role, click Grant Permission. Select the AliyunOSSFullAccess permission policy and click Confirm.

      Note

      If you are familiar with Resource Access Management (RAM) permissions, you can go to the Create Policy page to create a custom permission policy with finer-grained access control, then grant it to the RAM role to avoid excessive permissions.

      image

    5. Navigate to the Instances page of the Elastic Compute Service (ECS) console. In the top navigation bar, select the region of your ECS instance. On the Instances page, find the target instance, click the image icon in the Actions column, and select Attach/Detach RAM Role.

      image

    6. In the Attach/Detach RAM Role dialog box, select the RAM role to attach to the ECS instance.

      image

  2. Verify the RAM role attachment to the ECS instance.

    Run the following command to verify that the role is attached. Replace EcsRamRoleOssTest with the name of your RAM role; do not change anything else in the command. A return code of 200 indicates success. A return code of 404 indicates that no RAM role is attached to the instance, or the role name in the command does not match the attached role.

    curl -o /dev/null -s -w "%{http_code}\n" http://100.100.100.200/latest/meta-data/ram/security-credentials/EcsRamRoleOssTest

Configuration file

Store the AccessKey ID and AccessKey secret of an Alibaba Cloud account or RAM user in a configuration file. ossfs 1.0 reads the file at mount time. This method is convenient and fast, but is less secure because it stores the AccessKey pair on the server.

Warning

An Alibaba Cloud account has full permissions over all its resources. Do not use the AccessKey pair of your Alibaba Cloud account — if it is compromised, your entire account is at risk. Use the AccessKey pair of a RAM user with only the minimum required permissions.

Default configuration file

The default configuration file is read automatically at mount time. You do not need to specify its path in the mount command, and you can list multiple buckets in the same file.

  • Path: /etc/passwd-ossfs — required permissions: 640.

  • Format: $bucket_name:$access_key_id:$access_key_secret.

Run the following commands to create the file. They write the bucket and AccessKey information to /etc/passwd-ossfs and set the file permissions to 640.

echo bucket-test-1:AAAI************:AAA8x************************* > /etc/passwd-ossfs
echo bucket-test-2:BBBI************:BBB8x************************* >> /etc/passwd-ossfs
chmod 640 /etc/passwd-ossfs

Custom configuration file

Use a custom configuration file when you need separate credential files for different buckets. Specify the file path in the mount command.

  • Path: Any path you choose, for example /etc/passwd-ossfs-3 or /etc/passwd-ossfs-4 — required permissions: 600.

  • Format: $bucket_name:$access_key_id:$access_key_secret.

Run the following commands to create separate files for each bucket. They write the bucket and AccessKey information to /etc/passwd-ossfs-3 and /etc/passwd-ossfs-4, and set the file permissions to 600.

echo bucket-test-3:CCCIbZcdVCmQ****:CCC8x0y9hxQ31coh7A5e2MZEUz**** > /etc/passwd-ossfs-3
echo bucket-test-4:DDDIbZcdVCmQ****:DDD8x0y9hxQ31coh7A5e2MZEUz**** > /etc/passwd-ossfs-4
chmod 600 /etc/passwd-ossfs-3 /etc/passwd-ossfs-4

What's next

Mount your bucket to a local directory using a default configuration file, a custom configuration file, or an ECS RAM role.