Log in to ossbrowser 1.0

更新时间:
复制 MD 格式

This topic describes the logon options and configuration parameters for ossbrowser 1.0.

Logon account permissions

Before you log on, ensure your account has the required permissions to perform operations in ossbrowser 1.0.

  • Alibaba Cloud account: An Alibaba Cloud account has full permissions for all its resources by default and requires no additional permission configuration.

  • RAM user: To log on and view the complete bucket and file lists, a RAM user must have at least the oss:ListBuckets, oss:ListObjects, and oss:GetBucketInfo permissions for all buckets.

  • STS temporary access credential: To log on and view the file list in a specific bucket, an STS temporary access credential must have at least the oss:ListObjects permission for that bucket.

  • Authorization code: The permissions for an authorization code are configured by a primary account or a RAM user administrator after they log on to ossbrowser 1.0 and generate an authorization code.

After logging on with a RAM user or an STS temporary access credential, you must configure additional permission policies to perform operations. Use the following table to grant permissions based on the required features. For more information about creating a custom permission policy and granting permissions to a RAM user, see Create a custom permission policy and Manage permissions for RAM users.

Required permissions for different features in ossbrowser 1.0

Feature

Action

Description

Permission recommendation

Log on to ossbrowser 1.0

oss:ListBuckets

Lists all buckets that you own.

If you need to access only a specific bucket, the oss:ListBuckets permission is not required, but you cannot view the bucket list.

oss:ListObjects

Lists information about all objects in a bucket.

To view the file list, you must have the oss:ListObjects permission.

Manage buckets

oss:ListBuckets

Lists all buckets that you own.

To view the bucket list, you must have the oss:ListBuckets permission.

oss:PutBucket

Creates a bucket.

To create a bucket, you must have the oss:PutBucket permission.

oss:GetBucketInfo

Views information about a bucket.

To get basic information about a bucket, you must have the oss:GetBucketInfo permission.

oss:DeleteBucket

Deletes a bucket.

To delete a bucket, you must have the oss:DeleteBucket permission. We recommend that you grant this permission with caution.

File list

oss:ListObjects

Lists information about all objects in a bucket.

To list files, you must have the oss:ListObjects permission.

Upload and download

oss:ListObjects

Lists information about all objects in a bucket.

To download a directory, you must have the oss:ListObjects permission.

oss:GetObject

Gets an object.

To download a file, you must have the oss:GetObject permission.

oss:PutObject

Uploads a file.

To upload a file, you must have the oss:PutObject permission.

Copy, move, and rename

oss:ListBuckets

Lists all buckets that you own.

When you copy or move objects across buckets, you must have the oss:ListBuckets permission.

oss:ListObjects

Lists information about all objects in a bucket.

When you copy, move, or rename a directory, you must have the oss:ListObjects permission.

oss:GetObject

Gets an object.

You must have the oss:GetObject permission for the source bucket.

oss:PutObject

Uploads a file.

You must have the oss:PutObject permission for the destination bucket.

oss:DeleteObject

Deletes an object.

When you move or rename an object, you must have the oss:DeleteObject permission for the source bucket. Otherwise, the source object cannot be deleted.

Delete files

oss:ListObjects

Lists information about all objects in a bucket.

To delete a directory, you must have the oss:ListObjects permission.

oss:DeleteObject

Deletes an object.

To delete an object, you must have the oss:DeleteObject permission. We recommend that you grant this permission with caution.

Procedure

  1. ossbrowser 1.0 provides the following three logon methods.

    Logon method

    Description

    AK

    We recommend using the AccessKey (AK) of an Alibaba Cloud account or a RAM user if you are the resource owner, or if your team needs long-term, persistent access to OSS resources.

    Log on with STS

    For temporary team access to your OSS resources, obtain an STS temporary access credential by having a RAM user assume a RAM role and call the Security Token Service (STS). Team members can then use this credential to log on and access your OSS resources.

    Auth-Code

    To grant team members temporary or permanent access to specific OSS resources, you can log on to ossbrowser 1.0 with an AK, grant permissions on specific OSS resources, and generate an authorization code. Team members can then use this code to log on and access the authorized resources.

  2. Choose a logon method based on your use case.

    Log on with an AK

    When you log on with an AK, configure the following parameters.

    Parameter

    Description

    Endpoint

    Default (public cloud): Log on using the endpoint of the region where the destination bucket is located. If you select this option, you can select HTTPS Encryption to encrypt data in transit.

    Important

    For regions that do not support this access method, select the Custom logon method.

    Custom: If you select this option, you can use any public cloud endpoint of OSS. For more information about region-to-endpoint mappings, see Regions and endpoints.

    Note

    If you do not use an internal endpoint to send requests, public traffic is generated by default, which incurs traffic fees. For more information, see Traffic fees.

    CNAME: If you want to access OSS resources using your own custom domain name, you must first map the domain name to the OSS service. For more information, see Map a custom domain name. Then, select this option and enter your custom domain name.

    AccessKeyId, AccessKeySecret

    Enter the AccessKey (AK) of your account. For information about how to obtain an AK, see Create an AccessKey.

    Important

    For data security, we recommend that you log on to ossbrowser using the AK of a RAM user. If you need to authorize file access, you must also grant the AliyunOSSFullAccess, AliyunRAMFullAccess, and AliyunSTSAssumeRoleAccess permissions to the RAM user before logging on. For more information, see Permission management.

    Preset OSS Path

    If the current account has permissions for only a specific bucket or a path within a bucket, or if you log on using a CNAME, you must specify a preset OSS path. The format is oss://bucketname/path.

    Important

    If the bucket you are authorized to access has requester-pays mode enabled and you are not the bucket owner, you must select Pay-by-requester. Otherwise, an AccessDenied error is returned when you access the specified resources in the preset OSS path. After you select Pay-by-requester, you can access the resources, and you are charged for the resulting traffic, requests, and other fees. For more information about requester-pays mode, see Requester Pays.

    Region

    If you configure a Preset OSS Path, you must specify the Region where the corresponding bucket is located.

    Keep Me Logged on

    Select this option to have ossbrowser automatically log you in during future sessions.

    Remember secret key

    Select this option to save the AK. When you log on again, you can click AK History and select the saved key to log on directly.

    Warning

    To avoid information security risks, do not select this option on a computer that you are using temporarily.

    Log on with STS

    When you log on with an STS temporary access credential, configure the following parameters.

    Parameter

    Description

    Example

    Endpoint

    Default (public cloud): Log on using the endpoint of the region where the destination bucket is located. If you select this option, you can select HTTPS Encryption to encrypt data in transit.

    Important

    For regions that do not support this access method, select the Custom logon method.

    Custom: If you select this option, you can use any public cloud endpoint of OSS. For more information about region-to-endpoint mappings, see Regions and endpoints.

    Note

    If you do not use an internal endpoint to send requests, public traffic is generated by default, which incurs traffic fees. For more information, see Traffic fees.

    CNAME: If you want to access OSS resources using your own custom domain name, you must first map the domain name to the OSS service. For more information, see Map a custom domain name. Then, select this option and enter your custom domain name.

    AccessKeyId, AccessKeySecret, STS token

    Enter the STS temporary access credential, which includes the AccessKey and the STS token. For information about how to obtain these credentials, see Use an STS temporary access credential to access OSS.

    Note

    Enter an STS token only when the AccessKeyId is in the STS.XXX format.

    Preset OSS Path

    If the current account has permissions for only a specific bucket or a path within a bucket, or if you log on using a CNAME, you must specify a preset OSS path. The format is oss://bucketname/path.

    Important

    If the bucket you are authorized to access has requester-pays mode enabled and you are not the bucket owner, you must select Pay-by-requester. Otherwise, an AccessDenied error is returned when you access the specified resources in the preset OSS path. After you select Pay-by-requester, you can access the resources, and you are charged for the resulting traffic, requests, and other fees. For more information about requester-pays mode, see Requester Pays.

    Region

    If you configure a Preset OSS Path, you must specify the Region where the corresponding bucket is located.

    Keep Me Logged on

    Select this option to have ossbrowser automatically log you in during future sessions.

    Remember secret key

    Select this option to save the AK. When you log on again, you can click AK History and select the saved key to log on directly.

    Warning

    To avoid information security risks, do not select this option on a computer that you are using temporarily.

    Log on with authorization code

    1. Click Log on with Auth Code and enter your authorization code.

      Generate an authorization code

      1. Log on to ossbrowser using an AccessKey.

        Click the Log on with AK tab. From the Endpoint drop-down list, select an endpoint. The default is public cloud. Select HTTPS Encryption, and then enter your AccessKeyId and AccessKeySecret. Optionally, specify a Preset OSS path (for example, oss://bucket/key/) and Remarks. You can also select Keep Me Logged In and Remember Secret Key. Click Log In.

      2. Click the name of the target bucket.

      3. Select the directory to authorize, and then click More > Generate Authorization Code.

        Important

        You can generate an authorization code for only one directory at a time.

        To perform operations on multiple directories simultaneously, log on to ossbrowser using an AK or an STS temporary access credential.

      4. Set Permissions, Validity Period, and Role, and then click Generate.

        In the Generate Authorization Code dialog box, you can set Permissions to Read-only, Read/Write, or Full Control. Set the Validity Period in seconds (for example, 3600), and select the corresponding Role by specifying its RAM role ARN.

      5. Click Click to Copy to obtain the generated authorization code.

        You can use the copied authorization code to log on to ossbrowser. The code grants the specified permissions for the target directory for the specified duration.

      6. Log out, click Auth-Code, paste the generated code, and then click Log In before the code expires.

    2. Click Log In to log on to ossbrowser using the authorization code.

      After you log on, the remaining time for the temporary credential is displayed in the upper-right corner of the ossbrowser interface. You can navigate to the target bucket directory using the address bar. The file list displays the file name, size, last modified time, and provides options such as Get URL, Download, and Delete.