This topic describes the logon options and configuration parameters for ossbrowser 1.0.
Logon account permissions
Before you log on, ensure your account has the required permissions to perform operations in ossbrowser 1.0.
Alibaba Cloud account: An Alibaba Cloud account has full permissions for all its resources by default and requires no additional permission configuration.
RAM user: To log on and view the complete bucket and file lists, a RAM user must have at least the
oss:ListBuckets,oss:ListObjects, andoss:GetBucketInfopermissions for all buckets.STS temporary access credential: To log on and view the file list in a specific bucket, an STS temporary access credential must have at least the
oss:ListObjectspermission for that bucket.Authorization code: The permissions for an authorization code are configured by a primary account or a RAM user administrator after they log on to ossbrowser 1.0 and generate an authorization code.
After logging on with a RAM user or an STS temporary access credential, you must configure additional permission policies to perform operations. Use the following table to grant permissions based on the required features. For more information about creating a custom permission policy and granting permissions to a RAM user, see Create a custom permission policy and Manage permissions for RAM users.
Procedure
ossbrowser 1.0 provides the following three logon methods.
Logon method
Description
AK
We recommend using the AccessKey (AK) of an Alibaba Cloud account or a RAM user if you are the resource owner, or if your team needs long-term, persistent access to OSS resources.
Log on with STS
For temporary team access to your OSS resources, obtain an STS temporary access credential by having a RAM user assume a RAM role and call the Security Token Service (STS). Team members can then use this credential to log on and access your OSS resources.
Auth-Code
To grant team members temporary or permanent access to specific OSS resources, you can log on to ossbrowser 1.0 with an AK, grant permissions on specific OSS resources, and generate an authorization code. Team members can then use this code to log on and access the authorized resources.
Choose a logon method based on your use case.
Log on with an AK
When you log on with an AK, configure the following parameters.
Parameter
Description
Endpoint
Default (public cloud): Log on using the endpoint of the region where the destination bucket is located. If you select this option, you can select HTTPS Encryption to encrypt data in transit.
ImportantFor regions that do not support this access method, select the Custom logon method.
Custom: If you select this option, you can use any public cloud endpoint of OSS. For more information about region-to-endpoint mappings, see Regions and endpoints.
NoteIf you do not use an internal endpoint to send requests, public traffic is generated by default, which incurs traffic fees. For more information, see Traffic fees.
CNAME: If you want to access OSS resources using your own custom domain name, you must first map the domain name to the OSS service. For more information, see Map a custom domain name. Then, select this option and enter your custom domain name.
AccessKeyId, AccessKeySecret
Enter the AccessKey (AK) of your account. For information about how to obtain an AK, see Create an AccessKey.
ImportantFor data security, we recommend that you log on to ossbrowser using the AK of a RAM user. If you need to authorize file access, you must also grant the
AliyunOSSFullAccess,AliyunRAMFullAccess, andAliyunSTSAssumeRoleAccesspermissions to the RAM user before logging on. For more information, see Permission management.Preset OSS Path
If the current account has permissions for only a specific bucket or a path within a bucket, or if you log on using a CNAME, you must specify a preset OSS path. The format is oss://bucketname/path.
ImportantIf the bucket you are authorized to access has requester-pays mode enabled and you are not the bucket owner, you must select Pay-by-requester. Otherwise, an
AccessDeniederror is returned when you access the specified resources in the preset OSS path. After you select Pay-by-requester, you can access the resources, and you are charged for the resulting traffic, requests, and other fees. For more information about requester-pays mode, see Requester Pays.Region
If you configure a Preset OSS Path, you must specify the Region where the corresponding bucket is located.
Keep Me Logged on
Select this option to have ossbrowser automatically log you in during future sessions.
Remember secret key
Select this option to save the AK. When you log on again, you can click AK History and select the saved key to log on directly.
WarningTo avoid information security risks, do not select this option on a computer that you are using temporarily.
Log on with STS
When you log on with an STS temporary access credential, configure the following parameters.
Parameter
Description
Example
Endpoint
Default (public cloud): Log on using the endpoint of the region where the destination bucket is located. If you select this option, you can select HTTPS Encryption to encrypt data in transit.
ImportantFor regions that do not support this access method, select the Custom logon method.
Custom: If you select this option, you can use any public cloud endpoint of OSS. For more information about region-to-endpoint mappings, see Regions and endpoints.
NoteIf you do not use an internal endpoint to send requests, public traffic is generated by default, which incurs traffic fees. For more information, see Traffic fees.
CNAME: If you want to access OSS resources using your own custom domain name, you must first map the domain name to the OSS service. For more information, see Map a custom domain name. Then, select this option and enter your custom domain name.
AccessKeyId, AccessKeySecret, STS token
Enter the STS temporary access credential, which includes the AccessKey and the STS token. For information about how to obtain these credentials, see Use an STS temporary access credential to access OSS.
NoteEnter an STS token only when the AccessKeyId is in the
STS.XXXformat.Preset OSS Path
If the current account has permissions for only a specific bucket or a path within a bucket, or if you log on using a CNAME, you must specify a preset OSS path. The format is oss://bucketname/path.
ImportantIf the bucket you are authorized to access has requester-pays mode enabled and you are not the bucket owner, you must select Pay-by-requester. Otherwise, an
AccessDeniederror is returned when you access the specified resources in the preset OSS path. After you select Pay-by-requester, you can access the resources, and you are charged for the resulting traffic, requests, and other fees. For more information about requester-pays mode, see Requester Pays.Region
If you configure a Preset OSS Path, you must specify the Region where the corresponding bucket is located.
Keep Me Logged on
Select this option to have ossbrowser automatically log you in during future sessions.
Remember secret key
Select this option to save the AK. When you log on again, you can click AK History and select the saved key to log on directly.
WarningTo avoid information security risks, do not select this option on a computer that you are using temporarily.
Log on with authorization code
Click Log on with Auth Code and enter your authorization code.
Click Log In to log on to ossbrowser using the authorization code.
After you log on, the remaining time for the temporary credential is displayed in the upper-right corner of the ossbrowser interface. You can navigate to the target bucket directory using the address bar. The file list displays the file name, size, last modified time, and provides options such as Get URL, Download, and Delete.