Configure OSS storage
Compared to NAS, Object Storage Service (OSS) provides user-friendly tools and a console for visually managing buckets. It offers a cost-effective solution for persistent storage and distributing data between application instances. OSS is ideal for read-heavy scenarios, such as mounting configuration files or serving frontend static files.
Prerequisites
Accessing the settings
The steps to access the settings vary by scenario:
Create an application
Log on to the SAE console, and in the left navigation bar, select Applications > Application List. Then, select the target region and target namespace, and click Create Application.
On the Basic Information wizard page, configure the settings and click Next: Advanced Settings.
Modify a running application
After you redeploy an application, the application is restarted. To prevent unpredictable errors such as business interruptions, we recommend that you deploy applications during off-peak hours.
Log on to the SAE console, select Applications > Application List in the left navigation bar, select the target region and namespace, and then click the name of the target application.
On the Basic Information page of the target application, click Deploy Application.
Modify a stopped application
Log on to the SAE console. In the left navigation bar, select Applications > Application List, select the target region and namespace, and then click the name of the target application.
On the Basic Information page of the target application, click Modify Application Configuration.
Procedure
Expand the Configure Persistent Storage section and turn on Enable OSS.
Mount OSS storage
- Enter the AccessKey ID and AccessKey Secret.
  As a security best practice, use the AccessKey pair of a RAM user to call OSS APIs. For example, to grant the RAM user read-only access to the oss-test/ directory in the test-sae bucket, you can grant the following minimum permissions.

      {
        "Statement": [
          {
            "Action": "oss:GetBucket",
            "Effect": "Allow",
            "Resource": "acs:oss:*:*:test-sae"
          },
          {
            "Action": "oss:GetObject",
            "Effect": "Allow",
            "Resource": "acs:oss:*:*:/"
          }
        ],
        "Version": "1"
      }
- Configure the OSS mount settings. To add multiple entries, click Add.

| Parameter | Description | Example |
| --- | --- | --- |
| Bucket | An existing OSS bucket. | bucketname |
| Mount Directory | An existing OSS directory or object. If the specified mount directory does not exist, an error occurs. | Examples: / (Note: mounts the bucket root); tmp/oss-test/; tmp/oss-demo.log |
| Container Path | The path in the SAE container. If the path exists, its contents are overwritten. If the path does not exist, it is created. | /home/admin/app/php/ |
| Permission | The permission that the container path has on the mounted resource. Valid values: read-only, read/write. | read-only |
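The following check is an added example, not code from SAE or OSS. It audits a RAM policy against the read-only scope described in the AccessKey step (the test-sae bucket and its oss-test/ directory) before the AccessKey pair is entered in the console. The function names, the constructed SCOPED_POLICY, and the resource form acs:oss:<region>:<account-id>:<bucket>/<object> are assumptions of this example.

```python
import json

# Policy as printed on the page (whitespace only changed).
PAGE_POLICY = """
{"Statement": [
  {"Action": "oss:GetBucket", "Effect": "Allow", "Resource": "acs:oss:*:*:test-sae"},
  {"Action": "oss:GetObject", "Effect": "Allow", "Resource": "acs:oss:*:*:/"}
 ], "Version": "1"}
"""
# Constructed for this example: assumes OSS resources are written as
# acs:oss:<region>:<account-id>:<bucket>/<object-prefix>*
SCOPED_POLICY = PAGE_POLICY.replace('"acs:oss:*:*:/"', '"acs:oss:*:*:test-sae/oss-test/*"')


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def audit_readonly_mount_policy(policy_text, bucket, prefix):
    """Return findings; an empty list means the policy allows only the page's
    two read actions, scoped to `bucket` and to objects under `bucket/prefix`."""
    scope = bucket + "/" + (prefix.strip("/") + "/" if prefix.strip("/") else "")
    findings, granted = [], set()
    for idx, stmt in enumerate(_as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for res in _as_list(stmt.get("Resource", [])):
                parts = res.split(":", 4)  # acs, oss, region, account, target
                target = parts[4] if len(parts) == 5 else res
                if action == "oss:GetBucket" and target == bucket:
                    granted.add(action)
                elif action == "oss:GetObject" and target.startswith(scope):
                    granted.add(action)
                else:
                    findings.append(f"statement {idx}: {action} on {res!r} is outside "
                                    f"read-only access to {scope}")
    for needed in ("oss:GetBucket", "oss:GetObject"):
        if needed not in granted:
            findings.append(f"{needed} is not granted for {scope}")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_readonly_mount_policy(text, "test-sae", "oss-test/") or "OK")
```

The policy as printed on the page produces findings because its second Resource value names neither the bucket nor the directory; the constructed policy passes.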
Unmount OSS storage
If you no longer need the OSS storage, you can unmount it. Unmounting a bucket from the SAE console does not delete the data stored in OSS.
To unmount an OSS configuration, find the entry that you want to unmount and click the icon in the Actions column.
Verification
- Check the deployment details.
  A successful deployment with no instance exceptions indicates a successful mount.
- Verify from inside the container.
  Log on to Webshell and run the following command to verify the OSS mount information.

      cat /proc/mounts | grep ossfs

  A successful mount returns output similar to the following:

      # cat /proc/mounts | grep ossfs
      ossfs /xxx fuse.ossfs ro,relatime,user_id=0,group_id=0,allow_other 0 0

- Verify at the application level.
  Log on to Webshell and perform operations on the mounted OSS file system path. If the OSS console reflects the changes, the mount is successful.
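The in-container check above only shows that an ossfs mount exists. The following added example (not part of SAE) also compares each mount's ro/rw option with the Permission configured for its Container Path, so that a path configured as read-only but mounted read/write is reported. The function names and the sample /proc/mounts text are constructed for this example; the second mount path is hypothetical.

```python
import re

# Constructed sample of /proc/mounts; the ossfs lines follow the output
# format shown on the page. The "my data" path is hypothetical.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
ossfs /home/admin/app/php fuse.ossfs ro,relatime,user_id=0,group_id=0,allow_other 0 0
ossfs /home/admin/my\\040data fuse.ossfs rw,relatime,user_id=0,group_id=0,allow_other 0 0
"""


def _unescape(field):
    """Decode the octal escapes /proc/mounts uses for spaces, tabs, etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def _norm(path):
    """Drop a trailing slash so '/home/admin/app/php/' matches the kernel's form."""
    return path.rstrip("/") or "/"


def ossfs_mounts(mounts_text):
    """Map each fuse.ossfs mount point to 'read-only' or 'read/write'."""
    found = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "fuse.ossfs":
            continue
        options = fields[3].split(",")
        mode = "read-only" if "ro" in options else "read/write"
        found[_norm(_unescape(fields[1]))] = mode
    return found


def check_mounts(mounts_text, expected):
    """Compare live mounts with the configured {Container Path: Permission}."""
    live = ossfs_mounts(mounts_text)
    problems = []
    for path, permission in expected.items():
        if _norm(path) not in live:
            problems.append(f"{path}: not mounted")
        elif live[_norm(path)] != permission:
            problems.append(f"{path}: configured {permission}, mounted {live[_norm(path)]}")
    return problems


if __name__ == "__main__":
    print(check_mounts(SAMPLE_MOUNTS, {"/home/admin/app/php/": "read-only"}) or "OK")
```

Inside a container, pass the contents of /proc/mounts in place of SAMPLE_MOUNTS.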
FAQ
Can I use OSS to store logs?
Use Simple Log Service (SLS) or ApsaraMQ for Kafka for persistent log storage.
Do not use OSS for persistent log storage. OSS is designed for massive file processing workloads, such as handling internet images and audio and video files, and for separating static and dynamic resources for web pages and applications.
Troubleshooting
If you encounter issues such as mount failures, a missing mount path in the container, or permission errors, follow these steps to troubleshoot.
- Verify that the configured OSS bucket exists.
  - If you deploy the application from the console, you can select only from existing OSS buckets that are in the same account and region.
  - If you deploy the application by using other methods such as an API, an SDK, the saectl tool, or a Jenkins plug-in, log on to the OSS console and verify that the specified OSS bucket name exists in the same account and region.
- Check the permissions of the RAM user that is associated with the AccessKey ID and AccessKey Secret.
  - Identify the RAM user that is associated with the AccessKey ID and AccessKey Secret.
  - Verify that the RAM user has the required permissions on the configured OSS bucket.
- Check the Bucket Policy.
  - Log on to the OSS console. On the details page of the target bucket, choose in the left-side navigation pane.
  - Check whether the Bucket Policy blocks access from SAE. Specifically, ensure that the public IP addresses of SAE for your region are added to the allowlist, as shown in the following table.
    Note: To obtain the specific public IP addresses for SAE, contact technical support in the DingTalk group (ID: 32874633).

| Region | IP address |
| --- | --- |
| cn-hangzhou | 47.99.xx.xx |
| cn-shanghai | 47.101.xx.xx |
| cn-beijing | 47.94.xx.xx |
| cn-zhangjiakou | 121.89.xx.xx |
| cn-wulanchabu | 8.130.xx.xx |
| cn-shenzhen | 39.108.xx.xx |
| cn-heyuan | 47.121.xx.xx |
| cn-guangzhou | 8.134.xx.xx |
| cn-chengdu | 47.108.xx.xx |
| cn-hongkong | 47.243.xx.xx, 8.210.xx.xx |
| ap-southeast-1 | 8.219.xx.xx |
| eu-central-1 | 8.211.xx.xx |
| us-west-1 | 47.89.xx.xx |
| us-east-1 | 47.252.xx.xx |