Object Storage Service: Log on to ossbrowser 2.0

Last Updated: Oct 01, 2025

This topic describes the logon options for ossbrowser 2.0 and explains their configuration items.

Logon account permission configuration

Before you log on, ensure that the account has the required permissions for operations in ossbrowser 2.0.

  • Alibaba Cloud account: By default, an Alibaba Cloud account has full permissions on all resources under it. No additional permissions need to be configured.

  • Resource Access Management (RAM) users: To log on and view all bucket and file lists, a RAM user must have at least the oss:ListBuckets, oss:ListObjects, and oss:GetBucketInfo permissions for all buckets.

  • Security Token Service (STS) temporary access credential: To log on and view the file list in a specific bucket, the STS temporary access credential must have at least the oss:ListObjects and oss:GetBucketInfo permissions for that bucket.

  • Authorization code: The permissions for an authorization code are configured by an Alibaba Cloud account owner or a RAM administrator, who logs on to ossbrowser 2.0 and performs the File Authorization operation.

After you log on to ossbrowser 2.0 using a RAM user or an STS temporary access credential, you must also configure the corresponding access policies to perform operations. You can configure permissions based on the functional classification of operations in the following table. For more information about how to create custom policies and grant permissions to RAM users, see Create custom policies and Grant permissions to a RAM user.

Required permissions for operations in each functional module of ossbrowser 2.0

| Functional module | Action | Description | Permission configuration suggestion |
| --- | --- | --- | --- |
| Log on to ossbrowser 2.0 | oss:ListBuckets | Lists all buckets that you own. | If you only need to access a specific bucket, the oss:ListBuckets permission is not required. However, you cannot view the bucket list. |
| Log on to ossbrowser 2.0 | oss:ListObjects | Lists information about all objects in a bucket. | To view the file list, you must configure the oss:ListObjects permission. |
| Log on to ossbrowser 2.0 | oss:GetBucketInfo | Views information about a bucket. | To access a specific bucket using a preset path, you must configure the oss:GetBucketInfo permission. If you do not have this permission, you can also manually specify the region where the bucket is located to access it. |
| Manage buckets | oss:ListBuckets | Lists all buckets that you own. | To view the bucket list, you must configure the oss:ListBuckets permission. |
| Manage buckets | oss:PutBucket | Creates a bucket. | To create a bucket, you must configure the oss:PutBucket permission. |
| Manage buckets | oss:GetBucketInfo | Views information about a bucket. | To obtain basic information about a bucket, you must configure the oss:GetBucketInfo permission. |
| Manage buckets | oss:DeleteBucket | Deletes a bucket. | To delete a bucket, configure the oss:DeleteBucket permission with caution. |
| File list | oss:ListObjects | Lists information about all objects in a bucket. | To list files, you must configure the oss:ListObjects permission. |
| Upload and download | oss:ListObjects | Lists information about all objects in a bucket. | To download a folder, you must configure the oss:ListObjects permission. |
| Upload and download | oss:GetObject | Gets an object. | To download files, you must configure the oss:GetObject permission. |
| Upload and download | oss:PutObject | Uploads a file. | To upload a file, you must configure the oss:PutObject permission. |
| Copy, move, and rename | oss:ListBuckets | Lists all buckets that you own. | When you copy and move objects across buckets, you must configure the oss:ListBuckets permission. |
| Copy, move, and rename | oss:ListObjects | Lists information about all objects in a bucket. | When you copy, move, and rename folders, you must configure the oss:ListObjects permission. |
| Copy, move, and rename | oss:GetObject | Gets an object. | You must have the oss:GetObject permission for the source bucket. |
| Copy, move, and rename | oss:PutObject | Uploads a file. | You must have the oss:PutObject permission for the destination bucket. |
| Copy, move, and rename | oss:DeleteObject | Deletes an object. | When you move and rename objects, you must have the oss:DeleteObject permission for the source bucket. Otherwise, the source files cannot be deleted. |
| Copy, move, and rename | oss:GetBucketInfo | Views information about a bucket. | After versioning is enabled for an OSS Bucket, files with the same name can only be overwritten. ossbrowser 2.0 calls GetBucketInfo to query the versioning status of the bucket. However, this permission is not required. If you do not have this permission, an error is reported. You can close the pop-up window. If versioning is enabled for the bucket, selecting the Skip or Ask policy for files with the same name has no effect, and the files can only be overwritten. |
| File deletion | oss:ListObjects | Lists information about all objects in a bucket. | To delete a folder, you must configure the oss:ListObjects permission. |
| File deletion | oss:DeleteObject | Deletes an object. | To delete a file, configure the oss:DeleteObject permission with caution. |
| Fragmentation management | oss:ListParts | Lists all parts that have been successfully uploaded for a specified Upload ID. | To view file fragments, you must configure the oss:ListParts permission. |
| Fragmentation management | oss:ListMultipartUploads | Lists all ongoing multipart upload events. These are events that have been initiated but not yet completed (Complete) or aborted (Abort). | To delete file fragments, you must configure the oss:ListMultipartUploads permission. |
| File restoration | oss:RestoreObject | Restores an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. | To restore a file, you must configure the oss:RestoreObject permission. |
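
As an added example (not part of the original documentation), the following Python script turns the permissions table above into a custom RAM policy scoped to a single bucket. The bucket name examplebucket, the module keys, and the build_policy helper are hypothetical; oss:ListBuckets and the delete actions are opt-in, following the table's notes that ListBuckets is not required for single-bucket access and that delete permissions should be configured with caution.

```python
import json

# Actions per functional module, transcribed from the permissions table above.
# oss:ListBuckets is left out here and controlled by list_all_buckets instead.
MODULE_ACTIONS = {
    "logon": ["oss:ListObjects", "oss:GetBucketInfo"],
    "manage_buckets": ["oss:PutBucket", "oss:GetBucketInfo", "oss:DeleteBucket"],
    "file_list": ["oss:ListObjects"],
    "upload_download": ["oss:ListObjects", "oss:GetObject", "oss:PutObject"],
    "copy_move_rename": ["oss:ListObjects", "oss:GetObject", "oss:PutObject",
                         "oss:DeleteObject", "oss:GetBucketInfo"],
    "file_deletion": ["oss:ListObjects", "oss:DeleteObject"],
    "fragments": ["oss:ListParts", "oss:ListMultipartUploads"],
    "restore": ["oss:RestoreObject"],
}
DESTRUCTIVE = {"oss:DeleteBucket", "oss:DeleteObject"}


def build_policy(bucket, modules, list_all_buckets=False, allow_delete=False):
    """Return a RAM policy dict scoped to one bucket for the chosen modules."""
    unknown = set(modules) - set(MODULE_ACTIONS)
    if unknown:
        raise ValueError(f"unknown modules: {sorted(unknown)}")
    actions = {a for m in modules for a in MODULE_ACTIONS[m]}
    if not allow_delete:
        actions -= DESTRUCTIVE  # delete actions need an explicit opt-in
    statements = []
    if list_all_buckets:
        # ListBuckets is account-wide, so it cannot be scoped to one bucket.
        statements.append({"Effect": "Allow", "Action": ["oss:ListBuckets"],
                           "Resource": ["acs:oss:*:*:*"]})
    if actions:
        statements.append({
            "Effect": "Allow",
            "Action": sorted(actions),
            # Bucket-level and object-level resources for the same bucket.
            "Resource": [f"acs:oss:*:*:{bucket}", f"acs:oss:*:*:{bucket}/*"],
        })
    return {"Version": "1", "Statement": statements}


if __name__ == "__main__":
    # "examplebucket" is a placeholder bucket name.
    policy = build_policy("examplebucket", ["logon", "upload_download"])
    print(json.dumps(policy, indent=2))
```

Without allow_delete=True, a policy built for copy_move_rename permits copying but not moving or renaming, because the source objects cannot be deleted.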

Procedure

  1. Select a logon method

    ossbrowser 2.0 provides four logon methods, as described in the following table.

    | Logon method | Description |
    | --- | --- |
    | Log On With AK | If you are the resource owner, or if team members need to manage OSS resources for a long time and require a persistent logon, use the AccessKey (AK) information of an Alibaba Cloud account or a RAM user to log on to ossbrowser 2.0. |
    | Log On With Account | If you are the resource owner, or if team members need to manage OSS resources for a long time and require daily security verification for logon, use one of the following methods: scan a QR code using the Alibaba Cloud app, Alipay, or DingTalk, or log on with an Alibaba Cloud account, a RAM user account, or a mobile phone verification code. Important: The account logon method does not support the File Authorization operation. To perform this operation, use another logon method. |
    | Log on with STS | If team members need to temporarily manage your OSS resources, you can call the STS service by having a RAM user assume a RAM role to obtain an STS temporary access credential. Then, other team members can use this temporary credential to log on and manage your OSS resources. |
    | Log On With Authorization Code | If team members need to temporarily or permanently manage some of your OSS resources, you can log on to ossbrowser 2.0 with an AccessKey pair, authorize the OSS resources, and generate an authorization code. Then, other team members can use this authorization code to log on and manage the OSS resources that you have authorized. |

    Select a logon method based on your scenario.

    Log On With AK

    The Log On With AK method lets you log on using the AccessKey information of an Alibaba Cloud account or a RAM user. For improved security, log on using the AccessKey information of a RAM user.

    Log on with an Alibaba Cloud account

    1. Obtain the AccessKey information.

      1. Obtain the AccessKey pair from your local computer: Use the AccessKey ID and AccessKey secret that you saved locally when you created the AccessKey pair.

      2. Create an AccessKey pair: Go to the Create AccessKey page. Click Create AccessKey and follow the on-screen instructions to create an AccessKey pair. After the AccessKey pair is created, click Download CSV File in the pop-up dialog box to save the AccessKey pair to your local machine. Then, use the new AccessKey ID and AccessKey secret to log on.

    2. Click Log On With AK. Enter the AccessKey ID and AccessKey secret to log on.

    Log on with a RAM user: Create and log on with a RAM user

    To create a RAM user, you must use an account that has permissions to manage RAM users, such as an Alibaba Cloud account. Log on to the Alibaba Cloud console and perform the following steps.

    1. Create a RAM user.

      1. Click Create User and follow the instructions in the console to create a RAM user.

        Note

        For more information about how to create a RAM user, see Create a RAM user.

      2. Click Download CSV File. This file contains the AccessKey information, which the RAM user can use to log on. Make sure to save it securely.

    2. Grant permissions to the RAM user.

      1. On the Users page, find the target user and click Permission Management > Add Permissions.

      2. In the search box, search for and add the ossbrowser 2.0 operation permissions, AliyunRAMFullAccess, and AliyunSTSAssumeRoleAccess permissions.

        Note

        For more information about how to grant permissions to RAM users and create custom policies, see Grant permissions to a RAM user and Create custom policies.

    3. Click Log On With AK. Enter the AccessKey ID and AccessKey secret from the CSV file.

    Log on with a RAM user: Log on with an existing RAM user

    1. Obtain the AccessKey information.

      1. Obtain the AccessKey pair from your local computer: Use the AccessKey ID and AccessKey secret that you saved locally when you created the AccessKey pair.

      2. Create an AccessKey pair: If you have forgotten your AccessKey pair, log on to the Alibaba Cloud console using the target RAM user account. Go to the Users page and click the target RAM user. On the user details page, click Create AccessKey and follow the on-screen instructions to create an AccessKey pair. After the AccessKey pair is created, click Download CSV File in the dialog box that appears to save the AccessKey pair to your local machine. Then, use the new AccessKey ID and AccessKey secret to log on.

    2. Confirm OSS authorization.

      1. Go to the Users page. Select the target user and click Permission Management to check whether the user has permissions to manage Object Storage Service (OSS) resources. For example, the AliyunOSSFullAccess permission grants full access to OSS.

      2. If the user does not have permissions to manage OSS resources, go to the Permission Management page for that user and click Add Permissions. In the search box, search for and add the AliyunOSSFullAccess, AliyunRAMFullAccess, and AliyunSTSAssumeRoleAccess permissions.

        Note

        For more information about how to grant permissions to RAM users and create custom policies, see Grant permissions to a RAM user and Create custom policies.

    3. Click Log On With AK. Enter the RAM user's AccessKey ID and AccessKey secret.

    Log on with Account

    1. Click the Log On With Account button.

    2. Go to the Alibaba Cloud Logon Page. Switch to full screen mode. In the upper-right corner, switch to the international site (alibabacloud.com) and select a logon method.

    Log on with STS

    Important

    The STS Token text box is displayed only if the value in the AccessKeyID text box matches the STS.***** format.

    1. Obtain an STS temporary access credential. For more information, see Use an STS temporary access credential to access OSS.

    2. Click Log On With AK. Enter the AccessKey ID, AccessKey secret, and SecurityToken from the temporary access credential.

    Log on with Authorization Code

    1. Obtain an authorization code. For more information, see File Authorization.

    2. Click Log On With Authorization Code and enter the authorization code.

  2. Configure the Endpoint

    Important

    Note that you cannot use an accelerated domain name to log on to ossbrowser 2.0.

    | Endpoint | Description |
    | --- | --- |
    | Public endpoint | This applies to scenarios where you use ossbrowser 2.0 on your local machine. In this case, select Public Endpoint. |
    | Internal same-region endpoint | This is used in an Alibaba Cloud internal network environment, for example, when ossbrowser 2.0 is installed on an ECS virtual machine. In this case, select Internal Same-region Endpoint. The ECS virtual machine and the destination bucket must be in the same region. For more information about how to create an ECS virtual machine, see Create an ECS instance. |
    | Specified domain name | Note: After you log on to the ossbrowser client using a specified domain name, you cannot switch to other buckets. This applies to scenarios where you log on with a specified domain name. For example, after you enable the transfer acceleration service, you can enter the Transfer Acceleration Endpoint. For more information about how to enable the transfer acceleration service and obtain a transfer acceleration endpoint, see Enable transfer acceleration. |
    | Custom domain name | This applies to scenarios where you access OSS resources through a custom domain name. You must enter the custom domain name that is attached to OSS. For more information about how to attach a custom domain name, see Attach a custom domain name. |
    | PrivateLink | Note: When you log on to the ossbrowser client using PrivateLink, you must specify the destination bucket in the preset OSS path in advance. During the client runtime, you cannot switch to other buckets. This is used in an Alibaba Cloud internal network environment, for example, when you have a target ECS virtual machine and need to establish a more secure and stable private connection. Make sure that the ECS virtual machine and the endpoint are in the same virtual private cloud (VPC), and that the ECS virtual machine and the destination bucket are in the same region. Enter the Endpoint Service Domain Name. For more information about how to create an ECS virtual machine, create an endpoint, and obtain an endpoint service domain name, see Create an ECS instance and Create an endpoint. |
    | CloudBox | Note: After you log on to ossbrowser 2.0 using a CloudBox endpoint, the File Authorization operation is not supported. This applies to scenarios where you access a CloudBox environment. You must enter the data endpoint of the CloudBox to log on to ossbrowser 2.0. |

  3. Configure the preset OSS path

    If you have permissions on only some resources in a bucket, you must specify the OSS resource path. Examples are as follows:

    1. Access the entire bucket, for example, to access all files in bucketname.

    2. Access a specific folder in a bucket, for example, to access the folder directory in bucketname.

    3. Access a specific file in a bucket, for example, to access the file file in the folder directory of bucketname.

  4. Configure the Bucket Region

    Important

    To access a specific bucket, first configure the preset OSS path, and then configure the bucket region.

    | Endpoint type | Configuration method |
    | --- | --- |
    | Public Endpoint, Internal Same-region Endpoint | In the upper-right corner of the logon page, click Advanced Settings > Default Region and select the destination bucket region. |
    | Specified Domain Name, Custom Domain Name, PrivateLink | In the expanded Default Region drop-down list, select the destination bucket region. |

  5. Verify the result

    After you log on, the interface appears as shown in the following figure. To quickly familiarize yourself with and use ossbrowser 2.0, see Common operations.

More configurations

| Parameter | Description |
| --- | --- |
| Pay-by-requester Mode | If the bucket you are authorized to access has the pay-by-requester mode enabled and you are not the bucket owner, select Pay-by-requester Mode. In the upper-right corner of the logon page, click Advanced Settings. On the Advanced Settings page, enable Pay-by-requester Mode. Important: If the bucket you are authorized to access has the pay-by-requester mode enabled, but you are not the bucket owner and have not selected Pay-by-requester Mode, an AccessDenied error is reported when you try to access the specified resource at the preset OSS path. After you select Pay-by-requester Mode, you can access the specified resource at the preset OSS path. You will be charged for the traffic, requests, and other fees generated from accessing the bucket. For more information about the pay-by-requester mode, see Pay by requester. |
| Keep Me Logged In | If you select Keep Me Logged In, ossbrowser 2.0 will keep you logged in. The next time you open it, you will be logged in automatically. |
| Save Session | If you select Save Session, the AccessKey pair is saved. The next time you log on, you can click AK History and select a saved key to log on directly. Warning: To avoid unnecessary security risks, do not select this option on a computer that you are using temporarily. |