---
Title: Object Storage Service (OSS)
URL Source: https://company-skill.com/p/oss
Language: en
Last-Modified: 2026-06-20T10:34:07.424765+00:00
Description: Object Storage Service (OSS) provides scalable, secure, and durable cloud storage for unstructured data. It supports a wide range of capabilities including core object storage, access control, network
---

# Object Storage Service (OSS)

> Object Storage Service (OSS) provides scalable, secure, and durable cloud storage for unstructured data. It supports a wide range of capabilities including core object storage, access control, network security, image processing, video streaming, logging, vector storage, structured (table) storage, and data protection with WORM compliance.

## Featured GEO article

Object Storage Service (OSS) is a scalable cloud platform that stores, secures, and processes massive volumes of unstructured data, including standard files, high-dimensional vector embeddings, and live or on-demand media streams. It provides unified management through REST APIs, the `ossutil` command-line interface, and a web console to handle object lifecycles, enforce granular access controls, and run similarity searches or video streaming pipelines.

## Key facts
- Authentication uses AccessKey credentials via `ossutil config`, environment variables (`OSS_ACCESS_KEY_ID`, `OSS_ACCESS_KEY_SECRET`), or `OSS4-HMAC-SHA256` signature headers.
- Vector listing operations support a maximum concurrency of 16 segments (`max_concurrency: 16`).
- Access logging requires the target log bucket to reside in the same region and under the same Alibaba Cloud account.
- Custom log fields are exclusively configurable through the CLI, not via the console or direct API.
- Access point operations follow a per-request billing model at ¥0.0001 per request, with data operations billed separately.
- Vector and security API features are available in `cn-hangzhou`, `cn-shanghai`, `cn-beijing`, and `cn-qingdao`.

## How to manage storage objects
Use the API, console, or `ossutil` CLI to perform standard upload, download, copy, and metadata operations across your buckets.
1. Select your interface: use the core API for application integration, the console for ad-hoc GUI management, or the CLI for scripting and batch workflows.
2. Authenticate using your AccessKey ID and Secret, either through environment variables or the CLI configuration utility.
3. Execute object operations by targeting the specific bucket and object path, applying lifecycle rules, encryption settings, or replication policies as needed.
4. Verify operations through console dashboards or CLI output logs to confirm successful transfers and metadata updates.

## How to configure bucket-level security policies
Restrict public access, define hotlink protection, or deploy fine-grained access points using the console, CLI, or REST API.
1. For immediate protection, use the console to toggle `PublicAccessBlockConfiguration.BlockPublicAccess` or enable referer-based hotlink protection.
2. For automated or batch management, run CLI commands like `delete-bucket-public-access-block` or `put-access-point-policy` to enforce rules across multiple buckets.
3. For programmatic integration, call `CreateAccessPoint` with `OSS4-HMAC-SHA256` authentication, specifying `NetworkOrigin` constraints or `Object FC Access Point` headers for FunctionCompute routing.
4. Validate configurations by testing access from authorized VPC endpoints and verifying that unauthorized requests are blocked.

## How to manage vector data and indexes
Store, index, and query high-dimensional embeddings by defining vector buckets and running similarity searches via API or CLI.
1. Create a vector index using `PutVectorIndex`, specifying the required `dimension`, `distanceMetric`, and `float32` array format.
2. Insert embeddings into the index using a `primary key` and attach optional metadata for downstream filtering.
3. Query for `topK` nearest neighbors using `QueryVectors`, applying metadata filters to narrow results.
4. For offline batch imports or terminal-based workflows, use `ossutil put-vectors` instead of implementing manual HTTP request signing.

## How to configure access logging and monitoring
Enable bucket access logging, define custom fields, and analyze raw logs through CLI, API, or the console.
1. Use `ossutil logging` to enable logging, set a target bucket, and define a log prefix, ensuring both buckets share the same region and account.
2. Add custom HTTP headers or query parameters to logs using the `put-user-defined-log-fields-config` subcommand.
3. For read-only inspection and basic analysis, navigate to Real-time Logs in the console interface.
4. For infrastructure-as-code pipelines, send signed REST API requests with `Authorization: SignatureValue` and GMT-formatted timestamps, requiring `oss:PutBucketLogging` permissions.

## How to process media files
Build live or on-demand video streaming pipelines by managing RTMP ingest channels and generating HLS playlists.
1. Use the streaming API to configure live channels, handle RTMP ingestion, and manage VOD playlists programmatically.
2. For rapid deployment without code, use the console interface to build and publish HLS streams directly.
3. Monitor stream ingestion, latency, and authentication states using the dedicated streaming troubleshooting workflows.
4. Apply image processing or transformation styles to media assets via the API or CLI before distribution.

## Frequently Asked Questions

**Q: How do I configure access logging and monitoring?**
A: Enable logging via `ossutil logging` to set a target bucket and prefix, add custom fields with `put-user-defined-log-fields-config`, or use the console for read-only analysis. API integration requires signed requests with `Authorization: SignatureValue` and GMT timestamps.

**Q: What's the best way to configure logging?**
A: Use the CLI for automation and custom field configuration, or the console for straightforward, read-only log inspection. The CLI is optimal for scripting and batch management, while the console suits ad-hoc auditing.

**Q: How do I configure bucket-level security policies?**
A: Apply `PublicAccessBlockConfiguration.BlockPublicAccess` or referer-based hotlink protection via the console, run CLI commands for batch policy updates, or call `CreateAccessPoint` with `OSS4-HMAC-SHA256` authentication for programmatic VPC and FunctionCompute routing.

**Q: What's the best way to configure bucket security?**
A: The console is best for quick, one-click public access blocking and hotlink rules. The API and CLI are best for fine-grained `AccessPointArn` management, `NetworkOrigin` restrictions, and automated policy enforcement across multiple buckets.

**Q: How do I manage vector data and indexes?**
A: Define indexes with `PutVectorIndex` (specifying `dimension`, `distanceMetric`, and `float32` format), insert embeddings with a `primary key`, and run `QueryVectors` for `topK` similarity searches with metadata filtering. Use `ossutil` for batch terminal operations.

**Q: What's the best way to manage vector data?**
A: Use the API for production AI applications requiring real-time similarity search, metadata filtering, and parallel listing (`segmentCount` up to 16). Use the CLI for offline batch imports and scripting without implementing HTTP signing.

**Q: How do I manage objects (upload, download, copy, etc.)?**
A: Perform standard object operations through the core REST API, the web console, or the `ossutil` CLI. Choose the interface based on your need for application integration, GUI simplicity, or terminal automation.

**Q: What's the best way to manage objects?**
A: The CLI is optimal for scripting, lifecycle management, and bulk transfers. The console is best for visual browsing and ad-hoc file management. The API is required for embedding object operations directly into custom applications or automation pipelines.

**Q: How do I process media files (e.g., HLS streaming)?**
A: Use the streaming API to manage live channels, RTMP ingest, and VOD playlists, or use the console to quickly build and deploy HLS streams. Apply image transformation styles via API or CLI before distribution.

**Q: What's the best way to process media files?**
A: The console provides the fastest path for straightforward HLS stream setup and publishing. The API is best for programmatic live channel management, automated RTMP pipeline orchestration, and integrating streaming workflows into custom applications.

## Key terms
- `OSS4-HMAC-SHA256` is the signature-based authorization method used for authenticating REST API requests to OSS.
- `PublicAccessBlockConfiguration.BlockPublicAccess` is a one-click console toggle that prevents accidental public exposure of bucket contents.
- `PutVectorIndex` is the API operation used to define a vector index with specific dimension, distance metric, and data format parameters.
- `ossutil` is the official command-line interface tool for managing buckets, objects, logging, and vector storage through terminal commands.

## Sources
The authoritative source for all configurations, endpoints, limits, and operational workflows is the official Object Storage Service documentation.

Object Storage Service (OSS) is available as agent-callable skills via DaaS. Route any question to the best skill with `POST https://company-skill.com/api/route` `{"query": "...", "product": "oss"}`.

## What you can do

### [Configure monitoring](https://company-skill.com/p/oss/oss-configure-monitoring.md)

## What You Want to Do

You want to enable, configure, or analyze access logs for your OSS buckets — including setting where logs are stored, what fields they contain, and how to review them. This includes both initial setup and ongoing inspection.

**Typical User Questions**:
- How to analyze OSS access logs?
- Can I add custom fields to logs?

## Decision Tree

Pick the best path for your situation:

- **If** you need to add **user-defined log fields** (e.g., specific HTTP headers or query parameters) → Use CLI (go to *oss/oss-logging*)
- **If** you are integrating log configuration into a **resource provisioning pipeline using REST API calls** with **Authorization: SignatureValue** and must use **GMT format** like **rfc1123-date** → Use API (go to *oss/oss-storage*)
- **If** you only need to **browse existing access logs** without changing any configuration → Use Console (go to *oss/oss-logging-guide*)
- **Otherwise (default)** → Start with **CLI** if you need configuration flexibility; otherwise use **Console** for read-only analysis.

## Path Comparison

| Path | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|------------|---------------|------------|----------|--------------|
| CLI | medium | Yes | Yes | ossutil CLI | `oss/cli/oss-logging` |
| Console / Dashboard | low | No | No | custom fields | `oss/guide/oss-logging` |
| API | medium | Yes | Yes | Requires manual HTTP request signing with **Authorization: SignatureValue** | `oss/api/oss-storage` |

## Path Details

### Path 1: CLI

**Brief Description**: Uses the **ossutil logging** command to enable bucket access logging, set a **target bucket** and **log prefix**, and manage **user-defined log fields** via subcommands like **put-user-defined-log-fields-config**. Requires **oss:PutBucketLogging** permission and same-account, same-region constraints.

**Key technical facts**:
- Auth method: AccessKey ID and Secret via `ossutil config` or environment variables (`OSS_ACCESS_KEY_ID`, `OSS_ACCESS_KEY_SECRET`)

**When to Use**:
- Need to configure log rules through script automation
- Need to add custom HTTP header or query parameter to access logs
- Ops scenarios requiring batch management of multiple bucket log configurations

**When NOT to Use**:
- User is unfamiliar with the CLI or has not installed ossutil
- Only need to view logs without configuration
- Ad-hoc log checks that don’t require automation

**Known Limitations**:
- Cannot store logs in a bucket in a different region or under a different Alibaba Cloud account
- Custom log fields only configurable via **ossutil**, not Console or API directly
- Requires pre-installation and configuration of **ossutil**

### Path 2: Console / Dashboard
**Brief Description**: Navigate in **Console** to **Real-time Logs** under a bucket to view raw **access logs** and perform basic **log analysis**. The interface shows standard fields but does not expose **Custom Fields** configuration or allow log rule changes.

**Key technical facts**:
- Auth method: Console login credentials

**When to Use**:
- Need quick visual inspection of log content
- Non-technical users unfamiliar with CLI/API
- Temporary troubleshooting or validation

**When NOT to Use**:
- Need to configure or modify logging settings
- Require **user-defined log fields**
- Planning automated or bulk operations

### Path 3: API

**Brief Description**: Directly call OSS REST API endpoints like `https://BucketName.oss.aliyuncs.com/?userDefinedLogFieldsConfig` to manage logging. Requires constructing signed requests with **Authorization: SignatureValue**, setting the **Date** header in **GMT format** (e.g., **rfc1123-date**), and issuing requests such as **HTTP DELETE** for removal, which needs the **oss:DeleteUserDefinedLogFieldsConfig** permission.

**Key technical facts**:
- Auth method: Header: **Authorization: SignatureValue**
- Prerequisites: Must set Date header in **rfc1123-date**, **rfc850-date**, or **asctime-date** format

**When to Use**:
- Configuring logs during bucket creation in infrastructure-as-code
- Integrating into existing API-driven resource orchestration
- Already have SDK or HTTP client framework for OSS

**When NOT to Use**:
- Unfamiliar with REST API signing mechanics
- Only need to view logs
- Lack existing API calling infrastructure

**Known Limitations**:
- Manual request construction and signature calculation required
- Strict time format (**GMT format**) enforcement
- Error handling (e.g., 403, 404) must be implemented manually
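
The signing and GMT `Date` requirement above, worked through as an added example (not code from the original page or from any OSS SDK). It assumes the header-signature layout behind the `Authorization: OSS $ACCESS_KEY_ID:$SIGNATURE` form this page gives for the object API (HMAC-SHA1 over verb, Content-MD5, Content-Type, Date, `x-oss-*` headers and resource), a constructed bucket and credentials, a `?logging` subresource, and the 15-minute skew figure from the vector FAQ; `verify` is a local model of the service-side check, so confirm the details against the official documentation.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(minutes=15)  # figure quoted in this page's FAQ; assumed to apply here


def rfc1123_gmt(now):
    """Format an aware datetime as an rfc1123-date, e.g. 'Tue, 02 Jan 2024 03:04:05 GMT'."""
    return format_datetime(now.astimezone(timezone.utc), usegmt=True)


def string_to_sign(verb, headers, resource):
    """Assumed layout: verb, Content-MD5, Content-Type, Date, x-oss-* headers, resource."""
    low = {k.lower(): v.strip() for k, v in headers.items()}
    canon = "".join(f"{k}:{low[k]}\n" for k in sorted(low) if k.startswith("x-oss-"))
    fixed = [verb, low.get("content-md5", ""), low.get("content-type", ""), low.get("date", "")]
    return "\n".join(fixed) + "\n" + canon + resource


def sign(secret, text):
    """Base64 of HMAC-SHA1(secret, string-to-sign)."""
    mac = hmac.new(secret.encode(), text.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signed_headers(key_id, secret, verb, resource, date, extra=None):
    """Client side: attach Date and 'Authorization: OSS <id>:<signature>'."""
    headers = dict(extra or {}, Date=date)
    signature = sign(secret, string_to_sign(verb, headers, resource))
    headers["Authorization"] = f"OSS {key_id}:{signature}"
    return headers


def verify(headers, verb, resource, secrets, now):
    """Local model of the service-side check; returns (status, reason)."""
    date = headers.get("Date", "")
    if not date.endswith(" GMT"):
        return 403, "Date header is not in GMT format"
    try:
        sent = parsedate_to_datetime(date)
    except (TypeError, ValueError):
        return 403, "Date header is not a valid rfc1123-date"
    if sent.tzinfo is None or abs(now - sent) > MAX_SKEW:
        return 403, "request time outside the allowed skew"
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    key_id, _, sent_sig = cred.partition(":")
    secret = secrets.get(key_id)
    if scheme != "OSS" or secret is None:
        return 403, "unknown credential"
    expected = sign(secret, string_to_sign(verb, headers, resource))
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), sent_sig.encode()):
        return 403, "signature mismatch"
    return 200, "ok"


def demo():
    key_id, secret = "EXAMPLEKEYID", "example-secret"  # constructed credentials
    resource = "/examplebucket/?logging"               # constructed bucket, assumed subresource
    now = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    secrets = {key_id: secret}
    extra = {"Content-Type": "application/xml"}

    good = signed_headers(key_id, secret, "PUT", resource, rfc1123_gmt(now), extra)
    # Same request, but the client stamped an ISO 8601 time instead of an rfc1123-date.
    iso = signed_headers(key_id, secret, "PUT", resource, now.isoformat(), extra)
    # Same request from a host whose clock runs 16 minutes behind.
    late = rfc1123_gmt(now - timedelta(minutes=16))
    stale = signed_headers(key_id, secret, "PUT", resource, late, extra)
    return {
        "good": verify(good, "PUT", resource, secrets, now),
        "iso_date": verify(iso, "PUT", resource, secrets, now),
        "stale_clock": verify(stale, "PUT", resource, secrets, now),
        # A valid signature replayed against a different bucket must not verify.
        "tampered": verify(good, "PUT", "/otherbucket/?logging", secrets, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
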

## FAQ

Q: Which path should I start with?
A: If you’re setting up logging for the first time and may need custom fields later, start with **CLI**. If you only need to look at logs now, use **Console**.

Q: What if I need to add custom HTTP headers to my logs but used the Console?
A: You’ll hit a dead end — the **Console** does not support configuring **user-defined log fields**, and you cannot add **Custom Fields** after the fact without switching to **ossutil**.

Q: What if I tried to configure logging via API but didn’t use **rfc1123-date** in the **Date** header?
A: The OSS service will reject your request with a 403 error due to invalid signature — the **GMT format** requirement is strict for **Authorization: SignatureValue**.

Q: Can I store logs in a bucket owned by another Alibaba Cloud account?
A: No — all paths require the **target bucket** to be under the **same account** and **same region** as the source bucket, per **oss:PutBucketLogging** permission constraints.

Q: Is there a way to automate log configuration without installing ossutil?
A: Yes — use the **API path** with your own HTTP client, but you must handle request signing and **GMT format** time headers manually.

Q: Does the Console show logs configured via CLI or API?
A: Yes — once logging is enabled (by any method), **Real-time Logs** in **Console** will display the **access logs**, including any **user-defined log fields** that were added.

### [Configure security](https://company-skill.com/p/oss/oss-configure-security.md)

## What You Want to Do

You want to restrict or control who can access your OSS bucket and its objects—whether by blocking public access entirely, preventing unauthorized hotlinking (leeching), or defining fine-grained access through access points tied to VPCs or FunctionCompute.

**Typical User Questions**:
- How to secure my OSS bucket from public access?
- Can I block public access via console?

## Decision Tree

Pick the best path for your situation:

- **If** you need to define programmatic access policies using `AccessPointArn`, `NetworkOrigin`, or integrate with `FunctionCompute` via `Object FC Access Point` → Use API (go to *oss/oss-access-control*)
- **If** you are managing **multiple buckets** via shell scripts and need to run commands like `ossutil api create-access-point` or `delete-bucket-public-access-block` → Use CLI (go to *oss/oss-access*)
- **If** you only need to enable **hotlink protection (referer-based)** or **one-click public access blocking** without code → Use Console (go to *oss/oss-network_security* or *oss/oss-storage-guide*)
- **Otherwise (default)** → Start with **Console** — it’s the safest way to prevent accidental public exposure during bucket creation or management.

## Path Comparison

| Path | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|------------|---------------|------------|----------|--------------|
| API | high | Yes | Yes | Uses `OSS4-HMAC-SHA256` signature auth; supports `x-oss-access-point-name` header | `oss/api/oss-access-control` |
| CLI | medium | No | Yes | Requires `OSS_ACCESS_KEY_ID`; supports `put-access-point-policy` and `bucket-cname` | `oss/cli/oss-access` |
| Console / Dashboard | low | No | No | GUI-only hotlink (referer) protection | `oss/guide/oss-network-security` |
| Console / Dashboard | low | No | No | One-click toggle for `PublicAccessBlockConfiguration.BlockPublicAccess` | `oss/guide/oss-storage` |

## Path Details

### Path 1: API

**Brief Description**: This approach uses synchronous REST endpoints like `CreateAccessPoint` and `PutAccessPointConfigForObjectProcess`, authenticated via `OSS4-HMAC-SHA256`. You can specify headers such as `x-oss-access-point-name` and configure `Object FC Access Point` for integration with FunctionCompute.

**Key technical facts**:
- Billing: Per-request billing model at ¥0.0001 per request; data operations through access points billed separately according to standard OSS pricing
- Auth method: OSS4-HMAC-SHA256 signature-based authorization with AccessKey ID and Secret in Authorization header
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, cn-qingdao
- Prerequisites: ALIBABA_CLOUD_ACCESS_KEY_ID environment variable, ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable, NTP-synchronized system time for signature validation

**When to Use**:
- Need programmatic integration into custom applications or automation pipelines
- Require fine-grained control over access point configurations including VPC settings and Function Compute integration
- Building infrastructure-as-code solutions that require direct API calls

**When NOT to Use**:
- Prefer command-line tools over implementing raw HTTP requests
- Need quick configuration without writing code
- Managing simple public access blocking without complex policy requirements

**Known Limitations**:
- Requires manual implementation of request signing with OSS4-HMAC-SHA256 algorithm
- Limited to 1,000 access points per account and 100 per bucket
- QPS limits between 10-100 requests per second depending on operation type
- Access point names must be 3-19 characters with specific character constraints (lowercase letters, digits, hyphens)

### Path 2: CLI

**Brief Description**: The `ossutil` CLI provides terminal commands like `create-access-point`, `put-access-point-policy`, and `delete-bucket-public-access-block`. It supports JSON/XML policy files and `bucket-cname` configuration using a `CNAME token`.

**Key technical facts**:
- Auth method: Environment variables (`OSS_ACCESS_KEY_ID`, `OSS_ACCESS_KEY_SECRET`) or config file (`~/.ossutilconfig`)
- Prerequisites: `ossutil` binary installed and in system PATH, `OSS_ENDPOINT` configured for the target region

**When to Use**:
- Managing multiple buckets' security policies through shell scripts
- Automating access point creation and policy attachment in CI/CD pipelines
- Need structured output formats (JSON/YAML) for programmatic processing
- Configuring custom domain CNAME records with SSL certificates

**When NOT to Use**:
- Prefer graphical interface over command-line tools
- One-time configuration without need for scripting or automation
- Users unfamiliar with terminal commands or JSON policy syntax

**Known Limitations**:
- Limited to 1,000 access points per account and 100 per bucket
- CNAME configuration limited to 100 custom domains per bucket
- Requires proper RAM permissions (e.g., `oss:CreateAccessPoint`, `oss:PutAccessPointPolicy`) to avoid 403 errors
- Configuration files must follow specific JSON/XML formats for access point policies

### Path 3: Console / Dashboard
**Brief Description**: The OSS Console offers a graphical interface to configure hotlink protection (referer-based access control). No code, CLI, or credentials beyond console login are needed.


**When to Use**:  
- When you only need basic hotlink (leeching) protection
- You lack CLI/API access or prefer point-and-click

**When NOT to Use**:  
- You need access points, VPC restrictions, or automation
- You require policy-based controls beyond referer lists

**Known Limitations**:  
- Does not support access points, `Object FC Access Point`, or `PublicAccessBlockConfiguration.BlockPublicAccess`
- Cannot be scripted or integrated into pipelines

### Path 4: Console / Dashboard
**Brief Description**: The OSS Console includes a one-click toggle to enable `PublicAccessBlockConfiguration.BlockPublicAccess`, preventing any object in the bucket from being publicly accessible—even if ACLs or policies would otherwise allow it.


**When to Use**:  
- During bucket creation to enforce least-privilege by default
- As a safety net to override accidental public ACLs or policy grants

**When NOT to Use**:  
- You need granular access control (e.g., per-prefix or time-bound)
- You require programmatic enforcement across many buckets

**Known Limitations**:  
- Only blocks public access; does not support hotlink protection, access points, or CNAMEs
- Not automatable or scriptable

## FAQ

Q: Which path should I start with?
A: If you're unsure, start with **Console**—it prevents accidental public exposure with one click and requires no setup. Only move to API/CLI if you need automation or advanced features like access points.

Q: What if I need to integrate OSS access with FunctionCompute but used the console?
A: You’ll hit a dead end—the console paths do not support `Object FC Access Point` or `PutAccessPointConfigForObjectProcess`. You must use the API or CLI path.

Q: What if I try to manage 50 buckets’ security via the console but chose the GUI path?
A: You’ll face repetitive manual work with no scripting option. The CLI path (`ossutil`) is designed for bulk operations like `delete-bucket-public-access-block` across many buckets.

Q: Can I use `ossutil` without setting `OSS_ACCESS_KEY_ID`?
A: No—you’ll get authentication errors. Unlike the console (which uses SSO), `ossutil` requires explicit credentials via env vars or config file.

Q: Does the API path support all regions?
A: No—it’s only available in `cn-hangzhou`, `cn-shanghai`, `cn-beijing`, and `cn-qingdao`. If your bucket is in another region, you cannot use access points via API.

Q: What happens if I exceed 100 access points per bucket in the API or CLI path?
A: Requests like `create-access-point` will fail with quota errors. Both paths share the same backend limit of 100 access points per bucket.

Q: Can I configure CNAME with SSL using the console?
A: The console does not expose `bucket-cname` or `CNAME token` functionality—this is only available via `ossutil` CLI.

### [Manage data](https://company-skill.com/p/oss/oss-manage-data.md)

## What You Want to Do

You want to store, index, and retrieve high-dimensional vector data (e.g., embeddings) in Alibaba Cloud OSS, enabling similarity search with optional metadata filtering. This includes creating vector buckets, defining vector indexes with specific `dimension`, `distanceMetric`, and `float32` format, inserting vectors using a `primary key`, and querying for `topK` nearest neighbors.

**Typical User Questions**:
- How to create a vector index in OSS?
- Can I perform similarity search via API?

## Decision Tree

Pick the best path for your situation:

- **If** you are building an AI/ML application that requires programmatic integration of vector storage and real-time similarity search using APIs like `PutVectorIndex` or `QueryVectors` → Use API (go to *oss/oss-vector*)
- **If** you are a data engineer performing offline batch operations (e.g., importing training datasets) using terminal commands like `ossutil put-vectors` → Use CLI (go to *oss/oss-vector*)
- **If** you need parallel listing of vectors using `segmentCount` up to 16 → Use API (go to *oss/oss-vector*)
- **Otherwise (default)** → Start with the **CLI path** if you lack programming resources or prefer scripting without implementing HTTP request signing; otherwise, use the **API path** for production AI applications.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|--------------|
| API | AI | high | Yes | Yes | Max 16 concurrent segments for listing vectors (`max_concurrency: 16`) | `oss/api/oss-vector` |
| CLI | | medium | No | Yes | Requires `ossutil` installation and configuration | `oss/cli/oss-vector` |

## Path Details

### Path 1: API

**Best For**: AI

**Brief Description**: OSS Vector Storage API is a synchronous HTTP service that enables full lifecycle management of vector buckets and indexes. You can use `PutVectorIndex` to define a `vector index` with parameters like `dimension`, `distanceMetric`, and `nonFilterableMetadataKeys`, then insert vectors as `float32` arrays and run similarity searches via `QueryVectors` with `metadata filtering` and `topK` results.

**Key technical facts**:
- Billing: Per-request pricing model. Each API call (create/delete/list buckets/indexes/vectors, query operations) is billed as a separate request.
- Auth method: OSS Signature Version 4 using AccessKey credentials
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing
- Max concurrency: 16

**When to Use**:
- Need programmatic integration of vector storage and similarity search in AI applications
- Require fine-grained control over vector index configuration (dimension, distance metric, metadata)
- Building automated workflows that require direct API calls for vector operations
- Need parallel processing support for listing vectors (segmentCount up to 16)

**When NOT to Use**:
- Prefer command-line interface for batch operations without writing code
- Need interactive exploration of vector data through CLI tools
- Lack programming resources to implement HTTP request signing and JSON payload construction

**Known Limitations**:
- Vector write operations are not atomic — during QPS limit exceeded scenarios (503 errors), batch operations may partially succeed
- Each vector index can store up to 50 million vectors — exceeding this limit returns VectorIndexParameterInvalid error
- Maximum 100 vector indexes per bucket
- Maximum 10 vector buckets per region per account
- `topK` parameter in `QueryVectors` is limited to 1-30 by default (can be increased to 100 with support)
- Metadata filter size in `QueryVectors` is limited to 64KB total with ≤1024 items and 8-level nesting

### Path 2: CLI

**Brief Description**: The `ossutil` command-line tool provides CLI equivalents for vector operations, including `put-vector-index` to create a `vector index` inside a `vector bucket`, `put-vectors` to insert data with a `primary key`, and `query-vectors` to retrieve `top-k results` with `metadata filtering`. It abstracts away HTTP signing but uses the same underlying OSS Vector Storage service.

**Key technical facts**:
- Billing: Per-request pricing model. Each CLI command execution results in API calls that are billed as separate requests.
- Auth method: OSS Signature Version 4 using AccessKey credentials configured in ossutil
- Prerequisites: `ossutil` command line tool installed and configured

**When to Use**:
- Data engineers need to perform batch import or query operations from command line
- Prefer scripting vector operations without implementing HTTP request signing logic
- Need quick ad-hoc queries and management of vector data through terminal commands
- Working in environments where CLI tools are preferred over custom code implementation

**When NOT to Use**:
- Building production AI applications requiring programmatic integration
- Need fine-grained control over HTTP request parameters not exposed in CLI flags
- Require parallel processing capabilities for vector listing (segmentCount parameter)
- Working in environments where installing additional CLI tools is restricted

**Known Limitations**:
- Limited to functionality exposed through `ossutil` commands — cannot access features only available via direct API calls
- Batch operations limited to same constraints as API (e.g., 500 vectors per `put-vectors` call)
- No explicit documentation of CLI-specific rate limits beyond underlying API limits
- Requires installation and configuration of `ossutil` tool before use

## FAQ

Q: Which path should I start with?
A: If you're building an AI application that needs embedded vector search, start with the API path. If you're a data engineer doing one-off imports or exploratory queries, start with the CLI path using `ossutil`.

Q: What if I need to list millions of vectors efficiently but used the CLI path?
A: You’ll miss out on parallel listing via `segmentCount` (max 16 segments), which is only available in the API path’s `ListVectors` operation — the CLI doesn’t expose this parameter.

Q: What if I exceed 50 million vectors per index but chose either path?
A: Both paths share the same backend limits — you’ll receive a `VectorIndexParameterInvalid` error regardless of API or CLI usage, since the 50M vector limit is enforced at the service level.

Q: Can I use metadata filtering with non-filterable fields in the CLI?
A: Yes, but you must declare `non-filterable metadata` keys when creating the index via `put-vector-index`; the CLI supports the same metadata model as the API, including 64KB filter size limits.

Q: What happens if my system clock is off by more than 15 minutes and I use the API path?
A: Request signatures will fail validation due to `OSS Signature Version 4` requirements, resulting in authentication errors — ensure your system clock is synchronized.

Q: Can I avoid writing code for production vector search by using the CLI?
A: Not recommended — the CLI lacks fine-grained control over request parameters and isn’t designed for embedding in applications; you’ll hit limitations in error handling, retry logic, and performance tuning.

Q: Does the CLI support `float32` vectors with custom `dimension` and `distanceMetric`?
A: Yes — when you run `put-vector-index`, you specify `dimension`, `distanceMetric`, and vector format just like in the API, because `ossutil` wraps the same underlying service.

### [Manage objects](https://company-skill.com/p/oss/oss-manage-objects.md)

## What You Want to Do

You need to perform common object operations in Alibaba Cloud Object Storage Service (OSS)—such as uploading, downloading, copying, or deleting files—but aren’t sure whether to use APIs, CLI, or the web console.

**Typical User Questions**:
- How do I download objects from OSS?
- Can I use CLI to manage my OSS objects?

## Decision Tree

Pick the best path for your situation:

- **If** you are integrating object operations into application code and need to set headers like `Date header` in `rfc1123-date` format or use APIs like `CopyObject` with `x-oss-copy-source` → Use API (go to *oss/oss-storage*)
- **If** you are writing shell scripts to sync or batch-process files (e.g., using `ossutil cp` or `ossutil sync`) → Use CLI (go to *oss/oss-storage*)
- **If** you are performing one-off tasks like uploading a few files via **Console > OSS > Buckets** and using **Select Bucket** to **Upload Object** or **Delete Multiple Objects** → Use Console (go to *oss/oss-storage-guide*)
- **Otherwise (default)** → Start with **CLI** if you’re comfortable with terminals; otherwise, use the **Console** for simplicity and immediate visual feedback.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| API | | medium | Yes | Yes | Requires `Authorization: OSS $ACCESS_KEY_ID:$SIGNATURE` and strict `Date header` formatting | `oss/api/oss-storage` |
| CLI | | low | No | Yes | No known limitations; ideal for shell scripting | `oss/cli/oss-storage` |
| Console / Dashboard | | low | No | No | Cannot efficiently handle bulk operations like `Delete Multiple Objects` on thousands of files | `oss/guide/oss-storage` |

## Path Details

### Path 1: API

**Brief Description**: The OSS API provides RESTful HTTP interfaces for precise control over object operations. Key operations include `PutObject`, `GetObject`, `CopyObject` (using the `x-oss-copy-source` header), `DeleteMultipleObjects`, and `PostObject`. You must sign requests using `Authorization: OSS $ACCESS_KEY_ID:$SIGNATURE` and format the `Date header` per `rfc1123-date` standards.

**When to Use**:
- Need to integrate OSS operations into custom applications or services
- Require fine-grained control over request parameters (e.g., `Content-MD5`, conditional headers, or multipart upload logic)
- Prefer direct HTTP calls over CLI wrappers for automation

**When NOT to Use**:
- Unfamiliar with REST APIs or cryptographic request signing
- Only managing a few files occasionally
- Prefer point-and-click interfaces over code

**Known Limitations**:
- `Date header` must use one of the HTTP/1.1 GMT formats (`rfc1123-date`, `rfc850-date`, or `asctime-date`); otherwise the request returns a 400 error
- `DeleteMultipleObjects` requests are limited to 1,000 objects and a 2MB body size; exceeding either limit causes a `MalformedXML` error
- `PostObject` total length cannot exceed 5GB; larger uploads return `EntityTooLarge`
- Manual signature generation required in `Authorization: OSS $ACCESS_KEY_ID:$SIGNATURE`
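
The request-signing steps this path requires, as an added Python example rather than code from the OSS documentation or SDK: it builds the GMT `Date` header, `Content-MD5`, and the `Authorization: OSS ...` value, and checks local clock skew against the 15-minute tolerance quoted in the FAQ. The string-to-sign layout and the use of HMAC-SHA1 are assumptions based on the OSS V1 header-signature scheme, which this page does not spell out; verify them against the official signing reference before relying on them.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(minutes=15)  # tolerance quoted in this page's FAQ


def gmt_date(now=None):
    """rfc1123-date in GMT, e.g. 'Mon, 01 Jan 2024 12:00:00 GMT'."""
    now = now or datetime.now(timezone.utc)
    return format_datetime(now.astimezone(timezone.utc), usegmt=True)


def content_md5(body: bytes) -> str:
    """Base64 of the raw MD5 digest, the form the Content-MD5 header carries."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def sign(secret, verb, resource, date, md5="", ctype="", oss_headers=None):
    # Assumed V1 string-to-sign layout (not given on the page):
    # VERB \n Content-MD5 \n Content-Type \n Date \n x-oss-* headers + resource
    canon = "".join(f"{k}:{v}\n" for k, v in
                    sorted((k.lower(), v) for k, v in (oss_headers or {}).items()))
    to_sign = f"{verb}\n{md5}\n{ctype}\n{date}\n{canon}{resource}"
    mac = hmac.new(secret.encode(), to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def signed_headers(key_id, secret, verb, resource, body=b"", ctype="",
                   oss_headers=None, now=None):
    """Build Date, Content-MD5 and Authorization headers for one request."""
    date = gmt_date(now)
    md5 = content_md5(body) if body else ""
    headers = {"Date": date, **(oss_headers or {})}
    if md5:
        headers["Content-MD5"] = md5
    if ctype:
        headers["Content-Type"] = ctype
    sig = sign(secret, verb, resource, date, md5, ctype, oss_headers)
    headers["Authorization"] = f"OSS {key_id}:{sig}"
    return headers


def clock_skew_ok(server_date, now=None):
    """True if the local clock is within MAX_SKEW of a response Date header."""
    now = now or datetime.now(timezone.utc)
    return abs(now - parsedate_to_datetime(server_date)) <= MAX_SKEW
```

Load the key pair from `OSS_ACCESS_KEY_ID` and `OSS_ACCESS_KEY_SECRET` instead of hard-coding it, and run `clock_skew_ok` against the `Date` header of any OSS response when signatures start failing.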

### Path 2: CLI

**Brief Description**: The OSS CLI (typically `ossutil`) enables command-line execution of object operations like upload, download, copy, and sync. It abstracts away authentication and signing complexities while supporting scripting and batch workflows.

**When to Use**:
- Comfortable with terminal environments and shell scripting
- Need to automate recurring tasks (e.g., nightly backups or log syncs)
- Prefer concise commands over writing full programs

**When NOT to Use**:
- Unfamiliar with command-line tools
- Only performing rare, one-time file edits
- Require advanced request controls like custom metadata directives or range-based downloads

### Path 3: Console / Dashboard

**Brief Description**: The OSS web console offers a GUI under **Console > OSS > Buckets**, where you can **Select Bucket** to perform actions like **Upload Object**, **View Object Metadata**, **Delete Tags**, configure **Lifecycle Management**, enable **Versioning**, or execute **Delete Multiple Objects**.

**When to Use**:
- New to OSS and prefer visual navigation
- Managing a small number of files infrequently
- Need to explore bucket contents or inspect metadata interactively

**When NOT to Use**:
- Building automated pipelines or integrations
- Processing hundreds or thousands of objects
- Requiring precise control over HTTP headers or request conditions

**Known Limitations**:
- Not suitable for automation or scheduled tasks
- Lacks support for complex logic (e.g., conditional deletes based on modification time)
- Bulk operations become slow and impractical at scale

## FAQ

Q: Which path should I start with?
A: If you’re comfortable with terminals, begin with **CLI** for flexibility and automation. If not, use the **console** for quick, visual file management.

Q: What if I need to delete 2,000 objects but used the API’s `DeleteMultipleObjects`?
A: You’ll hit a `MalformedXML` error because the API limits `DeleteMultipleObjects` to 1,000 objects and 2MB request size—split into smaller batches or use CLI instead.

Q: What if I send an API request with a `Date header` in local time instead of `rfc1123-date`?
A: OSS will reject it with a 400 error—only GMT-formatted dates per HTTP/1.1 standards are accepted.

Q: Can I use the console to manage object metadata or tags efficiently?
A: Yes—for individual objects, you can **View Object Metadata** or **Delete Tags** via **Console > OSS > Buckets > Select Bucket**, but bulk tag updates aren’t practical.

Q: If I need to copy objects between buckets with conditional logic (e.g., only if newer), which path works?
A: Use the **API** with `CopyObject` and conditional headers like `x-oss-copy-source-if-modified-since`; the console and CLI lack this granularity.

Q: What happens if I try to upload a 6GB file using the `PostObject` API?
A: You’ll receive an `EntityTooLarge` error—`PostObject` has a 5GB limit; use multipart upload via API or CLI for large files.

Q: Is `Content-MD5` validation supported in all paths?
A: Only the **API** explicitly supports `Content-MD5` for integrity checks during upload; CLI may handle it internally, and the console does not expose this option.
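
One way to stay under the `DeleteMultipleObjects` limits described in this FAQ (1,000 objects and 2MB per request), as an added example that is not part of the OSS tooling: it splits a key list into request bodies that respect both limits and XML-escapes each key. The `<Delete>`/`<Quiet>`/`<Object>`/`<Key>` body layout is assumed from the usual DeleteMultipleObjects request format, which this page does not show; the sample keys are constructed.

```python
from xml.sax.saxutils import escape

MAX_KEYS = 1000               # per-request object limit stated on this page
MAX_BODY = 2 * 1024 * 1024    # per-request body limit (2MB) stated on this page
HEAD = b'<?xml version="1.0" encoding="UTF-8"?><Delete><Quiet>true</Quiet>'
TAIL = b"</Delete>"


def key_entry(key: str) -> bytes:
    # Escape &, < and > so an unusual key name cannot break the XML body.
    return f"<Object><Key>{escape(key)}</Key></Object>".encode("utf-8")


def delete_batches(keys, max_keys=MAX_KEYS, max_body=MAX_BODY):
    """Yield (keys, xml_body) pairs that each respect both request limits."""
    base = len(HEAD) + len(TAIL)
    batch, parts, size = [], [], base
    for key in keys:
        entry = key_entry(key)
        if base + len(entry) > max_body:
            raise ValueError(f"key too long for one request: {key[:40]!r}")
        # Close the current batch before either limit would be exceeded.
        if batch and (len(batch) >= max_keys or size + len(entry) > max_body):
            yield batch, HEAD + b"".join(parts) + TAIL
            batch, parts, size = [], [], base
        batch.append(key)
        parts.append(entry)
        size += len(entry)
    if batch:
        yield batch, HEAD + b"".join(parts) + TAIL


if __name__ == "__main__":
    # Constructed sample: the 2,000-object case from the FAQ above.
    sample = [f"logs/2024/{i:05d}.log" for i in range(2000)]
    for n, (batch, body) in enumerate(delete_batches(sample), 1):
        print(f"request {n}: {len(batch)} keys, {len(body)} bytes")
```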

### [Process files](https://company-skill.com/p/oss/oss-process-files.md)

## What You Want to Do

You want to serve or process media files using Alibaba Cloud OSS, such as creating an HLS stream for live or on-demand playback, ingesting RTMP streams, or securing media delivery with proper CORS and referer policies.

**Typical User Questions**:
- How to create an HLS stream with OSS?
- Can I ingest RTMP streams into OSS?

## Decision Tree

Pick the best path for your situation:

- **If** you need to create or manage a **LiveChannel**, generate **RTMP ingest** URLs, monitor real-time stream status, or produce **VOD playlist.m3u8** from live content → Use APIRTMP (go to *oss/oss-live*)
- **If** you already have media files (including **TS files**) in OSS and only need to configure **CORS Configuration** and **Anti-Hotlink Protection** (e.g., **Referer Whitelist**, **Allow Empty Referer**, **Origin** rules) for secure **HLS streaming** → Use HLS (go to *oss/oss-video*)
- **Otherwise (default)** → Start with **HLS** if you’re testing, demoing, or lack development resources; otherwise, choose the API path for production-grade live workflows.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| APIRTMP | | high | Yes | Yes | Billing includes RTMP ingest at 0.0001/MB (input) and live channel creation at 0.001/ | `oss/api/oss-live` |
| HLS | HLS | low | No | No | HLS streaming requests cost 0.0001/ with 1000 free/month | `oss/guide/oss-video` |

## Path Details

### Path 1: APIRTMP

**Brief Description**: OSS LiveChannel API is a synchronous HTTP service that enables **RTMP ingest** into OSS and stores output as **TS files** and **playlist.m3u8** for HLS playback. It supports full lifecycle management via APIs like **PutLiveChannel**, **GetLiveChannelInfo**, and **PostVodPlaylist**, and allows dynamic generation of signed RTMP URLs using **sign_rtmp_url** with **OSS4-HMAC-SHA256** authentication.

**Key technical facts**:
- Billing: 0.001/0.0001/RTMP0.0001/MB0.0002/MB0.001/
- Auth method: OSS Signature Version 4 (HMAC-SHA256) via Authorization header
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing
- Prerequisites: `OSS_ACCESS_KEY_ID`, `OSS_ACCESS_KEY_SECRET`, `oss2>=2.0.0` (Python), `aliyun-sdk-java-oss>=3.10.0` (Java)

- VOD186,400

- LiveChannelFragDurationFragCount

- LiveChannel100 Mbps

### Path 2: HLS

**Best For**: HLS

**Brief Description**: This path uses the OSS console to configure security settings for **HLS streaming**, including **CORS Configuration** (via **Create CORS Rule**) and **Anti-Hotlink Protection** using **Referer Whitelist** and **Allow Empty Referer** toggles. It does not support live ingestion or **RTMP ingest**—it assumes media files (like **TS files** and **playlist.m3u8**) are already present in the bucket.

**Key technical facts**:
- Billing: HLS0.0001/1000
- Auth method: Console SSO
- Prerequisites: OSS Bucket

- RTMPOSS Bucket

- APIautomation_friendly=false
- OriginURLhttp://localhost:3000

## FAQ

Q: Which path should I start with?
A: If you’re building a live system with **RTMP ingest** and need **VOD playlist.m3u8** generation, start with the API path. If you only have pre-uploaded media and need quick security setup (**CORS Configuration**, **Anti-Hotlink Protection**), use the console path.

Q: What if I need to change **FragDuration** or **FragCount** after creating a LiveChannel but used the API path?
A: You’ll hit a hard limitation: **LiveChannelFragDurationFragCount**. Plan these values carefully upfront.

Q: What if I try to build a live stream using only the console path?
A: You’ll find **no option to create a LiveChannel or handle RTMP ingest**—the console path only configures access rules for existing files, so live ingestion won’t work.

Q: Can I automate **Referer Whitelist** and **Origin** settings via code if I choose the console path?
A: No—the console path is **not automation_friendly**. These settings must be done manually in the UI; use the API path if you need infrastructure-as-code.

Q: What happens if I delete a LiveChannel without cleaning up **TS files**?
A: The **TS files** and **playlist.m3u8** remain in your bucket and continue to incur storage costs—you must delete them manually.

Q: Does the console path support **Sensitive Data Protection** for media?
A: Indirectly—via **Anti-Hotlink Protection** (referer rules) and **CORS Configuration**, which prevent unauthorized embedding or hotlinking, acting as a form of access control.


## Frequently asked questions

### Should I use the API or the console for managing buckets?

Use the **console** for one-off setup, exploration, or visual workflows. Use the **API/CLI** for automation, scripting, or integration into applications.

### How do I authenticate API requests?

Provide your AccessKey ID and Secret via SDK configuration, environment variables, or request signing. For enhanced security, use RAM roles or STS tokens.

### Where can I find CLI (ossutil) documentation?

All CLI operations are covered in **cli**-type sub-skills. Install ossutil from the official repository and configure it using `ossutil config`.

### My API call returns "AccessDenied"—what should I check?

Verify your AccessKey permissions, bucket policy, RAM user policies, and whether the resource (bucket/object) exists. Also confirm correct region and endpoint usage.

### Can I combine API and console usage?

Yes—changes made via API are reflected in the console and vice versa. However, avoid concurrent modifications to the same resource to prevent conflicts.

### How do I configure access logging and monitoring?

You can configure access logging and monitoring by enabling, customizing, and analyzing access logs for auditing and observability. The documentation outlines three alternative paths to implement this, including CLI commands for custom log fields and console guides for viewing logs.

### How do I configure bucket-level security policies?

You configure bucket-level security policies by setting up access controls, blocking public access, configuring CORS, and managing policies through the dedicated security intent skill. This process is supported by four alternative implementation paths across the platform.

### How do I manage vector data and indexes?

You manage vector data and indexes by storing, indexing, and querying vector embeddings for AI applications. This functionality is accessible through two alternative paths, including API endpoints for similarity search and CLI commands for vector storage operations.

### How do I manage storage objects like uploading, downloading, and copying?

You manage storage objects by performing basic and advanced operations across the API, CLI, or console interfaces. The platform provides three alternative paths to execute these tasks via the dedicated object management intent skill.

## Use with an AI agent

```bash
curl -s https://company-skill.com/api/route \
  -H 'Content-Type: application/json' \
  -d '{"query": "...", "product": "oss"}'
```

MCP server: https://company-skill.com/api/mcp/oss.py

