Object Storage Service (OSS) Guide

Master OSS storage classes, access control, lifecycle management, cross-region replication, and cost optimization.

CloudToolStack Team | 22 min read | Published Mar 14, 2026

Prerequisites

  • Basic understanding of object storage concepts
  • Alibaba Cloud account with OSS permissions

Object Storage Service (OSS)

Alibaba Cloud Object Storage Service (OSS) is a highly scalable, durable, and cost-effective cloud storage service designed for storing and retrieving any amount of data from anywhere on the internet. OSS stores data as objects within buckets, supporting individual object sizes from 1 byte to 48.8 TB. With 99.9999999999% (12 nines) data durability and 99.995% availability for the Standard storage class, OSS is the foundation for data storage across Alibaba Cloud's ecosystem.

OSS powers critical infrastructure across Alibaba Group's businesses — storing product images for Taobao and Tmall, serving static assets for AliExpress, archiving transaction logs for Alipay, and hosting training datasets for AI/ML workloads. This battle-tested heritage means OSS has been optimized for extreme scale, handling trillions of objects and exabytes of data across millions of customers.

This guide covers OSS storage classes, bucket configuration, access control, lifecycle management, data transfer acceleration, cross-region replication, and integration patterns with other Alibaba Cloud services.

Storage Classes

OSS provides four storage classes optimized for different access patterns and cost requirements:

Standard

The default storage class for frequently accessed data. Provides millisecond first-byte latency with high throughput. No minimum storage duration or retrieval fees. Best for websites, mobile applications, content distribution, and data analytics workloads that require immediate access.

Infrequent Access (IA)

Designed for data accessed less than once per month but requiring immediate access when needed. Offers approximately 60% lower storage cost compared to Standard, but charges retrieval fees per GB retrieved. Minimum storage duration of 30 days — objects deleted or transitioned before 30 days incur prorated charges for the remaining days. Best for backups, disaster recovery data, and older application logs.

Archive

For long-term data retention with very infrequent access. Storage costs are approximately 75% lower than Standard. Objects must be restored before access, which takes about 1 minute for bulk restore. Minimum storage duration of 60 days. Best for compliance archives, historical data, and regulatory retention requirements.

Cold Archive

The most cost-effective storage class for data that is rarely, if ever, accessed. Storage costs are approximately 85% lower than Standard. Restoration takes 1-12 hours depending on the restore priority (expedited, standard, or bulk). Minimum storage duration of 180 days. Best for deep archives, legal holds, and data that must be retained but is unlikely to be accessed.

Storage Class Comparison

When choosing a storage class, consider the total cost including storage, retrieval, and API request fees. For data accessed more than once per month, Standard is typically cheapest. For data accessed a few times per year, IA provides the best balance. For data accessed less than once per year, Archive or Cold Archive significantly reduces costs — but always factor in restoration time and fees.

Bucket Configuration

An OSS bucket is the top-level container for objects. Each bucket has a globally unique name, a region assignment, and configuration for access control, versioning, and encryption:

bash
# Create a private bucket in the Standard storage class (encryption is enabled separately below)
aliyun oss mb oss://prod-media-assets \
  --region cn-hangzhou \
  --acl private \
  --storage-class Standard

# Enable versioning
aliyun oss bucket-versioning --method put \
  oss://prod-media-assets \
  --versioning-config '{"Status":"Enabled"}'

# Enable server-side encryption with KMS
aliyun oss bucket-encryption --method put \
  oss://prod-media-assets \
  --sse-algorithm KMS \
  --kms-master-keyid key-****

# Enable transfer acceleration
aliyun oss bucket-accelerate --method put \
  oss://prod-media-assets \
  --accel-config '{"Status":"Enabled"}'

# Block public access by applying the bucket policy in policy.json
aliyun oss bucket-policy --method put \
  oss://prod-media-assets \
  --policy-file policy.json

Access Control

OSS provides multiple layers of access control to secure your data:

Bucket ACL

The simplest access control mechanism with three options: private (default, only the bucket owner can access), public-read (anyone can read objects but only the owner can write), and public-read-write (anyone can read and write). For production workloads, always use private ACL and control access through RAM policies or bucket policies.

RAM Policies

Fine-grained access control through RAM policies attached to users, groups, or roles. RAM policies support conditions based on IP address, VPC ID, time, TLS version, and custom tags. This is the recommended approach for controlling access from Alibaba Cloud services and users.

Bucket Policies

Resource-based policies attached directly to buckets. Bucket policies can grant cross-account access, restrict access by IP range or VPC, and enforce encryption requirements. Similar to AWS S3 bucket policies.

STS Temporary Credentials

Use Security Token Service (STS) to generate temporary credentials with limited permissions and expiration times. Essential for mobile applications, browser-based uploads, and any scenario where you need to grant temporary access to OSS without exposing permanent AccessKey credentials.
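
For the mobile and browser upload case described above, a session can be narrowed further with a session policy passed in the AssumeRole `Policy` parameter; the session then gets only what both the role and that policy allow. This is an added example, not code from the guide: the `uploads/<user_id>/` layout, the user-id rule and the function names are assumptions.

```python
import json
import re

# Assumption for this example: app user ids are 1-48 chars of [A-Za-z0-9_-].
# Anything else ('/', '*', '?', '..') could widen the Resource pattern.
USER_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,48}")

def build_upload_session_policy(bucket, user_id):
    """Session policy confining one STS session to uploads/<user_id>/."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError(f"rejected user_id {user_id!r}")
    policy = {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:PutObject"],
            # bucket comes from server configuration, never from the client
            "Resource": [f"acs:oss:*:*:{bucket}/uploads/{user_id}/*"],
        }],
    }
    return json.dumps(policy, separators=(",", ":"))

def build_assume_role_params(role_arn, bucket, user_id, duration=900):
    """Parameters for an STS AssumeRole request on behalf of one app user."""
    # 900 s is the STS minimum; 3600 s is the value used in the guide.
    if not 900 <= duration <= 3600:
        raise ValueError("duration must be between 900 and 3600 seconds")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"mobile-upload-{user_id}",  # identifies the session in audit logs
        "Policy": build_upload_session_policy(bucket, user_id),
        "DurationSeconds": duration,
    }

if __name__ == "__main__":
    params = build_assume_role_params(
        "acs:ram::account-id:role/oss-uploader",  # placeholder ARN from the guide
        "prod-media-assets", "user-4821")         # constructed sample user id
    print(json.dumps(params, indent=2))
```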

bash
# RAM policy: read-only access to objects under public/ (ListObjects is granted on the whole bucket)
cat > oss-readonly-policy.json << 'POLICY'
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:ListObjects"
      ],
      "Resource": [
        "acs:oss:*:*:prod-media-assets",
        "acs:oss:*:*:prod-media-assets/public/*"
      ]
    }
  ]
}
POLICY

# Create the policy
aliyun ram CreatePolicy \
  --PolicyName OSSPublicReadOnly \
  --PolicyDocument "$(cat oss-readonly-policy.json)"

# Generate STS temporary credentials
aliyun sts AssumeRole \
  --RoleArn acs:ram::account-id:role/oss-uploader \
  --RoleSessionName "mobile-upload-session" \
  --DurationSeconds 3600
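
The read-only policy in this section limits `oss:GetObject` to `public/*`, but `oss:ListObjects` is authorized against the bucket resource, so key names under every prefix can still be enumerated unless an `oss:Prefix` condition is attached. The check below is an added example, not part of the guide or of any Alibaba Cloud tool: `audit`, the finding names and `SCOPED_POLICY` are constructed here for illustration.

```python
GUIDE_POLICY = {  # the RAM policy document from this guide
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:prod-media-assets",
                     "acs:oss:*:*:prod-media-assets/public/*"],
    }],
}

SCOPED_POLICY = {  # constructed variant: listing limited with oss:Prefix
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"],
         "Resource": ["acs:oss:*:*:prod-media-assets/public/*"]},
        {"Effect": "Allow", "Action": ["oss:ListObjects"],
         "Resource": ["acs:oss:*:*:prod-media-assets"],
         "Condition": {"StringLike": {"oss:Prefix": ["public/*"]}}},
    ],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (statement index, finding) pairs for over-broad Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        tails = [r.split(":")[-1] for r in as_list(stmt.get("Resource", []))]
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values()
                     for k in block}
        if any(a in ("*", "oss:*") for a in actions):
            findings.append((i, "wildcard-action"))
        # "bucket/*" or "*" covers every object in the bucket.
        if any(t == "*" or t.split("/", 1)[1:] == ["*"] for t in tails):
            findings.append((i, "whole-bucket-resource"))
        # ListObjects is authorized on the bucket ARN (no "/"); without an
        # oss:Prefix condition it can enumerate keys under every prefix.
        lists = "oss:listobjects" in actions
        if lists and any("/" not in t for t in tails) and "oss:prefix" not in cond_keys:
            findings.append((i, "list-unscoped"))
    return findings

if __name__ == "__main__":
    for name, doc in (("guide", GUIDE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit(doc))
```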

Lifecycle Management

Lifecycle rules automate the transition of objects between storage classes and the expiration (deletion) of objects based on age or last access time. Properly configured lifecycle rules can reduce storage costs by 50-80% by automatically moving infrequently accessed data to cheaper storage classes.

bash
# Set lifecycle rules
aliyun oss bucket-lifecycle --method put \
  oss://prod-media-assets \
  --lifecycle-config '{
    "Rule": [
      {
        "ID": "transition-to-ia",
        "Prefix": "uploads/",
        "Status": "Enabled",
        "Transition": [
          {"Days": 30, "StorageClass": "IA"},
          {"Days": 90, "StorageClass": "Archive"},
          {"Days": 365, "StorageClass": "ColdArchive"}
        ]
      },
      {
        "ID": "expire-temp-files",
        "Prefix": "tmp/",
        "Status": "Enabled",
        "Expiration": {"Days": 7}
      },
      {
        "ID": "cleanup-old-versions",
        "Prefix": "",
        "Status": "Enabled",
        "NoncurrentVersionExpiration": {"NoncurrentDays": 30},
        "NoncurrentVersionTransition": [
          {"NoncurrentDays": 7, "StorageClass": "IA"}
        ]
      },
      {
        "ID": "abort-multipart",
        "Prefix": "",
        "Status": "Enabled",
        "AbortMultipartUpload": {"Days": 3}
      }
    ]
  }'

Abort Incomplete Multipart Uploads

Always configure a lifecycle rule to abort incomplete multipart uploads. Failed or abandoned multipart uploads leave parts stored in your bucket that accumulate storage charges invisibly — they do not appear in normal object listings. Set an abort rule for 3-7 days to automatically clean up these orphaned parts.

Cross-Region Replication (CRR)

Cross-Region Replication automatically copies objects from a source bucket to a destination bucket in a different region. CRR provides geographic redundancy for disaster recovery, reduces latency for users in different regions, and helps meet data residency requirements by maintaining copies in specific regions.

bash
# Enable cross-region replication
aliyun oss replication --method put \
  oss://prod-media-assets \
  --replication-config '{
    "Rule": {
      "PrefixSet": {"Prefix": [""]},
      "Action": "ALL",
      "Destination": {
        "Bucket": "prod-media-assets-dr",
        "Location": "oss-cn-shanghai"
      },
      "HistoricalObjectReplication": "enabled"
    }
  }'

Data Transfer Acceleration

OSS Transfer Acceleration uses Alibaba Cloud's global network of edge nodes to accelerate data uploads and downloads over long distances. When enabled, clients connect to the nearest edge node, and data is transported over Alibaba's optimized backbone network to the OSS endpoint. Transfer Acceleration can improve upload and download speeds by 50-300% for users far from the bucket's region.

Use Transfer Acceleration for:

  • Global user bases uploading to a central bucket
  • Cross-region data migration and synchronization
  • Large file transfers over long distances
  • Interactive applications requiring low-latency access from diverse locations

Integration Patterns

OSS integrates with many Alibaba Cloud services for data processing, analytics, and content delivery:

  • CDN: Use Alibaba Cloud CDN with OSS as the origin to serve static content globally with low latency. CDN caches objects at edge nodes and reduces OSS egress costs.
  • Function Compute: Trigger serverless functions on OSS events (object created, deleted, etc.) for real-time data processing, image resizing, video transcoding, or data validation.
  • Data Lake Analytics (DLA): Query data stored in OSS directly using SQL without loading it into a database. DLA supports Parquet, ORC, CSV, JSON, and other formats.
  • MaxCompute: Load OSS data into MaxCompute for large-scale data warehousing and analytics. OSS serves as the primary data lake storage for MaxCompute pipelines.
  • Machine Learning (PAI): Store training datasets and model artifacts in OSS. PAI can read training data directly from OSS and write model outputs back.
  • IMG (Image Processing): Built-in image processing capabilities for resizing, cropping, rotating, watermarking, and format conversion. Process images on-the-fly by appending processing parameters to the object URL.

bash
# Image processing: resize to 200px width, convert to WebP
# Original: https://bucket.oss-cn-hangzhou.aliyuncs.com/photo.jpg
# Processed: https://bucket.oss-cn-hangzhou.aliyuncs.com/photo.jpg?x-oss-process=image/resize,w_200/format,webp

# Upload a file using the CLI
aliyun oss cp ./large-dataset.parquet oss://prod-data-lake/raw/dataset.parquet \
  --storage-class Standard \
  --meta x-oss-meta-team:data-engineering \
  --meta x-oss-meta-pipeline:daily-etl

# Sync a directory to OSS
aliyun oss sync ./build/ oss://prod-static-assets/v2.1/ \
  --delete \
  --include "*.js" \
  --include "*.css" \
  --include "*.html"

# Generate a pre-signed URL (valid for 1 hour)
aliyun oss sign oss://prod-media-assets/reports/q4-2025.pdf \
  --timeout 3600

Cost Optimization

Optimize OSS costs with these strategies:

  • Lifecycle rules: Automatically transition data to cheaper storage classes based on age. Most organizations can save 40-60% on storage costs with properly configured lifecycle rules.
  • CDN integration: Serve frequently accessed content through CDN instead of directly from OSS. CDN egress is typically 40-50% cheaper than direct OSS egress.
  • Transfer within VPC: Use OSS internal endpoints (oss-cn-hangzhou-internal.aliyuncs.com) for traffic within the same region. Internal transfer is free and does not incur egress charges.
  • Abort incomplete uploads: Configure lifecycle rules to clean up abandoned multipart uploads that silently accumulate charges.
  • Compress before upload: Compress data before uploading to reduce storage and transfer costs. For text-based formats (JSON, CSV, logs), gzip compression typically reduces size by 70-90%.
  • Use resource packs: Purchase OSS storage resource packs (subscriptions) for predictable workloads. Resource packs offer 17-35% savings compared to Pay-As-You-Go pricing.

OSS Internal Endpoints

Always use internal endpoints when accessing OSS from ECS, ACK, or other Alibaba Cloud services within the same region. Internal endpoint format: bucket-name.oss-cn-hangzhou-internal.aliyuncs.com. Internal traffic is free and typically 2-3x faster than external endpoints due to the optimized internal network path.

Key Takeaways

  1. OSS provides 12 nines of durability with Standard, IA, Archive, and Cold Archive storage classes.
  2. Lifecycle rules can reduce storage costs by 40-70% by automatically transitioning data to cheaper tiers.
  3. Internal endpoints for same-region access are free and faster than external endpoints.
  4. Built-in image processing supports on-the-fly resizing, format conversion, and watermarking without separate services.

Frequently Asked Questions

How does OSS compare to AWS S3?

OSS and S3 are functionally equivalent object storage services. OSS Standard maps to S3 Standard, OSS IA maps to S3 Infrequent Access, OSS Archive maps to S3 Glacier Instant Retrieval, and OSS Cold Archive maps to S3 Glacier Deep Archive. Pricing is competitive, with OSS generally cheaper in Asia-Pacific regions. Key differences include OSS built-in image processing and the 100.100.100.200 metadata endpoint.

What is the maximum object size?

OSS supports objects up to 48.8 TB. For objects larger than 5 GB, you must use multipart upload. OSS recommends multipart upload for any object larger than 100 MB. The ossutil CLI handles multipart upload automatically when using the cp command.
