Category: tool
OSS (ossutil 2.0) CLI Skill
Validation
CODEBLOCK0
Pass criteria: command exits 0 and output/alicloud-storage-oss-ossutil/validate.txt is generated.
Output And Evidence
- - Save command outputs, object listings, and sync logs under
output/alicloud-storage-oss-ossutil/. - Keep at least one upload or listing result as evidence.
Goals
- - Use ossutil 2.0 to manage OSS: upload, download, sync, and resource management.
- Provide a unified CLI flow for install, config, credentials, and region/endpoint handling.
Quick Start Flow
- 1. Install ossutil 2.0.
- Configure AK/SK and default region (
ossutil config or config file). - Run
ossutil ls to list buckets, then list objects using the bucket region. - Execute upload/download/sync or API-level commands.
Install ossutil 2.0
- - See
references/install.md for platform-specific install steps.
Configure ossutil
- - Interactive configuration:
CODEBLOCK1
- - Default config file paths:
- Linux/macOS:
~/.ossutilconfig
- Windows:�INLINECODE6
Main configuration fields include:
- - �INLINECODE7
- INLINECODE8
- INLINECODE9�(example default
cn-hangzhou; ask the user if the best region is unclear) - INLINECODE11�(optional; auto-derived from region if omitted)
AccessKey configuration notes
Use RAM users/roles with least privilege and avoid passing AK in plain text on command line.
Recommended method (environment variables):
CODEBLOCK2
INLINECODE12� can be used as default region; if unset choose the most reasonable region, ask user if unclear.
Or use the standard shared credentials file:
INLINECODE13
CODEBLOCK3
Command structure (2.0)
- - High-level command example:�INLINECODE14
- API-level command example:�INLINECODE15
Common command examples
CODEBLOCK4
Recommended execution flow (list buckets first, then objects)
1) List all buckets
CODEBLOCK5
2) Get target bucket region from output (e.g. oss-cn-shanghai) and convert it to --region format (cn-shanghai).
3) When listing objects, explicitly set --region and -e to avoid cross-region signature/endpoint errors.
CODEBLOCK6
4) For very large buckets, limit output size first.
CODEBLOCK7
Common errors and handling
- Cause: missing region configuration.
- Fix: add
region in config file, or pass
--region cn-xxx.
- Cause: request endpoint does not match bucket region.
- Fix: use endpoint of the bucket region, e.g.
-e https://oss-cn-hongkong.aliyuncs.com.
- Cause: signature region does not match bucket region.
- Fix: correct both
--region and
-e; both must match bucket region.
Credential and security guidance
- - Prefer RAM user AK for access control.
- CLI options can override config file, but passing secrets on command line has leakage risk.
- In production, manage secrets via config files or environment variables.
Clarifying questions (ask when uncertain)
- 1. Is your target a Bucket or an Object?
- Do you need upload/download/sync, or management actions like ACL/lifecycle/CORS?
- What are the target region and endpoint?
- Are you accessing OSS from ECS in the same region (intranet endpoint may be preferred)?
References
- - OSSUTIL 2.0 overview and install/config:
- https://help.aliyun.com/zh/oss/developer-reference/ossutil-overview
- - Official source list:�INLINECODE29
Prerequisites
- - Configure least-privilege Alibaba Cloud credentials before execution.
- Prefer environment variables:
ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID. - If region is unclear, ask the user before running mutating operations.
Workflow
1) Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
2) Run one minimal read-only query first to verify connectivity and permissions.
3) Execute the target operation with explicit parameters and bounded scope.
4) Verify results and save output/evidence files.
技能名称: alicloud-storage-oss-ossutil
详细描述:
类别: 工具
OSS (ossutil 2.0) CLI 技能
验证
bash
python skills/storage/oss/alicloud-storage-oss-ossutil/scripts/check_ossutil.py --output output/alicloud-storage-oss-ossutil/validate.txt
通过标准:命令退出码为 0,且生成了 output/alicloud-storage-oss-ossutil/validate.txt 文件。
输出与证据
- - 将命令输出、对象列表和同步日志保存在 output/alicloud-storage-oss-ossutil/ 目录下。
- 至少保留一个上传或列表结果作为证据。
目标
- - 使用 ossutil 2.0 管理 OSS:上传、下载、同步和资源管理。
- 提供统一的 CLI 流程,涵盖安装、配置、凭证以及区域/端点处理。
快速入门流程
- 1. 安装 ossutil 2.0。
- 配置 AK/SK 和默认区域(ossutil config 或配置文件)。
- 运行 ossutil ls 列出存储桶,然后使用存储桶区域列出对象。
- 执行上传/下载/同步或 API 级别的命令。
安装 ossutil 2.0
- - 各平台的安装步骤请参见 references/install.md。
配置 ossutil
bash
ossutil config
- Linux/macOS:~/.ossutilconfig
- Windows:C:\Users\issuser\.ossutilconfig
主要配置字段包括:
- - AccessKey ID
- AccessKey Secret
- Region(例如默认 cn-hangzhou;如果不确定最佳区域,请询问用户)
- Endpoint(可选;如果省略,则从区域自动推导)
AccessKey 配置说明
使用 RAM 用户/角色并遵循最小权限原则,避免在命令行中以明文传递 AK。
推荐方法(环境变量):
bash
export ALICLOUDACCESSKEY_ID=
export ALICLOUDACCESSKEY_SECRET=
export ALICLOUDREGIONID=cn-beijing
ALICLOUDREGIONID 可用作默认区域;如果未设置,则选择最合理的区域,如果不确定请询问用户。
或者使用标准的共享凭证文件:
~/.alibabacloud/credentials
ini
[default]
type = access_key
accesskeyid =
accesskeysecret =
命令结构(2.0 版本)
- - 高级命令示例:ossutil config
- API 级别命令示例:ossutil api put-bucket-acl
常用命令示例
bash
ossutil ls
ossutil ls oss://your-bucket -r --short-format --region cn-shanghai -e https://oss-cn-shanghai.aliyuncs.com
ossutil cp ./local.txt oss://your-bucket/path/local.txt
ossutil cp oss://your-bucket/path/remote.txt ./remote.txt
ossutil sync ./local-dir oss://your-bucket/path/ --delete
推荐执行流程(先列出存储桶,再列出对象)
1) 列出所有存储桶
bash
ossutil ls
2) 从输出中获取目标存储桶区域(例如 oss-cn-shanghai),并将其转换为 --region 格式(cn-shanghai)。
3) 列出对象时,显式设置 --region 和 -e,以避免跨区域签名/端点错误。
bash
ossutil ls oss://your-bucket \
-r --short-format \
--region cn-shanghai \
-e https://oss-cn-shanghai.aliyuncs.com
4) 对于非常大的存储桶,先限制输出大小。
bash
ossutil ls oss://your-bucket --limited-num 100
ossutil ls oss://your-bucket/some-prefix/ -r --short-format --region cn-shanghai -e https://oss-cn-shanghai.aliyuncs.com
常见错误及处理
- - Error: region must be set in sign version 4.
- 原因:缺少区域配置。
- 修复:在配置文件中添加 region,或传递 --region cn-xxx。
- - The bucket you are attempting to access must be addressed using the specified endpoint
- 原因:请求端点与存储桶区域不匹配。
- 修复:使用存储桶区域的端点,例如 -e https://oss-cn-hongkong.aliyuncs.com。
- - Invalid signing region in Authorization header
- 原因:签名区域与存储桶区域不匹配。
- 修复:同时修正 --region 和 -e;两者必须与存储桶区域一致。
凭证与安全指导
- - 优先使用 RAM 用户 AK 进行访问控制。
- CLI 选项可以覆盖配置文件,但在命令行中传递密钥存在泄露风险。
- 在生产环境中,通过配置文件或环境变量管理密钥。
澄清问题(不确定时询问)
- 1. 您的目标是存储桶还是对象?
- 您需要上传/下载/同步,还是管理操作(如 ACL、生命周期、CORS)?
- 目标区域和端点是什么?
- 您是否从同一区域的 ECS 访问 OSS(可能优先使用内网端点)?
参考
- https://help.aliyun.com/zh/oss/developer-reference/ossutil-overview
- - 官方来源列表:references/sources.md
前提条件
- - 执行前配置最小权限的阿里云凭证。
- 优先使用环境变量:ALICLOUDACCESSKEYID、ALICLOUDACCESSKEYSECRET,可选 ALICLOUDREGIONID。
- 如果区域不明确,在执行变更操作前请询问用户。
工作流程
1) 确认用户意图、区域、标识符,以及操作是只读还是变更操作。
2) 先运行一个最小的只读查询,以验证连接和权限。
3) 使用显式参数和限定范围执行目标操作。
4) 验证结果并保存输出/证据文件。
