Configuring Auto Obtaining of Access Keys for obsutil
Feature Description
In addition to obtaining access keys (AK/SK) from the .obsutilconfig file, obsutil has the feature of automatically obtaining access keys in chain mode, to obtain access keys from system environment variables or to obtain temporary access keys through ECS APIs.
With this feature enabled, obsutil attempts to obtain available access keys from the .obsutilconfig file, system environment variables, and then ECS in sequence.
Configuration Method
- Enable the feature of automatically obtaining access keys in chain mode.
Set autoChooseSecurityProvider in the .obsutilconfig file to true.
- Configure the methods of obtaining access keys for obsutil.
- .obsutilconfig file: Configure parameters ak and sk. The AK and SK have been automatically written into the .obsutilconfig file during initialization (see Performing the Initial Configuration). You can modify them if needed.
- System environment variables: Set OBS_ACCESS_KEY_ID to ak, OBS_SECRET_ACCESS_KEY to sk, and OBS_SECURITY_TOKEN to token (can be left blank).
- ECS APIs: Ensure that the ECS has been bound to an IAM agency that has OBS permissions configured.
Process of Searching for Access Keys
- Search for access keys in the .obsutilconfig file (ak, sk, and token). If access keys are not left blank, the search ends. If they are not blank, continue to the next step.
- Search for access keys from system environment variables (OBS_ACCESS_KEY_ID, OBS_SECRET_ACCESS_KEY, and OBS_SECURITY_TOKEN). If access keys are not left blank, the search ends. If they are left blank, continue to the next step.
- Search for temporary access keys from the ECS where obsutil runs. If the temporary access keys are not left blank, the search ends. Otherwise, access OBS as an anonymous user.
- The "access keys are not empty" means both AK and SK are not empty, but the token can be empty.
- In the environment variables, the value of OBS_ACCESS_KEY_ID is the AK, that of OBS_SECRET_ACCESS_KEY is the SK, and that of OBS_SECURITY_TOKEN corresponds to the token.
- If the cross-region replication mode is enabled, OBS_ACCESS_KEY_ID_CRR corresponds to akCrr, OBS_SECRET_ACCESS_KEY_CRR corresponds to skCrr, and OBS_SECURITY_TOKEN_CRR corresponds to tokenCrr.
- The prerequisite for querying access keys from an ECS is that obsutil is running on this ECS and the ECS has been bound to an agency.
- If the function of automatically obtaining access keys is enabled, you still need to specify the endpoint.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.