So if you have been following our series on “Getting Started with Alibaba Cloud” then by now, you should have a fully functional RAM User which can deploy Aliyun ECS Instances. Before we conclude our series with a small project, we will discuss another service which is Alibaba Cloud’s Object Storage Service.
If you are coming from any other cloud platform, this should be fairly familiar to you: AWS has S3, GCP has Cloud Storage, Azure has Azure Blob Storage and so on. Object Storage Service or OSS is Alibaba Cloud’s object storage service, which provides similar features to those you may have used previously and then some more.
In this article, we will cover what Object Storage is and the features of Aliyun OSS by demonstrating how to make a Bucket in OSS and then walking through its features. In the next article, we will use another Cloud Provider to use the data in OSS, thus giving you a taste of what’s all the rage right now – “multi-cloud”. So without further ado…
What is Object Type Storage?
Object Type Storage is where every piece of data is managed as a distinct “object”. This is different from the usual storage on your PC. You cannot “install” an operating system in object storage. There is no specific hierarchy to be followed as in File Systems. The data is not managed as “blocks” on a hard drive. Data is assigned a ‘unique’ identifier and then stored as a ‘blob’ in the storage. There’s no structure to it. Things like “defragmentation”, which you would need in block storage or on the drives of your workstations, are not needed here. The advantage is that you can store a lot of data, regardless of its format, at a comparatively cheaper cost.
We will understand Alibaba’s OSS by making a cloud bucket. For this, we will be using the RAM User we made in the previous demo. If you have already deleted that user from the previous tutorial, you have two choices – use the Root/Admin Account (not recommended) or make another user.
In the previous tutorial, the RAM User we made had permission to deploy a few general services in Alibaba Cloud like ECS, RDS and such. First we will give this user permission to use OSS. To do this:
1. Sign-in using your Admin Account and open the RAM console.
2. Click on Policies from the left blade.
3. You would see the Custom Policy we had defined. Click on the Policy. In our case, it was named “BaseAdminAccessPolicy”. You would see something similar to what is shown below.
Notice the JSON in the on-screen editor? That actually represents the permissions. You can edit this JSON in a specific format to either grant or revoke the User’s Scope. In this case, we will append to this JSON. For this, you can scroll down inside the editor and add the permission as shown in the figure below.
In the picture above, Lines 44-53 give any User/Group with this policy permission to use OSS. Effect is set to “Allow” (by default, it’s all “Deny”). Action is set to “oss:*”, where “oss” stands for Object Storage Service. Resource lists the sub-operations considered to be a part of OSS and Condition holds any conditions which you would like to impose. In our case, there are no conditions.
After this step, we have one final step which will help us in the next part of our series. That is the “Access Key”. Access Keys are unique to each RAM User, and one RAM User may have multiple Access Keys. To make one for ourselves, click on “Users”, then click on the RAM User you created and, as shown in the picture below, click on “Create AccessKey” under User AccessKeys.
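A check a defender might run over an exported RAM policy before attaching it, shown as an added example (not code from the original article or from Alibaba Cloud). The broad policy is constructed from the statement described above, with "Resource": "*" assumed because the screenshot is not reproduced here; the scoped policy and the function names are hypothetical and use the bucket name chosen later in this article.

```python
import json

# Constructed policy modelled on the statement described above (Effect "Allow",
# Action "oss:*", no Condition). "Resource": "*" is an assumption.
BROAD_POLICY = json.loads("""
{"Version": "1",
 "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}]}
""")

# Hypothetical tighter policy: bucket-level listing on the bucket itself,
# object reads/writes on its contents only.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:ListObjects"],
         "Resource": ["acs:oss:*:*:test-bucket-abhik"]},
        {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"],
         "Resource": ["acs:oss:*:*:test-bucket-abhik/*"]},
    ],
}

def _as_list(value):
    """Action, Resource and Statement may be a single item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_oss_grants(policy):
    """Return (statement index, finding) pairs for over-broad OSS Allow grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        if not any(a == "*" or a.startswith("oss:") for a in actions):
            continue  # statement does not touch OSS
        broad = []
        if any(a in ("*", "oss:*") for a in actions):
            broad.append("wildcard-action")
        if any(r in ("*", "acs:oss:*:*:*") for r in _as_list(stmt.get("Resource"))):
            broad.append("wildcard-resource")
        if broad and not stmt.get("Condition"):
            broad.append("no-condition")  # nothing limits the broad grant
        findings.extend((idx, f) for f in broad)
    return findings

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_oss_grants(pol))
```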
This will show you the Access Key for the first and last time. We recommend that you download the CSV File from the download link or copy it to a secure place. With this, we are ready to actually begin. Sign out from the Root/Admin Account and then log in using your RAM User. You should see the Alibaba Cloud console. Click on Object Storage Service. A screen similar to the one shown below should appear.
If you are using OSS for the first time (and chances are that if you are a beginner following our articles, then you are), then the service is not active for your account. You need to activate the service.
Once you have activated the Service, you will be directed to the OSS console as shown below. Click on the “Create Bucket” button as in the figure.
This will show the configuration of the Bucket you are about to create. The following options would be shown. Let’s discuss them briefly.
First up is the Bucket Name. This field is self-explanatory. For our case, we use “test-bucket-abhik”. While entering this name, you might get confused if you are encountering Object Type Storage for the first time. OSS bucket names are unique across all users. This means there can be no two buckets with the same name, even between two different users.
Next up, Region. This is where the bucket will be created. The common logic is to choose the region closest to you, which in our case is Mumbai. After this is the Endpoint. All the objects in your bucket will be accessible through URLs which have the same endpoint as shown in this field.
Then there is an important field – Storage Class. There are 3 options to select from – 1. Standard, 2. IA or Infrequent Access, 3. Archive. The cost of storage decreases in the order mentioned. This means that if you store data in Standard, you will pay more than you would for storing it in IA or Archive. The catch is the retrieval time, i.e., the time taken to get back or ‘thaw’ the data stored in the bucket, which increases in the order the names are mentioned. Standard is the general purpose storage class which satisfies most use cases. IA is for data that you will store and won’t need to access for a long time. Archive is used for storing data which you won’t need to access for even longer periods. These two classes of storage are used for storing things like backups or logs of data/events which have happened in the past. You won’t need this kind of data for day-to-day operations, but you will need it in case of Disaster Recovery or an Audit, both of which don’t happen often if you follow best practices in the business.
Versioning is where you get to save the same object in different versions. The latest version is saved and you have a history of the object being changed over time. This also provides a way to recover any objects or data you may have deleted by mistake.
Access Control Lists are a very important part of security in OSS. At this time, you determine whether only you will be able to access the bucket (Private), whether the data in the bucket will be available to others on the internet for just viewing (Public Read) or whether any outside person on the internet will be able to modify the data (Public Read/Write). This is a bucket-level ACL, so keep in mind that every piece of data you upload to this bucket will inherit this ACL unless you manually change that object’s ACL after upload.
Last but not least, Encryption Method. This is where we think you need to get familiar with two important terms – Encryption at Rest and Encryption in Transit. The former refers to encrypting your data while it is stored in a cloud bucket or any storage. The latter refers to the encryption used when you are sending data from one end to another. In this case, it’s Encryption at Rest we are concerned with. AES or Advanced Encryption Standard with 256-bit keys is used here. You can also leave this as “None” or use your own keys for encryption. In the second scenario, you will have to use another Alibaba Cloud service called Key Management Service or KMS for storing the part of keys to be rotated.
Clicking on “OK” will create the bucket and direct you to the Overview of the Cloud Bucket. Clicking on the “Files” option in the menu, shown second last from the left, will give you a view of the bucket as shown below.
As you can see, at this point we have created a Cloud Bucket but it is empty. So let’s upload something. Choose a file from your PC for uploading by first clicking on the “Upload” option which appears near the name of the cloud bucket.
In our case, we have uploaded a picture of the deity Durga. Notice that when you click on the file name, a panel pops up from the right which displays details like Filename, ACL, File Type and Encryption Standard as well as Storage Class. We discussed these earlier. You should also notice a URL. You can access this data object using this URL. If the bucket or file was selectively made public, everyone would be able to use this link to access the data.
Clicking on the “Access Control” option, second to last from the left in the panel, shows you something similar to what is shown below.
This is where you can control/modify details about the bucket like its ACL or which RAM users other than yourself are allowed to access it. Next, clicking on “Basic Settings” in the same panel will show you an option “Lifecycle”. Click on it and then click on “Create Rule”. You should see something as shown below.
Lifecycle management saves you a lot of effort. You can do things like move an object from Standard to IA or Archive after a certain number of days have passed. This happens automatically once you set the rule here. You can make selective rules that apply either to the whole bucket or to any files beginning with a certain prefix. In our case, we create a rule which deletes the data stored in the bucket after 10 days of inactivity of a specific file. This serves as our personal insurance, as we won’t be billed for data uploaded but forgotten.
Another thing that might catch your eye in the Basic Settings menu is “Static Pages”. If you are coming from another cloud vendor, you will already know that you can leverage Object Storage Type Services to host static HTML files. You can essentially host your portfolio for very low cost here (note that it’s not free like you would have in GCP). You need to set your Homepage and Error page and your Bucket will essentially serve the files over the Endpoint shown during creation.
You can also do things like enable Cross Region Replication in the “Redundancy for Fault Tolerance” section. If you are vying for compliance then this is a must for you. You can also attach a custom domain name to your bucket, in which case all the traffic to that domain will be directed to this bucket and you will have a hosting service. You can do that from the “Transmission” menu as shown below. Since we do not have a domain at this time for the demo, let’s forgo that part.
You can do many other interesting things and play around with Aliyun’s OSS. One feature that OSS gives which caught our eye would be the Image Processing Function. Yes, you heard that right, you can do tricks like rotate, crop or blur images in the bucket while querying through the URL. You can also enable the Anti-leech feature by adding only a set of permitted sites as origin for querying the objects in this bucket. This would remove the chances of your data being discovered by something as simple as Google Dorking. We encourage you to check out the extensive documentation that Alibaba has provided for OSS if you wish to go beyond the basics shown here.
This concludes our article. We discussed the basic functionalities and covered the features provided by Alibaba Cloud’s OSS or Object Storage Service. We are nearing the end of the “Getting Started with Alibaba Cloud” series. In fact, this article was an introduction to OSS, which will be used for our last mini-project where we will make a simple server and host it on Google Cloud Platform or GCP’s Compute Instance to showcase the use of Alibaba Cloud’s SDK. That is where you will need to use the Access Keys (hope you saved them). This will also help you get a very basic taste of Multi-cloud. Till then, stay safe and as we say at DC on Cloud, “Keep Calm n’ Cloud”.