By default, local files are uploaded to DashScope temporary storage (oss:// URLs, 48-hour TTL). For production use, you can configure your own 阿里云 OSS bucket to store uploaded files with no expiration and no rate limits.
Warning — Default temp storage is NOT for production:
- Temporary URLs expire after 48 hours and cannot be renewed.
- The upload policy endpoint is rate-limited to 100 QPS (per account + model) and cannot be increased.
- For production, high-concurrency, or load-testing scenarios, use your own OSS bucket as described below.
Install the 阿里云 OSS SDK (Python):
pip install oss2
You need an existing OSS bucket. Create one in the OSS Console if you don't have one.
Set QWEN_TMP_OSS_BUCKET to activate custom OSS mode. All variables use the QWEN_TMP_OSS_ prefix.
| Variable | Required | Description | Example |
|----------|----------|-------------|---------|
| QWEN_TMP_OSS_BUCKET | Yes (trigger) | OSS bucket name | e.g. do-not-use-this-name-my-ai-assets |
| QWEN_TMP_OSS_REGION | Yes | OSS region | cn-beijing |
| QWEN_TMP_OSS_AK_ID | No* | AccessKey ID for OSS | Lxxxxx... |
| QWEN_TMP_OSS_AK_SECRET | No* | AccessKey Secret for OSS | xxxxx |
| QWEN_TMP_OSS_PREFIX | No | Object key prefix (default: qianwen-uploads) | ai/prod |
| QWEN_TMP_OSS_ENDPOINT | No | Custom endpoint (overrides region) | my-bucket.oss-cn-beijing.aliyuncs.com |
| QWEN_TMP_OSS_URL_EXPIRES | No | Presigned URL expiry in seconds (default: 86400 = 24h) | 3600 |
1. QWEN_TMP_OSS_AK_ID + QWEN_TMP_OSS_AK_SECRET — used if both are set (via StaticCredentialsProvider)
2. OSS_ACCESS_KEY_ID + OSS_ACCESS_KEY_SECRET — standard OSS SDK credentials, used as fallback (via SDK's EnvironmentVariableCredentialsProvider)
3. If neither pair is set, the script exits with an error.
.env Configuration ExamplesDashScope API key (required for all skills)
DASHSCOPE_API_KEY=sk-your-key-hereCustom OSS storage
QWEN_TMP_OSS_BUCKET=do-not-use-this-name-my-ai-assets
QWEN_TMP_OSS_REGION=cn-beijing
QWEN_TMP_OSS_AK_ID=Lxxxxxxxxxxxxxxx
QWEN_TMP_OSS_AK_SECRET=xxxxxxxxxxxxxxxx
DashScope API key
DASHSCOPE_API_KEY=sk-your-key-hereCustom OSS storage (AK from standard OSS SDK env vars)
QWEN_TMP_OSS_BUCKET=do-not-use-this-name-my-ai-assets
QWEN_TMP_OSS_REGION=cn-beijingStandard OSS SDK credentials (shared with other OSS SDK consumers)
OSS_ACCESS_KEY_ID=Lxxxxxxxxxxxxxxx
OSS_ACCESS_KEY_SECRET=xxxxxxxxxxxxxxxx
When QWEN_TMP_OSS_BUCKET is set, all resolve_file() and upload_file() calls automatically route to your OSS bucket instead of DashScope temp storage. The upload returns a presigned https:// URL that DashScope APIs accept natively — no special headers needed.
Files are stored under {prefix}/{date}/{uuid}_{filename} and remain in your bucket until you delete them. The presigned URL expires after the configured duration (default 24 hours), but the file itself persists.
Note on vision skills: The --upload-files flag is still required for vision scripts (analyze, reason, ocr) to trigger file upload. Without it, local files are base64-encoded regardless of custom OSS configuration. Image and video skills always upload local files automatically.
| | Default (DashScope Temp) | Custom OSS |
|---|---|---|
| URL format | oss:// | https:// (presigned) |
| File TTL | 48 hours (auto-deleted) | Permanent (user-managed) |
| Upload rate limit | 100 QPS (not expandable) | OSS limits (much higher) |
| Dependency | None (stdlib only) | oss2 |
| Setup | Zero config | Bucket + env vars |
| Production ready | No | Yes |
OSS credentials (QWEN_TMP_OSS_AK_ID, QWEN_TMP_OSS_AK_SECRET) must be treated with the same security level as DASHSCOPE_API_KEY:
- Never hardcode AccessKey credentials in source code.
QWEN_TMP_OSS_AK_ID or QWEN_TMP_OSS_AK_SECRET in plaintext. Use masked output (e.g. Lxxx...xxxx) in any diagnostic or error message..env to .gitignore to prevent accidental commits.oss:PutObject, oss:GetObject on your bucket).QWEN_TMP_OSS_ENDPOINT) when running in the same region/VPC as your OSS bucket to avoid public network charges.