diff --git a/bin/ofs/Cargo.lock b/bin/ofs/Cargo.lock
index f6be8cdd8bd..37352c5a0e6 100644
--- a/bin/ofs/Cargo.lock
+++ b/bin/ofs/Cargo.lock
@@ -126,13 +126,12 @@ checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0"
 
 [[package]]
 name = "backon"
-version = "0.4.4"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d67782c3f868daa71d3533538e98a8e13713231969def7536e8039606fc46bf0"
+checksum = "2caf634d05fe0642d0fb1ab43497fa627088ecd93f84b2d0f2a5d7b91f7730db"
 dependencies = [
  "fastrand",
- "futures-core",
- "pin-project",
+ "gloo-timers",
  "tokio",
 ]
 
@@ -670,6 +669,18 @@ version = "0.29.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "40ecd4077b5ae9fd2e9e169b102c6c330d0605168eb0e8bf79952b256dbefffd"
 
+[[package]]
+name = "gloo-timers"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994"
+dependencies = [
+ "futures-channel",
+ "futures-core",
+ "js-sys",
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.14.5"
diff --git a/core/src/services/oss/backend.rs b/core/src/services/oss/backend.rs
index aa81ef2e55c..ec99b375d33 100644
--- a/core/src/services/oss/backend.rs
+++ b/core/src/services/oss/backend.rs
@@ -241,6 +241,54 @@ impl OssBuilder {
         self.config.allow_anonymous = true;
         self
     }
+
+    /// Set role_arn for this backend.
+    ///
+    /// If `role_arn` is set, we will use already known config as source
+    /// credential to assume role with `role_arn`.
+    pub fn role_arn(mut self, role_arn: &str) -> Self {
+        if !role_arn.is_empty() {
+            self.config.role_arn = Some(role_arn.to_string())
+        }
+
+        self
+    }
+
+    /// Set role_session_name for this backend.
+    pub fn role_session_name(mut self, role_session_name: &str) -> Self {
+        if !role_session_name.is_empty() {
+            self.config.role_session_name = Some(role_session_name.to_string())
+        }
+
+        self
+    }
+
+    /// Set oidc_provider_arn for this backend.
+    pub fn oidc_provider_arn(mut self, oidc_provider_arn: &str) -> Self {
+        if !oidc_provider_arn.is_empty() {
+            self.config.oidc_provider_arn = Some(oidc_provider_arn.to_string())
+        }
+
+        self
+    }
+
+    /// Set oidc_token_file for this backend.
+    pub fn oidc_token_file(mut self, oidc_token_file: &str) -> Self {
+        if !oidc_token_file.is_empty() {
+            self.config.oidc_token_file = Some(oidc_token_file.to_string())
+        }
+
+        self
+    }
+
+    /// Set sts_endpoint for this backend.
+    pub fn sts_endpoint(mut self, sts_endpoint: &str) -> Self {
+        if !sts_endpoint.is_empty() {
+            self.config.sts_endpoint = Some(sts_endpoint.to_string())
+        }
+
+        self
+    }
 }
 
 impl Builder for OssBuilder {
@@ -303,6 +351,27 @@ impl Builder for OssBuilder {
             cfg.access_key_secret = Some(v);
         }
 
+        if let Some(v) = self.config.role_arn {
+            cfg.role_arn = Some(v);
+        }
+
+        // override default role_session_name if set
+        if let Some(v) = self.config.role_session_name {
+            cfg.role_session_name = v;
+        }
+
+        if let Some(v) = self.config.oidc_provider_arn {
+            cfg.oidc_provider_arn = Some(v);
+        }
+
+        if let Some(v) = self.config.oidc_token_file {
+            cfg.oidc_token_file = Some(v);
+        }
+
+        if let Some(v) = self.config.sts_endpoint {
+            cfg.sts_endpoint = Some(v);
+        }
+
         let client = if let Some(client) = self.http_client {
             client
         } else {
diff --git a/core/src/services/oss/config.rs b/core/src/services/oss/config.rs
index 743fbb02ea1..90cd64c9d6a 100644
--- a/core/src/services/oss/config.rs
+++ b/core/src/services/oss/config.rs
@@ -46,8 +46,28 @@ pub struct OssConfig {
     pub access_key_id: Option<String>,
     /// Access key secret for oss.
     pub access_key_secret: Option<String>,
-    /// batch_max_operations
+    /// The size of max batch operations.
     pub batch_max_operations: Option<usize>,
+    /// If `role_arn` is set, we will use already known config as source
+    /// credential to assume role with `role_arn`.
+    pub role_arn: Option<String>,
+    /// role_session_name for this backend.
+    pub role_session_name: Option<String>,
+    /// `oidc_provider_arn` will be loaded from
+    ///
+    /// - this field if it's `is_some`
+    /// - env value: [`ALIBABA_CLOUD_OIDC_PROVIDER_ARN`]
+    pub oidc_provider_arn: Option<String>,
+    /// `oidc_token_file` will be loaded from
+    ///
+    /// - this field if it's `is_some`
+    /// - env value: [`ALIBABA_CLOUD_OIDC_TOKEN_FILE`]
+    pub oidc_token_file: Option<String>,
+    /// `sts_endpoint` will be loaded from
+    ///
+    /// - this field if it's `is_some`
+    /// - env value: [`ALIBABA_CLOUD_STS_ENDPOINT`]
+    pub sts_endpoint: Option<String>,
 }
 
 impl Debug for OssConfig {