In addition to including the Authorization header in the request, you can also add signature information to a URL so that you can forward the URL to a third party for authorized access.

Notice
  • If you generate a signed URL, the data that is authorized will be exposed to the Internet as long as the authorization is valid. We recommend that you assess the risks in advance.
  • A signature cannot be included in a URL and a header at the same time.
  • You can add a signature to a URL in PUT and GET requests.

Sample code

The following sample code shows how to generate the signature for a signed URL in Python:

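import base64
import hashlib
import hmac
import urllib.parse

# HMAC-SHA1 over the string to sign, keyed with the AccessKey secret
h = hmac.new(b"OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
             b"GET\n\n\n1141889120\n/oss-example/oss-api.pdf",
             hashlib.sha1)
# Base64-encode the digest, then URL-encode it for use as the Signature parameter
signature = urllib.parse.quote(base64.b64encode(h.digest()).decode())
print(signature)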

OSS SDKs provide methods for generating signed URLs. For more information, see SDK reference.

The following table lists the URL signing method and its implementation file for each OSS SDK.

| SDK | URL signature method | Implementation file |
| --- | --- | --- |
| Java SDK | OSSClient.generatePresignedUrl | OSSClient.java |
| Python SDK | Bucket.sign_url | api.py |
| .NET SDK | OssClient.GeneratePresignedUri | OssClient.cs |
| PHP SDK | OssClient.signUrl | OssClient.php |
| JavaScript SDK | signatureUrl | object.js |
| C SDK | oss_gen_signed_url | oss_object.c |
| C++ SDK | OssClient::GeneratePresignedUrl | OssClient.cc |

Implementation

The following is an example of a signed URL:

http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?OSSAccessKeyId=nz2pc56s936**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D

A signed URL must include the following three parameters: Signature, Expires, and OSSAccessKeyId. When you generate the signature string, replace Date with Expires, but include the headers such as Content-Type and Content-MD5 defined in Add signatures to headers. (Although Date still exists in the request header, you do not need to add it to the signature string.)

  • Expires specifies the validity period of the URL. The value of this parameter is in UNIX time format, that is, the number of seconds that have elapsed since January 1, 1970 UTC. If OSS receives the URL request later than the value of Expires that is included in the signature, a request timeout error is returned. For example, if the current time is 1141889060 and you want to create a URL that expires in 60 seconds, set the value of Expires to 1141889120.
    Note: For security reasons, the default validity period of a URL is 3,600 seconds. The maximum validity period of a URL is 32,400 seconds.
  • OSSAccessKeyId specifies the AccessKey ID of a key.
  • Signature specifies the signature information. For all requests and headers that OSS supports, the signature algorithm for a URL is basically the same as that for a header in Add signatures to headers.
    Signature = urlencode(base64(hmac-sha1(AccessKeySecret,
              VERB + "\n" 
              + CONTENT-MD5 + "\n" 
              + CONTENT-TYPE + "\n" 
              + EXPIRES + "\n" 
              + CanonicalizedOSSHeaders
              + CanonicalizedResource)))

    For more information about values of the CONTENT-MD5, CanonicalizedOSSHeaders, and CONTENT-TYPE headers, see Add signatures to headers.

    Note: URL signing differs from header signing as follows:
    • When a signed URL is created, the Expires parameter replaces the Date parameter.
    • If more than one Signature, Expires, or OSSAccessKeyId value is passed in, the first value is used.
    • Before verifying the signature of a request, OSS checks the request time to determine whether it is later than the time specified in Expires.
    • When you add a signature string to a URL, you must encode the URL.
  • When you add a signature to a temporary user URL, you must include security-token. The format is as follows:
    http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?OSSAccessKeyId=nz2pc56s936**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D&security-token=SecurityToken
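
The signing formula and the checks listed above, as an added example (not code from this page or from the OSS SDKs): it builds a signed PUT URL that covers a Content-Type, then replays the described checks locally. The function names, the reason strings, and the sample key ID and secret are constructed for illustration; CanonicalizedOSSHeaders is assumed to be passed in already canonicalized.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

def signature(secret, verb, expires, resource, content_md5="", content_type="", oss_headers=""):
    # String to sign from this page: Expires sits where Date sits in header signing.
    # oss_headers must already be in CanonicalizedOSSHeaders form (assumption).
    string_to_sign = (f"{verb}\n{content_md5}\n{content_type}\n{expires}\n"
                      f"{oss_headers}{resource}")
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_url(base_url, key_id, secret, verb, resource, expires, **signed):
    sig = signature(secret, verb, expires, resource, **signed)
    # safe="" so that "+", "/" and "=" in the base64 text are all percent-encoded.
    return (f"{base_url}?OSSAccessKeyId={quote(key_id, safe='')}"
            f"&Expires={expires}&Signature={quote(sig, safe='')}")

def check_url(url, secret, verb, resource, now, **signed):
    """Local model of the checks described above; returns (ok, reason)."""
    params = parse_qs(urlsplit(url).query)
    try:
        # When a parameter is repeated, the first value is the one used.
        expires = params["Expires"][0]
        sig = params["Signature"][0]
        params["OSSAccessKeyId"][0]
    except KeyError:
        return False, "missing parameter"
    if not (expires.isascii() and expires.isdigit()):
        return False, "bad Expires format"
    if now > int(expires):  # expiry is checked before the signature
        return False, "expired"
    expected = signature(secret, verb, expires, resource, **signed)
    # Constant-time comparison avoids leaking how many leading characters match.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"

# Constructed sample values, not real credentials.
KEY_ID, SECRET = "EXAMPLEKEYID", "example-secret-not-real"
RESOURCE = "/oss-example/oss-api.pdf"
URL = sign_url("http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf",
               KEY_ID, SECRET, "PUT", RESOURCE, 1141889120,
               content_type="application/pdf")
```

Because Content-Type is part of the string to sign, a request that presents this URL with a different Content-Type, or with none, fails the signature check even while the URL is still within its validity period.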

Error codes

| Error code | Error message | Description |
| --- | --- | --- |
| AccessDenied | 403 Forbidden | The error message returned because one or more of the Signature, Expires, and OSSAccessKeyId parameters are missing. When a signature is added to a URL, the sequence of the Signature, Expires, and OSSAccessKeyId parameters can be swapped. |
| AccessDenied | 403 Forbidden | The error message returned because the current access time is later than the Expires value set in the request, or the time is in a wrong format. |
| InvalidArgument | 400 Bad Request | The error message returned because a URL includes one or more of the Signature, Expires, and OSSAccessKeyId parameters and the header also includes the signature information. |