This topic describes how to authorize temporary access to Object Storage Service (OSS) by using Security Token Service (STS) or a signed URL.

Use STS to authorize temporary access

You can use STS to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for cloud computing users. You can use STS to grant an access credential with a custom validity period and custom permissions for a third-party application or a RAM user managed by you. For more information about STS, see What is STS?

STS has the following benefits:

  • You only need to generate an access token and send it to the third-party application, instead of exposing your AccessKey pair to that application. You can customize the access permissions and validity period of this token.
  • The access token automatically expires after the validity period. Therefore, you do not need to manually revoke the permissions of an access token.

The following code provides an example of how to use STS to create a signed request:
// Obtain a temporary access credential from the STS server that you set up.
// Use HTTPS so that the temporary credential is not exposed in transit.
fetch('https://your_sts_server/')
  .then(resp => resp.json())
  .then(result => {
    const store = new OSS({
      // Specify the temporary AccessKey pair obtained from STS. 
      accessKeyId: result.AccessKeyId,
      accessKeySecret: result.AccessKeySecret,
      // Specify the security token obtained from STS. 
      stsToken: result.SecurityToken,
      // Specify the region of the bucket. For example, if the requested bucket is located in the China (Hangzhou) region, set region to oss-cn-hangzhou. 
      region: 'oss-cn-hangzhou',
      // Specify the name of the bucket in which the object you want to access is stored. Example: examplebucket. 
      bucket: 'examplebucket'
    });
    // Generate a signed URL. 
    // Specify the full path of the object that you want to access. Example: ossdemo.txt. The full path of the object cannot contain bucket names. 
    const url = store.signatureUrl('ossdemo.txt');
    console.log(url);
  })
  // Report a failed credential request instead of leaving the rejection unhandled.
  .catch(err => console.error(err));

Use a signed URL to authorize temporary access

Notice: To use a signed URL that contains custom parameters to access an object in a browser, make sure that the value of the Content-Type parameter contained in the URL is the same as the Content-Type specified in the browser. Otherwise, OSS may report the SignatureDoesNotMatch error. For more information about how to configure Content-Type, see How do I configure the Content-Type of objects?

  • Generate a signed URL

    You can generate a signed URL and provide the URL to a visitor for temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit the period of access from visitors. By default, the validity period of a signed URL is 1,800 seconds. The maximum validity period of a signed URL is 32,400 seconds.

  • Generate a signed URL for an object
    Note: name {String} specifies the name of the object stored in OSS. [expires] {Number} specifies the validity period of the URL. Unit: seconds. Default value: 1800. For more information about other parameters, visit GitHub.
    The following code provides an example of how to generate a signed URL for an object:
    // Default options: the URL is valid for 1,800 seconds.
    const defaultUrl = store.signatureUrl('ossdemo.txt');
    console.log(defaultUrl);
    // --------------------------------------------------
    // URL for a PUT request, valid for 3,600 seconds.
    const putUrl = store.signatureUrl('ossdemo.txt', {
      expires: 3600,
      method: 'PUT'
    });
    console.log(putUrl);
    // --------------------------------------------------
    // Put object with signatureUrl: the signature covers Content-Type,
    // so the upload request must send the same Content-Type header.
    const putTypedUrl = store.signatureUrl('ossdemo.txt', {
      expires: 3600,
      method: 'PUT',
      'Content-Type': 'text/plain; charset=UTF-8',
    });
    console.log(putTypedUrl);
    // --------------------------------------------------
    // URL that sets the response headers returned with the object.
    const downloadUrl = store.signatureUrl('ossdemo.txt', {
      expires: 3600,
      response: {
        'content-type': 'text/custom',
        'content-disposition': 'attachment'
      }
    });
    console.log(downloadUrl);
    
    // put operation
  • Generate a signed URL that contains Image Processing (IMG) parameters
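    // Resize the image to a width of 200 pixels; the URL uses the default validity period.
    const imgUrl = store.signatureUrl('ossdemo.png', {
      process: 'image/resize,w_200'
    });
    console.log(imgUrl);
    // --------------------------------------------------
    // Same IMG parameters, with the URL valid for 3,600 seconds.
    const imgUrlWithExpiry = store.signatureUrl('ossdemo.png', {
      expires: 3600,
      process: 'image/resize,w_200'
    });
    console.log(imgUrlWithExpiry);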
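
The validity limits given under "Generate a signed URL" and the STS token from the first section can both be checked on a URL before it is handed to a visitor. The following is an added example, not code from the OSS SDK or from this documentation; it assumes V1-style query parameters (OSSAccessKeyId, Expires, Signature, security-token), the helper name auditSignedUrl is hypothetical, and the sample URLs are constructed.

```javascript
// Added example (not SDK code). Assumption: V1-style signed URL query parameters
// OSSAccessKeyId, Expires (Unix timestamp), Signature and, for STS, security-token.
const DEFAULT_TTL = 1800;  // default validity stated on this page, in seconds
const MAX_TTL = 32400;     // maximum validity stated on this page, in seconds

// Hypothetical helper: reports what a reviewer needs to know about a signed URL.
function auditSignedUrl(signedUrl, nowSeconds = Math.floor(Date.now() / 1000)) {
  const query = new URL(signedUrl).searchParams;
  const findings = [];
  for (const name of ['OSSAccessKeyId', 'Expires', 'Signature']) {
    if (!query.get(name)) findings.push(`missing ${name}`);
  }
  // Expires is an absolute time, so the remaining validity depends on "now".
  const raw = query.get('Expires') || '';
  const remaining = /^\d+$/.test(raw) ? Number(raw) - nowSeconds : NaN;
  if (raw && Number.isNaN(remaining)) findings.push('Expires is not a Unix timestamp');
  else if (remaining <= 0) findings.push('expired');
  else if (remaining > MAX_TTL) findings.push(`valid for ${remaining}s, above the ${MAX_TTL}s maximum`);
  // Without a security token the URL was signed with a long-term AccessKey pair,
  // which does not expire automatically the way an STS token does.
  const usesSts = Boolean(query.get('security-token'));
  if (!usesSts) findings.push('no security-token: signed without STS credentials');
  return { remaining, usesSts, beyondDefault: remaining > DEFAULT_TTL, findings };
}

// Constructed sample URLs; every credential value is a placeholder.
const NOW = 1700000000;
const base = 'https://examplebucket.oss-cn-hangzhou.aliyuncs.com/ossdemo.txt';
const stsUrl = `${base}?OSSAccessKeyId=PLACEHOLDER_ID&Expires=${NOW + 1800}` +
  '&Signature=PLACEHOLDER_SIG&security-token=PLACEHOLDER_TOKEN';
const longLivedUrl = `${base}?OSSAccessKeyId=PLACEHOLDER_ID&Expires=${NOW + 86400}` +
  '&Signature=PLACEHOLDER_SIG';

console.log(auditSignedUrl(stsUrl, NOW));
console.log(auditSignedUrl(longLivedUrl, NOW));
```

An empty findings array means the URL is STS-signed, unexpired and within the maximum validity period.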