This topic describes how to authorize temporary access to Object Storage Service (OSS) by using Security Token Service (STS) or a signed URL.

Use STS to authorize temporary access

You can use STS to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for users. You can use STS to grant an access credential that has a custom validity period and custom permissions for a third-party application or a Resource Access Management (RAM) user managed by you. For more information about STS, see What is STS?.

STS has the following benefits:

  • You need only to generate an access token and send the access token to a third-party application, instead of exposing your AccessKey pair to the third-party application. You can customize the access permissions and validity period of this token.
  • The access token automatically expires after the validity period. Therefore, you do not need to manually revoke the permissions of an access token.
Note For more information about how to configure STS, see Use a temporary credential provided by STS to access OSS in OSS Developer Guide. You can call the AssumeRole operation or use STS SDKs for various programming languages to obtain a temporary access credential. The temporary access credential contains a security token and a temporary AccessKey pair that consists of an AccessKey ID and an AccessKey secret. The minimum validity period of a temporary access credential is 900 seconds. The maximum validity period of a temporary access credential is the maximum session duration specified by the current role. For more information, see Specify the maximum session duration for a RAM role.
The following code provides an example of how to use an STS temporary credential to initialize a client and create a signed request:
// Obtain a temporary access credential from the STS server that you set up. Serve this endpoint over HTTPS so that the credential is not transmitted in clear text. 
fetch('https://your_sts_server/')
  .then(resp => resp.json())
  .then(result => {
    const store = new OSS({
      // Specify the temporary AccessKey pair obtained from STS, which consists of an AccessKey ID and an AccessKey secret. 
      accessKeyId: result.AccessKeyId,
      accessKeySecret: result.AccessKeySecret,
      // Specify the security token obtained from STS. 
      stsToken: result.SecurityToken,
      // Specify the region of the bucket. For example, if the requested bucket is located in the China (Hangzhou) region, set the region to oss-cn-hangzhou. 
      region: 'oss-cn-hangzhou',
      // Specify the name of the bucket in which the object you want to access is stored. Example: examplebucket. 
      bucket: 'examplebucket'
    });
    // Generate a signed URL. 
    // Specify the full path of the object that you want to access. Example: ossdemo.txt. The full path of the object cannot contain the bucket name. 
    const url = store.signatureUrl('ossdemo.txt');
    console.log(url);
  })
  // Report failures of the STS request or of the JSON decoding instead of silently swallowing them. 
  .catch(err => console.error('Failed to obtain an STS credential:', err));
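The snippet above fetches a credential once and never checks when it expires, so a long-lived page would keep signing with a dead token. The following helper is an added example, not code from this page or from the ali-oss SDK: it validates the credential object returned by the STS backend, caches it, and refreshes it before expiry. It assumes the backend relays the STS AssumeRole `Credentials` object (`AccessKeyId`, `AccessKeySecret`, `SecurityToken`, `Expiration` as an ISO 8601 timestamp); the `refreshSTSToken` and `refreshSTSTokenInterval` client options are taken from the ali-oss README as I remember them and are not documented on this page, so verify them against your SDK version.

```javascript
// Added example (not from the OSS documentation or the ali-oss SDK).
// Assumption: the STS backend returns the AssumeRole "Credentials" shape.
const REQUIRED_FIELDS = ['AccessKeyId', 'AccessKeySecret', 'SecurityToken', 'Expiration'];

// Reject malformed responses early instead of handing undefined values to the SDK.
// Returns null when the credential is usable, otherwise a short reason string.
function validateStsCredential(cred) {
  if (!cred || typeof cred !== 'object') return 'credential is not an object';
  for (const f of REQUIRED_FIELDS) {
    if (typeof cred[f] !== 'string' || cred[f].length === 0) return `missing field ${f}`;
  }
  if (Number.isNaN(Date.parse(cred.Expiration))) return 'Expiration is not a valid timestamp';
  return null;
}

// Seconds until the credential expires; negative once it has already expired.
function secondsUntilExpiry(cred, nowMs = Date.now()) {
  return Math.floor((Date.parse(cred.Expiration) - nowMs) / 1000);
}

// A credential counts as fresh only if it outlives the safety margin, which
// absorbs clock skew and the time a request spends in flight.
function credentialIsFresh(cred, nowMs = Date.now(), marginSeconds = 60) {
  return validateStsCredential(cred) === null && secondsUntilExpiry(cred, nowMs) > marginSeconds;
}

// Wraps a fetcher such as () => fetch('https://your_sts_server/').then(r => r.json())
// and returns get(), which reuses the cached credential while it is fresh.
function createStsCredentialProvider(fetchCredential, { marginSeconds = 60, now = Date.now } = {}) {
  let cached = null;
  let fetches = 0;
  return {
    async get() {
      if (cached && credentialIsFresh(cached, now(), marginSeconds)) return cached;
      const fresh = await fetchCredential();
      const problem = validateStsCredential(fresh);
      if (problem) throw new Error(`STS response rejected: ${problem}`);
      cached = fresh;
      fetches += 1;
      return cached;
    },
    fetchCount() { return fetches; },
  };
}

// Builds the options for `new OSS(...)`. refreshSTSToken / refreshSTSTokenInterval
// are assumed ali-oss client options (see the lead-in); the rest are the options
// used on this page.
function ossOptionsFromCredential(cred, provider, region, bucket) {
  return {
    accessKeyId: cred.AccessKeyId,
    accessKeySecret: cred.AccessKeySecret,
    stsToken: cred.SecurityToken,
    region,
    bucket,
    refreshSTSToken: async () => {
      const c = await provider.get();
      return { accessKeyId: c.AccessKeyId, accessKeySecret: c.AccessKeySecret, stsToken: c.SecurityToken };
    },
    refreshSTSTokenInterval: 300000, // 5 minutes, in milliseconds
  };
}
```

Usage in a page: `const provider = createStsCredentialProvider(() => fetch('https://your_sts_server/').then(r => r.json()));` then `const cred = await provider.get(); const store = new OSS(ossOptionsFromCredential(cred, provider, 'oss-cn-hangzhou', 'examplebucket'));`. Keeping the margin above the request timeout means a request never starts with a token that will expire mid-flight.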

Use a signed URL to authorize temporary access

Notice To use a signed URL that contains custom parameters to access an object from a browser, make sure that the value of the Content-Type parameter contained in the URL is the same as the Content-Type value specified in the request. Otherwise, OSS may report the SignatureDoesNotMatch error. For more information about how to configure Content-Type, see How do I configure the Content-Type of objects?.
  • Generate a signed URL

    You can generate a signed URL and provide the URL to a visitor for temporary access. When you generate a signed URL, you can specify the validity period of the URL to impose a limit on the period of access from visitors. By default, the validity period of a signed URL is 1,800 seconds. The maximum validity period of a signed URL is 32,400 seconds.

    • Generate a signed URL for an object
      Note: name {String} specifies the name of the object stored in OSS. [expires] {Number} specifies the validity period of the URL. Unit: seconds. Default value: 1800. For more information about other parameters, visit GitHub.
      The following code provides examples of how to generate a signed URL for an object:
      // Generate a signed URL that allows the object to be downloaded (GET) for the default validity period of 1800 seconds. 
      const downloadUrl = store.signatureUrl('ossdemo.txt');
      console.log(downloadUrl);
      // --------------------------------------------------
      // Generate a signed URL that allows a PUT request for 3600 seconds. 
      const putUrl = store.signatureUrl('ossdemo.txt', {
        expires: 3600,
        method: 'PUT'
      });
      console.log(putUrl);
      
      // Generate a signed URL for a PUT request that also signs the Content-Type. The request that uses this URL must send exactly this Content-Type. 
      // -------------------------------------------------
      const putWithTypeUrl = store.signatureUrl('ossdemo.txt', {
        expires: 3600,
        method: 'PUT',
        'Content-Type': 'text/plain; charset=UTF-8',
      });
      console.log(putWithTypeUrl);
      
      // --------------------------------------------------
      // Generate a signed download URL that overrides the response headers returned by OSS. 
      const downloadWithHeadersUrl = store.signatureUrl('ossdemo.txt', {
        expires: 3600,
        response: {
          'content-type': 'text/custom',
          'content-disposition': 'attachment'
        }
      });
      console.log(downloadWithHeadersUrl);
    • Generate a signed object URL that includes Image Processing (IMG) parameters
      // Generate a signed URL that resizes the image to a width of 200 pixels when it is accessed. The IMG parameters are part of the signature and cannot be changed by the visitor. 
      const processedUrl = store.signatureUrl('ossdemo.png', {
        process: 'image/resize,w_200'
      });
      console.log(processedUrl);
      // --------------------------------------------------
      // The same IMG parameters, with a validity period of 3600 seconds. 
      const processedUrlWithExpiry = store.signatureUrl('ossdemo.png', {
        expires: 3600,
        process: 'image/resize,w_200'
      });
      console.log(processedUrlWithExpiry);
  • Use a signed URL

    After a signed URL is generated, you can use the URL to upload, preview, or download an object.

    • Use a signed URL to upload an object
      // Specify the generated signed URL. The URL must have been generated with method: 'PUT'. 
      const url = 'signatureUrl'; 
      
      var xhr = new XMLHttpRequest();
      xhr.open('PUT', url, true);
      // If the signed URL was generated with a Content-Type, send the same Content-Type. Otherwise, OSS returns SignatureDoesNotMatch. 
      // xhr.setRequestHeader('Content-Type', 'text/plain; charset=UTF-8');
      
      xhr.onload = function () {
         // Add code for further operations. xhr.status is 200 when the upload succeeds. 
      };
      xhr.onerror = function () {
         // Handle network errors. 
      };
      
      // The request body can be any of the following types. 
      xhr.send(null);
      // xhr.send('string');
      // xhr.send(new Blob());
      // xhr.send(new Int8Array());
      // xhr.send(document);
    • Use a signed URL to preview or download an object

      You can also place the signed URL in the href of an <a> tag that has the download attribute, or pass it to the window.open() web API, to preview or download the object.
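The two sections above describe how a signed URL is generated and how it is consumed, and the Notice names the one failure mode that bites in practice: a Content-Type that differs from the signed one yields SignatureDoesNotMatch. The following helpers are an added example, not code from this page or from the ali-oss SDK. They cover the consuming side: parse the signing parameters out of a URL, refuse to use a URL that has already expired, clamp a requested validity period to the bounds documented above (default 1,800 seconds, maximum 32,400 seconds), and guarantee that an upload sends exactly the Content-Type that was signed. The sample URL is constructed with placeholder credentials; the query parameter names (OSSAccessKeyId, Expires, Signature, security-token, response-content-type) are assumed to match what the SDK emits for a V1 signed URL.

```javascript
// Added example (not from the OSS documentation or the ali-oss SDK).
const SIGNED_URL_DEFAULT_EXPIRES = 1800;
const SIGNED_URL_MAX_EXPIRES = 32400;

// Clamp a requested validity period to the bounds this page documents.
function normalizeExpires(expires) {
  if (expires === undefined || expires === null) return SIGNED_URL_DEFAULT_EXPIRES;
  if (!Number.isInteger(expires) || expires <= 0) {
    throw new RangeError('expires must be a positive integer number of seconds');
  }
  return Math.min(expires, SIGNED_URL_MAX_EXPIRES);
}

// Pull the signing parameters out of a signed URL. Returns null when the URL
// does not carry the three mandatory parameters (assumed V1 parameter names).
function parseSignedUrl(urlString) {
  const url = new URL(urlString);
  const p = url.searchParams;
  const accessKeyId = p.get('OSSAccessKeyId');
  const expiresRaw = p.get('Expires');
  const expires = expiresRaw === null ? NaN : Number(expiresRaw);
  const signature = p.get('Signature');
  if (!accessKeyId || !signature || !Number.isInteger(expires)) return null;
  return {
    objectKey: decodeURIComponent(url.pathname.replace(/^\//, '')),
    accessKeyId,
    expiresAt: expires, // Unix time in seconds
    signature,
    securityToken: p.get('security-token'),
    responseContentType: p.get('response-content-type'),
  };
}

// Seconds of validity left; negative once the URL has expired.
function signedUrlSecondsLeft(urlString, nowMs = Date.now()) {
  const parsed = parseSignedUrl(urlString);
  if (!parsed) throw new Error('not a signed OSS URL');
  return parsed.expiresAt - Math.floor(nowMs / 1000);
}

// Build the headers for a PUT through a signed URL. When a Content-Type was
// signed, the request must carry exactly that value or OSS answers
// SignatureDoesNotMatch, so a mismatch is rejected before any bytes are sent.
function uploadHeadersFor(signedContentType, requestContentType) {
  if (signedContentType && requestContentType !== signedContentType) {
    throw new Error(`Content-Type "${requestContentType}" does not match signed value "${signedContentType}"`);
  }
  return signedContentType ? { 'Content-Type': signedContentType } : {};
}

// Upload a body with fetch, refusing to start if the URL has already expired.
// Browser usage: await putWithSignedUrl(url, blob, 'text/plain; charset=UTF-8', 'text/plain; charset=UTF-8')
async function putWithSignedUrl(urlString, body, signedContentType, requestContentType, fetchImpl = fetch) {
  if (signedUrlSecondsLeft(urlString) <= 0) throw new Error('signed URL has expired; generate a new one');
  const headers = uploadHeadersFor(signedContentType, requestContentType);
  const resp = await fetchImpl(urlString, { method: 'PUT', headers, body });
  if (!resp.ok) throw new Error(`upload failed: HTTP ${resp.status}`);
  return resp;
}

// Constructed sample with placeholder credentials, shaped like a signed URL for
// examplebucket/ossdemo.txt that expires at 2024-01-01T01:00:00Z.
const SAMPLE_SIGNED_URL =
  'https://examplebucket.oss-cn-hangzhou.aliyuncs.com/ossdemo.txt' +
  '?OSSAccessKeyId=STS.placeholderKeyId&Expires=1704070800&Signature=placeholderSignature%3D' +
  '&security-token=placeholderToken&response-content-type=text%2Fcustom';
```

The expiry check is a convenience, not a security control: OSS enforces Expires server-side regardless of what the client does. The Content-Type check is what prevents the SignatureDoesNotMatch error described in the Notice, because the signed value and the sent value are taken from the same variable rather than typed twice.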