HTTP requests sent to Object Storage Service (OSS) fall into two types, depending on whether they carry authentication information: requests with authentication information and anonymous requests without it. Unlike an anonymous request, a request with authentication information carries signature information in the request header or in the request URL, in the format specified in OSS API Reference.

Use anonymous requests to access OSS

  1. A user request is sent to the HTTP server of OSS.
  2. OSS parses the URL of the request to obtain the requested bucket and object.
  3. OSS checks whether the access control list (ACL) of the object is set to allow anonymous access.
    • If anonymous access is allowed, the object is returned to the user.
    • If anonymous access is not allowed, the request is denied.

Use requests with authentication information to access OSS

  1. A user request is sent to the HTTP server of OSS.
  2. OSS parses the URL of the request to obtain the requested bucket and object.
  3. OSS obtains the identity information about the requester for authentication based on the AccessKey ID of the requester.
    • If the identity information is not obtained, the request is denied.
    • If the identity information is obtained, but the requester is not allowed to access the requested object, the request is denied.
    • If the identity information is obtained, but the signature calculated based on the HTTP parameters in the request does not match the signature contained in the request, the request is denied.
    • If the authentication succeeds, the object is returned to the user.

AccessKey pair types

Currently, the following three types of OSS AccessKey pairs are used to access OSS:

  • The AccessKey pair of an Alibaba Cloud account

    The AccessKey pair of an Alibaba Cloud account is the AccessKey pair of the bucket owner. It has full access to all resources in the account. Each Alibaba Cloud account can have up to five AccessKey pairs (AccessKey ID and AccessKey secret).

    You can request to add or delete your AccessKey pairs in the Alibaba Cloud Management Console.

    Each AccessKey pair can be in either an active or inactive state.

    • Active: indicates that the AccessKey pair can be used for authentication.
    • Inactive: indicates that the AccessKey pair cannot be used for authentication.
    Notice: For data security reasons, we recommend that you do not use the AccessKey pair of your Alibaba Cloud account to manage your OSS resources. Instead, create an AccessKey pair for a Resource Access Management (RAM) user and grant the required permissions to that RAM user.
  • The AccessKey pair of a RAM user

    Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage access permissions on resources. The AccessKey pairs of RAM users are authorized in the RAM console, and they can be used to access bucket resources only as allowed by the rules that are defined in RAM. You can use RAM to manage users such as employees, systems, and applications, and to control the permissions of those users to access your resources. For example, you can create a RAM policy that grants users read-only permissions on one of your buckets. A RAM user belongs to the Alibaba Cloud account under which the RAM user was created, and the RAM user does not itself own resources: all resources belong to the corresponding Alibaba Cloud account.

  • The AccessKey pair of an STS account

    Security Token Service (STS) is an Alibaba Cloud service that provides temporary access credentials. An STS temporary AccessKey pair is issued by STS. The AccessKey pair can be used only to access OSS buckets in accordance with the rules defined in STS.

Authentication implementation methods

Currently, authentication is implemented in the following three methods:

  • AccessKey pair authentication
  • RAM authentication
  • STS authentication

When a user sends a request to OSS under its own identity rather than anonymously, authentication is performed in the following procedure:

  1. A signature string is generated in the format specified by OSS based on the request.
  2. Use your AccessKey secret to sign the signature string, which produces a verification code that is sent with the request.
  3. After OSS receives the request, OSS looks up the AccessKey secret that corresponds to your AccessKey ID, rebuilds the signature string from the request, and uses the AccessKey secret to recompute the verification code.
    • If the verification code calculated by OSS is identical to the one provided in the request, OSS considers the request valid.
    • Otherwise, OSS denies the request and returns HTTP status code 403.
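As an added example (not the page's own code and not an OSS SDK), the following Python models steps 1 to 3 for the V1 Authorization-header scheme that OSS API Reference documents: the string to sign is built from the request's HTTP parameters, the verification code is base64(HMAC-SHA1(AccessKey secret, string to sign)), and the OSS side looks up the secret by AccessKey ID, recomputes the code from the received request and compares it in constant time, returning 403 on any mismatch, unknown ID or inactive pair. The credential store, the AccessKey IDs and secrets, and the sample headers are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed credential store standing in for the OSS-side lookup by AccessKey ID.
# The IDs and secrets below are made-up placeholders, not real keys.
CREDENTIALS = {
    "LTAI_EXAMPLE_ACTIVE": {"secret": "example-secret-1", "active": True},
    "LTAI_EXAMPLE_INACTIVE": {"secret": "example-secret-2", "active": False},
}


def string_to_sign(verb, headers, resource):
    """Step 1: build the V1 string to sign from the HTTP parameters. x-oss-* headers
    are lowercased, sorted and appended one per line before the canonicalized resource."""
    canon = "".join(f"{k}:{v.strip()}\n"
                    for k, v in sorted((k.lower(), v) for k, v in headers.items())
                    if k.startswith("x-oss-"))
    fixed = [verb, headers.get("Content-MD5", ""), headers.get("Content-Type", ""),
             headers.get("Date", ""), ""]
    return "\n".join(fixed) + canon + resource


def sign(secret, sts):
    """Step 2: verification code = base64(HMAC-SHA1(AccessKey secret, string to sign))."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_request(key_id, secret, verb, resource, headers):
    """Client side: sign the request and attach the Authorization header."""
    req_headers = dict(headers)
    sts = string_to_sign(verb, headers, resource)
    req_headers["Authorization"] = f"OSS {key_id}:{sign(secret, sts)}"
    return {"verb": verb, "resource": resource, "headers": req_headers}


def verify(request):
    """Step 3, OSS side: look up the secret by AccessKey ID, recompute the verification
    code from the received request and compare in constant time. Returns an HTTP status."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("OSS ") or ":" not in auth:
        return 403  # no usable authentication information in the request
    key_id, provided = auth[4:].split(":", 1)
    cred = CREDENTIALS.get(key_id)
    if cred is None or not cred["active"]:
        return 403  # identity not obtained, or the AccessKey pair is inactive
    sts = string_to_sign(request["verb"], request["headers"], request["resource"])
    return 200 if hmac.compare_digest(sign(cred["secret"], sts), provided) else 403
```

Because the server recomputes the code from the request it actually received, changing any signed parameter (here the HTTP verb) after signing invalidates the signature.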

How to access OSS when you use requests with authentication information

  • Use the OSS console to access OSS: The authentication process runs in the background, and users do not need to worry about authentication configurations when they access OSS in the console. For more information, see Download objects.
  • Use OSS SDKs to access OSS: OSS provides SDKs for multiple programming languages in which the signature algorithm is already implemented. Therefore, users only need to provide the AccessKey pair to access OSS by using an SDK. For more information, see:
  • Use OSS API operations to access OSS: To encapsulate and call RESTful API operations by using a specific programming language, you must implement a signature algorithm to calculate the signature. For more information, see Add signatures to the Authorization header and Add signatures to a URL in OSS API Reference.