This topic describes how to authorize a third-party user to upload objects directly to OSS without the need to forward objects through the server.


In a standard client/server system architecture, the server is responsible for receiving and processing requests from the client. If OSS is used as a back-end storage service, the client sends objects to be uploaded to the application server, which then forwards them to OSS. In this process, the data needs to be transmitted twice, once from the client to the server and once from the server to OSS. In the case of bursts of access requests, the server must provide sufficient bandwidth resources for multiple clients to upload objects simultaneously. This presents a challenge to the architecture scalability.

To resolve this issue, OSS provides authorized third-party upload. By using this feature, each client can upload objects directly to OSS without transmitting them to the server. This reduces the cost for application servers and maximizes the OSS capability to process large amounts of data. In this case, you can focus on your business, without worrying about the bandwidth and concurrency limits.

Currently, OSS supports two methods to grant upload permissions: signed URL and temporary access credential.

Signed URL

In this method, you can use a request URL that contains the OSSAccessKeyId and Signature fields to directly upload objects. Each signed URL has expiration time to ensure security.

Temporary access credential

Alibaba Cloud uses Security Token Service (STS) to grant temporary access credentials to authorize users. STS is a Web service that provides temporary access tokens for cloud computing users. Through STS, you can grant a third-party application or a RAM user (who you can manage its user identity) an access credential with a custom validity period and permissions.