To authorize a third-party user to download objects from a private bucket, you can provide a signed URL or a temporary access credential instead of your AccessKey pair to the user.
Signed URL
OSS allows users to use a signed URL to download data. You can add signature information to a URL and provide the URL to a third-party user for authorized access. The third-party user can access the URL by sending a GET request to download objects.
- Examples
http://<bucket>.<region>.aliyuncs.com/<object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>
This link must be URL-encoded. At least the following parameters must be included to sign the request: OSSAccessKeyId, Expires, and Signature.
- OSSAccessKeyId: The AccessKey ID of your Alibaba Cloud account.
- Expires: The expected expiration time of the URL.
- Signature: The signature string. For more information, see Add a signature to a URL.
- Implementation modes
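The following is an added example, not code from the OSS documentation or SDKs, showing how OSSAccessKeyId, Expires, and Signature fit together and how the receiving side rejects an expired or altered URL. It assumes the V1 URL-signing scheme (Base64 of HMAC-SHA1 over the verb, Expires, and /bucket/object); the function names, bucket, region, and credentials are constructed placeholders, and the exact string-to-sign should be checked against "Add a signature to a URL".

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

def _signature(secret, bucket, key, expires):
    # Assumed V1 string-to-sign for a plain GET: verb, empty Content-MD5,
    # empty Content-Type, Expires, then the resource /bucket/object.
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_url(bucket, region, key, access_key_id, secret, ttl, now=None):
    """Build a signed GET URL that is valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    sig = _signature(secret, bucket, key, expires)
    # The signature is Base64, so '+', '/' and '=' must be percent-encoded.
    return (f"http://{bucket}.{region}.aliyuncs.com/{quote(key)}"
            f"?OSSAccessKeyId={quote(access_key_id, safe='')}"
            f"&Expires={expires}&Signature={quote(sig, safe='')}")

def check_url(url, secret, now=None):
    """Server-side view: 'ok', 'expired', 'bad-signature' or 'malformed'."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["Expires"][0])
        presented = query["Signature"][0]
    except (KeyError, ValueError):
        return "malformed"
    if (time.time() if now is None else now) > expires:
        return "expired"
    bucket = parts.hostname.split(".")[0]
    key = unquote(parts.path.lstrip("/"))
    expected = _signature(secret, bucket, key, expires)
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode(), presented.encode())
    return "ok" if ok else "bad-signature"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = sign_url("example-bucket", "oss-cn-hangzhou", "reports/q1 summary.pdf",
                   "EXAMPLE_KEY_ID", "EXAMPLE_SECRET", ttl=600, now=1700000000)
    print(url)
    print(check_url(url, "EXAMPLE_SECRET", now=1700000300))
```

Anyone who holds the URL can download the object until Expires passes, so keep the validity period short and keep full query strings out of logs and referrers.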
Temporary access credential
OSS allows you to use Alibaba Cloud Security Token Service (STS) to authorize temporary access. You can use STS to grant a third-party application or your RAM user an access credential that specifies the custom validity period and permissions. This authorization method is applicable to object download in mobile scenarios. For more information, see Access OSS with a temporary access credential provided by STS.
- Implementation
A third-party user sends a request to the application server to obtain the AccessKey ID, AccessKey secret, and STS token. The user then uses this access credential to request the developer's objects.
- Implementation modes