Use a URL signature, or provide temporary access credentials, to grant third party authorization to download objects in a private bucket. These methods are recommended as they prevent directly giving the AccessKey to users requesting download permissions, which can weaken account security.

URL signature

A developer can add a signature into the URL and forward this URL to a third party to authorize access. The third-party user can then access this URL using an HTTP GET request to download the object.

  • Implementation method

    Example URL that includes a signature:

    http://<bucket>.<region><object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>

    The signature in the URL must include the following three parameters:

    • OSSAccessKeyId, which is the developer’s AccessKeyId.
    • Expires, which is the developer’s expected URL expiration time.
    • Signature, which is the developer’s signature string. For more information, see Add a signature to a URL.
      This link must undergo URL encoding.
  • Reference

Temporary access credentials

Security Token Service (STS) can be used to provide temporary credentials to third-party users. By adding a signature in the request header, users can then access the object. This authorization method is applicable to mobile scenario downloads.  For more information on the implementation of temporary access credentials, see STS Java SDK.

Implementation method

Third-party users send a request to the application server to obtain an AccessKeyID, AccessKeySecret, and STS Token issued by STS. Upon receipt, the AccessKeyID, AccessKeySecret, and STS Token are used as a signature to request the developer’s object resource.


Best practices