To authorize a third-party user to download objects from a private bucket, you must use a signed URL or a temporary access credential. You cannot directly provide the AccessKey.
Signed URL
OSS allows users to use a signed URL to download data. You can add a signed URL and forward the URL to a third-party user to authorize access. The third-party user can then send an HTTP GET request and use the URL to download objects.
- Implementation method
The following example shows how to generate a signed URL.
http://<bucket>.<region>.aliyuncs.com/<object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>A signed URL must include at least the following three parameters: Signature, Expires, and OSSAccessKeyId.
- OSSAccessKeyId: The AccessKey ID of your Alibaba Cloud account.
- Expires: The expected expiration time of the URL.
- Signature: The signature string. For more information, see Add a signature to a URL.
Note This link must be URL-encoded.
- Operating methods
Operating method Description Console Web application, which is intuitive and easy to use Java SDK SDK demos in various languages Python SDK PHP SDK Go SDK C SDK .NET SDK
Temporary access credential
OSS uses Security Token Service (STS) to provide temporary credentials for third-party users. By adding a signature to the request header, a third-party user can access objects. This authorization method is applicable to object download in mobile scenarios. For more information about how to implement temporary access credentials, see STS Java SDK.
- Implementation method
A third-party user sends a request to the application server to obtain the AccessKey ID, AccessKey Secret, and STS Token issued by STS. The user then uses the obtained AccessKey ID, AccessKey Secret, and STS Token to request the developer's object resources.
- Operating methods
Operating method Description Console Web application, which is intuitive and easy to use Java SDK SDK demos in various languages Python SDK PHP SDK Go SDK C SDK .NET SDK Android SDK iOS SDK