Use a URL signature, or provide temporary access credentials, to authorize a third party to download objects in a private bucket. These methods are recommended because they avoid giving the AccessKey directly to users who request download permissions, a practice that can weaken account security.
A developer can add a signature to the URL and forward this URL to a third party to authorize access. The third-party user can then access this URL using an HTTP GET request to download the object.
Example URL that includes a signature:
http://<bucket>.<region>.aliyuncs.com/<object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>
The signed URL must include the following three parameters:
- OSSAccessKeyId, which is the developer’s AccessKeyId.
- Expires, which is the developer’s desired URL expiration time.
- Signature, which is the developer’s signature string. For details, refer to the signature section of the API Documentation.
NOTE: This link must undergo URL encoding.
NOTE: If the bucket permission is set to private read/write permission, the access URL provided on the console will contain a signature.
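The signed-URL construction described above, as an added example (not code from the original page or from an OSS SDK). The string-to-sign layout is assumed from the OSS V1 URL-signature scheme that the API documentation describes; the key ID, secret, bucket, region and object name are constructed sample values, and `verify` is a hypothetical local check of expiry and signature.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, urlsplit

def _sign(secret, expires, bucket, key):
    # Assumed OSS V1 layout: VERB, Content-MD5, Content-Type, Expires, resource.
    # A plain GET leaves Content-MD5 and Content-Type empty.
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def presign_get(access_key_id, secret, bucket, region, key, ttl=300, now=None):
    """Return a URL that lets its holder GET one object until Expires."""
    expires = int(time.time() if now is None else now) + ttl
    sig = _sign(secret, expires, bucket, key)
    # Base64 output may contain '+', '/' and '=', so it must be URL-encoded.
    return (f"https://{bucket}.{region}.aliyuncs.com/{quote(key)}"
            f"?OSSAccessKeyId={quote(access_key_id, safe='')}"
            f"&Expires={expires}&Signature={quote(sig, safe='')}")

def verify(url, secret, bucket, key, now=None):
    """Hypothetical local check: reject expired or altered signed URLs."""
    q = parse_qs(urlsplit(url).query)
    try:
        expires, presented = int(q["Expires"][0]), q["Signature"][0]
    except (KeyError, ValueError):
        return False
    if expires < int(time.time() if now is None else now):
        return False
    expected = _sign(secret, expires, bucket, key)
    return hmac.compare_digest(presented.encode(), expected.encode())

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = presign_get("TESTKEYID", "test-secret", "demo-bucket",
                      "oss-cn-hangzhou", "reports/q1 2024.pdf")
    print(url)
    print(verify(url, "test-secret", "demo-bucket", "reports/q1 2024.pdf"))
```

Because `Expires` and the object path are both inside the signed string, changing either one in the URL invalidates the signature, so a short `ttl` bounds how long a forwarded link remains usable.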
Security Token Service (STS) can be used to provide temporary credentials to third-party users. By adding a signature in the request header, users can then access the object. This authorization method is suitable for downloads in mobile scenarios. For more information on the implementation of temporary access credentials, refer to STS Java SDK.
- Third-party users send a request to the application server to obtain an AccessKeyID, AccessKeySecret, and STS Token issued by STS.
- Upon receipt, the third-party user uses the AccessKeyID, AccessKeySecret, and STS Token to sign the request for the developer’s object resource.