To authorize a third-party user to download objects from a private bucket, you can provide a signed URL or a temporary access credential instead of your AccessKey pair to the user.

Signed URL

OSS allows users to use a signed URL to download data. You can add signature information to a URL and provide the URL to a third-party user for authorized access. The third-party user can access the URL by sending a GET request to download objects.

  • Examples
    http://<bucket>.<region><object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>
    This link must be URL-encoded. At least the following parameters must be included to sign the request: OSSAccessKeyId, Expires, and Signature.
    • OSSAccessKeyId: The AccessKey ID of your Alibaba Cloud account.
    • Expires: The expected expiration time of the URL.
    • Signature: The signature string. For more information, see Add a signature to a URL.
  • Implementation modes

Temporary access credential

OSS allows you to use Alibaba Cloud Security Token Service (STS) to authorize temporary access. You can use STS to grant a third-party application or your RAM user an access credential that specifies the custom validity period and permissions. This authorization method is applicable to object download in mobile scenarios. For more information, see Access OSS with a temporary access credential provided by STS.