Use a URL signature, or provide temporary access credentials, to grant third party authorization to download objects in a private bucket. These methods are recommended as they prevent directly giving the AccessKey to users requesting download permissions, which can weaken account security.
URL signature
A developer can add a signature into the URL and forward this URL to a third party to authorize access. The third-party user can then access this URL using an HTTP GET request to download the object.
- Implementation method
Example URL that includes a signature:
http://<bucket>.<region>.aliyuncs.com/<object>?OSSAccessKeyId=<user access_key_id>&Expires=<unix time>&Signature=<signature_string>The signature in the URL must include the following three parameters:
- OSSAccessKeyId, which is the developer’s AccessKeyId.
- Expires, which is the developer’s expected URL expiration time.
- Signature, which is the developer’s signature string. For more information, see Add a signature to a URL.
Note This link must undergo URL encoding.
- Reference
- API: Get Object
- SDK: Java SDK-Using URL Signature to Authorize Access
- Console: Get object URL
Note If the bucket permission is set to private read/write permission, the access URL provided on the console contains a signature.
Temporary access credentials
Security Token Service (STS) can be used to provide temporary credentials to third-party users. By adding a signature in the request header, users can then access the object. This authorization method is applicable to mobile scenario downloads. For more information on the implementation of temporary access credentials, see STS Java SDK.
Third-party users send a request to the application server to obtain an AccessKeyID, AccessKeySecret, and STS Token issued by STS. Upon receipt, the AccessKeyID, AccessKeySecret, and STS Token are used as a signature to request the developer’s object resource.
Reference
- API: Temporary Access Credentials
- SDK: Use STS temporary authorization in Java SDK-Object
- Console: Get object URL