OSS verifies the identity of the sender of the request by using the AccessKeyID/AccessKeySecret symmetric encryption method. The AccessKeyID identifies the user. With the help of AccessKeySecret, you can encrypt the signature string and OSS can verify the AccessKey of the signature string. You must keep your AccessKeySecret confidential and secured. Based on the account types, the AccessKeys can be categorized as follows:

  • Alibaba Cloud account AccessKey: The AccessKey provided by each Alibaba Cloud account has full permissions on its resources.
  • RAM account AccessKey: A RAM account is generated under the authorization of an Alibaba Cloud account, and the AccessKey of the RAM account has a limited operation permissions on specified resources.
  • STS temporary access credential: A temporary credential generated by an Alibaba Cloud account or an RAM account. The AccessKey of the temporary credential has limited operation permissions on specified resources for a specific period of time. The permissions are withdrawn once this time period expires.

For more information, see Access control.

Before sending a request to OSS as an individual, you must first generate a signature string for the request to be sent according to the format specified by OSS. Then encrypt the signature string using the AccessKeySecret to generate a verification code. After receiving the request, OSS finds the corresponding AccessKeySecret based on the AccessKeyID, and extracts the signature string and verification code in the same way. If the calculated verification code is the same as the verification code provided, the request is deemed as valid. Otherwise, OSS rejects the request and return an HTTP 403 error.