OSS verifies the identity of a request sender by using the AccessKeyId/AccessKeySecret symmetric-key method. The AccessKeyId identifies the user. The AccessKeySecret is used by the user to generate the signature and by OSS to verify it. The AccessKeySecret must be kept confidential. Based on the account type, AccessKeys can be categorized as follows:

  • AccessKey of an Alibaba Cloud account: The AccessKey of an Alibaba Cloud account has full permissions on its resources.
  • AccessKey of a RAM user: A RAM user is generated under the authorization of an Alibaba Cloud account. The AccessKey of a RAM user has limited permissions on specified resources.
  • STS temporary access credential: The STS access credential is a temporary credential generated by an Alibaba Cloud account or a RAM user. The AccessKey of the temporary credential has limited permissions on specified resources for a specified period of time. The permissions of the credential are withdrawn once the credential expires.

For more information, see Access control.

Before sending a request to OSS as an individual user, you must first generate a signature string in the specified format for the request. Then you must sign the signature string with your AccessKeySecret to generate a verification code. After receiving the request, OSS looks up the AccessKeySecret based on the AccessKeyId, and computes the signature string and verification code in the same way. If the calculated verification code is the same as the verification code provided, OSS determines that the request is valid. Otherwise, OSS rejects the request and returns a 403 HTTP status code.
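The sign-then-verify flow described above, as an added example that is not part of the original page or OSS's own code. It assumes an HMAC-SHA1 keyed hash, a simplified newline-joined signature string, and an `OSS <AccessKeyId>:<signature>` header layout; the key store, key values and sample request are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed key store: AccessKeyId -> AccessKeySecret (placeholder values).
KEY_STORE = {"EXAMPLE_KEY_ID": "example-secret-not-real"}


def string_to_sign(verb, content_md5, content_type, date, resource):
    # Assumed layout: newline-joined request fields. The real format is
    # defined by the OSS signature specification, not by this page.
    return "\n".join([verb, content_md5, content_type, date]) + "\n" + resource


def sign(secret, sts):
    # Keyed hash (HMAC-SHA1 assumed), Base64-encoded: the "verification code".
    digest = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def client_authorization(key_id, secret, request):
    # Client side: only the AccessKeyId and the signature travel on the wire.
    return "OSS {}:{}".format(key_id, sign(secret, string_to_sign(**request)))


def server_verify(authorization, request):
    """Return the HTTP status the server side would answer with."""
    scheme, _, credential = authorization.partition(" ")
    key_id, _, provided = credential.partition(":")
    secret = KEY_STORE.get(key_id)
    if scheme != "OSS" or secret is None:
        return 403
    expected = sign(secret, string_to_sign(**request))
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(expected.encode(), provided.encode())
    return 200 if ok else 403


REQUEST = {  # constructed sample request
    "verb": "GET", "content_md5": "", "content_type": "",
    "date": "Thu, 17 Nov 2005 18:49:58 GMT",
    "resource": "/example-bucket/object.txt",
}

if __name__ == "__main__":
    header = client_authorization("EXAMPLE_KEY_ID", "example-secret-not-real", REQUEST)
    print(header, server_verify(header, REQUEST))
    tampered = dict(REQUEST, resource="/example-bucket/other.txt")
    print(server_verify(header, tampered))  # signature no longer matches
```

Because the signature covers the request fields, changing any signed field after signing, or signing with a different secret, yields a 403 without the secret itself ever being transmitted.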