OSS uses an AccessKey pair that includes an AccessKey ID and an AccessKey secret to implement symmetric encryption and verify the identity of a requester.

An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to verify the identity of the user, while the AccessKey secret is used to encrypt and verify the signature string. You must keep your AccessKey secret strictly confidential. AccessKey pairs fall into the following categories by account type:

  • AccessKey pair of an Alibaba Cloud account: The AccessKey pair of an Alibaba Cloud account has full permissions on its resources.
  • AccessKey pair of a RAM user: A RAM user is created and authorized by an Alibaba Cloud account. The AccessKey pair of a RAM user has limited permissions on specified resources.
  • AccessKey pair of an STS temporary access credential: A temporary access credential generated by STS consists of a security token and a temporary AccessKey pair that includes an AccessKey ID and an AccessKey secret. The AccessKey pair of an STS temporary access credential has limited permissions on specified resources within the validity period of the credential. The AccessKey pair becomes invalid after the temporary access credential expires.

Before you send a request to OSS as an individual user, you must generate a signature string in the specified format for the request and use your AccessKey secret to encrypt the signature string and generate a verification code. After OSS receives the request, OSS finds the AccessKey secret based on your AccessKey ID, and uses the AccessKey secret to decrypt the signature string and verification code. Then, OSS calculates a verification code and compares it against the decrypted verification code. If the two verification codes are the same, OSS determines that the request is valid. Otherwise, OSS rejects the request and returns HTTP status code 403.
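The sign-then-verify flow described above, as an added example (not OSS code and not OSS's exact canonical format). It assumes the verification code is an HMAC-SHA256 keyed digest, so the server recomputes the code from the request and its stored secret and compares the two values; the `OSS <id>:<signature>` header layout, the string-to-sign fields, the key ID and the secret are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed server-side key store: AccessKey ID -> AccessKey secret.
KEY_STORE = {"AKID-EXAMPLE-0001": b"constructed-secret-not-a-real-key"}

def string_to_sign(method, date, resource, content_md5="", content_type=""):
    """Simplified canonical string (assumed layout, not OSS's exact format)."""
    return "\n".join([method.upper(), content_md5, content_type, date, resource])

def sign(secret, method, date, resource, **kw):
    """Client side: keyed digest of the canonical string, base64-encoded."""
    msg = string_to_sign(method, date, resource, **kw).encode("utf-8")
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def authorization_header(key_id, secret, method, date, resource, **kw):
    """Build the header the client sends (assumed layout)."""
    return f"OSS {key_id}:{sign(secret, method, date, resource, **kw)}"

def verify(header, method, date, resource, **kw):
    """Server side: return the HTTP status the request would get (200 or 403)."""
    scheme, _, credential = header.partition(" ")
    key_id, _, presented = credential.partition(":")
    secret = KEY_STORE.get(key_id)  # look up the secret by AccessKey ID
    if scheme != "OSS" or secret is None or not presented:
        return 403
    # Recompute the code from what was actually received, then compare.
    expected = sign(secret, method, date, resource, **kw)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return 200 if hmac.compare_digest(expected.encode(), presented.encode()) else 403

if __name__ == "__main__":
    date = "Thu, 01 Jan 2026 00:00:00 GMT"  # constructed
    res = "/example-bucket/report.csv"      # constructed
    hdr = authorization_header("AKID-EXAMPLE-0001",
                               KEY_STORE["AKID-EXAMPLE-0001"], "GET", date, res)
    print("untouched request:", verify(hdr, "GET", date, res))
    print("verb changed in transit:", verify(hdr, "DELETE", date, res))
```

Because the signature covers the verb, date and resource, changing any of them after signing produces a different recomputed code and the request is rejected with 403, the same outcome as an unknown AccessKey ID.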

For more information, see Overview.