User signature authentication

Last Updated: Dec 22, 2017

OSS verifies the identity of a request sender with an AccessKeyId/AccessKeySecret pair and a symmetric-key signature (a keyed hash, or HMAC, rather than encryption): the AccessKeyId identifies the user, and the AccessKeySecret is the key used to compute the signature over the request. Because the same secret is needed to verify the signature, it must be known only to the user and to OSS, and it is never sent in the request. AccessKeys fall into the following types, depending on the account type:

  • Alibaba Cloud account AccessKey: The AccessKey of an Alibaba Cloud account has full permissions on all resources of that account.
  • RAM user AccessKey: A RAM user is created under an Alibaba Cloud account, and its AccessKey has only the operation permissions that the account has granted it on specified resources.
  • STS temporary access credential: A temporary credential issued to an Alibaba Cloud account or a RAM user. Its AccessKey has limited operation permissions on specified resources for a specific period of time, and the permissions are withdrawn once that period expires.

For more information, see Access control.

Before sending a request to OSS as an individual identity, you first build a string to sign from the request according to the format specified by OSS, then compute a keyed hash of that string with your AccessKeySecret to produce the signature, and send the AccessKeyId together with the signature in the request (the secret itself is never transmitted). On receiving the request, OSS looks up the AccessKeySecret that belongs to the AccessKeyId, rebuilds the string to sign from the request it actually received in the same way, and computes its own signature. If the signature it computes matches the one provided, the request is deemed valid; otherwise OSS rejects the request and returns an HTTP 403 error. Only the parts of the request that go into the string to sign are protected against tampering in transit; a part that is not covered can be altered without the signature check noticing.
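The signing and verification flow described above, as an added example that is not part of the original page or of the OSS SDK. It assumes the v1 header-signing layout for the string to sign (method, Content-MD5, Content-Type, Date, canonicalized x-oss-* headers, canonicalized resource) and HMAC-SHA1 as the keyed hash; check the OSS signature reference for the authoritative rules. The credentials, the credential store and the request are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed credentials for this example; not real keys.
ACCESS_KEY_ID = "LTAIexampleKeyId0001"
ACCESS_KEY_SECRET = "exampleSecretKnownOnlyToClientAndOSS"

# What OSS holds server-side: AccessKeyId -> AccessKeySecret (constructed).
CREDENTIAL_STORE = {ACCESS_KEY_ID: ACCESS_KEY_SECRET}


def string_to_sign(verb, content_md5, content_type, date, headers, resource):
    """Build the string to sign from the request.

    Layout assumed here (v1 header signing): VERB, Content-MD5, Content-Type,
    Date, then every x-oss-* header as "name:value\n" sorted by lowercase name,
    then the canonicalized resource. Only these parts are protected by the
    signature; anything else in the request can be altered without detection.
    """
    canonical_headers = "".join(
        f"{name.lower()}:{value.strip()}\n"
        for name, value in sorted(headers.items(), key=lambda kv: kv[0].lower())
        if name.lower().startswith("x-oss-")
    )
    return f"{verb}\n{content_md5}\n{content_type}\n{date}\n{canonical_headers}{resource}"


def sign(secret, sts):
    """Keyed hash (HMAC-SHA1) of the string to sign, base64-encoded."""
    digest = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(access_key_id, secret, sts):
    """Client side: the value sent in the Authorization header.
    Only the AccessKeyId and the signature travel; the secret never does."""
    return f"OSS {access_key_id}:{sign(secret, sts)}"


def verify(authorization, sts):
    """Server side: return 200 if the signature checks out, else 403.
    `sts` is the string to sign the server rebuilt from the request it
    actually received, not anything the client claims to have signed."""
    try:
        scheme, credential = authorization.split(" ", 1)
        key_id, provided = credential.split(":", 1)
    except ValueError:
        return 403  # malformed header
    if scheme != "OSS":
        return 403
    secret = CREDENTIAL_STORE.get(key_id)
    if secret is None:
        return 403  # unknown AccessKeyId
    expected = sign(secret, sts)
    # Constant-time comparison so a timing difference does not reveal
    # how many leading characters of a guessed signature were right.
    return 200 if hmac.compare_digest(expected, provided) else 403


def demo():
    """Sign a PUT, verify it, then show how a retargeted request is rejected."""
    date = "Fri, 22 Dec 2017 08:00:00 GMT"  # constructed timestamp
    put = string_to_sign("PUT", "", "text/plain", date,
                         {"x-oss-meta-author": "alice"}, "/example-bucket/hello.txt")
    auth = authorization_header(ACCESS_KEY_ID, ACCESS_KEY_SECRET, put)

    # Same signature replayed against a DELETE of the same object: the verb
    # is part of the string to sign, so the recomputed HMAC no longer matches.
    delete = string_to_sign("DELETE", "", "text/plain", date,
                            {"x-oss-meta-author": "alice"}, "/example-bucket/hello.txt")

    # Correct signature presented under an AccessKeyId OSS has never issued.
    unknown = f"OSS LTAInoSuchKeyId:{sign(ACCESS_KEY_SECRET, put)}"

    return {
        "valid": verify(auth, put),              # 200
        "retargeted": verify(auth, delete),      # 403
        "unknown_key": verify(unknown, put),     # 403
        "malformed": verify("Bearer abc", put),  # 403
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from `verify` is that the server never trusts the client's string to sign: it rebuilds it from the request it received, so any covered field that was changed in transit changes the recomputed HMAC. The constant-time comparison is a server-side detail a reader implementing their own verifier should not skip.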
