Object Storage Service (OSS) uses an AccessKey pair to implement symmetric encryption and verify the identities of requesters.

An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID is used to verify the identity of the user, while the AccessKey secret is used to encrypt and verify the signature string. You must keep your AccessKey secret strictly confidential. The permissions of an AccessKey pair depend on the type of account it belongs to:

  • AccessKey pair of an Alibaba Cloud account: The AccessKey pair of an Alibaba Cloud account has full permissions on its resources.
  • AccessKey pair of a RAM user: A RAM user is created and authorized by an Alibaba Cloud account. The AccessKey pair of a RAM user has limited permissions on specified resources.
  • AccessKey pair of temporary access credentials from STS: Temporary access credentials generated by STS consist of a security token and a temporary AccessKey pair. The AccessKey pair of temporary access credentials from STS has limited permissions on specified resources within the validity period of the credentials. The AccessKey pair becomes invalid after temporary access credentials expire.

Before you send a request to OSS as an individual user, you must generate a signature string in the specified format for the request and use your AccessKey secret to encrypt the signature string and generate a verification code. After OSS receives the request, OSS finds the AccessKey secret based on your AccessKey ID, and uses the AccessKey secret to decrypt the signature string and verification code. Then, OSS calculates a verification code and compares it against the decrypted verification code. If the two verification codes are the same, OSS determines that the request is valid. Otherwise, OSS rejects the request and returns HTTP status code 403.
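The sign-and-verify flow described above, as an added example that is not taken from the OSS documentation or SDKs. It assumes the verification code is a Base64-encoded HMAC-SHA1 over a simplified string-to-sign modelled on the OSS V1 header signature (no `x-oss-*` headers), and the credential store, key values and request fields are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed server-side credential store: AccessKey ID -> AccessKey secret.
SECRETS = {"EXAMPLE_ACCESS_KEY_ID": "EXAMPLE_ACCESS_KEY_SECRET"}

def string_to_sign(req):
    # req = (verb, content_md5, content_type, date, canonical_resource)
    # Simplified layout (assumption): no canonicalized x-oss-* headers.
    return "\n".join(req)

def sign(secret, req):
    # The secret keys the MAC and is never sent with the request.
    mac = hmac.new(secret.encode(), string_to_sign(req).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(key_id, secret, req):
    # Client side: only the AccessKey ID and the verification code travel.
    return f"OSS {key_id}:{sign(secret, req)}"

def verify(auth_header, req):
    """Server side: return 200 if the request is valid, otherwise 403."""
    scheme, _, credential = auth_header.partition(" ")
    key_id, _, client_code = credential.partition(":")
    secret = SECRETS.get(key_id)  # look up the secret by AccessKey ID
    if scheme != "OSS" or secret is None:
        return 403
    expected = sign(secret, req)  # recompute from the request as received
    # Constant-time comparison avoids leaking how many characters matched.
    same = hmac.compare_digest(expected.encode(), client_code.encode())
    return 200 if same else 403

# Constructed sample request.
REQ = ("PUT", "", "text/plain", "Thu, 17 Nov 2005 18:49:58 GMT",
       "/examplebucket/object.txt")

if __name__ == "__main__":
    header = authorization_header(
        "EXAMPLE_ACCESS_KEY_ID", "EXAMPLE_ACCESS_KEY_SECRET", REQ)
    print(header, "->", verify(header, REQ))
    tampered = REQ[:4] + ("/examplebucket/other.txt",)
    print("tampered resource ->", verify(header, tampered))
```

Because the verification code covers the request fields, changing any of them after signing yields 403, as does an unknown AccessKey ID or a wrong secret.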

For more information, see Overview.