In addition to including the Authorization header in the request, you can also add signature information to a URL so that you can forward the URL to a third party for authorized access.

Notice
  • If you generate a signed URL, the data that is authorized will be exposed to the Internet as long as the authorization is valid. We recommend that you assess the risks in advance.
  • A signature cannot be included in a URL and a header at the same time.
  • You can add a signature to a URL for a PUT or GET request.
  • You can generate a presigned URL for a PUT operation. The presigned URL checks whether the user uploads valid content. OSS SDK calculates the checksum of the request body and generates an MD5 checksum before OSS SDK generates a presigned URL for the request. The MD5 checksum is included in the presigned URL. The user must upload content that has the same checksum as the MD5 checksum generated by OSS SDK. Otherwise, the operation fails. To verify the MD5 checksum, add the Content-MD5 header to the request.

Sample codes

The following code provides an example on how to generate a signed URL in Python:

import base64
import hmac
import hashlib
import urllib
h = hmac.new("OtxrzxIsfpFjA7SwPzILwy8Bw21TLhquhboDYROV",
             "GET\n\n\n1141889120\n/oss-example/oss-api.pdf",
             hashlib.sha1)
urllib.quote (base64.encodestring(h.digest()).strip())

OSS SDKs provide methods on how to generate a signed URL. For more information, see SDK reference.

The following table describes how to generate a signed URL by using OSS SDKs.

SDK URL signature method Implementation file
Java SDK OSSClient.generatePresignedUrl OSSClient.java
Python SDK Bucket.sign_url api.py
.Net SDK OssClient.GeneratePresignedUri OssClient.cs
PHP SDK OssClient.signUrl OssClient.php
JavaScript SDK signatureUrl Object.js
C SDK oss_gen_signed_url oss_object.c
C++ SDK OssClient::GeneratePresignedUrl OssClient.cc

Implementation method

The following code provides an example on how to generate a signed URL:

http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?OSSAccessKeyId=nz2pc56s936**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D

A signed URL must include the following three parameters: Signature, Expires, and OSSAccessKeyId. When you generate the signature string, replace Date with Expires, but include the headers such as content-type and content-md5 defined in Add signatures to headers. (Although Date still exists in the request header, you do not need to add it to the signature string.)

  • Expires specifies the expire date of the URL. The value of this parameter is in UNIX time format. The value is the number of seconds that elapsed since January 1, 1970 UTC. If the time OSS receives the URL request is later than the value of Expires that is included in the signature, a request timeout error is returned. For example, the current time is 1141889060. To create a URL that expires in 60 seconds, you can set the value of Expires to 1141889120.
    Note For security reasons, the default validity period of a URL is 3,600 seconds. The maximum validity period of a URL is 32,400 seconds.
  • OSSAccessKeyId specifies the AccessKey ID of a key.
  • Signature specifies the signature information. For all requests and headers that OSS supports, the signature algorithm for a URL is basically the same as that for a header in Add signatures to headers.
    Signature = urlencode(base64(hmac-sha1(AccessKeySecret,
              VERB + "\n" 
              + CONTENT-MD5 + "\n" 
              + CONTENT-TYPE + "\n" 
              + EXPIRES + "\n" 
              + CanonicalizedOSSHeaders
              + CanonicalizedResource)))

    For more information about values of the CONTENT-MD5, CanonicalizedOSSHeaders, and CONTENT-TYPE headers, see Add signatures to headers.

    Note The signature algorithm for a URL and the signature algorithm for a header have the following differences:
    • When a signed URL is created, the Expires parameter replaces the Date parameter.
    • If more than one Signature, Expires, or OSSAccessKeyId value is imported, the first input value is used.
    • Before the signature of a request is verified, OSS checks the request time to determine whether it is later than the time specified in Expires.
    • When you add a signature string to a URL, you must encode the URL.
  • When you add a signature to a temporary user URL, you must include security-token in the following format:
    http://oss-example.oss-cn-hangzhou.aliyuncs.com/oss-api.pdf?OSSAccessKeyId=nz2pc56s936**9l&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D&security-token=SecurityToken

Error codes

Error code Error message Description
AccessDenied 403 Forbidden The error message returned because one or more of the Signature, Expires, and OSSAccessKeyId parameters are missing. When a signature is added to a URL, the sequence of the Signature, Expires, and OSSAccessKeyId parameters can be swapped.
AccessDenied 403 Forbidden The error message returned because the current access time is later than the Expires value set in the request, or the time is incorrectly formatted.
InvalidArgument 400 Bad Request The error message returned because a URL includes one or more of the Signature, Expires, and OSSAccessKeyId parameters and the header also includes the signature information.