This topic describes how to authorize temporary access to OSS by using STS or a signed URL.

Use STS to authorize temporary access

You can use Alibaba Cloud Security Token Service (STS) to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for cloud computing users. You can use STS to grant a third-party application or your RAM user an access credential with a customized validity period and permissions. For more information about STS, see What is STS?

STS has the following benefits:

  • You only need to generate an access token and send it to the third-party application, instead of exposing your long-term AccessKey pair. You can customize the permissions and validity period of the token.
  • The access token automatically expires when its validity period ends.

For more information about how to access OSS by using STS, see Access OSS with a temporary access credential provided by STS in OSS Developer Guide.

The following code provides an example on how to create a signed request by using a temporary STS credential:

import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;

// The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
String endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
// Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
// The three values below are the temporary AccessKey ID, AccessKey secret, and security token returned by STS.
String accessKeyId = "<yourAccessKeyId>";
String accessKeySecret = "<yourAccessKeySecret>";
String securityToken = "<yourSecurityToken>";

// After you obtain a temporary STS credential, create the OSSClient instance from the temporary AccessKey pair (AccessKey ID and AccessKey secret) and the security token contained in that credential.
OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret, securityToken);

// Perform the required operations. For example, upload or download an object.
// Upload an object to OSS.
// ossClient.putObject(putObjectRequest);

// Download an object to a local file. If a local file with the specified name already exists, it is overwritten; otherwise, the file is created.
// ossClient.getObject(new GetObjectRequest(bucketName, objectName), new File("<yourLocalFile>"));

// Shut down the OSSClient instance.
ossClient.shutdown();

Note: A validity period applies to both an STS temporary credential and a signed URL. When you use an STS temporary credential to generate a signed URL for operations such as object upload and download, the shorter of the two validity periods applies. For example, if you set the validity period of the STS temporary credential to 1200 seconds and that of the signed URL to 3600 seconds, the signed URL can no longer be used to upload objects after 1200 seconds.
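As an added example (not part of the original page or of the OSS SDK), the following helper enforces the rule in the note: the signed URL's expiration is clamped to the STS credential's expiration, and signing is refused once the credential has lapsed. The stsExpiration value is assumed to come from the STS AssumeRole response that issued the token, which this page does not show.

```java
import java.net.URL;
import java.util.Date;

import com.aliyun.oss.HttpMethod;
import com.aliyun.oss.OSS;
import com.aliyun.oss.OSSClientBuilder;
import com.aliyun.oss.model.GeneratePresignedUrlRequest;

// Signs a GET URL with an STS credential while enforcing the rule from the note:
// the URL can never outlive the token that signed it. stsExpiration is assumed to be
// the expiration returned by the STS AssumeRole call that issued the token.
public class StsBoundedPresigner {

    // Returns the deadline OSS will actually enforce: the earlier of the requested URL
    // lifetime and the token's own expiration. Refuses to sign with a lapsed token.
    public static Date effectiveExpiration(Date stsExpiration, long urlLifetimeSeconds, Date now) {
        if (!stsExpiration.after(now)) {
            throw new IllegalStateException("STS credential has already expired; obtain a new one before signing");
        }
        Date requested = new Date(now.getTime() + urlLifetimeSeconds * 1000);
        return requested.before(stsExpiration) ? requested : stsExpiration;
    }

    public static URL signGetUrl(String endpoint, String accessKeyId, String accessKeySecret,
                                 String securityToken, Date stsExpiration,
                                 String bucketName, String objectName, long urlLifetimeSeconds) {
        OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret, securityToken);
        try {
            GeneratePresignedUrlRequest request =
                    new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.GET);
            request.setExpiration(effectiveExpiration(stsExpiration, urlLifetimeSeconds, new Date()));
            return ossClient.generatePresignedUrl(request);
        } finally {
            ossClient.shutdown();
        }
    }

    public static void main(String[] args) {
        // Constructed values mirroring the note: a 1200-second token and a 3600-second URL request.
        Date now = new Date();
        Date stsExpiration = new Date(now.getTime() + 1200 * 1000);
        Date effective = effectiveExpiration(stsExpiration, 3600, now);
        // effective equals stsExpiration: the URL is capped at 1200 seconds, not 3600.
        System.out.println("Effective expiration: " + effective + " (capped by the STS token)");
    }
}
```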

Use a signed URL to authorize temporary access

This section provides examples on how to use a signed URL to authorize temporary access.

  • Generate a signed URL

    You can generate a signed URL and provide it to a visitor to grant temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit how long visitors can use it.

    For information about how to add signature information to a URL so that you can forward the URL to a third party for authorized access, see Generate a signed URL.

  • Generate a signed URL to allow HTTP GET requests

    The following code provides an example on how to generate a signed URL to allow HTTP GET requests:

    import java.net.URL;
    import java.util.Date;
    import com.aliyun.oss.OSS;
    import com.aliyun.oss.OSSClientBuilder;

    // The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
    String endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
    // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
    String accessKeyId = "<yourAccessKeyId>";
    String accessKeySecret = "<yourAccessKeySecret>";
    String bucketName = "<yourBucketName>";
    String objectName = "<yourObjectName>";

    // Create an OSSClient instance.
    OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);

    // Set the validity period of the URL to one hour.
    Date expiration = new Date(new Date().getTime() + 3600 * 1000);
    // Generate a signed URL to allow HTTP GET requests. Visitors can open it directly in a browser.
    URL url = ossClient.generatePresignedUrl(bucketName, objectName, expiration);

    // Shut down the OSSClient instance.
    ossClient.shutdown();

  • Generate a signed URL to allow other HTTP methods

    If you want to grant a visitor temporary permissions to perform operations such as uploading or deleting objects, you must generate a signed URL for the corresponding HTTP method. The following code provides an example on how to upload an object by using a signed URL that is generated to allow HTTP PUT requests:

    import java.io.ByteArrayInputStream;
    import java.net.URL;
    import java.util.Date;
    import java.util.HashMap;
    import java.util.Map;
    import com.aliyun.oss.HttpMethod;
    import com.aliyun.oss.OSS;
    import com.aliyun.oss.OSSClientBuilder;
    import com.aliyun.oss.common.utils.HttpHeaders;
    import com.aliyun.oss.model.GeneratePresignedUrlRequest;
    import static com.aliyun.oss.internal.OSSConstants.DEFAULT_OBJECT_CONTENT_TYPE;
    import static com.aliyun.oss.internal.OSSHeaders.OSS_USER_METADATA_PREFIX;

    // The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
    String endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
    // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
    String accessKeyId = "<yourAccessKeyId>";
    String accessKeySecret = "<yourAccessKeySecret>";
    String securityToken = "<yourSecurityToken>";
    String bucketName = "<yourBucketName>";
    String objectName = "<yourObjectName>";

    // After you obtain a temporary STS credential, create the OSSClient instance from the temporary AccessKey pair (AccessKey ID and AccessKey secret) and the security token contained in that credential.
    OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret, securityToken);

    GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.PUT);
    // Set the validity period of the URL to one hour.
    Date expiration = new Date(new Date().getTime() + 3600 * 1000);
    request.setExpiration(expiration);
    // Set ContentType. The value becomes part of the signature, so the upload request must send the same value.
    request.setContentType(DEFAULT_OBJECT_CONTENT_TYPE);
    // Set user metadata. x-oss-meta-* headers are also part of the signature.
    request.addUserMetadata("author", "aliy");

    // Generate a signed URL.
    URL signedUrl = ossClient.generatePresignedUrl(request);

    // The request headers must match the values that were signed into the URL.
    Map<String, String> requestHeaders = new HashMap<String, String>();
    requestHeaders.put(HttpHeaders.CONTENT_TYPE, DEFAULT_OBJECT_CONTENT_TYPE);
    requestHeaders.put(OSS_USER_METADATA_PREFIX + "author", "aliy");

    // Use the signed URL to upload an object. The content length is unknown (-1), so chunked encoding is enabled.
    ossClient.putObject(signedUrl, new ByteArrayInputStream("Hello OSS".getBytes()), -1, requestHeaders, true);

    // Shut down the OSSClient instance.
    ossClient.shutdown();


    Visitors can use a signed URL that was generated with HttpMethod.PUT to upload objects by sending an HTTP PUT request to it.

  • Generate a signed URL by using specified parameters

    The following code provides an example on how to generate a signed URL by using specified parameters:

    import java.net.URL;
    import java.util.Date;
    import com.aliyun.oss.HttpMethod;
    import com.aliyun.oss.OSS;
    import com.aliyun.oss.OSSClientBuilder;
    import com.aliyun.oss.model.GeneratePresignedUrlRequest;

    // The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
    String endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
    // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
    String accessKeyId = "<yourAccessKeyId>";
    String accessKeySecret = "<yourAccessKeySecret>";
    String bucketName = "<yourBucketName>";
    String objectName = "<yourObjectName>";

    // Create an OSSClient instance.
    OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);

    // Create a request.
    GeneratePresignedUrlRequest generatePresignedUrlRequest = new GeneratePresignedUrlRequest(bucketName, objectName);
    // Set HttpMethod to PUT.
    generatePresignedUrlRequest.setMethod(HttpMethod.PUT);
    // Add user metadata.
    generatePresignedUrlRequest.addUserMetadata("author", "baymax");
    // Set ContentType.
    generatePresignedUrlRequest.setContentType("application/octet-stream");
    // Set the validity period of the URL to one hour.
    Date expiration = new Date(new Date().getTime() + 3600 * 1000);
    generatePresignedUrlRequest.setExpiration(expiration);
    // Generate a signed URL.
    URL url = ossClient.generatePresignedUrl(generatePresignedUrlRequest);

    // Shut down the OSSClient instance.
    ossClient.shutdown();

  • Use a signed URL to upload or obtain an object
    • Use a signed URL to upload an object

      The following code provides an example on how to upload an object by using a signed URL:

      import java.io.File;
      import java.io.FileInputStream;
      import java.net.URL;
      import java.util.Date;
      import java.util.HashMap;
      import java.util.Map;
      import com.aliyun.oss.HttpMethod;
      import com.aliyun.oss.OSS;
      import com.aliyun.oss.OSSClientBuilder;
      import com.aliyun.oss.common.utils.DateUtil;
      import com.aliyun.oss.model.GeneratePresignedUrlRequest;
      import com.aliyun.oss.model.PutObjectResult;

      // The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
      String endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
      // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
      String accessKeyId = "<yourAccessKeyId>";
      String accessKeySecret = "<yourAccessKeySecret>";
      String bucketName = "<yourBucketName>";
      String objectName = "<yourObjectName>";

      // Create an OSSClient instance.
      OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);

      // Generate a signed URL. The expiration time is an absolute RFC 822 date and must lie in the future when the URL is generated.
      Date expiration = DateUtil.parseRfc822Date("Tue, 19 Mar 2019 18:00:00 GMT");
      GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.PUT);
      // Set the validity period.
      request.setExpiration(expiration);
      // Set ContentType.
      request.setContentType("application/octet-stream");
      // Add user metadata.
      request.addUserMetadata("author", "aliy");
      // Generate a signed URL to allow HTTP PUT requests.
      URL signedUrl = ossClient.generatePresignedUrl(request);
      System.out.println("signed url for putObject: " + signedUrl);

      // Use the signed URL to send a request.
      File f = new File("<yourLocalFile>");
      FileInputStream fin = new FileInputStream(f);
      // Specify the request headers of PutObject. They must match the values that were signed into the URL.
      Map<String, String> customHeaders = new HashMap<String, String>();
      customHeaders.put("Content-Type", "application/octet-stream");
      customHeaders.put("x-oss-meta-author", "aliy");

      PutObjectResult result = ossClient.putObject(signedUrl, fin, f.length(), customHeaders);
      // Close the local file once the upload has completed.
      fin.close();

      // Shut down the OSSClient instance.
      ossClient.shutdown();

    • Use a signed URL to obtain an object

      The following code provides an example on how to obtain a specified object by using a signed URL:

      import java.net.URL;
      import java.util.Date;
      import java.util.HashMap;
      import java.util.Map;
      import com.aliyun.oss.HttpMethod;
      import com.aliyun.oss.OSS;
      import com.aliyun.oss.OSSClientBuilder;
      import com.aliyun.oss.common.utils.DateUtil;
      import com.aliyun.oss.model.GeneratePresignedUrlRequest;
      import com.aliyun.oss.model.OSSObject;

      // The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
      String endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
      // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
      String accessKeyId = "<yourAccessKeyId>";
      String accessKeySecret = "<yourAccessKeySecret>";
      String bucketName = "<yourBucketName>";
      String objectName = "<yourObjectName>";

      // Create an OSSClient instance.
      OSS ossClient = new OSSClientBuilder().build(endpoint, accessKeyId, accessKeySecret);

      // The expiration time is an absolute RFC 822 date and must lie in the future when the URL is generated.
      Date expiration = DateUtil.parseRfc822Date("Fri, 18 Mar 2022 14:20:00 GMT");
      GeneratePresignedUrlRequest request = new GeneratePresignedUrlRequest(bucketName, objectName, HttpMethod.GET);
      // Set the validity period.
      request.setExpiration(expiration);
      // Generate a signed URL to allow HTTP GET requests.
      URL signedUrl = ossClient.generatePresignedUrl(request);
      System.out.println("signed url for getObject: " + signedUrl);

      // Use the signed URL to send a request.
      Map<String, String> customHeaders = new HashMap<String, String>();
      // Specify the request headers of GetObject. Range is not part of the signature, so the visitor can choose it freely.
      customHeaders.put("Range", "bytes=100-1000");
      OSSObject object = ossClient.getObject(signedUrl, customHeaders);
      // Read the returned content stream as needed, then close it to release the connection.
      object.getObjectContent().close();

      // Shut down the OSSClient instance.
      ossClient.shutdown();
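As an added example (not the page's or the OSS SDK's own code), the visitor side of the signed URLs generated above: a plain java.net.HttpURLConnection client that uploads through a PUT URL signed with the Content-Type and x-oss-meta-author values used in the examples, and downloads through a GET URL with an optional Range header. It assumes the two signed URLs are passed in as program arguments.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// Visitor side: no SDK and no credential, only the signed URL. Headers that were signed
// into the PUT URL (Content-Type and x-oss-meta-*) must be sent with identical values;
// otherwise OSS rejects the request because the computed signature no longer matches.
public class SignedUrlVisitor {
    // Uploads body through a URL generated with HttpMethod.PUT,
    // setContentType("application/octet-stream") and addUserMetadata("author", "aliy").
    public static int putWithSignedUrl(URL signedUrl, byte[] body) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) signedUrl.openConnection();
        conn.setRequestMethod("PUT");
        conn.setDoOutput(true);
        conn.setFixedLengthStreamingMode(body.length);
        conn.setRequestProperty("Content-Type", "application/octet-stream");
        conn.setRequestProperty("x-oss-meta-author", "aliy");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode(); // 200 on success; 403 for an expired URL or a signature mismatch
    }

    // Downloads through a URL generated with HttpMethod.GET. Range is not part of the
    // signature, so the visitor may choose it freely, as in the getObject example above.
    public static byte[] getWithSignedUrl(URL signedUrl, String range) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) signedUrl.openConnection();
        conn.setRequestMethod("GET");
        if (range != null) {
            conn.setRequestProperty("Range", range);
        }
        int status = conn.getResponseCode();
        if (status != 200 && status != 206) {
            throw new IllegalStateException("OSS returned HTTP " + status + ": expired or altered URL?");
        }
        try (InputStream in = conn.getInputStream()) {
            return in.readAllBytes(); // Java 9+
        }
    }

    public static void main(String[] args) throws Exception {
        // args[0]: signed PUT URL, args[1]: signed GET URL, both as printed by the examples above.
        int status = putWithSignedUrl(new URL(args[0]), "Hello OSS".getBytes(StandardCharsets.UTF_8));
        System.out.println("PUT status: " + status);
        byte[] part = getWithSignedUrl(new URL(args[1]), "bytes=0-4");
        System.out.println("GET returned " + part.length + " bytes");
    }
}
```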