edit-icon download-icon

Authorized access

Last Updated: Oct 24, 2017

You can generate a private link (also known as signed URL), to access a private bucket:

  1. # -*- coding: utf-8 -*-
  2. import oss2
  3. auth = oss2.Auth ('Your AccessKeyID', 'Your AccessKeySecret')
  4. bucket = oss2.Bucket (auth, 'Your endpoint', 'your bucket name')
  5. print(bucket.sign_url('GET', 'object-in-bucket.txt', 60))

The preceding code generates a private link. You can share the link with other users to download the object directly in a browser or using tools such as wget. The link is only valid for 60 seconds after generation.

Note: For authorized access methods with image processing, see Image processing.

Use STS temporary authorization

OSS users can temporarily authorize access through Alibaba Cloud STS service (Security Token Service). For more information about STS, see Alibaba Cloud STS.

To use STS, follow these steps:

  1. Create a subaccount in the console of the official website. For more information, see OSS STS.

  2. Create an STS role in the console and grant permission to the role of the subaccount. For more information, see OSS STS.

  3. Use the subaccount’s AccessKeyID/AccessKeySecret to apply for a temporary token from STS.

  4. Use the authentication information in the temporary token to create an StsAuth class instance.

  5. Use the StsAuth class instance to initialize the Bucket class instance.

For example, to begin with, install the official Python STS client:

  1. $ pip install aliyun-python-sdk-sts

Next, get the temporary authorization through the STS service. The end_point, bucket_name, access_key_id, access_key_secret and role_arn in the following code must be filled in according to your actual situation. We assume that the respective user has the permission to upload files.

Specifically, role_arn is the resource descriptor of the role. See the section about role creation and usage in STS authorized access.

  1. # -*- coding: utf-8 -*-
  2. from aliyunsdkcore import client
  3. from aliyunsdksts.request.v20150401 import AssumeRoleRequest
  4. import json
  5. import oss2
  6. endpoint = 'oss-cn-hangzhou.aliyuncs.com'
  7. bucket_name = '<Name of the bucket to be accessed>'
  8. access_key_id = '<AccessKeyId of the sub-account>'
  9. access_key_secret = '<AccessKeySecret of the sub-account>'
  10. role_arn = '<The role's resource descriptor>'
  11. clt = client.AcsClient(access_key_id, access_key_secret, 'cn-hangzhou')
  12. req = AssumeRoleRequest.AssumeRoleRequest()
  13. # For simplicity, Duration and Policy are not set here. For more information, see related documentation about the RAM and STS.
  14. req.set_accept_format('json') # Set the returned value to be in the JSON format
  15. req.set_RoleArn(role_arn)
  16. req.set_RoleSessionName('session-name')
  17. body = clt.do_action(req)
  18. # For simplicity, no error check is performed here.
  19. token = json.loads(body)
  20. # Initialize the StsAuth instance
  21. auth = oss2.StsAuth(token['Credentials']['AccessKeyId'],
  22. token['Credentials']['AccessKeySecret'],
  23. token['Credentials']['SecurityToken'])
  24. # Initialize the bucket instance
  25. bucket = oss2.Bucket(auth, endpoint, bucket_name)
  26. # Upload a string
  27. bucket.put_object('object-name.txt', b'hello world')


  • The temporary token expires after a period of time. In this case, you must re-obtain the token as appropriate and set the auth member variable in oss2.Bucket to the new StsAuth.

  • 2.0.6 or a later version is required.

  • Complete example code for STS application can be found at GitHub.

Thank you! We've received your feedback.