You can generate a private link (also known as a signed URL) to access a private bucket:
# -*- coding: utf-8 -*-
import oss2

auth = oss2.Auth('Your AccessKeyID', 'Your AccessKeySecret')
bucket = oss2.Bucket(auth, 'Your endpoint', 'your bucket name')
# Generate a signed GET URL for the object, valid for 60 seconds
print(bucket.sign_url('GET', 'object-in-bucket.txt', 60))
The preceding code generates a private link. You can share the link with other users to download the object directly in a browser or using tools such as wget. The link is only valid for 60 seconds after generation.
Note: For authorized access methods with image processing, see Image processing.
OSS users can grant temporary access through the Alibaba Cloud Security Token Service (STS). For more information about STS, see Alibaba Cloud STS.
To use STS, follow these steps:
Create a subaccount in the console of the official website. For more information, see OSS STS.
Create an STS role in the console and grant permission to the role of the subaccount. For more information, see OSS STS.
Use the subaccount’s AccessKeyID/AccessKeySecret to apply for a temporary token from STS.
Use the authentication information in the temporary token to create an StsAuth class instance to initialize the
For example, to begin with, install the official Python STS client:
$ pip install aliyun-python-sdk-sts
Next, get the temporary authorization through the STS service. The role_arn in the following code must be filled in according to your actual situation. We assume that the respective user has the permission to upload files.
role_arn is the resource descriptor of the role. See the section about role creation and usage in STS authorized access.
# -*- coding: utf-8 -*-
import json

import oss2
from aliyunsdkcore import client
from aliyunsdksts.request.v20150401 import AssumeRoleRequest

endpoint = 'oss-cn-hangzhou.aliyuncs.com'
bucket_name = '<Name of the bucket to be accessed>'
access_key_id = '<AccessKeyId of the sub-account>'
access_key_secret = '<AccessKeySecret of the sub-account>'
role_arn = "<The role's resource descriptor>"

clt = client.AcsClient(access_key_id, access_key_secret, 'cn-hangzhou')
req = AssumeRoleRequest.AssumeRoleRequest()
# For simplicity, Duration and Policy are not set here. For more information, see related documentation about the RAM and STS.
req.set_accept_format('json')  # Set the returned value to be in the JSON format
req.set_RoleArn(role_arn)
req.set_RoleSessionName('oss-python-sdk-example')  # Example session name
body = clt.do_action(req)
# For simplicity, no error check is performed here.
token = json.loads(body)
# Initialize the StsAuth instance
auth = oss2.StsAuth(token['Credentials']['AccessKeyId'],
                    token['Credentials']['AccessKeySecret'],
                    token['Credentials']['SecurityToken'])
# Initialize the bucket instance
bucket = oss2.Bucket(auth, endpoint, bucket_name)
# Upload a string
bucket.put_object('object-name.txt', b'hello world')
The temporary token expires after a period of time. In this case, you must re-obtain the token as appropriate and set the auth member variable in oss2.Bucket to the new
2.0.6 or a later version is required.
Complete example code for STS application can be found at GitHub.
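One way to handle the token expiry described above, as an added example that is not part of the original page or of the SDK: it checks the AssumeRole response before use and re-fetches the token shortly before it expires. The names StsSession, parse_credentials and fetch_body are hypothetical, the sample response is constructed, and the Expiration timestamp format and the Code field of error responses are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an AssumeRole JSON body (placeholder values only).
SAMPLE_BODY = json.dumps({"Credentials": {
    "AccessKeyId": "STS.EXAMPLEKEYID",
    "AccessKeySecret": "example-secret",
    "SecurityToken": "example-token",
    "Expiration": "2030-01-01T01:00:00Z",
}})


def parse_credentials(body):
    """Validate an AssumeRole response body and return (credentials, expiry)."""
    doc = json.loads(body)
    creds = doc.get("Credentials")
    if not isinstance(creds, dict):
        # Assumption: error responses carry a Code field instead of Credentials.
        raise RuntimeError("AssumeRole failed: %s" % doc.get("Code", "unknown error"))
    for field in ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"):
        if not creds.get(field):
            raise RuntimeError("AssumeRole response is missing %s" % field)
    expiry = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return creds, expiry.replace(tzinfo=timezone.utc)


class StsSession:
    """Caches STS credentials and re-fetches them shortly before they expire."""

    def __init__(self, fetch_body, margin=timedelta(minutes=5), now=None):
        self._fetch_body = fetch_body  # hypothetical callable wrapping clt.do_action(req)
        self._margin = margin          # refresh this long before the stated expiry
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds = self._expiry = None

    def credentials(self):
        """Return (credentials, refreshed); refreshed means the auth must be rebuilt."""
        if self._creds is None or self._now() >= self._expiry - self._margin:
            self._creds, self._expiry = parse_credentials(self._fetch_body())
            return self._creds, True
        return self._creds, False

# Usage with oss2 (not executed here):
#   creds, refreshed = session.credentials()
#   if refreshed:
#       bucket.auth = oss2.StsAuth(creds['AccessKeyId'], creds['AccessKeySecret'],
#                                  creds['SecurityToken'])
```

Error messages raised here include only the error code or the missing field name, so the secret and the security token are never written to logs.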