This topic describes how to authorize temporary access to OSS by using STS or a signed URL.

Note Both an STS temporary credential and a signed URL carry a validity period. When you use an STS temporary credential to generate a signed URL for operations such as object upload and download, the shorter of the two periods governs. For example, if the STS credential is valid for 1200 seconds and the signed URL for 3600 seconds, the signed URL stops working after 1200 seconds, when the credential it was signed with expires, even though the Expires value in the URL has not been reached.

Use STS to authorize temporary access

You can use Alibaba Cloud Security Token Service (STS) to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for cloud computing users. You can use STS to grant a third-party application or your RAM user an access credential with a customized validity period and permissions. For more information about STS, see What is STS?

STS has the following benefits:

  • You generate a temporary access token and send it to the third-party application, instead of exposing your long-term AccessKey pair to it. You can scope both the permissions and the validity period of the token.
  • The access token automatically expires when the validity period ends.

For more information about how to access OSS by using STS, see Access OSS with a temporary access credential provided by STS in OSS Developer Guide.

Run the pip install aliyun-python-sdk-sts command to install the official STS client for Python. For the complete sample code of STS usage, visit GitHub.

Ensure that you use OSS SDK for Python 2.0.6 or later. The RAM user whose AccessKey pair calls AssumeRole must be allowed to assume the role (the sts:AssumeRole permission, for example through the AliyunSTSAssumeRoleAccess policy) and must be listed in the role's trust policy. The policy passed with the request can only narrow the role's permissions: the temporary credential receives the intersection of the role's policy and the request policy. The following code provides an example on how to use STS to authorize temporary access to download an object:

# -*- coding: utf-8 -*-

from aliyunsdkcore import client
from aliyunsdksts.request.v20150401 import AssumeRoleRequest
import json
import oss2

# The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
endpoint = 'oss-cn-hangzhou.aliyuncs.com'
# Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
# The RAM user used here only needs permission to assume the role; the data permissions come from the role and the policy below.
access_key_id = '<yourAccessKeyId>'
access_key_secret = '<yourAccessKeySecret>'
bucket_name = '<yourBucketName>'
object_name = '<yourObjectName>'
# The role_arn parameter specifies the resource descriptor (ARN) of the RAM role to assume, in the form acs:ram::<accountId>:role/<roleName>.
role_arn = '<yourRoleArn>'

# Specify the policy_text.
# The policy specifies that GetObject operations can be performed only on objects in the bucket named test-bucket1.
# It can only narrow what the role already allows. Replace test-bucket1 with the bucket set in bucket_name,
# otherwise the download below is denied with AccessDenied.
policy_text = '{"Version": "1", "Statement": [{"Action": ["oss:GetObject"], "Effect": "Allow", "Resource": ["acs:oss:*:*:test-bucket1/*"]}]}'

clt = client.AcsClient(access_key_id, access_key_secret, 'cn-hangzhou')
req = AssumeRoleRequest.AssumeRoleRequest()

# Set the format of the returned value to JSON.
req.set_accept_format('json')
req.set_RoleArn(role_arn)
# The session name identifies this session in the assumed-role identity recorded in audit logs; use a value that identifies the caller.
req.set_RoleSessionName('session-name')
req.set_Policy(policy_text)
# Use the AccessKey pair of the RAM user to apply for a temporary token from STS.
body = clt.do_action_with_exception(req)

# The response carries the temporary AccessKeyId, AccessKeySecret, SecurityToken and their Expiration.
token = json.loads(oss2.to_unicode(body))

# Initialize an StsAuth instance based on the authentication information in the temporary token.
# All three values are required: the SecurityToken is sent with every request and is what ties the
# temporary AccessKey pair to the role session.
auth = oss2.StsAuth(token['Credentials']['AccessKeyId'],
                    token['Credentials']['AccessKeySecret'],
                    token['Credentials']['SecurityToken'])

# Initialize a bucket based on the StsAuth instance.
bucket = oss2.Bucket(auth, endpoint, bucket_name)

# Download an object from the bucket. Requests made after the credential's Expiration fail with an
# InvalidAccessKeyId or SecurityTokenExpired error and a new AssumeRole call is needed.
read_obj = bucket.get_object(object_name)
print(read_obj.read())

Use a signed URL to authorize temporary access

You can generate a signed URL and provide it to a visitor to grant temporary access to a single object without sharing any credentials. When you generate the URL, you specify its validity period, which bounds how long the visitor can use it. Anyone who holds the URL can perform the signed operation on that object until it expires, so keep the validity period short and hand the URL over HTTPS only.

For more information about how to add signature information to a URL and forward the URL to a third party for authorized access, see Generate a signed URL.

  • Use a signed URL to authorize temporary access to upload an object

    The following code provides an example on how to use a signed URL to authorize temporary access to upload an object:

    # -*- coding: utf-8 -*-
    import oss2
    
    # Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
    auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
    # The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
    # Use the https scheme so that the generated URL, which is itself a bearer credential until it expires, is not sent in cleartext.
    bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', '<yourBucketName>')
    
    # Generate a signed URL that can be used to upload the object. The valid period of the URL is 60 seconds.
    # The signature covers the HTTP method and the object name. If the uploader sends a Content-Type header,
    # pass the same header in the headers argument so that it is signed; otherwise OSS returns SignatureDoesNotMatch.
    print(bucket.sign_url('PUT', '<yourObjectName>', 60))
  • Use a signed URL to authorize temporary access to download an object

    The following code provides an example on how to use a signed URL to authorize temporary access to download an object:

    # -*- coding: utf-8 -*-
    import oss2
    
    # Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS because the account has permissions on all API operations. We recommend that you use your RAM user's credentials to call API operations or perform routine operations and maintenance. To create a RAM user, log on to the RAM console.
    auth = oss2.Auth('<yourAccessKeyId>', '<yourAccessKeySecret>')
    # The endpoint of the China (Hangzhou) region is used in this example. Specify the actual endpoint.
    # Use the https scheme so that the generated URL is not sent in cleartext.
    bucket = oss2.Bucket(auth, 'https://oss-cn-hangzhou.aliyuncs.com', '<yourBucketName>')
    
    # Generate a signed URL that can be used to download the object. The valid period of the URL is 60 seconds.
    # The URL is only valid for GET on this one object; it cannot be reused for other objects or methods.
    print(bucket.sign_url('GET', '<yourObjectName>', 60))
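The note at the top of this page (the shorter of the two validity periods wins) and the signed-URL mechanism are easier to reason about when the contents of the URL are visible. The following is an added example written for this page, not code from the OSS SDK or from Alibaba Cloud. It builds and verifies a V1-style signed URL with the Python standard library only, following the HMAC-SHA1 string-to-sign layout described in the OSS API reference as I understand it (treat the exact layout, the handling of security-token as a sub-resource and the bucket.endpoint host form as assumptions, and use bucket.sign_url in production), and it shows why a URL signed with an STS credential stops working when the credential does. All keys, tokens, bucket and object names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit
import urllib.request

# Query keys that count as sub-resources and therefore belong in CanonicalizedResource.
# Assumption: only security-token matters for the plain signed URLs shown on this page.
SUBRESOURCES = {"security-token"}


def string_to_sign(verb, bucket, key, expires, content_type="", params=None):
    """Assumed OSS V1 layout: VERB, Content-MD5, Content-Type, Expires, then
    CanonicalizedOSSHeaders + CanonicalizedResource, joined by newlines.
    Content-MD5 and x-oss-* headers are empty here; the object key is unencoded."""
    params = params or {}
    sub = "&".join(f"{k}={params[k]}" for k in sorted(params) if k in SUBRESOURCES)
    resource = f"/{bucket}/{key}" + (f"?{sub}" if sub else "")
    return f"{verb}\n\n{content_type}\n{expires}\n{resource}"


def sign_url(verb, bucket, key, expires_in, access_key_id, access_key_secret,
             security_token=None, content_type="",
             endpoint="oss-cn-hangzhou.aliyuncs.com", now=None):
    """Return a presigned URL valid for expires_in seconds from now (constructed format)."""
    now = int(time.time()) if now is None else now
    expires = now + expires_in
    params = {"security-token": security_token} if security_token else {}
    sts = string_to_sign(verb, bucket, key, expires, content_type, params)
    mac = hmac.new(access_key_secret.encode(), sts.encode(), hashlib.sha1).digest()
    query = {"OSSAccessKeyId": access_key_id, "Expires": str(expires),
             "Signature": base64.b64encode(mac).decode(), **params}
    return f"https://{bucket}.{endpoint}/{quote(key, safe='/')}?{urlencode(query)}"


def verify_url(url, verb, access_key_secret, content_type="", now=None):
    """Replicate the server-side check: refuse a URL past Expires, then recompute the
    signature over the request actually being made and compare in constant time."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    bucket = parts.hostname.split(".")[0]
    key = unquote(parts.path[1:])
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    try:
        expires = int(q["Expires"])
        presented = q["Signature"]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    sts = string_to_sign(verb, bucket, key, expires, content_type, q)
    mac = hmac.new(access_key_secret.encode(), sts.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), presented)


def effective_expiry(url_expires, token_expires=None):
    """A URL signed with an STS credential dies with that credential: the shorter
    lifetime wins, which is the rule stated in the note at the top of the page."""
    return url_expires if token_expires is None else min(url_expires, token_expires)


def upload_with_signed_url(url, body, content_type):
    """Client side of a PUT signed URL (makes a network call; not exercised offline).
    urllib adds Content-Type: application/x-www-form-urlencoded to a PUT with a body,
    which would not match the signed value, so the header is set explicitly to the
    exact Content-Type that was passed to sign_url."""
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed inputs: fixed clock so the output is reproducible.
    t0 = 1_700_000_000
    url = sign_url("GET", "test-bucket1", "reports/q1.csv", 3600,
                   "AKIDEXAMPLE", "secretEXAMPLE", security_token="stsTokenEXAMPLE", now=t0)
    print(url)
    # STS credential issued for 1200 s, URL for 3600 s: the URL is dead after 1200 s.
    print("effective expiry:", effective_expiry(t0 + 3600, t0 + 1200))
```

verify_url rejects an expired URL, a different HTTP method, a different object name, a wrong secret, and a Content-Type that differs from the one signed; the last case is the usual reason a PUT through a signed URL fails with SignatureDoesNotMatch while a GET through a URL generated the same way works. The signed URL carries the AccessKeyId, the expiry and the signature in cleartext, which is why the page's own examples should use an https endpoint.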