edit-icon download-icon

Authorized access

Last Updated: Oct 27, 2017

Use URL signature to authorize access

Generate a signed URL

You can provide users with a temporary access URL by generating a signed URL. During URL generation, you can specify the URL expiration time to limit the duration of the user’s access.

Generate a signed URL

The code is as follows:

  1. var req = new GeneratePresignedUriRequest(bucketName, key, SignHttpMethod.Get)
  2. {
  3. Expiration = DateTime.Now.AddHours(1)
  4. };
  5. var uri = client.GeneratePresignedUri(req);

By default, the generated URL supports GET access, which grants users direct access to related content through a browser.

Generate URLs of other HTTP methods

If you want to allow users to perform other temporary operations (such as object upload and deletion), you may require to sign the URL by using another method. The following code signs the URL for the PUT method:

  1. // Generate the URL of the PUT method
  2. var req = new GeneratePresignedUriRequest(bucketName, key, SignHttpMethod.Put)
  3. {
  4. Expiration = DateTime.Now.AddHours(1),
  5. ContentType = "text/html"
  6. };
  7. var uri = client.GeneratePresignedUri(req);

Use a signed URL to send requests

Currently, the .NET SDK supports signing URLs by using the PutObject and GetObject methods.

Sign a URL for PutObject

  1. var generatePresignedUriRequest = new GeneratePresignedUriRequest(bucketName, key, SignHttpMethod.Put);
  2. var signedUrl = client.GeneratePresignedUri(generatePresignedUriRequest);
  3. var result = client.PutObject(signedUrl, fileToUpload);

Use STS temporary authorization


OSS can temporarily grant authorization to access the Alibaba Cloud STS service. Alibaba Cloud STS (Security Token Service) is a web service that provides temporary access token to a cloud computing user.

Through STS, you can assign a third-party application or federated user (you can manage the user ID) an access credential with a custom validity period and permissions.

Third-party applications or federated users can use these access credentials to directly call the Alibaba Cloud product APIs or use the SDKs provided by Alibaba Cloud products to access the cloud product APIs.

  • You do not require to expose your long-term key (AccessKey) to a third-party application. You only need to generate an access token and send the access token to the third-party application. You can customize the access permission and validity of this token.

  • The access token automatically becomes invalid when it expires.

The interaction process is as follows:


  1. Log on as the app user. App user IDs are managed by the customer. The customer can customize the ID management system or use an external web account or OpenID. For each valid app user, the AppServer can precisely define the minimum access permission.

  2. The AppServer requests a security token (SecurityToken) from the STS. Before calling STS, the AppServer needs to determine the minimum access permission (described in policy syntax) of the app user and the expiration time of the authorization. Then you can obtain the security token by calling the STS’ AssumeRole interface. For more information about roles and usage, see Role in the RAM User Guide.

  3. The STS returns a valid access credential to the AppServer. The access credential contains a security token, a temporary pair of accesskeys (an AccessKeyId and an AccessKeySecret), and the expiration time.

  4. The AppServer returns the access credential to the ClientApp. The ClientApp can cache this credential. When the credential becomes invalid, the ClientApp needs to request a new valid access credential from the AppServer. For example, if the access credential is valid for one hour, the ClientApp can request the AppServer to update the access credential every 30 minutes.

  5. The ClientApp uses the access credential cached locally to request Alibaba Cloud Service APIs. The cloud service perceives the STS access credential, relies on STS to verify the credential, and responds to the user request appropriately.

For more information about the STS security token, see Roles in the RAM User Guide. The key is to obtain a valid access credential by calling the STS interface AssumeRole. The method can also be called using the STS DSK. For more information, see Preface.

Use STS credentials to construct signature requests

After obtaining the STS temporary credential, the user’s client generates an OSSClient using the contained security token (SecurityToken) and temporary accessKey (AccessKeyId, AccessKeySecret). Take object upload as an example:

  1. string accessKeyId = "<accessKeyId>";
  2. string accessKeySecret = "<accessKeySecret>";
  3. string securityToken = "<securityToken>"
  4. // Take Hangzhou as an example
  5. string endpoint = "http://oss-cn-hangzhou.aliyuncs.com";
  6. var ossClient = new OssClient(endpoint, accessKeyId, accessKeySecret, securityToken);
Thank you! We've received your feedback.