Authorized access

Last Updated: Nov 01, 2017

Use URL signature to authorize access

You can provide users with a temporary access URL by generating a signed URL. During URL generation, you can specify the URL expiration time to limit the duration of the user’s access.

Note: For complete code, see GitHub.

An example of generating the signed URL for GetObject is shown as follows:

    <?php
    use OSS\OssClient;
    use OSS\Core\OssException;
    use OSS\Http\RequestCore;
    use OSS\Http\ResponseCore;

    /**
     * Generate a signed URL for GetObject, granting temporary read access
     * to an object whose permission is private
     *
     * @param OssClient $ossClient OSSClient instance
     * @param string $bucket Bucket name
     * @return null
     */
    function getSignedUrlForGettingObject($ossClient, $bucket)
    {
        $object = "test/test-signature-test-upload-and-download.txt";
        $timeout = 3600; // The validity period for the URL is 3,600 seconds
        try {
            // The HTTP method defaults to GET
            $signedUrl = $ossClient->signUrl($bucket, $object, $timeout);
        } catch (OssException $e) {
            print(__FUNCTION__ . ": FAILED\n");
            // print, not printf: the message must not be treated as a format string
            print($e->getMessage() . "\n");
            return;
        }
        // Anyone holding the signed URL can read the object until it expires
        print(__FUNCTION__ . ": signedUrl: " . $signedUrl . "\n");

        // You can use similar code to access the signed URL, or access the signed URL in a browser
        $request = new RequestCore($signedUrl);
        $request->set_method('GET');
        $request->send_request();
        $res = new ResponseCore($request->get_response_header(), $request->get_response_body(), $request->get_response_code());
        if ($res->isOK()) {
            print(__FUNCTION__ . ": OK" . "\n");
        } else {
            print(__FUNCTION__ . ": FAILED" . "\n");
        }
    }

Note: By default, the generated URL supports GET access, which grants users direct access to related content through a browser.

If you want to allow users to perform other temporary operations (such as object upload and deletion), you may need to sign a URL for a different method. The following code signs a URL for the PUT method:

    <?php
    use OSS\OssClient;
    use OSS\Core\OssException;
    use OSS\Http\RequestCore;
    use OSS\Http\ResponseCore;

    /**
     * Generate a signed URL for PutObject, granting temporary write access
     * to an object whose permission is private
     *
     * @param OssClient $ossClient OSSClient instance
     * @param string $bucket Bucket name
     * @return null
     */
    function getSignedUrlForPuttingObject($ossClient, $bucket)
    {
        $object = "test/test-signature-test-upload-and-download.txt";
        $timeout = 3600; // The validity period for the URL is 3,600 seconds
        try {
            // The fourth argument is the HTTP method the URL is signed for
            $signedUrl = $ossClient->signUrl($bucket, $object, $timeout, "PUT");
        } catch (OssException $e) {
            print(__FUNCTION__ . ": FAILED\n");
            // print, not printf: the message must not be treated as a format string
            print($e->getMessage() . "\n");
            return;
        }
        // Anyone holding the signed URL can write the object until it expires
        print(__FUNCTION__ . ": signedUrl: " . $signedUrl . "\n");

        // Upload this file's own contents through the signed URL
        $content = file_get_contents(__FILE__);
        $request = new RequestCore($signedUrl);
        $request->set_method('PUT');
        // The URL was signed without a content type, so the request sends an empty one
        $request->add_header('Content-Type', '');
        $request->add_header('Content-Length', strlen($content));
        $request->set_body($content);
        $request->send_request();
        $res = new ResponseCore($request->get_response_header(),
            $request->get_response_body(), $request->get_response_code());
        if ($res->isOK()) {
            print(__FUNCTION__ . ": OK" . "\n");
        } else {
            print(__FUNCTION__ . ": FAILED" . "\n");
        }
    }
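The following is an added example, not code from the original page or the OSS SDK: a simplified offline model of an HMAC-signed URL, showing that the signature covers the HTTP method, the Content-Type and the expiry time. This is why a URL signed for GET is refused for PUT, and why the PUT sample above sends an empty Content-Type. The string-to-sign layout follows OSS's V1 URL signature as an assumption; the host, key ID, secret and all function names are constructed.

```php
<?php
// Simplified offline model of an HMAC-signed URL. Not SDK code.
// Assumption: the string-to-sign follows the layout of OSS's V1 URL signature.
function stringToSign(string $method, string $contentType, int $expires, string $resource): string
{
    // VERB, Content-MD5 (left empty in this model), Content-Type, Expires, resource
    return implode("\n", [strtoupper($method), '', $contentType, (string) $expires, $resource]);
}
function hmacSignature(string $secret, string $toSign): string
{
    return base64_encode(hash_hmac('sha1', $toSign, $secret, true));
}
function signUrlModel(string $keyId, string $secret, string $bucket, string $object,
                      int $expires, string $method = 'GET', string $contentType = ''): string
{
    $sig = hmacSignature($secret, stringToSign($method, $contentType, $expires, "/$bucket/$object"));
    $query = http_build_query(['OSSAccessKeyId' => $keyId, 'Expires' => $expires, 'Signature' => $sig]);
    return "https://$bucket.oss.example.invalid/$object?$query"; // constructed host
}
// Server-side check: recompute the signature from the request as received.
function verifyModel(string $url, string $secret, string $method, string $contentType, int $now): string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $q);
    $expires = (int) ($q['Expires'] ?? 0);
    $resource = '/' . explode('.', $parts['host'])[0] . $parts['path'];
    $expected = hmacSignature($secret, stringToSign($method, $contentType, $expires, $resource));
    if (!hash_equals($expected, (string) ($q['Signature'] ?? ''))) {
        return 'rejected: signature mismatch';
    }
    return $now > $expires ? 'rejected: expired' : 'accepted';
}

$secret = 'constructed-secret';
$t0 = 1500000000; // fixed "now" so the run is repeatable
$get = signUrlModel('constructed-key-id', $secret, 'demo-bucket', 'test/demo.txt', $t0 + 3600);
$put = signUrlModel('constructed-key-id', $secret, 'demo-bucket', 'test/demo.txt', $t0 + 3600, 'PUT');
$edited = str_replace('Expires=' . ($t0 + 3600), 'Expires=' . ($t0 + 86400), $get);
$cases = [
    ['GET URL used for GET',             $get,    'GET', '',           $t0 + 10],
    ['GET URL used for PUT',             $get,    'PUT', '',           $t0 + 10],
    ['GET URL after expiry',             $get,    'GET', '',           $t0 + 3601],
    ['GET URL with Expires edited',      $edited, 'GET', '',           $t0 + 3601],
    ['PUT URL, empty Content-Type',      $put,    'PUT', '',           $t0 + 10],
    ['PUT URL, Content-Type text/plain', $put,    'PUT', 'text/plain', $t0 + 10],
];
foreach ($cases as [$label, $url, $method, $type, $now]) {
    printf("%-34s %s\n", $label, verifyModel($url, $secret, $method, $type, $now));
}
```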

Upload and download with a temporary credential (STS)

Introduction

OSS can temporarily grant authorization for access through the Alibaba Cloud STS service. Alibaba Cloud STS (Security Token Service) is a web service that provides a temporary access token to a cloud computing user. By using STS, you can assign a third-party application or federated user (you can manage the user ID) an access credential with a custom validity period and permissions. For more information about STS, see STS introduction.

Use an STS credential to create an OSSClient

After obtaining the STS temporary credential, the user’s client generates an OSSClient using the contained security token (SecurityToken) and temporary accessKey (AccessKeyId, AccessKeySecret).

The following code uses a temporary STS credential to create an OSSClient:

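    <?php
    use OSS\OssClient;

    // Temporary credential values returned by STS
    $accessKeyId = "<accessKeyId>";
    $accessKeySecret = "<accessKeySecret>";
    $securityToken = "<securityToken>";
    // HTTPS keeps the security token out of cleartext traffic
    $endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
    // The fourth argument (false) means the endpoint is not a custom CNAME domain
    $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false, $securityToken);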