This topic describes how to authorize access to OSS.

Use STS for temporary access authorization

You can use Security Token Service (STS) to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for cloud computing users. You can use STS to grant a third-party application or a RAM user (whose user ID is managed by you) an access credential with a customized validity period and permissions. For more information about STS, see What is STS?

STS has the following benefits:

  • You only need to generate an access token and send the access token to a third-party application, rather than exposing your long-term key (AccessKey) to the third-party application. You can customize the access permissions and validity period of this token.
  • The access token automatically expires after the validity period.

For more information about the process of accessing OSS with STS, see Access OSS with a temporary access token provided by STS in OSS Developer Guide.

Use the following code to upload an object by using STS for temporary access authorization:

<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}

use OSS\OssClient;
use OSS\Core\OssException;

// Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use a RAM user account to call API operations or perform routine operations and maintenance. To create a RAM user account, log on to https://ram.console.aliyun.com.
$accessKeyId = "<yourAccessKeyId>";
$accessKeySecret = "<yourAccessKeySecret>";
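// This example uses the endpoint of the China (Hangzhou) region. Specify the actual endpoint based on your requirements.
// The HTTPS endpoint keeps the security token and request signature from being sent in cleartext.
$endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
$bucket = "<yourBucketName>";
$object = "<yourObjectName>";
// STS issues the security token together with a temporary AccessKey pair; use all three values from the same STS response.
$securityToken = "<yourSecurityToken>";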

$content = "Hi, OSS.";

try {
    $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false, $securityToken);

    $ossClient->putObject($bucket, $object, $content);
} catch (OssException $e) {
    print $e->getMessage();
}
			

Use a signed URL for temporary access authorization

You can generate a signed URL and provide it to a visitor to grant the visitor temporary access. When you generate a signed URL, you can specify its validity period to restrict how long visitors can use it.

For the complete code of authorized access, see GitHub.

  • Generate a signed URL to download an object

    Use the following code to generate a signed URL to download an object:

    <?php
    if (is_file(__DIR__ . '/../autoload.php')) {
        require_once __DIR__ . '/../autoload.php';
    }
    if (is_file(__DIR__ . '/../vendor/autoload.php')) {
        require_once __DIR__ . '/../vendor/autoload.php';
    }
    
    use OSS\OssClient;
    use OSS\Core\OssException;
    use OSS\Http\RequestCore;
    use OSS\Http\ResponseCore;
    
    // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use a RAM user account to call API operations or perform routine operations and maintenance. To create a RAM user account, log on to https://ram.console.aliyun.com.
    $accessKeyId = "<yourAccessKeyId>";
    $accessKeySecret = "<yourAccessKeySecret>";
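    // This example uses the endpoint of the China (Hangzhou) region. Specify the actual endpoint based on your requirements.
    // The signed URL inherits the scheme of the endpoint, so use HTTPS to keep the signature and token out of cleartext traffic.
    $endpoint = "https://oss-cn-hangzhou.aliyuncs.com";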
    $bucket= "<yourBucketName>";
    $object = "<yourObjectName>";
    $securityToken = "<yourSecurityToken>";
    
    // Set the expiration time of a URL to 3600 seconds.
    $timeout = 3600;
    try {
        $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false, $securityToken);
    
        // Generate the signed URL for GetObject.
        $signedUrl = $ossClient->signUrl($bucket, $object, $timeout);
    } catch (OssException $e) {
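        // Use print rather than printf so that a '%' in the error message is not parsed as a format specifier.
        print(__FUNCTION__ . ": FAILED\n");
        print($e->getMessage() . "\n");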
        return;
    }
    print(__FUNCTION__ . ": signedUrl: " . $signedUrl . "\n");
    
    // You can run code to access the signed URL, or access the signed URL in a browser.
    $request = new RequestCore($signedUrl);
    // Set GET as the default method to access the signed URL.
    $request->set_method('GET');
    $request->add_header('Content-Type', '');
    $request->send_request();
    $res = new ResponseCore($request->get_response_header(), $request->get_response_body(), $request->get_response_code());
    if ($res->isOK()) {
        print(__FUNCTION__ . ": OK" . "\n");
    } else {
        print(__FUNCTION__ . ": FAILED" . "\n");
    };
    					
  • Generate a signed URL to upload an object

    Use the following code to generate a signed URL to upload an object:

    <?php
    if (is_file(__DIR__ . '/../autoload.php')) {
        require_once __DIR__ . '/../autoload.php';
    }
    if (is_file(__DIR__ . '/../vendor/autoload.php')) {
        require_once __DIR__ . '/../vendor/autoload.php';
    }
    
    use OSS\OssClient;
    use OSS\Core\OssException;
    use OSS\Http\RequestCore;
    use OSS\Http\ResponseCore;
    
    // Security risks may arise if you use the AccessKey pair of an Alibaba Cloud account to log on to OSS, because the account has permissions on all API operations. We recommend that you use a RAM user account to call API operations or perform routine operations and maintenance. To create a RAM user account, log on to https://ram.console.aliyun.com.
    $accessKeyId = "<yourAccessKeyId>";
    $accessKeySecret = "<yourAccessKeySecret>";
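    // This example uses the endpoint of the China (Hangzhou) region. Specify the actual endpoint based on your requirements.
    // The signed URL inherits the scheme of the endpoint, so use HTTPS to keep the signature and token out of cleartext traffic.
    $endpoint = "https://oss-cn-hangzhou.aliyuncs.com";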
    $bucket= "<yourBucketName>";
    $object = "<yourObjectName>";
    $securityToken = "<yourSecurityToken>";
    
    $timeout = 3600;
    try {
        $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false, $securityToken);
    
        // Generate the signed URL for PutObject.
        $signedUrl = $ossClient->signUrl($bucket, $object, $timeout, "PUT");
    } catch (OssException $e) {
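        // Use print rather than printf so that a '%' in the error message is not parsed as a format specifier.
        print(__FUNCTION__ . ": FAILED\n");
        print($e->getMessage() . "\n");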
        return;
    }
    print(__FUNCTION__ . ": signedUrl: " . $signedUrl . "\n");
    
    $content = "Hello OSS.";
    $request = new RequestCore($signedUrl);
    // Set PUT as the default method to access the signed URL.
    $request->set_method('PUT');
    $request->add_header('Content-Type', '');
    $request->add_header('Content-Length', strlen($content));
    $request->set_body($content);
    $request->send_request();
    $res = new ResponseCore($request->get_response_header(),
        $request->get_response_body(), $request->get_response_code());
    if ($res->isOK()) {
        print(__FUNCTION__ . ": OK" . "\n");
    } else {
        print(__FUNCTION__ . ": FAILED" . "\n");
    };
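
A check to run on a signed URL before it is handed to a visitor or written to a log, as an added example that is not part of the OSS SDK or the original page: it flags URLs that are not HTTPS, that outlive a chosen limit, or that carry no STS token, and it masks the secret-bearing parameters. The function names are hypothetical, and the query parameter names (OSSAccessKeyId, Expires, Signature, security-token) are an assumption about the URL layout that signUrl produces.

```php
<?php
// Added example, not SDK code. Parameter names assume the OSS V1 signed-URL layout.

/** Return policy findings for a signed URL before it is handed to a visitor. */
function auditSignedUrl(string $url, int $now, int $maxLifetime = 3600): array
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return ['not a parseable absolute URL'];
    }
    parse_str($parts['query'] ?? '', $q);
    $findings = [];
    if (strtolower($parts['scheme']) !== 'https') {
        $findings[] = 'not HTTPS: signature and token are exposed in transit';
    }
    foreach (['OSSAccessKeyId', 'Expires', 'Signature'] as $name) {
        if (!isset($q[$name]) || !is_string($q[$name]) || $q[$name] === '') {
            $findings[] = "missing $name";
        }
    }
    $expires = $q['Expires'] ?? null;
    if (is_string($expires) && ctype_digit($expires)) {
        // Expires is treated as the Unix time at which the URL stops working.
        $remaining = (int)$expires - $now;
        if ($remaining <= 0) {
            $findings[] = 'already expired';
        } elseif ($remaining > $maxLifetime) {
            $findings[] = "valid for {$remaining}s, above the {$maxLifetime}s limit";
        }
    } elseif ($expires !== null && $expires !== '') {
        $findings[] = 'Expires is not a Unix timestamp';
    }
    if (empty($q['security-token'])) {
        $findings[] = 'no security-token: signed with a long-term AccessKey, not STS';
    }
    return $findings;
}

/** Mask the secret-bearing parameters so the URL can be written to logs. */
function redactSignedUrl(string $url): string
{
    return preg_replace('/([?&](?:Signature|security-token)=)[^&#]*/', '${1}REDACTED', $url);
}

// Constructed sample URL; the key ID and signature are placeholders, not real values.
$sample = 'http://examplebucket.oss-cn-hangzhou.aliyuncs.com/report.pdf'
    . '?OSSAccessKeyId=EXAMPLEKEYID&Expires=1700090000&Signature=EXAMPLESIG%3D';
print_r(auditSignedUrl($sample, 1700000000));
echo redactSignedUrl($sample), "\n";
```

A signed URL works for anyone who holds it until it expires, so log the output of redactSignedUrl rather than the URL itself.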