This topic describes how to authorize temporary access to OSS by using STS or a signed URL.
Use STS to authorize temporary access
You can use Alibaba Cloud Security Token Service (STS) to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for cloud computing users. You can use STS to grant a third-party application or your RAM user an access credential with a customized validity period and permissions. For more information about STS, see What is STS?
STS has the following benefits:
- You need only generate an access token and send it to the third-party application, instead of exposing your long-term AccessKey pair. You can customize the permissions and validity period of this token.
- The access token automatically expires when the validity period ends.
For more information about how to access OSS by using STS, see Access OSS with a temporary access credential provided by STS in OSS Developer Guide.
The following code provides an example on how to sign a request by using the temporary credentials issued by STS:
#include "oss_api.h"
#include "aos_http_io.h"
/*
 * Connection and credential settings for the sample. The <...> values are
 * placeholders to be replaced before the program is built.
 *
 * The AccessKey pair below is the temporary pair issued by STS together with
 * the security token, not the account's long-term pair. The token is only
 * valid for the period granted by STS and is not refreshed by this sample.
 * In production, load these values from the environment or a credential
 * provider rather than compiling them into the binary.
 */
const char *endpoint = "<yourEndpoint>";
/* Temporary AccessKey pair issued by STS. */
const char *access_key_id = "<yourAccessKeyId>";
const char *access_key_secret = "<yourAccessKeySecret>";
/* Security token issued together with the temporary AccessKey pair. */
const char *sts_token = "<yourStsToken>";
const char *bucket_name = "<yourBucketName>";
const char *object_name = "<yourObjectName>";
/* Payload written to the object by this sample. */
const char *object_content = "More than just cloud.";
/*
 * Populate the client options used by every OSS call in this sample:
 * endpoint, the temporary credentials (AccessKey pair plus STS token),
 * the CNAME switch and the HTTP controller. The caller owns options and
 * its pool; everything created here is allocated from options->pool.
 */
void init_options(oss_request_options_t *options)
{
    oss_config_t *cfg = oss_config_create(options->pool);

    options->config = cfg;

    /* aos_string_t fields are filled from the plain char* globals above. */
    aos_str_set(&cfg->endpoint, endpoint);
    aos_str_set(&cfg->access_key_id, access_key_id);
    aos_str_set(&cfg->access_key_secret, access_key_secret);
    /* The STS token is sent alongside the temporary AccessKey pair. */
    aos_str_set(&cfg->sts_token, sts_token);

    /* 0: address the bucket through the OSS endpoint, not a custom CNAME. */
    cfg->is_cname = 0;

    /* Network parameters such as the timeout period live in the controller. */
    options->ctl = aos_http_controller_create(options->pool, 0);
}
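/*
 * Upload a small in-memory buffer to OSS using the STS credentials above.
 *
 * Steps: initialize the SDK's global state, create an APR pool, build and
 * fill the request options, pack object_content into a buffer list, issue
 * the PUT, report the outcome, then release the pool and global state.
 *
 * Returns 0 on completion (also when the upload itself failed; the result
 * is reported on stdout) and exits with status 1 if SDK initialization fails.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* Global resources (network, memory) must be initialized before any other SDK call. */
    if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
        exit(1);
    }

    /* aos_pool_t is equivalent to apr_pool_t; a NULL parent means the pool inherits from no other pool. */
    aos_pool_t *pool;
    aos_pool_create(&pool, NULL);

    /* Options carry the global configuration: endpoint, credentials, is_cname and the curl controller. */
    oss_request_options_t *oss_client_options = oss_request_options_create(pool);
    init_options(oss_client_options);

    aos_string_t bucket;
    aos_string_t object;
    aos_list_t buffer;
    aos_buf_t *content = NULL;
    aos_table_t *headers = NULL;
    aos_table_t *resp_headers = NULL;
    aos_status_t *resp_status = NULL;

    aos_str_set(&bucket, bucket_name);
    aos_str_set(&object, object_name);

    /* The request body is a list of buffers; pack the payload into a single node. */
    aos_list_init(&buffer);
    content = aos_buf_pack(oss_client_options->pool, object_content, strlen(object_content));
    aos_list_add_tail(&content->node, &buffer);

    /* The SDK signs the request with the credentials set in init_options. */
    resp_status = oss_put_object_from_buffer(oss_client_options, &bucket, &object, &buffer, headers, &resp_headers);

    if (aos_status_is_ok(resp_status)) {
        printf("put object from buffer succeeded\n");
    } else {
        /* error_code and req_id may be NULL; the request ID is what to quote when investigating a failure. */
        printf("put object from buffer failed, code:%d error_code:%s request_id:%s\n",
               resp_status->code,
               resp_status->error_code ? resp_status->error_code : "",
               resp_status->req_id ? resp_status->req_id : "");
    }

    /* Destroying the pool releases everything allocated for the request. */
    aos_pool_destroy(pool);
    /* Release the global resources acquired by aos_http_io_initialize. */
    aos_http_io_deinitialize();
    return 0;
}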
Use a signed URL to authorize temporary access
You can generate a signed URL and provide it to a visitor to grant temporary access. When you generate a signed URL, you can specify a validity period to limit how long the visitor can use it.
This section provides examples on how to use a signed URL to authorize temporary access.
- Use a signed URL to upload an object
The following code provides an example on how to upload an object by using a signed URL:
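#include "oss_api.h"
#include "aos_http_io.h"

/*
 * Settings for the sample; the <...> values are placeholders. The AccessKey
 * pair is a long-term credential, so in production load it from the
 * environment or a credential provider rather than compiling it into the
 * binary.
 */
const char *endpoint = "<yourEndpoint>";
const char *access_key_id = "<yourAccessKeyId>";
const char *access_key_secret = "<yourAccessKeySecret>";
const char *bucket_name = "<yourBucketName>";
const char *object_name = "<yourObjectName>";
const char *local_filename = "<yourLocalFilename>";

/*
 * Fill the client options: endpoint, AccessKey pair, CNAME switch and the
 * HTTP controller. Everything created here is allocated from options->pool.
 */
void init_options(oss_request_options_t *options)
{
    options->config = oss_config_create(options->pool);
    /* Use a char* string to initialize the aos_string_t data type. */
    aos_str_set(&options->config->endpoint, endpoint);
    aos_str_set(&options->config->access_key_id, access_key_id);
    aos_str_set(&options->config->access_key_secret, access_key_secret);
    /* Specify whether to use CNAME to access OSS. A value of 0 indicates that CNAME is not used. */
    options->config->is_cname = 0;
    /* Configure network parameters such as the timeout period. */
    options->ctl = aos_http_controller_create(options->pool, 0);
}

/*
 * Generate a signed PUT URL that is valid for one hour and upload
 * local_filename through it.
 *
 * Returns 0 on completion (the upload result is reported on stdout) and
 * exits with status 1 if SDK initialization fails.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* Call aos_http_io_initialize in main() to initialize global resources such as the network and memory. */
    if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
        exit(1);
    }

    /* aos_pool_t is equivalent to apr_pool_t; a NULL parent means the pool inherits from no other pool. */
    aos_pool_t *pool;
    aos_pool_create(&pool, NULL);

    /* Options carry the global configuration: endpoint, credentials, is_cname and the curl controller. */
    oss_request_options_t *oss_client_options = oss_request_options_create(pool);
    init_options(oss_client_options);

    aos_string_t bucket;
    aos_string_t object;
    aos_string_t file;
    aos_table_t *headers = NULL;
    aos_table_t *resp_headers = NULL;
    aos_status_t *resp_status = NULL;
    aos_http_request_t *req;
    apr_time_t now;
    char *url_str;
    aos_string_t url;
    int64_t expire_time;
    const int one_hour = 3600;

    aos_str_set(&bucket, bucket_name);
    aos_str_set(&object, object_name);
    aos_str_set(&file, local_filename);

    headers = aos_table_make(pool, 0);
    req = aos_http_request_create(pool);
    /* req is an input to oss_gen_signed_url, so the signature is tied to this method. */
    req->method = HTTP_PUT;

    /*
     * apr_time_now() is in microseconds; the expiry passed to the signer is
     * an absolute time in seconds. (now is read only after it is assigned.)
     */
    now = apr_time_now();
    expire_time = now / 1000000 + one_hour;

    /* Generate a signed URL. */
    url_str = oss_gen_signed_url(oss_client_options, &bucket, &object, expire_time, req);
    aos_str_set(&url, url_str);
    /* The URL embeds the signature and grants upload access to anyone who holds it until expire_time; keep it out of persistent logs. */
    printf("Temporary upload URL: %s\n", url_str);

    /* The party performing the PUT needs only the URL, not the AccessKey pair. */
    resp_status = oss_put_object_from_file_by_url(oss_client_options, &url, &file, headers, &resp_headers);
    if (aos_status_is_ok(resp_status)) {
        printf("put objects by signed url succeeded\n");
    } else {
        /* error_code and req_id may be NULL; the request ID is what to quote when investigating a failure. */
        printf("put objects by signed url failed, code:%d error_code:%s request_id:%s\n",
               resp_status->code,
               resp_status->error_code ? resp_status->error_code : "",
               resp_status->req_id ? resp_status->req_id : "");
    }

    /* Destroying the pool releases everything allocated for the request. */
    aos_pool_destroy(pool);
    /* Release the global resources acquired by aos_http_io_initialize. */
    aos_http_io_deinitialize();
    return 0;
}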
- Use a signed URL to download an object
The following code provides an example on how to download a specified object by using a signed URL:
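#include "oss_api.h"
#include "aos_http_io.h"

/*
 * Settings for the sample; the <...> values are placeholders. The AccessKey
 * pair is a long-term credential, so in production load it from the
 * environment or a credential provider rather than compiling it into the
 * binary.
 */
const char *endpoint = "<yourEndpoint>";
const char *access_key_id = "<yourAccessKeyId>";
const char *access_key_secret = "<yourAccessKeySecret>";
const char *bucket_name = "<yourBucketName>";
const char *object_name = "<yourObjectName>";
const char *local_filename = "<yourLocalFilename>";

/*
 * Fill the client options: endpoint, AccessKey pair, CNAME switch and the
 * HTTP controller. Everything created here is allocated from options->pool.
 */
void init_options(oss_request_options_t *options)
{
    options->config = oss_config_create(options->pool);
    /* Use a char* string to initialize the aos_string_t data type. */
    aos_str_set(&options->config->endpoint, endpoint);
    aos_str_set(&options->config->access_key_id, access_key_id);
    aos_str_set(&options->config->access_key_secret, access_key_secret);
    /* Specify whether to use CNAME to access OSS. A value of 0 indicates that CNAME is not used. */
    options->config->is_cname = 0;
    /* Configure network parameters such as the timeout period. */
    options->ctl = aos_http_controller_create(options->pool, 0);
}

/*
 * Generate a signed GET URL that is valid for one hour and download the
 * object through it into local_filename.
 *
 * Returns 0 on completion (the download result is reported on stdout) and
 * exits with status 1 if SDK initialization fails.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* Call aos_http_io_initialize in main() to initialize global resources such as the network and memory. */
    if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
        exit(1);
    }

    /* aos_pool_t is equivalent to apr_pool_t; a NULL parent means the pool inherits from no other pool. */
    aos_pool_t *pool;
    aos_pool_create(&pool, NULL);

    /* Options carry the global configuration: endpoint, credentials, is_cname and the curl controller. */
    oss_request_options_t *oss_client_options = oss_request_options_create(pool);
    init_options(oss_client_options);

    aos_string_t bucket;
    aos_string_t object;
    aos_string_t file;
    aos_table_t *headers = NULL;
    aos_table_t *params = NULL;
    aos_table_t *resp_headers = NULL;
    aos_status_t *resp_status = NULL;
    aos_http_request_t *req;
    apr_time_t now;
    char *url_str;
    aos_string_t url;
    int64_t expire_time;
    const int one_hour = 3600;

    aos_str_set(&bucket, bucket_name);
    aos_str_set(&object, object_name);
    aos_str_set(&file, local_filename);

    headers = aos_table_make(pool, 0);
    params = aos_table_make(pool, 0);
    req = aos_http_request_create(pool);
    /* req is an input to oss_gen_signed_url, so the signature is tied to this method. */
    req->method = HTTP_GET;

    /*
     * apr_time_now() is in microseconds; the expiry passed to the signer is
     * an absolute time in seconds. (now is read only after it is assigned.)
     */
    now = apr_time_now();
    expire_time = now / 1000000 + one_hour;

    /* Generate a signed URL. It grants read access to anyone who holds it until expire_time. */
    url_str = oss_gen_signed_url(oss_client_options, &bucket, &object, expire_time, req);
    aos_str_set(&url, url_str);

    /* The party performing the GET needs only the URL, not the AccessKey pair. */
    resp_status = oss_get_object_to_file_by_url(oss_client_options, &url, headers, params, &file, &resp_headers);
    if (aos_status_is_ok(resp_status)) {
        printf("get object succeeded\n");
    } else {
        /* error_code and req_id may be NULL; the request ID is what to quote when investigating a failure. */
        printf("get object failed, code:%d error_code:%s request_id:%s\n",
               resp_status->code,
               resp_status->error_code ? resp_status->error_code : "",
               resp_status->req_id ? resp_status->req_id : "");
    }

    /* Destroying the pool releases everything allocated for the request. */
    aos_pool_destroy(pool);
    /* Release the global resources acquired by aos_http_io_initialize. */
    aos_http_io_deinitialize();
    return 0;
}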