Authorized access

Last Updated: Nov 03, 2017

Use STS temporary authorization

OSS can temporarily grant authorization for access through the Alibaba Cloud STS service. To use the STS follow the steps:

  1. Create a subaccount in the console of the official website. For more information, see Overview.

  2. Create an STS role in the console and grant permission to the role of the subaccount. For more information, see Overview.

  3. Use the subaccount’s AccessKeyID/AccessKeySecret to apply for a temporary token from STS.

  4. Use the authentication information in the temporary token to create an OSS client.

  5. Use the OSS client to access the OSS service.

Use STS credentials to construct signature requests

After obtaining the STS temporary credential, the user’s client generates an oss_request_options using the contained Security Token and temporary AccessKey (AccessKeyId and AccessKeySecret). Let’s take object upload as an example:

  1. aos_pool_t *p;
  2. oss_request_options_t *options;
  3. aos_status_t *s;
  4. aos_table_t *headers;
  5. aos_table_t *resp_headers;
  6. char *bucket_name = "<Name of your bucket>";
  7. char *object_name = "<Name of your object>";
  8. aos_string_t bucket;
  9. aos_string_t object;
  10. char *data = "<object content>";
  11. aos_list_t buffer;
  12. aos_buf_t *content;
  13. aos_pool_create(&p, NULL);
  14. // init_oss_request_options using sts_token
  15. /* Create and use the STS token to initialize options */
  16. options = oss_request_options_create(p);
  17. options->config = oss_config_create(options->pool);
  18. aos_str_set(&options->config->endpoint, "<Your endpoint>");
  19. aos_str_set(&options->config->id, "<Your temporary AccessKeyID>");
  20. aos_str_set(&options->config->key, "<Your temporary AccessKeySecret>");
  21. aos_str_set(&options->config->sts_token, "<Your STS token>");
  22. options->config->is_cname = 0;
  23. options->ctl = aos_http_controller_create(options->pool, 0);
  24. /* Initialize parameters */
  25. aos_str_set(&bucket, bucket_name);
  26. aos_str_set(&object, object_name);
  27. headers = aos_table_make(p, 0);
  28. aos_list_init(&buffer);
  29. content = aos_buf_pack(options->pool, data, strlen(data));
  30. aos_list_add_tail(&content->node, &buffer);
  31. /* Upload the object */
  32. s = oss_put_object_from_buffer_s(options, &bucket, &object, &buffer, headers, &resp_headers);
  33. if (aos_status_is_ok(s)) {
  34. printf("put object succeeded\n");
  35. } else {
  36. printf("put object failed\n");
  37. }
  38. aos_pool_destroy(p);

URL signature authorization

You can provide users with a temporary access URL by generating a signed URL. During URL generation, you can specify the URL expiration time to limit the duration of the user’s access.

Generate a signed URL

Use the oss_gen_signed_url interface to generate a signed URL.

Generate a signed URL for a download request

  1. aos_pool_t *p;
  2. oss_request_options_t *options;
  3. aos_http_request_t *req;
  4. char *url_str;
  5. char *bucket_name = "<Name of your bucket>";
  6. char *object_name = "<Name of your object>";
  7. aos_string_t bucket;
  8. aos_string_t object;
  9. apr_time_t now;
  10. int64_t expire_time;
  11. int one_hour = 3600; /* Unit: seconds*/
  12. aos_pool_create(&p, NULL);
  13. /* Create and initialize options */
  14. options = oss_request_options_create(p);
  15. init_options(options);
  16. /* Initialize parameters */
  17. aos_str_set(&bucket, bucket_name);
  18. aos_str_set(&object, object_name);
  19. req = aos_http_request_create(p);
  20. req->method = HTTP_GET;
  21. now = apr_time_now(); //millisecond
  22. expire_time = now / 1000000 + one_hour;
  23. /* Generate a signature URL */
  24. url_str = oss_gen_signed_url(options, &bucket, &object, expire_time, req);
  25. printf("Temporary download URL:%s\n", url_str);
  26. aos_pool_destroy(p);

Generate a signed URL for an object upload request

  1. aos_pool_t *p;
  2. oss_request_options_t *options;
  3. aos_http_request_t *req;
  4. char *bucket_name = "<Name of your bucket>";
  5. char *object_name = "<Name of your object>";
  6. aos_string_t bucket;
  7. aos_string_t object;
  8. apr_time_t now;
  9. int64_t expire_time;
  10. int one_hour = 3600;
  11. char *url_str = NULL;
  12. aos_pool_create(&p, NULL);
  13. /* Create and initialize options */
  14. options = oss_request_options_create(p);
  15. init_options(options);
  16. /* Initialize parameters */
  17. aos_str_set(&bucket, bucket_name);
  18. aos_str_set(&object, object_name);
  19. req = aos_http_request_create(p);
  20. req->method = HTTP_PUT;
  21. now = apr_time_now(); //millisecond
  22. expire_time = now / 1000000 + one_hour;
  23. /* Generate a signature URL */
  24. url_str = oss_gen_signed_url((options, &bucket, &object, expire_time, req);
  25. printf("Temporary upload URL:%s\n", url_str);
  26. aos_pool_destroy(p);

Use signed URLs to download objects

  1. aos_pool_t *p;
  2. oss_request_options_t *options;
  3. aos_http_request_t *req;
  4. aos_table_t *headers;
  5. aos_table_t *resp_headers;
  6. char *bucket_name = "<Name of your bucket>";
  7. char *object_name = "<Name of your object>";
  8. char *filepath = "<Path of the local file>";
  9. aos_string_t bucket;
  10. aos_string_t object;
  11. aos_string_t file;
  12. char *url_str;
  13. apr_time_t now;
  14. int64_t expire_time;
  15. int one_hour = 3600;
  16. aos_pool_create(&p, NULL);
  17. /* Create and initialize options */
  18. options = oss_request_options_create(p);
  19. init_options(options);
  20. /* Initialize parameters */
  21. aos_str_set(&bucket, bucket_name);
  22. aos_str_set(&object, object_name);
  23. aos_str_set(&file, filepath);
  24. headers = aos_table_make(p, 0);
  25. req = aos_http_request_create(p);
  26. req->method = HTTP_GET;
  27. now = apr_time_now(); /* Unit: milliseconds */
  28. expire_time = now / 1000000 + one_hour;
  29. /* Generate a signature URL */
  30. url_str = oss_gen_signed_url(options, &bucket, &object, expire_time, req);
  31. /* Use the signed URL to download the object */
  32. s = oss_get_object_to_file_by_url(options, url_str, headers, &file, &resp_headers);
  33. if (aos_status_is_ok(s)) {
  34. printf("get object succeeded\n");
  35. } else {
  36. printf("get object failed\n");
  37. }
  38. aos_pool_destroy(p);

Use signed URLs to upload objects

  1. aos_pool_t *p;
  2. int is_oss_domain = 1;//Whether a third-level domain is used
  3. oss_request_options_t *options;
  4. aos_http_request_t *req;
  5. aos_table_t *headers;
  6. aos_table_t *resp_headers;
  7. char *bucket_name = "<Name of your bucket>";
  8. char *object_name = "<Name of your object>";
  9. char *filepath = "<Path of the local file>";
  10. aos_string_t bucket;
  11. aos_string_t object;
  12. aos_string_t file;
  13. char *url_str;
  14. apr_time_t now;
  15. int64_t expire_time;
  16. int one_hour = 3600;
  17. aos_pool_create(&p, NULL);
  18. /* Create and initialize options */
  19. options = oss_request_options_create(p);
  20. init_options(options);
  21. /* Initialize parameters */
  22. aos_str_set(&bucket, bucket_name);
  23. aos_str_set(&object, object_name);
  24. aos_str_set(&file, filepath);
  25. headers = aos_table_make(p, 0);
  26. req = aos_http_request_create(p);
  27. req->method = HTTP_PUT;
  28. now = apr_time_now(); /* Unit: milliseconds*/
  29. expire_time = now / 1000000 + one_hour;
  30. /* Generate a signature URL */
  31. url_str = oss_gen_signed_url(options, &bucket, &object, expire_time, req);
  32. /* Use the signed URL to upload the object */
  33. s = oss_put_object_from_file_by_url(options, url_str, &file, headers, &resp_headers);
  34. if (aos_status_is_ok(s)) {
  35. printf("put objects by signed url succeeded\n");
  36. } else {
  37. printf("put objects by signed url failed\n");
  38. }
  39. aos_pool_destroy(p);
Thank you! We've received your feedback.