
Object Storage Service:Overview

Last Updated:Oct 31, 2023

Object Storage Service (OSS) provides RESTful APIs. You can call the RESTful APIs directly, or use an Alibaba Cloud SDK that wraps them, to initiate a request to OSS. When the authentication system receives the request, it verifies the identity of the requester based on the credentials carried in the request. After the identity is verified, you can perform operations on OSS resources.

Initiate a request

You can use one of the following methods to initiate a request to OSS:

  • Alibaba Cloud SDK: You can use an Alibaba Cloud SDK to initiate a request to OSS. If you use this method, the SDK automatically generates a signature for the request. In most cases, we recommend that you use Alibaba Cloud SDKs to initiate requests. For more information, see Overview.

  • RESTful APIs: You can initiate RESTful API requests to OSS. If you use this method, you must write code to calculate a signature and add the signature to the request. If your business requires a high level of customization, you can use this method. For more information, see Overview.

Authentication

When a user sends a request to OSS as an individual identity, authentication is performed in the following procedure:

  1. A signature string is generated in a specified format based on the request.

  2. The AccessKey secret is used to encrypt the signature string, which produces a verification code.

  3. After the authentication system receives the request, it looks up the AccessKey secret that corresponds to your AccessKey ID, uses that secret to decrypt the signature string and the verification code, then calculates its own verification code and compares it against the one decrypted from the request.

    • If the verification code that is calculated by the authentication system is the same as the verification code that is provided in the request, OSS considers the request valid.

    • If the calculated verification code is different from the code provided in the request, OSS denies the request and returns an HTTP 403 error.
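As an added illustration of this procedure (example code written for this page, not Alibaba Cloud's SDK or a sample from its documentation), the block below implements both sides in Python using the V1 header-signing layout: the client builds the signature string from the HTTP verb, Content-MD5, Content-Type, Date, the canonicalized x-oss-* headers and the canonicalized resource, computes HMAC-SHA1 over it with the AccessKey secret (the step the page calls encryption), and base64-encodes the result into the Authorization header; the server side looks up the secret by AccessKey ID, recomputes the code and compares it in constant time, returning 403 on any mismatch. The exact string layout, the carriage of an STS token in the x-oss-security-token header, and all key and token values are assumptions and constructed samples, not values taken from this page.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

# Constructed sample credentials (not real keys); they stand in for the
# AccessKey ID / AccessKey secret pair described on the page.
SAMPLE_ACCESS_KEY_ID = "LTAI_EXAMPLE_ID"
SAMPLE_ACCESS_KEY_SECRET = "EXAMPLE_SECRET_DO_NOT_USE"

# Server-side lookup: AccessKey ID -> AccessKey secret. An in-memory dict
# here; the real authentication system keeps this in its own store.
KEY_STORE = {SAMPLE_ACCESS_KEY_ID: SAMPLE_ACCESS_KEY_SECRET}

SAMPLE_RESOURCE = "/examplebucket/exampleobject"
SAMPLE_HEADERS = {
    "Date": "Sun, 22 Nov 2015 08:16:38 GMT",
    "Content-Type": "application/octet-stream",
    "x-oss-meta-author": "alice",
}


def canonicalized_oss_headers(headers):
    """Lower-case, sort and serialise the x-oss-* headers (V1 layout, assumed)."""
    items = sorted(
        (k.lower().strip(), v.strip())
        for k, v in headers.items()
        if k.lower().startswith("x-oss-")
    )
    return "".join(f"{k}:{v}\n" for k, v in items)


def string_to_sign(method, headers, canonical_resource):
    """Step 1: build the signature string in the assumed V1 format."""
    return (
        f"{method}\n"
        f"{headers.get('Content-MD5', '')}\n"
        f"{headers.get('Content-Type', '')}\n"
        f"{headers['Date']}\n"
        f"{canonicalized_oss_headers(headers)}"
        f"{canonical_resource}"
    )


def compute_signature(secret, sts):
    """Step 2: keyed MAC (HMAC-SHA1) over the signature string, base64-encoded."""
    digest = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(access_key_id, secret, method, headers, canonical_resource,
                 security_token=None):
    """Client side: add Date if missing, the optional STS token, and Authorization."""
    signed = dict(headers)
    signed.setdefault("Date", formatdate(usegmt=True))
    if security_token:
        # A temporary credential's token travels in an x-oss-* header, so it
        # is covered by the signature (assumed V1 behaviour).
        signed["x-oss-security-token"] = security_token
    sig = compute_signature(secret, string_to_sign(method, signed, canonical_resource))
    signed["Authorization"] = f"OSS {access_key_id}:{sig}"
    return signed


def verify_request(method, headers, canonical_resource, key_store=KEY_STORE):
    """Step 3 (server side): 200 if the recomputed code matches, else 403."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("OSS ") or ":" not in auth:
        return 403
    access_key_id, _, presented = auth[4:].partition(":")
    secret = key_store.get(access_key_id)
    if secret is None:
        return 403  # unknown AccessKey ID: nothing to recompute with
    expected = compute_signature(secret, string_to_sign(method, headers, canonical_resource))
    # Constant-time comparison so the check does not leak the expected value.
    return 200 if hmac.compare_digest(expected, presented) else 403


def demo():
    """Sign a constructed PUT, then verify it intact and after tampering."""
    signed = sign_request(SAMPLE_ACCESS_KEY_ID, SAMPLE_ACCESS_KEY_SECRET,
                          "PUT", SAMPLE_HEADERS, SAMPLE_RESOURCE)
    return {
        "intact": verify_request("PUT", signed, SAMPLE_RESOURCE),
        "other_resource": verify_request("PUT", signed, "/examplebucket/otherobject"),
        "other_method": verify_request("GET", signed, SAMPLE_RESOURCE),
    }


if __name__ == "__main__":
    print(demo())
```

Because every field that goes into the signature string is bound by the MAC, changing the verb, the resource or any x-oss-* header after signing invalidates the code, which is why the server recomputes from the request it actually received rather than trusting anything the client asserts.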

AccessKey pair

An AccessKey pair is used to verify user identities. It consists of an AccessKey ID and an AccessKey secret, which are always used together: the AccessKey ID identifies the user, and the AccessKey secret authenticates the key of that user. You can use an AccessKey pair to create a RESTful API request. OSS uses symmetric encryption based on the AccessKey pair to verify the identity of the requester. After the identity is verified, you can perform operations on OSS resources.

Note

The AccessKey secret of a RAM user is displayed only when you create the AccessKey pair for the RAM user. You cannot query the AccessKey secret after the AccessKey pair is created. Keep your AccessKey secret confidential.

AccessKey pair of an Alibaba Cloud account

Before you use Alibaba Cloud services, you must create an Alibaba Cloud account. The Alibaba Cloud account is the owner of Alibaba Cloud resources. The Alibaba Cloud account is charged for all the resources that it owns. The Alibaba Cloud account has full control over the resources.

By default, only the Alibaba Cloud account can access Alibaba Cloud resources. Other users can access resources only after being explicitly authorized by the Alibaba Cloud account. The Alibaba Cloud account is similar to the administrator or root user of an operating system.

If you use the AccessKey pair of your Alibaba Cloud account to access OSS, high security risks may arise because the account has permissions to access all resources. Each Alibaba Cloud account can have up to five AccessKey pairs at the same time. Each AccessKey pair can be in one of the following states:

  • Active: indicates that the AccessKey pair can be used for authentication.

  • Inactive: indicates that the AccessKey pair cannot be used for authentication.

Note

We recommend that you use the AccessKey pair of a Resource Access Management (RAM) user instead of an Alibaba Cloud account to access OSS.

AccessKey pair of a RAM user

A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:

  • An Alibaba Cloud account can create multiple RAM users. RAM users can be used to represent employees, systems, and applications within an enterprise.

  • RAM users do not own resources. Fees that are generated by RAM users are billed to the Alibaba Cloud accounts to which the RAM users belong. RAM users do not receive individual bills and cannot make payments.

  • RAM users are visible only to the Alibaba Cloud account to which they belong.

  • Before RAM users can log on to the Alibaba Cloud Management Console or call operations, they must be authorized by Alibaba Cloud accounts. After authorization, RAM users can manage resources that are owned by the Alibaba Cloud accounts.

The AccessKey pair of a RAM user can be used to access resources in a bucket only within the rules defined by RAM. You can use RAM users to represent employees, systems, and applications, and control which of your resources they are permitted to access. For example, you can grant a RAM user read-only permissions on one of your buckets.

Temporary access credentials

Alibaba Cloud provides permanent access credentials for RAM users and temporary access credentials for RAM roles. A RAM role is a virtual identity to which policies can be attached. RAM roles do not have logon passwords or AccessKey pairs. A RAM role must be assumed by a trusted entity. The trusted entity can be a RAM user, an Alibaba Cloud service, or an identity provider (IdP). If a trusted entity assumes a RAM role, the trusted entity can obtain and use a Security Token Service (STS) token of the RAM role to access the resources on which the RAM role has permissions.

The temporary access credentials of the RAM role can be used to access the resources in a bucket only based on the rules defined by STS.

Domain names

You can send requests to the default domain name provided by OSS. For more information, see Regions and endpoints.

Note

If you want to access OSS resources by using custom domain names, you must map the domain names to the buckets in which the resources that you want to access are stored. For more information, see Map custom domain names.