This topic describes how to authorize temporary access to Object Storage Service (OSS) by using Security Token Service (STS) or a signed URL.

Use STS to authorize temporary access

You can use STS to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for cloud computing users. You can use STS to grant an access credential with a custom validity period and custom permissions for a third-party application or a RAM user managed by you. For more information about STS, see What is STS?

STS has the following benefits:

  • You need only to generate an access token and send the access token to a third-party application, instead of exposing your AccessKey pair to the third-party application. You can customize the access permissions and validity period of this token.
  • The access token automatically expires after the validity period. Therefore, you do not need to manually revoke the permissions of an access token.
Note For more information about how to configure STS, see Use a temporary credential provided by STS to access OSS in OSS Developer Guide. You can call the AssumeRole operation or use STS SDKs for various programming languages to obtain a temporary access credential. The temporary access credential contains a security token and a temporary AccessKey pair that consists of an AccessKey ID and an AccessKey secret.

The following code provides an example on how to create an OSSClient by using an STS credential. Every request that this client sends is signed with the temporary AccessKey pair and carries the security token, so the long-term AccessKey pair never has to be distributed:

package main

import (
    "fmt"
    "os"

    "github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
    // After you obtain a temporary STS credential, use the security token and the temporary AccessKey pair (AccessKey ID and AccessKey secret) that it contains to create an OSSClient. 
    // While they are valid, the temporary AccessKey secret and the security token are as sensitive as a long-term AccessKey pair: do not log them, and hand them only to the client they were issued for. 
    client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret", oss.SecurityToken("yourSecurityToken"))
    if err != nil {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }

    // Perform operations in OSS with the client. Requests fail once the STS credential expires. 
    _ = client
}

Use a signed URL to authorize temporary access

This section provides examples on how to use a signed URL to authorize temporary access. For the complete code of using a signed URL to authorize temporary access, visit GitHub.

Note Both an STS credential and a signed URL have a validity period. When a signed URL is generated with an STS credential and used for operations such as object upload and download, the shorter of the two periods takes effect. For example, if the STS credential is valid for 1200 seconds and the signed URL for 3600 seconds, the URL cannot be used to upload objects once 1200 seconds have elapsed since the credential was issued, because the security token embedded in the URL has expired.
  • Generate a signed URL

    You can generate a signed URL and provide the URL to a visitor for temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit the period of access from visitors.

    You can add signature information to a URL and provide the URL to a third-party user for authorized access. For more information, see Add signatures to a URL.

  • Use a signed URL to upload an object

    The following code provides an example on how to use a signed URL to upload a local file named examplefile.txt from a local directory named D:\\localpath to the exampledir directory of a bucket named examplebucket. The uploaded file is stored in OSS as an object named exampleobject.txt.

    Notice To use a signed URL that contains custom parameters to access an object in a browser, make sure that the value of the ContentType parameter contained in the URL is the same as the content type specified in the browser. Content-Type is part of the string that the URL signature covers, so a request that sends a different Content-Type header than the one the URL was signed for fails the signature check and is rejected.
    package main
    
    import (
        "fmt"
        "os"
        "strings"
    
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
    )
    
    func HandleError(err error) {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
    
    func main() {
        // After you obtain a temporary STS credential, you can use the security token and temporary AccessKey pair (AccessKey ID and AccessKey secret) that are contained in the credential to create an OSSClient. 
        client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret", oss.SecurityToken("yourSecurityToken"))
        if err != nil {
            HandleError(err)
        }
        // Specify the name of the bucket to which the local file is uploaded. Example: examplebucket. 
        bucketName := "examplebucket"
        // Specify the full path of the object to which the uploaded file is stored. Example: exampledir/exampleobject.txt. The full path of the object cannot contain bucket names. 
        objectName := "exampledir/exampleobject.txt"
        // Specify the full path of the local file to upload. Example: D:\\localpath\\examplefile.txt, in which localpath indicates the local path in which the file is stored. 
        localFilename := "D:\\localpath\\examplefile.txt"
    
        // Obtain the bucket. 
        bucket, err := client.Bucket(bucketName)
        if err != nil {
            HandleError(err)
        }
    
        // Generate a signed URL to upload the object. 
        signedURL, err := bucket.SignURL(objectName, oss.HTTPPut, 60)
        if err != nil {
            HandleError(err)
        }
    
        var val = "Go with Alibaba Cloud"
        err = bucket.PutObjectWithURL(signedURL, strings.NewReader(val))
        if err != nil {
            HandleError(err)
        }
    
        // Generate a signed URL that contains custom parameters to upload the object. Make sure that the value of the ContentType parameter contained in the URL is the same as the content type specified in the browser. 
        options := []oss.Option{
            oss.Meta("myprop", "mypropval"),
            oss.ContentType("text/plain"),
        }
    
        signedURL, err = bucket.SignURL(objectName, oss.HTTPPut, 60, options...)
        if err != nil {
            HandleError(err)
        }
    
        err = bucket.PutObjectFromFileWithURL(signedURL, localFilename, options...)
        if err != nil {
            HandleError(err)
        }
    }
                        
    Note For more information about the custom parameters that you can configure in a signed URL, see Manage object metadata.
  • Use a signed URL to download an object

    The following code provides an example on how to use a signed URL to download an object named exampleobject.txt from the exampledir directory of a bucket named examplebucket to a local directory named D:\\localpath. The downloaded object is stored as a local file named examplefile.txt.

    package main
    
    import (
        "fmt"
        "io/ioutil"
        "os"
    
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
    )
    
    func HandleError(err error) {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
    
    func main() {
        // After you obtain a temporary STS credential, you can use the security token and temporary AccessKey pair (AccessKey ID and AccessKey secret) that are contained in the credential to create an OSSClient. 
        client, err := oss.New("yourEndpoint", "yourAccessKeyId", "yourAccessKeySecret", oss.SecurityToken("yourSecurityToken"))
        if err != nil {
            HandleError(err)
        }
    
        // Specify the name of the bucket in which the object you want to download is stored. 
        bucketName := "examplebucket"
        // Specify the full path of the object that you want to download. Example: exampledir/exampleobject.txt. The full path of the object cannot contain bucket names. 
        objectName := "exampledir/exampleobject.txt"
        // Download the object to the local directory and store the object as a local file. If the specified local file exists, it is overwritten by the downloaded object. Otherwise, the local file is created. 
        // If the path of the local file is not specified, the downloaded object is saved to the path of the project to which the sample program belongs. 
        localDownloadedFilename := "D:\\localpath\\examplefile.txt"
    
        // Obtain the bucket. 
        bucket, err := client.Bucket(bucketName)
        if err != nil {
            HandleError(err)
        }
    
        // Generate a signed URL to download the object to a stream. 
        signedURL, err := bucket.SignURL(objectName, oss.HTTPGet, 60)
        if err != nil {
            HandleError(err)
        }
    
        body, err := bucket.GetObjectWithURL(signedURL)
        if err != nil {
            HandleError(err)
        }
        // Read the object content from the stream. Close the body whether or not the read succeeds. 
        data, err := ioutil.ReadAll(body)
        body.Close()
        if err != nil {
            HandleError(err)
        }
        fmt.Printf("Downloaded %d bytes.\n", len(data))
    
        // Reuse the same signed URL to download the object and store it as a local file. 
        err = bucket.GetObjectToFileWithURL(signedURL, localDownloadedFilename)
        if err != nil {
            HandleError(err)
        }
    }
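The two notes above (the shorter validity period winning when a signed URL is generated from an STS credential, and the Content-Type in the URL having to match the request) both follow from what the URL signature covers. The following is an added example written for this page, not code from the OSS Go SDK: it builds a presigned URL from a constructed STS credential and then performs the check that the server side performs, so the failure modes can be seen offline. It assumes the OSS V1 string-to-sign layout (VERB, Content-MD5, Content-Type, Expires, then the CanonicalizedResource with security-token as a sub-resource; no x-oss-* headers are included), which should be checked against Add signatures to a URL before relying on it. Capping the requested lifetime at the credential's expiration is this example's own policy, not SDK behaviour, and all credential values are made up.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// STSCredential is a constructed stand-in for what AssumeRole returns:
// a temporary AccessKey pair, a security token, and the credential's expiration.
type STSCredential struct {
	AccessKeyID     string
	AccessKeySecret string
	SecurityToken   string
	Expiration      time.Time
}

// stringToSign assembles the V1 string that the URL signature covers (assumed
// layout, see lead-in): VERB, Content-MD5 (empty here), Content-Type, Expires,
// then the CanonicalizedResource. With STS, security-token is a sub-resource,
// so the token is bound into the signature too.
func stringToSign(method, contentType, bucket, object string, expires int64, token string) string {
	resource := "/" + bucket + "/" + object
	if token != "" {
		resource += "?security-token=" + token
	}
	return method + "\n" + "\n" + contentType + "\n" +
		strconv.FormatInt(expires, 10) + "\n" + resource
}

func signature(secret, toSign string) string {
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(toSign))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// SignURL produces a presigned URL for bucket/object. The requested lifetime is
// capped at the STS credential's expiration (this example's policy), because the
// token stops working at that point no matter what Expires says.
func SignURL(cred STSCredential, endpoint, bucket, object, method, contentType string,
	lifetime time.Duration, now time.Time) (string, time.Time, error) {
	if !now.Before(cred.Expiration) {
		return "", time.Time{}, errors.New("STS credential already expired")
	}
	expiresAt := now.Add(lifetime)
	if expiresAt.After(cred.Expiration) {
		expiresAt = cred.Expiration
	}
	exp := expiresAt.Unix()
	q := url.Values{}
	q.Set("OSSAccessKeyId", cred.AccessKeyID)
	q.Set("Expires", strconv.FormatInt(exp, 10))
	if cred.SecurityToken != "" {
		q.Set("security-token", cred.SecurityToken)
	}
	q.Set("Signature", signature(cred.AccessKeySecret,
		stringToSign(method, contentType, bucket, object, exp, cred.SecurityToken)))
	u := url.URL{Scheme: "https", Host: bucket + "." + endpoint, Path: "/" + object, RawQuery: q.Encode()}
	return u.String(), time.Unix(exp, 0), nil
}

// VerifySignedURL mirrors the server-side check: reject an expired URL, then
// recompute the signature over the request that was actually made (method and
// Content-Type included) and compare it in constant time.
func VerifySignedURL(rawURL, method, contentType, secret string, now time.Time) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	q := u.Query()
	exp, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return errors.New("missing or malformed Expires")
	}
	if now.Unix() >= exp {
		return fmt.Errorf("signed URL expired at %d", exp)
	}
	bucket := strings.SplitN(u.Host, ".", 2)[0] // virtual-hosted style: bucket.endpoint
	object := strings.TrimPrefix(u.Path, "/")
	want := signature(secret, stringToSign(method, contentType, bucket, object, exp, q.Get("security-token")))
	if subtle.ConstantTimeCompare([]byte(want), []byte(q.Get("Signature"))) != 1 {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cred := STSCredential{ // constructed values, not real credentials
		AccessKeyID: "STS.exampleid", AccessKeySecret: "examplesecret",
		SecurityToken: "exampletoken", Expiration: now.Add(1200 * time.Second),
	}
	u, exp, err := SignURL(cred, "oss-cn-hangzhou.aliyuncs.com", "examplebucket",
		"exampledir/exampleobject.txt", "PUT", "text/plain", 3600*time.Second, now)
	if err != nil {
		panic(err)
	}
	fmt.Println(u)
	fmt.Println("effective expiry (capped to the credential):", exp.UTC())
	fmt.Println("same method and Content-Type:", VerifySignedURL(u, "PUT", "text/plain", cred.AccessKeySecret, now))
	fmt.Println("different Content-Type:", VerifySignedURL(u, "PUT", "application/octet-stream", cred.AccessKeySecret, now))
}
```

Asking for a 3600-second URL from a 1200-second credential yields a URL whose Expires is the credential's expiration, which is the precedence rule in the note above made explicit to the caller; presenting the URL with a different Content-Type or method, a tampered object key, or after expiry all fail the check.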