Sign a URL to authorize temporary access

You can give a visitor a signed URL for temporary access. When you sign the URL, you specify an expiration time that limits how long visitors can use it.

For the complete code of signing a URL to authorize temporary access, see GitHub.

  • Use a signed URL to upload a file

    Run the following code to upload a file with a signed URL:

    package main
    
    import (
    	"fmt"
    	"os"
    	"strings"
    
    	"github.com/aliyun/aliyun-oss-go-sdk/oss"
    )
    
    func HandleError(err error) {
    	fmt.Println("Error:", err)
    	os.Exit(-1)
    }
    
    func main() {
    	client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
    	if err != nil {
    		HandleError(err)
    	}
    
    	bucketName := "<yourBucketName>"
    	objectName := "<yourObjectName>"
    	localFilename := "<yourLocalFilename>"
    
    	// Obtain the bucket.
    	bucket, err := client.Bucket(bucketName)
    	if err != nil {
    		HandleError(err)
    	}
    
    	// Sign the URL, then upload directly with it.
    	// The third argument (60) is the validity period of the URL in seconds.
    	signedURL, err := bucket.SignURL(objectName, oss.HTTPPut, 60)
    	if err != nil {
    		HandleError(err)
    	}
    
    	var val = "Choose Alibaba Cloud"
    	err = bucket.PutObjectWithURL(signedURL, strings.NewReader(val))
    	if err != nil {
    		HandleError(err)
    	}
    
    	// Sign the URL with optional parameters, then upload the file.
    	// The same options are passed to the signing call and to the upload call.
    	options := []oss.Option{
    		oss.Meta("myprop", "mypropval"),
    		oss.ContentType("image/tiff"),
    	}
    
    	signedURL, err = bucket.SignURL(objectName, oss.HTTPPut, 60, options...)
    	if err != nil {
    		HandleError(err)
    	}
    
    	err = bucket.PutObjectFromFileWithURL(signedURL, localFilename, options...)
    	if err != nil {
    		HandleError(err)
    	}
    }
    
    Note: For more information about the optional parameters, see Manage Object Meta in Manage objects.
  • Use a signed URL to download an object

    Run the following code to use a signed URL to download an object:

    package main
    
    import (
    	"fmt"
    	"os"
    	"io/ioutil"
    
    	"github.com/aliyun/aliyun-oss-go-sdk/oss"
    )
    
    func HandleError(err error) {
    	fmt.Println("Error:", err)
    	os.Exit(-1)
    }
    
    func main() {
    	client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
    	if err != nil {
    		HandleError(err)
    	}
    
    	bucketName := "<yourBucketName>"
    	objectName := "<yourObjectName>"
    	localDownloadedFilename := "<yourDownloadedFilename>"
    
    	// Obtain the bucket.
    	bucket, err := client.Bucket(bucketName)
    	if err != nil {
    		HandleError(err)
    	}
    
    	// Sign the URL, then download the object to a stream with it.
    	// The third argument (60) is the validity period of the URL in seconds.
    	signedURL, err := bucket.SignURL(objectName, oss.HTTPGet, 60)
    	if err != nil {
    		HandleError(err)
    	}
    
    	body, err := bucket.GetObjectWithURL(signedURL)
    	if err != nil {
    		HandleError(err)
    	}
    	// Read the object content, then close the stream.
    	data, err := ioutil.ReadAll(body)
    	body.Close()
    	if err != nil {
    		HandleError(err)
    	}
    	fmt.Println("data:", string(data))
    
    	// Download the object to a local file with the same signed URL.
    	err = bucket.GetObjectToFileWithURL(signedURL, localDownloadedFilename)
    	if err != nil {
    		HandleError(err)
    	}
    }
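
Added example (not from the original page or the OSS SDK): a standard-library model of what a signed URL's signature covers, assuming the OSS V1 URL-signature layout (method, empty Content-MD5, Content-Type, Expires, x-oss-meta-* headers, /bucket/object). It shows why the upload sample passes the same options when signing and when uploading, and why the URL stops working once the expiry passes. `SignedRequest`, `Sign`, `Verify`, the key, and the bucket and object names are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
	"time"
)

// SignedRequest lists the request properties the URL signature covers.
type SignedRequest struct {
	Method, ContentType, Bucket, Object string
	Meta    [][2]string // user metadata as lower-case name/value pairs (x-oss-meta-<name>)
	Expires int64       // Unix time after which the URL is rejected
}

// Sign returns base64(HMAC-SHA1(secret, string-to-sign)) for the assumed V1 layout.
func Sign(secret string, r SignedRequest) string {
	meta := append([][2]string(nil), r.Meta...) // copy so the caller's slice is not reordered
	sort.Slice(meta, func(i, j int) bool { return meta[i][0] < meta[j][0] })
	var hdrs strings.Builder
	for _, kv := range meta {
		hdrs.WriteString("x-oss-meta-" + kv[0] + ":" + kv[1] + "\n")
	}
	msg := fmt.Sprintf("%s\n\n%s\n%d\n%s/%s/%s", r.Method, r.ContentType, r.Expires, hdrs.String(), r.Bucket, r.Object)
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(msg))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Verify is a hypothetical stand-in for the service-side check of a presented URL.
func Verify(secret, sig string, r SignedRequest, now time.Time) error {
	if now.Unix() > r.Expires {
		return fmt.Errorf("signed URL expired")
	}
	if !hmac.Equal([]byte(sig), []byte(Sign(secret, r))) {
		return fmt.Errorf("signature mismatch")
	}
	return nil
}

func main() {
	put := SignedRequest{"PUT", "image/tiff", "examplebucket", "exampleobject", [][2]string{{"myprop", "mypropval"}}, 1700000060}
	sig := Sign("constructed-secret", put) // constructed key, names and clock values
	fmt.Println(Verify("constructed-secret", sig, put, time.Unix(1700000000, 0)), Verify("constructed-secret", sig, put, time.Unix(1700000061, 0)))
}
```

A URL signed for PUT with a given Content-Type and metadata fails verification if it is replayed with another method, another Content-Type, or without the metadata headers, so the holder of the URL can only perform the exact request that was signed.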
    

Use STS for temporary access authorization

OSS supports Alibaba Cloud Security Token Service (STS) for temporary access authorization. STS is a web service that provides temporary access tokens to cloud computing users. Through STS, you can issue a third-party application or a RAM user (whose user ID you manage) an access credential with a custom validity period and custom permissions. For more information about STS, see STS introduction.

STS advantages:

  • Your long-term key (AccessKey) is not exposed to a third-party application. You only need to generate an access token and send the access token to the third-party application. You can customize the access permissions and the validity period of this token.

  • You do not need to keep track of permission revocation issues. The access token automatically becomes invalid when it expires.

For more information about the process of access to OSS with STS, see RAM and STS scenario practices in OSS Developer Guide.

Run the following code to create a signature request with STS:

package main

import (
	"fmt"
	"os"

	"github.com/aliyun/aliyun-oss-go-sdk/oss"
)

func main() {
	// After a user obtains a temporary STS credential, create the OSSClient instance with
	// the temporary access key (AccessKeyId and AccessKeySecret) and the security token.
	client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>", oss.SecurityToken("<yourSecurityToken>"))
	if err != nil {
		fmt.Println("Error:", err)
		os.Exit(-1)
	}

	// Perform operations on OSS.
	_ = client // placeholder so the sample compiles before operations are added
}