This topic describes how to authorize temporary access to OSS by using STS or a signed URL.

Use STS to authorize temporary access

You can use Alibaba Cloud Security Token Service (STS) to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for cloud computing users. You can use STS to grant a third-party application or your RAM user an access credential with a customized validity period and permissions. For more information about STS, see What is STS?

STS has the following benefits:

  • You need only to generate an access token and send the access token to a third-party application, instead of exposing your long-term AccessKey pair to the third-party application. You can customize the access permissions and validity period of this token.
  • The access token automatically expires when the validity period ends.

For more information about how to access OSS by using STS, see Access OSS with a temporary access credential provided by STS in OSS Developer Guide.

The following code provides an example on how to create an OSSClient instance that signs requests with an STS temporary credential:

import (
    "fmt"
    "os"

    "github.com/aliyun/aliyun-oss-go-sdk/oss"
)

// After you obtain a temporary STS credential, create an OSSClient instance from the temporary AccessKey pair (AccessKey ID and AccessKey secret) and the security token contained in the credential.
client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>", oss.SecurityToken("<yourSecurityToken>"))
if err != nil {
    fmt.Println("Error:", err)
    os.Exit(-1)
}

// Perform an operation in OSS.
Note A validity period applies to both the STS temporary account and the signed URL. When you use an STS temporary account to generate a signed URL for operations such as object upload and download, the shorter of the two validity periods takes effect. For example, if you set the validity period of the STS temporary account to 1200 seconds and that of the signed URL to 3600 seconds, the signed URL generated by the STS temporary account can no longer be used to upload objects after 1200 seconds.
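The interaction described in the preceding note, as an added example that is not part of the OSS SDK or this topic: EffectiveExpiry reports when a signed URL really stops working, and ClampValidity computes the validity period to pass to SignURL so the URL never outlives the STS credential. It assumes the OSS V1 signed URL query parameters Expires (Unix timestamp) and security-token; the URL in main is constructed with placeholder values.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// EffectiveExpiry returns the instant at which a signed OSS URL actually stops working. A URL
// signed with an STS credential (it carries a security-token parameter) is rejected as soon as the
// credential expires, however far ahead its own Expires timestamp lies, so the earlier instant wins.
func EffectiveExpiry(signedURL string, stsExpiry time.Time) (time.Time, error) {
	u, err := url.Parse(signedURL)
	if err != nil {
		return time.Time{}, err
	}
	q := u.Query()
	secs, err := strconv.ParseInt(q.Get("Expires"), 10, 64) // OSS stores the expiry as a Unix timestamp
	if err != nil {
		return time.Time{}, fmt.Errorf("missing or invalid Expires parameter: %w", err)
	}
	urlExpiry := time.Unix(secs, 0)
	if q.Get("security-token") != "" && !stsExpiry.IsZero() && stsExpiry.Before(urlExpiry) {
		return stsExpiry, nil
	}
	return urlExpiry, nil
}

// ClampValidity returns the validity period (in seconds) to pass to SignURL so that the URL never
// promises more time than the STS credential has left; an already expired credential is an error.
func ClampValidity(requested int64, stsExpiry, now time.Time) (int64, error) {
	remaining := int64(stsExpiry.Sub(now) / time.Second)
	if remaining <= 0 {
		return 0, fmt.Errorf("STS credential expired at %v; obtain a new one before signing", stsExpiry)
	}
	if requested > remaining {
		return remaining, nil
	}
	return requested, nil
}
func main() {
	now := time.Unix(1_700_000_000, 0)
	stsExpiry := now.Add(1200 * time.Second) // the note's example: the token is valid for 1200 seconds
	// Constructed URL that asks for 3600 seconds; every parameter value is a placeholder, not a real signature.
	signed := fmt.Sprintf("https://example-bucket.oss-cn-hangzhou.aliyuncs.com/obj?OSSAccessKeyId=STS.placeholder&Expires=%d&Signature=placeholder&security-token=placeholder", now.Unix()+3600)
	eff, _ := EffectiveExpiry(signed, stsExpiry)
	v, _ := ClampValidity(3600, stsExpiry, now)
	fmt.Println("URL usable for", eff.Sub(now), "; pass", v, "seconds to SignURL") // 20m0s, 1200
}
```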

Use a signed URL to authorize temporary access

You can generate a signed URL and provide it to a visitor to grant temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit how long the visitor can access the object.

For information about how to add signature information to a URL so that you can forward the URL to a third party for authorized access, see Generate a signed URL.

For the complete code of using a signed URL to authorize temporary access, visit GitHub.

  • Use a signed URL to upload an object

    The following code provides an example on how to upload an object by using a signed URL:

    package main
    
    import (
        "fmt"
        "os"
        "strings"
    
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
    )
    
    func HandleError(err error) {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
    
    func main() {
        client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
        if err != nil {
            HandleError(err)
        }
    
        bucketName := "<yourBucketName>"
        objectName := "<yourObjectName>"
        localFilename := "<yourLocalFilename>"
    
        // Specify the name of the bucket to which to upload the object.
        bucket, err := client.Bucket(bucketName)
        if err != nil {
            HandleError(err)
        }
    
        // Generate a signed URL that allows a PUT request to the object for 60 seconds.
        signedURL, err := bucket.SignURL(objectName, oss.HTTPPut, 60)
        if err != nil {
            HandleError(err)
        }
    
        // Upload the object by using the signed URL.
        var val = "Go with Alibaba Cloud"
        err = bucket.PutObjectWithURL(signedURL, strings.NewReader(val))
        if err != nil {
            HandleError(err)
        }
    
        // Upload the object by using a signed URL that has optional parameters configured.
        // The same options must be passed to both SignURL and the upload call, because they are part of the signature.
        options := []oss.Option{
            oss.Meta("myprop", "mypropval"),
            oss.ContentType("image/tiff"),
        }
    
        signedURL, err = bucket.SignURL(objectName, oss.HTTPPut, 60, options...)
        if err != nil {
            HandleError(err)
        }
    
        err = bucket.PutObjectFromFileWithURL(signedURL, localFilename, options...)
        if err != nil {
            HandleError(err)
        }
    }
    Note For more information about the optional parameters, see the Manage object metadata topic in Manage objects.
  • Use a signed URL to download an object

    The following code provides an example on how to download a specified object by using a signed URL:

    package main
    
    import (
        "fmt"
        "io/ioutil"
        "os"
    
        "github.com/aliyun/aliyun-oss-go-sdk/oss"
    )
    
    func HandleError(err error) {
        fmt.Println("Error:", err)
        os.Exit(-1)
    }
    
    func main() {
        client, err := oss.New("<yourEndpoint>", "<yourAccessKeyId>", "<yourAccessKeySecret>")
        if err != nil {
            HandleError(err)
        }
    
        bucketName := "<yourBucketName>"
        objectName := "<yourObjectName>"
        localDownloadedFilename := "<yourDownloadedFilename>"
    
        // Specify the name of the bucket to download the object from.
        bucket, err := client.Bucket(bucketName)
        if err != nil {
            HandleError(err)
        }
    
        // Generate a signed URL that allows a GET request to the object for 60 seconds.
        signedURL, err := bucket.SignURL(objectName, oss.HTTPGet, 60)
        if err != nil {
            HandleError(err)
        }
    
        // Download the object to a stream by using the signed URL.
        body, err := bucket.GetObjectWithURL(signedURL)
        if err != nil {
            HandleError(err)
        }
        // Read the object content and close the stream.
        data, err := ioutil.ReadAll(body)
        body.Close()
        if err != nil {
            HandleError(err)
        }
        fmt.Println("Downloaded", len(data), "bytes")
    
        // Download the object to a local file by using the signed URL.
        err = bucket.GetObjectToFileWithURL(signedURL, localDownloadedFilename)
        if err != nil {
            HandleError(err)
        }
    }