
Object Storage Service: sign

Last Updated: Apr 11, 2024

By default, the access control list (ACL) of an object in an Object Storage Service (OSS) bucket is private. Only the object owner has the permissions to access the object. However, the object owner can run the sign command to generate and share the signed URL of the object with third-party users. Access credentials are used to generate a signed URL and authorize third-party users to download or preview the object within a specific period of time.

Important
  • Third-party users can use the signed URL to access the object, regardless of whether the ACL of the object is public-read or private and whether a bucket policy or RAM policy is configured to authorize the third-party users to access the object.

  • This topic provides sample command lines that are based on the 64-bit Linux system. For other systems, replace ./ossutil64 in the commands with the specific binary name. For more information, see ossutil command reference.

Command syntax

./ossutil64 sign cloud_url
[--timeout <value>] 
[--version-id <value>] 
[--trafic-limit <value>] 
[--disable-encode-slash] 
[--payer <value>]
[--query-param <value>]

The following list describes the parameters that you can configure to run the sign command.

  • cloud_url: The full path of the object.

  • --timeout: The validity period of the signed URL. Unit: seconds. Default value: 60.

    Important: The sum of the current timestamp and the validity period of the signed URL cannot exceed 9223372036854775807. If the sum exceeds the preceding value, an error is reported. For example, if the current timestamp is 1643341269, the validity period of the signed URL cannot exceed 9223372035211434538.

  • --version-id: The version ID of the object for which you want to generate a signed URL. This parameter applies only to objects in buckets for which versioning is enabled or suspended.

  • --trafic-limit: The maximum speed to access the object over HTTP by using the signed URL. Unit: bit/s. The default value of this parameter is 0, which indicates that the access speed is not limited. Valid values: 819200 to 838860800 (100 KB/s to 100 MB/s).

  • --disable-encode-slash: Specifies that forward slashes (/) contained in the value of cloud_url are not encoded.

  • --payer: The payer of the traffic and request fees. If you want the requester who accesses the resources in the specified path to pay the traffic and request fees, set this parameter to requester.

  • --query-param: The query parameters in the request. You can specify multiple query parameters in a request. For example, you can specify image processing (IMG) parameters as query parameters.

    --query-param supports the following parameters: x-oss-process, response-content-type, x-oss-traffic-limit, response-content-language, response-expires, response-cache-control, response-content-disposition, response-content-encoding, x-oss-ac-source-ip, x-oss-ac-subnet-mask, x-oss-ac-vpc-id, and x-oss-ac-forward-allow. For more information about the parameters, see Create a signed URL by using signature V1 and GetObject.

    Note: The --query-param parameter is available only in ossutil V.1.7.15 or later.

Examples

  • You can run the following command to generate a signed URL for an object named exampleobject.png in a bucket named examplebucket. In this example, the validity period of the URL is the default value, which is 60 seconds.

    ./ossutil64 sign oss://examplebucket/exampleobject.png
  • You can run the following command to generate a signed URL for an object named exampleobject.png in a bucket named examplebucket. In this example, the validity period of the URL is set to 3,600 seconds.

    ./ossutil64 sign oss://examplebucket/exampleobject.png --timeout 3600
  • You can run the following command to generate a signed URL for an object named exampleobject.png in a bucket named examplebucket. In this example, the validity period of the URL is set to 7,200 seconds, and the maximum speed to access the object over HTTP by using the signed URL is set to 100 MB/s.

    ./ossutil64 sign oss://examplebucket/exampleobject.png --timeout 7200 --trafic-limit 838860800
  • You can run the following command to generate a signed URL for the specified version of an object named exampleobject.jpg in a bucket named examplebucket. In this example, the validity period of the URL is set to 1,800 seconds.

    ./ossutil64 sign oss://examplebucket/exampleobject.jpg --timeout 1800 --version-id CAEQARiBgID8rumR2hYiIGUyOTAyZGY2MzU5MjQ5ZjlhYzQzZjNlYTAyZDE3****
  • You can run the following command to resize an image object named exampleobject.jpg in the examplebucket bucket to a width of 100 pixels and a height of 100 pixels, rotate the image by 90 degrees, and generate a signed URL for the processed image:

    ./ossutil64 sign oss://examplebucket/exampleobject.jpg --query-param x-oss-process:image/resize,m_fixed,w_100,h_100/rotate,90
  • You can run the following command to resize an image object named exampleobject.jpg in the examplebucket bucket to a width of 100 pixels and a height of 100 pixels, rotate the image by 90 degrees, set the traffic limit to 100 KB/s (819200 bit/s), and generate a signed URL for the processed image:

    ./ossutil64 sign oss://examplebucket/exampleobject.jpg --query-param x-oss-process:image/resize,m_fixed,w_100,h_100/rotate,90 --query-param x-oss-traffic-limit:819200
  • After the preceding commands are run, an output similar to the following one is returned. The output includes the time used to generate the signed URL, the validity period of the URL, and the signature information in the URL:

    https://examplebucket.oss-cn-hangzhou.aliyuncs.com/exampleobject.png?Expires=1608282224&OSSAccessKeyId=LTAI4G33piUmgRN1DXx9****&Signature=jo4%2FGykfuc1A4fvyvKRpRyymYH****
    0.368676(s) elapsed
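
Because a signed URL grants access regardless of ACLs and policies until it expires, it helps to check what a URL actually allows before sharing it. The following shell functions are an added example, not part of ossutil or of the original page: they read the Expires, OSSAccessKeyId, x-oss-ac-source-ip and x-oss-traffic-limit query parameters from a signed URL and compare the remaining lifetime with a local cap. The function names, the sample URL and the cap are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a signed URL before sharing it.
# SAMPLE_URL is constructed; the masked key and signature are placeholders.
SAMPLE_URL='https://testbucket.oss-cn-shanghai.aliyuncs.com/exampletest.jpg?Expires=1608282224&OSSAccessKeyId=LTAI****&Signature=jo4%2F****&x-oss-traffic-limit=819200'

# query_value URL NAME: print the value of query parameter NAME (empty if absent).
# Runs in a subshell so the IFS and noglob changes do not leak to the caller.
query_value() (
    case $1 in *\?*) ;; *) exit 0 ;; esac
    set -f; IFS='&'
    for pair in ${1#*\?}; do
        if [ "${pair%%=*}" = "$2" ]; then printf '%s\n' "${pair#*=}"; exit 0; fi
    done
    exit 0
)

# audit_signed_url URL NOW MAX_LIFETIME
# NOW is the current Unix time; MAX_LIFETIME (seconds) is a hypothetical local
# policy cap, not an OSS limit.
# Returns 0 = acceptable, 1 = already expired, 2 = lives longer than the cap,
# 3 = Expires missing or not a plausible Unix timestamp.
audit_signed_url() {
    expires=$(query_value "$1" Expires)
    case $expires in
        ''|0*|*[!0-9]*) echo "invalid: no numeric Expires"; return 3 ;;
    esac
    # Reject values too long for safe signed 64-bit shell arithmetic.
    [ "${#expires}" -le 18 ] || { echo "invalid: Expires out of range"; return 3; }
    left=$(($expires - $2))
    key=$(query_value "$1" OSSAccessKeyId)
    src=$(query_value "$1" x-oss-ac-source-ip)
    limit=$(query_value "$1" x-oss-traffic-limit)
    echo "key=${key:-none} seconds_left=$left source_ip=${src:-unrestricted} traffic_limit=${limit:-none}"
    [ "$left" -gt 0 ] || return 1
    [ "$left" -le "$3" ] || return 2
    return 0
}

# One hour before the sample URL expires, with a one-hour cap: acceptable.
audit_signed_url "$SAMPLE_URL" 1608278624 3600
```

In practice, pass `$(date +%s)` as NOW and the URL printed by the sign command as the first argument.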

Common options

If you use ossutil to switch to a bucket that is located in another region, add the -e option to the command to specify the endpoint of the region in which the specified bucket is located. If you use ossutil to switch to a bucket that belongs to another Alibaba Cloud account, add the -i option to the command to specify the AccessKey ID of the specified account, and add the -k option to the command to specify the AccessKey secret of the specified account.

For example, you can run the following command to generate a signed URL for an object named exampletest.jpg in a bucket named testbucket, which is located in the China (Shanghai) region and owned by another Alibaba Cloud account. In this example, the validity period of the URL is set to 3,600 seconds.

./ossutil64 sign oss://testbucket/exampletest.jpg --timeout 3600 -e oss-cn-shanghai.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA**** -k 67DLVBkH7EamOjy2W5RVAHUY9H****

For more information about common options, see Common options.