This topic describes how to authorize temporary access to Object Storage Service (OSS) by using Security Token Service (STS) or a signed URL.

Use STS to authorize temporary access

You can use Alibaba Cloud STS to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for users. You can use STS to grant an access credential that has a custom validity period and custom permissions for a third-party application or a Resource Access Management (RAM) user managed by you. For more information about STS, see What is STS?.

STS has the following benefits:

  • You need only to generate an access token and send the access token to a third-party application, instead of exposing your AccessKey pair to the third-party application. You can customize the access permissions and validity period of this token.
  • The access token automatically expires after the validity period. Therefore, you do not need to manually revoke the permissions of an access token.

The following code provides an example on how to generate a signed request by using an STS credential:

#include "oss_api.h"
#include "aos_http_io.h"

const char *endpoint = "<yourEndpoint>";
const char *access_key_id = "<yourAccessKeyId>";
const char *access_key_secret = "<yourAccessKeySecret>";
const char *sts_token = "<yourStsToken>";
const char *bucket_name = "<yourBucketName>";
const char *object_name = "<yourObjectName>";
const char *object_content = "More than just cloud.";

void init_options(oss_request_options_t *options)
{
    options->config = oss_config_create(options->pool);
    /* Use a char* string to initialize the aos_string_t data type. */
    aos_str_set(&options->config->endpoint, endpoint);
    aos_str_set(&options->config->access_key_id, access_key_id);
    aos_str_set(&options->config->access_key_secret, access_key_secret);
    aos_str_set(&options->config->sts_token, sts_token);
    /* Specify whether to use CNAME to access OSS. A value of 0 indicates that CNAME is not used. */
    options->config->is_cname = 0;
    /* Configure network parameters such as the timeout period. */
    options->ctl = aos_http_controller_create(options->pool, 0);
}

int main(int argc, char *argv[])
{
    /* Call aos_http_io_initialize in main() to initialize global resources such as the network and memory. */
    if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
        exit(1);
    }

    /* Create a memory pool to manage memory. aos_pool_t is equivalent to apr_pool_t. The code to create a memory pool is included in the APR library. */
    aos_pool_t *pool;
    /* Create a memory pool. The second parameter is NULL. This parameter indicates that the pool does not inherit any other memory pool. */
    aos_pool_create(&pool, NULL);
    /* Create and initialize options. This parameter includes global configuration information such as endpoint, access_key_id, access_key_secret, is_cname, and curl. */
    oss_request_options_t *oss_client_options;
    /* Allocate a memory chunk in the memory pool to options. */
    oss_client_options = oss_request_options_create(pool);
    /* Call oss_client_options to initialize the client options. */
    init_options(oss_client_options);

    /* Initialize the parameters. */
    aos_string_t bucket;
    aos_string_t object;
    aos_list_t buffer;
    aos_buf_t *content = NULL;
    aos_table_t *headers = NULL;
    aos_table_t *resp_headers = NULL; 
    aos_status_t *resp_status = NULL; 
    /* Assign the char* data to the bucket. */
    aos_str_set(&bucket, bucket_name);
    aos_str_set(&object, object_name);

    aos_list_init(&buffer);
    content = aos_buf_pack(oss_client_options->pool, object_content, strlen(object_content));
    aos_list_add_tail(&content->node, &buffer);

    /* Upload the object. */
    resp_status = oss_put_object_from_buffer(oss_client_options, &bucket, &object, &buffer, headers, &resp_headers);
    /* Determine whether the object is uploaded. */
    if (aos_status_is_ok(resp_status)) {
        printf("put object from buffer succeeded\n");
    } else {
        printf("put object from buffer failed\n");      
    }    

    /* Release the memory pool. The memory allocated to various resources used for the request is released. */
    aos_pool_destroy(pool);

    /* Release the allocated global resources. */
    aos_http_io_deinitialize();

    return 0;
}
            

Use a signed URL to authorize temporary access

You can generate a signed URL and provide the URL to a visitor for temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit the period of access from visitors. By default, the validity period of a signed URL is 3,600 seconds. The maximum validity period of a signed URL is 32,400 seconds.

This section provides examples on how to use a signed URL to authorize temporary access.

  • Use a signed URL to upload an object

    The following code provides an example on how to upload an object by using a signed URL:

    #include "oss_api.h"
    #include "aos_http_io.h"
    const char *endpoint = "<yourEndpoint>";
    const char *access_key_id = "<yourAccessKeyId>";
    const char *access_key_secret = "<yourAccessKeySecret>";
    const char *bucket_name = "<yourBucketName>";
    const char *object_name = "<yourObjectName>";
    const char *local_filename = "<yourLocalFilename>";
    void init_options(oss_request_options_t *options)
    {
        options->config = oss_config_create(options->pool);
        /* Use a char* string to initialize the aos_string_t data type. */
        aos_str_set(&options->config->endpoint, endpoint);
        aos_str_set(&options->config->access_key_id, access_key_id);
        aos_str_set(&options->config->access_key_secret, access_key_secret);
        /* Specify whether to use CNAME to access OSS. A value of 0 indicates that CNAME is not used. */
        options->config->is_cname = 0;
        /* Configure network parameters such as the timeout period. */
        options->ctl = aos_http_controller_create(options->pool, 0);
    }
    int main(int argc, char *argv[])
    {
        /* Call aos_http_io_initialize in main() to initialize global resources such as the network and memory. */
        if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
            exit(1);
        }
        /* Create a memory pool to manage memory. aos_pool_t is equivalent to apr_pool_t. The code to create a memory pool is included in the APR library. */
        aos_pool_t *pool;
        /* Create a memory pool. The second parameter is NULL. This parameter indicates that the pool does not inherit any other memory pool. */
        aos_pool_create(&pool, NULL);
        /* Create and initialize options. This parameter includes global configuration information such as endpoint, access_key_id, access_key_secret, is_cname, and curl. */
        oss_request_options_t *oss_client_options;
        /* Allocate a memory chunk in the memory pool to options. */
        oss_client_options = oss_request_options_create(pool);
        /* Call oss_client_options to initialize the client options. */
        init_options(oss_client_options);
        /* Initialize the parameters. */
        aos_string_t bucket;
        aos_string_t object;
        aos_string_t file;
        aos_table_t *headers = NULL;
        aos_table_t *resp_headers = NULL; 
        aos_status_t *resp_status = NULL; 
        aos_http_request_t *req;
        apr_time_t now;
        char *url_str;
        aos_string_t url;
        int64_t expire_time; 
        int one_hour = 3600;
        aos_str_set(&bucket, bucket_name);
        aos_str_set(&object, object_name);
        aos_str_set(&file, local_filename);
        expire_time = now / 1000000 + one_hour;
        headers = aos_table_make(pool, 0);
        req = aos_http_request_create(pool);
        req->method = HTTP_PUT;
        now = apr_time_now(); /* Unit: microseconds */
        expire_time = now / 1000000 + one_hour;
        /* Generate a signed URL. */
        url_str = oss_gen_signed_url(oss_client_options, &bucket, &object, expire_time, req);
        aos_str_set(&url, url_str);
        printf("Temporary upload URL: %s\n", url_str);
        /* Use the signed URL to upload an object. */
        resp_status = oss_put_object_from_file_by_url(oss_client_options, &url, &file, headers, &resp_headers);
        if (aos_status_is_ok(resp_status)) {
            printf("put objects by signed url succeeded\n");
        } else {
            printf("put objects by signed url failed\n");
        }
        /* Release the memory pool. The memory allocated to various resources used for the request is released. */
        aos_pool_destroy(pool);
        /* Release the allocated global resources. */
        aos_http_io_deinitialize();
        return 0;
    }
  • Use a signed URL to download an object

    The following code provides an example on how to download a specified object by using a signed URL:

    #include "oss_api.h"
    #include "aos_http_io.h"
    const char *endpoint = "<yourEndpoint>";
    const char *access_key_id = "<yourAccessKeyId>";
    const char *access_key_secret = "<yourAccessKeySecret>";
    const char *bucket_name = "<yourBucketName>";
    const char *object_name = "<yourObjectName>";
    const char *local_filename = "<yourLocalFilename>";
    void init_options(oss_request_options_t *options)
    {
        options->config = oss_config_create(options->pool);
        /* Use a char* string to initialize the aos_string_t data type. */
        aos_str_set(&options->config->endpoint, endpoint);
        aos_str_set(&options->config->access_key_id, access_key_id);
        aos_str_set(&options->config->access_key_secret, access_key_secret);
        /* Specify whether to use CNAME to access OSS. A value of 0 indicates that CNAME is not used. */
        options->config->is_cname = 0;
        /* Configure network parameters such as the timeout period. */
        options->ctl = aos_http_controller_create(options->pool, 0);
    }
    int main(int argc, char *argv[])
    {
        /* Call aos_http_io_initialize in main() to initialize global resources such as the network and memory. */
        if (aos_http_io_initialize(NULL, 0) != AOSE_OK) {
            exit(1);
        }
        /* Create a memory pool to manage memory. aos_pool_t is equivalent to apr_pool_t. The code to create a memory pool is included in the APR library. */
        aos_pool_t *pool;
        /* Create a memory pool. The second parameter is NULL. This parameter indicates that the pool does not inherit any other memory pool. */
        aos_pool_create(&pool, NULL);
        /* Create and initialize options. This parameter includes global configuration information such as endpoint, access_key_id, access_key_secret, is_cname, and curl. */
        oss_request_options_t *oss_client_options;
        /* Allocate a memory chunk in the memory pool to options. */
        oss_client_options = oss_request_options_create(pool);
        /* Call oss_client_options to initialize the client options. */
        init_options(oss_client_options);
        /* Initialize the parameters. */
        aos_string_t bucket;
        aos_string_t object;
        aos_string_t file;
        aos_table_t *headers = NULL;
        aos_table_t *params = NULL;
        aos_table_t *resp_headers = NULL; 
        aos_status_t *resp_status = NULL; 
        aos_http_request_t *req;
        apr_time_t now;
        char *url_str;
        aos_string_t url;
        int64_t expire_time; 
        int one_hour = 3600;
        aos_str_set(&bucket, bucket_name);
        aos_str_set(&object, object_name);
        aos_str_set(&file, local_filename);
        expire_time = now / 1000000 + one_hour;
        headers = aos_table_make(pool, 0);
        params = aos_table_make(pool, 0);
        req = aos_http_request_create(pool);
        req->method = HTTP_GET;
        now = apr_time_now(); /* Unit: microseconds */
        expire_time = now / 1000000 + one_hour;
        /* Generate a signed URL. */
        url_str = oss_gen_signed_url(oss_client_options, &bucket, &object, expire_time, req);
        aos_str_set(&url, url_str);
        /* Use the signed URL to download the object. */
        resp_status = oss_get_object_to_file_by_url(oss_client_options, &url, headers, params, &file, &resp_headers);
        if (aos_status_is_ok(resp_status)) {
            printf("get object succeeded\n");
        } else {
            printf("get object failed\n");
        }
        /* Release the memory pool. The memory allocated to various resources used for the request is released. */
        aos_pool_destroy(pool);
        /* Release the allocated global resources. */
        aos_http_io_deinitialize();
        return 0;
    }