This topic describes how to authorize temporary access to Object Storage Service (OSS) by using Security Token Service (STS) or a signed URL.
Use STS for temporary access authorization
You can use Alibaba Cloud STS to authorize temporary access to OSS. STS is a web service that provides temporary access tokens for users. You can use STS to grant a set of temporary access credentials that have a custom validity period and custom permissions to a third-party application or a RAM user managed by you. For more information about STS, see What is STS?
STS provides the following benefits:
- You only need to generate an access token and send it to the third-party application, instead of exposing your AccessKey pair to that application. You define the access permissions and the validity period of the token.
- The token automatically expires at the end of its validity period, so you do not need to manually revoke the access permissions that it grants.
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\OssClient;
use OSS\Core\OssException;
// Specify the temporary AccessKey pair obtained from STS. The AccessKey pair consists of an AccessKey ID and an AccessKey secret.
$accessKeyId = "yourAccessKeyId";
$accessKeySecret = "yourAccessKeySecret";
// Specify the security token obtained from STS.
$securityToken = "yourSecurityToken";
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
$endpoint = "yourEndpoint";
// Specify the name of the bucket.
$bucket = "examplebucket";
// Specify the full path of the object. The full path of the object cannot contain the bucket name.
$object = "exampleobject.txt";
// Specify the string that you want to upload.
$content = "Hello OSS";
try {
    // The fifth constructor argument passes the STS security token along with the temporary AccessKey pair.
    $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false, $securityToken);
    // Upload the string to the object by using the temporary access credentials obtained from STS.
    $ossClient->putObject($bucket, $object, $content);
} catch (OssException $e) {
    print $e->getMessage();
}
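The two properties the section relies on, custom permissions and a bounded validity period, are only useful if the application actually scopes the token and stops using it before it expires. The following is an added example (not code from the OSS documentation or the OSS PHP SDK) that builds a least-privilege STS policy document for a single object and constructs the OssClient only from a credential that still has a safety margin of validity left. The function that performs the STS AssumeRole call is supplied by the caller as $assumeRole and is an assumption here; its return value is assumed to be an array with the keys AccessKeyId, AccessKeySecret, SecurityToken and Expiration (ISO 8601, UTC), and the closure below returns a constructed sample credential so the file runs offline.

```php
<?php
// Added example: least-privilege STS policy plus expiry-aware client construction.
// Not part of the OSS documentation or the OSS PHP SDK.
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\OssClient;

// Build a RAM policy document that allows exactly one action on exactly one object.
// Passed to AssumeRole, it narrows the role's permissions for this token only.
function buildSingleObjectPolicy(string $bucket, string $object, string $action): string
{
    // Refuse wildcards so the token can never cover more than the caller intended.
    foreach ([$bucket, $object] as $part) {
        if ($part === '' || strpbrk($part, '*?') !== false) {
            throw new InvalidArgumentException('bucket and object must be literal names');
        }
    }
    $policy = [
        'Version'   => '1',
        'Statement' => [[
            'Effect'   => 'Allow',
            'Action'   => [$action],                          // for example "oss:PutObject"
            'Resource' => ["acs:oss:*:*:{$bucket}/{$object}"], // one object, not the bucket
        ]],
    ];
    return json_encode($policy, JSON_UNESCAPED_SLASHES);
}

// Seconds until the credential expires; negative if it has already expired.
function secondsUntilExpiry(array $cred, ?int $now = null): int
{
    $expiresAt = new DateTimeImmutable($cred['Expiration']);
    return $expiresAt->getTimestamp() - ($now ?? time());
}

// Return an OssClient backed by a credential with at least $minRemaining seconds of
// validity left, fetching a fresh one through $assumeRole (hypothetical) when needed.
function clientWithFreshCredential(callable $assumeRole, ?array &$cred, string $endpoint, int $minRemaining = 300): OssClient
{
    if ($cred === null || secondsUntilExpiry($cred) < $minRemaining) {
        $cred = $assumeRole();
    }
    // Same five-argument constructor as in the documentation: the STS token is the last argument.
    return new OssClient($cred['AccessKeyId'], $cred['AccessKeySecret'], $endpoint, false, $cred['SecurityToken']);
}

$policy = buildSingleObjectPolicy('examplebucket', 'exampleobject.txt', 'oss:PutObject');

// Constructed sample credential. A real $assumeRole would call STS AssumeRole with
// $policy and a short DurationSeconds and return the Credentials it receives.
$assumeRole = function () use ($policy): array {
    return [
        'AccessKeyId'     => 'STS.constructedSampleId',
        'AccessKeySecret' => 'constructedSampleSecret',
        'SecurityToken'   => 'constructedSampleToken',
        'Expiration'      => gmdate('Y-m-d\TH:i:s\Z', time() + 900),
    ];
};

$cred = null;
$client = clientWithFreshCredential($assumeRole, $cred, 'yourEndpoint');
// Calling again within the safety margin reuses the same credential instead of
// asking STS for a new one; after expiry it transparently refreshes.
$client = clientWithFreshCredential($assumeRole, $cred, 'yourEndpoint');
print('policy: ' . $policy . "\n");
print('seconds until expiry: ' . secondsUntilExpiry($cred) . "\n");
```

The policy is the part that limits blast radius if a token leaks: a token scoped to one object and one action cannot be used to list or read anything else, whatever the underlying RAM role allows. The refresh margin avoids handing a request to OSS with a credential that expires mid-flight.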
Use a signed URL for temporary access authorization
You can generate a signed URL and provide the URL to a visitor for temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit the period of access from visitors. By default, the validity period of a signed URL is 3,600 seconds. The maximum validity period of a signed URL is 32,400 seconds.
For the complete code that is used to authorize temporary access by using a signed URL, visit GitHub.
- Generate a signed URL to upload a string to an object
The following sample code provides an example on how to generate a signed URL for a PutObject request and use the signed URL to upload a string to an object:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Http\RequestCore;
use OSS\Http\ResponseCore;
// Specify the temporary AccessKey pair obtained from STS. The AccessKey pair consists of an AccessKey ID and an AccessKey secret.
$accessKeyId = "yourAccessKeyId";
$accessKeySecret = "yourAccessKeySecret";
// Specify the security token obtained from STS.
$securityToken = "yourSecurityToken";
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
$endpoint = "yourEndpoint";
// Specify the name of the bucket.
$bucket = "examplebucket";
// Specify the full path of the object. The full path of the object cannot contain the bucket name.
$object = "exampleobject.txt";
// Set the validity period of the signed URL to 3,600 seconds.
$timeout = 3600;
try {
    $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false, $securityToken);
    // Generate a signed URL for a PutObject request.
    $signedUrl = $ossClient->signUrl($bucket, $object, $timeout, "PUT");
} catch (OssException $e) {
    print(__FUNCTION__ . ": FAILED\n");
    // Print the message as data, not as a printf format string.
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": signedUrl: " . $signedUrl . "\n");
// Use the signed URL to upload the object.
// Specify the string that you want to upload.
$content = "Hello OSS";
$request = new RequestCore($signedUrl);
// Set the method to access the signed URL to PUT.
$request->set_method('PUT');
$request->add_header('Content-Type', '');
$request->add_header('Content-Length', strlen($content));
$request->set_body($content);
$request->send_request();
$res = new ResponseCore($request->get_response_header(), $request->get_response_body(), $request->get_response_code());
if ($res->isOK()) {
    print(__FUNCTION__ . ": OK" . "\n");
} else {
    print(__FUNCTION__ . ": FAILED" . "\n");
}
- Generate a signed URL that can be used to perform GET operations
The following sample code provides an example on how to generate a signed URL for a GET request and use the signed URL to preview or download an object:
<?php
if (is_file(__DIR__ . '/../autoload.php')) {
    require_once __DIR__ . '/../autoload.php';
}
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\OssClient;
use OSS\Core\OssException;
use OSS\Http\RequestCore;
use OSS\Http\ResponseCore;
// Specify the temporary AccessKey pair obtained from STS. The AccessKey pair consists of an AccessKey ID and an AccessKey secret.
$accessKeyId = "yourAccessKeyId";
$accessKeySecret = "yourAccessKeySecret";
// Specify the security token obtained from STS.
$securityToken = "yourSecurityToken";
// Specify the endpoint of the region in which the bucket is located. For example, if the bucket is located in the China (Hangzhou) region, set the endpoint to https://oss-cn-hangzhou.aliyuncs.com.
$endpoint = "yourEndpoint";
// Specify the name of the bucket.
$bucket = "examplebucket";
// Specify the full path of the object. The full path of the object cannot contain the bucket name.
$object = "exampleobject.txt";
// Set the validity period of the signed URL to 3,600 seconds.
$timeout = 3600;
// Generate a signed URL to preview the object. The custom domain name mapped to the bucket in which the object is stored is used for access.
$options = array(
    "response-content-disposition" => "inline",
);
// Generate a signed URL to download the object instead.
/*
$options = array(
    "response-content-disposition" => "attachment",
);
*/
try {
    $ossClient = new OssClient($accessKeyId, $accessKeySecret, $endpoint, false, $securityToken);
    $signedUrl = $ossClient->signUrl($bucket, $object, $timeout, 'GET', $options);
} catch (OssException $e) {
    print(__FUNCTION__ . ": FAILED\n");
    // Print the message as data, not as a printf format string.
    print($e->getMessage() . "\n");
    return;
}
print(__FUNCTION__ . ": signedUrl: " . $signedUrl . "\n");
// You can develop code to access the signed URL, or enter the URL in the address bar of a browser to access the object.
$request = new RequestCore($signedUrl);
// Set the method to access the signed URL to GET.
$request->set_method('GET');
$request->add_header('Content-Type', '');
$request->send_request();
$res = new ResponseCore($request->get_response_header(), $request->get_response_body(), $request->get_response_code());
if ($res->isOK()) {
    print(__FUNCTION__ . ": OK" . "\n");
} else {
    print(__FUNCTION__ . ": FAILED" . "\n");
}
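Anyone holding a signed URL can perform the signed operation until the URL expires, so the validity period is the main control the issuer has. The following is an added example (not code from the OSS documentation or the OSS PHP SDK) that bounds the requested validity by both the documented OSS maximum of 32,400 seconds and a tighter local ceiling, and then reads the expiry the generated URL actually carries before handing it out. It assumes the V1 signed URL format in which the expiry appears as a Unix timestamp in an Expires query parameter; the sample URL at the bottom is constructed and carries no real signature.

```php
<?php
// Added example: bounded signed URL validity with a post-generation check.
// Not part of the OSS documentation or the OSS PHP SDK.
if (is_file(__DIR__ . '/../vendor/autoload.php')) {
    require_once __DIR__ . '/../vendor/autoload.php';
}
use OSS\OssClient;

const OSS_SIGNED_URL_MAX_SECONDS = 32400; // maximum stated in the OSS documentation

// Clamp a requested validity to [1, ceiling], where the ceiling is the lesser of the
// OSS maximum and a local policy ceiling ($policyMax) for this kind of URL.
function boundedTimeout(int $requested, int $policyMax = 600): int
{
    $ceiling = min(OSS_SIGNED_URL_MAX_SECONDS, $policyMax);
    return max(1, min($requested, $ceiling));
}

// Read the Unix expiry timestamp from a signed URL. Assumes the V1 format
// (Expires=<unix time> in the query string); returns null if it is absent.
function signedUrlExpiry(string $url): ?int
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    if (!isset($params['Expires']) || !ctype_digit((string) $params['Expires'])) {
        return null;
    }
    return (int) $params['Expires'];
}

// True if the URL is still valid and expires within $policyMax seconds of $now.
function urlWithinPolicy(string $url, int $policyMax = 600, ?int $now = null): bool
{
    $expiresAt = signedUrlExpiry($url);
    if ($expiresAt === null) {
        return false;
    }
    $remaining = $expiresAt - ($now ?? time());
    return $remaining > 0 && $remaining <= $policyMax;
}

// Issue a download URL (attachment disposition) with bounded validity and verify
// that what the SDK produced matches the policy before returning it.
function issueDownloadUrl(OssClient $client, string $bucket, string $object, int $requested, int $policyMax = 600): string
{
    $timeout = boundedTimeout($requested, $policyMax);
    $url = $client->signUrl($bucket, $object, $timeout, 'GET', [
        'response-content-disposition' => 'attachment',
    ]);
    if (!urlWithinPolicy($url, $policyMax)) {
        throw new RuntimeException('signed URL validity does not match policy');
    }
    return $url;
}

// Offline checks on a constructed sample URL (hostname, key id, token and signature are placeholders).
$sample = 'https://examplebucket.oss-cn-hangzhou.aliyuncs.com/exampleobject.txt'
    . '?OSSAccessKeyId=STS.constructedSampleId'
    . '&Expires=' . (time() + 300)
    . '&Signature=constructedSampleSignature'
    . '&security-token=constructedSampleToken';
print('requested 86400 s, issued: ' . boundedTimeout(86400) . " s\n");
print('within 600 s policy: ' . var_export(urlWithinPolicy($sample), true) . "\n");
print('within 60 s policy: ' . var_export(urlWithinPolicy($sample, 60), true) . "\n");
print('missing Expires handled: ' . var_export(urlWithinPolicy('https://example.invalid/obj'), true) . "\n");
```

Reading the expiry back from the generated URL, rather than trusting the timeout that was passed in, catches the case where a caller or a future SDK change produces a URL with a longer life than the policy allows. A URL without an Expires parameter is treated as out of policy rather than as unlimited.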