This topic explains how to use STS and a signed URL to grant temporary access to OSS resources.
Since both STS temporary accounts and signed URLs have a validity period, when using an STS temporary account to generate a signed URL for operations such as uploading or downloading files, the shorter validity period prevails. For instance, if the STS temporary account's validity period is 1200 seconds and the signed URL's is 3600 seconds, the signed URL cannot be used to upload files after 1200 seconds.
Usage notes
In this topic, the public endpoint of the China (Hangzhou) region is used. If you want to access OSS from other Alibaba Cloud services in the same region as OSS, use an internal endpoint. For more information about OSS regions and endpoints, see Regions and endpoints.
In this topic, an OSSClient instance is created by using an OSS endpoint. If you want to create an OSSClient instance by using custom domain names or Security Token Service (STS), see Initialization.
Use STS for temporary authorization
Alibaba Cloud STS enables you to grant temporary access to OSS. STS is a web service that issues temporary access tokens to cloud computing users. With STS, you can provide a third-party application or a RAM user you manage with an access credential that has a specified validity period and permissions. For more information about STS, see What is STS.
STS offers the following advantages:
- You can avoid exposing your AccessKey pair to a third-party application by generating an access token and sending it to the application. This token can have specific access permissions and a set validity period.
- There's no need to manually revoke an access token's permissions; it automatically expires once the validity period ends.
To access OSS with temporary credentials provided by STS, follow these steps:
- Obtain temporary access credentials
Temporary access credentials include an AccessKey pair and a security token. An AccessKey pair comprises an AccessKey ID and an AccessKey secret. The minimum validity period for temporary credentials is 900 seconds, and the maximum is determined by the current role's maximum session duration. For more details, see Set the Maximum Session Duration for a RAM Role.
You can obtain temporary access credentials in either of the following ways:
  - Method 1: Call the AssumeRole operation of the STS service.
  - Method 2: Use an STS SDK. For more information, see STS SDK overview.
- Sign a request with the STS credentials
Use a signed URL for temporary authorization
Precautions
When you use an OSS SDK to generate a signed URL, the OSS SDK uses a specific algorithm based on the key information stored in the local computer to calculate a signature and adds the signature to a URL to ensure the validity and security of the URL. The operations performed to calculate and construct the URL are completed on the client. You do not need to send requests to the server over the network. This way, you do not need to grant specific permissions to the caller when you generate the signed URL. However, to allow third-party users to perform relevant operations on the resources authorized by the signed URL, you must make sure that the principal that calls the API operations to generate the signed URL has the corresponding permissions.
For example, if a principal wants to upload an object by using a signed URL, you must grant the oss:PutObject permission to the principal. If a principal wants to download or preview an object by using a signed URL, you must grant the oss:GetObject permission to the principal.
You can generate a signed URL and provide the URL to a visitor for temporary access. When you generate a signed URL, you can specify the validity period of the URL to limit the period of time during which the visitor can access specific data.
To generate a signed URL that is used to access resources over HTTPS, set the protocol in the endpoint to HTTPS.
The signed URL generated by using the following sample code may contain a plus sign (+). In this case, replace the plus sign (+) in the URL with %2B. Otherwise, the signed URL may not be used to access the object as expected.
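As an added example (not the SDK's or the page's own code), the following stand-alone Python builds a V1-style signed URL from STS credentials, percent-encodes the signature so that a plus sign becomes %2B, and checks a URL against the shorter of the two validity periods described above. The string-to-sign layout is an assumption modelled on the V1 scheme, and the endpoint, bucket, object key and credentials are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

ISSUED_AT = 1_700_000_000  # constructed issue time (Unix seconds)


def effective_expiry(sts_expires_at: int, url_expires_at: int) -> int:
    """Unix time after which a signed URL made with STS credentials stops working:
    whichever of the two validity periods (STS credential, signed URL) ends first."""
    return min(sts_expires_at, url_expires_at)


def sign_v1(secret: str, verb: str, bucket: str, key: str, expires: int, token: str) -> str:
    """Base64(HMAC-SHA1) over an assumed V1-style string to sign:
    VERB, Content-MD5, Content-Type, Expires, canonicalized resource (with security-token).
    Base64 output can contain '+', which is why the URL must encode the signature."""
    resource = f"/{bucket}/{key}?security-token={token}"
    string_to_sign = f"{verb}\n\n\n{expires}\n{resource}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_signed_url(endpoint, bucket, key, ak_id, secret, token, expires, verb="PUT"):
    """Assemble the signed URL; every query value is percent-encoded (safe=''), so
    '+' becomes '%2B' and '/' becomes '%2F' and the signature survives parsing."""
    sig = sign_v1(secret, verb, bucket, key, expires, token)
    params = {"OSSAccessKeyId": ak_id, "Expires": str(expires),
              "security-token": token, "Signature": sig}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"https://{bucket}.{endpoint}/{quote(key)}?{query}"


def url_usable_at(url: str, sts_expires_at: int, now: int) -> bool:
    """True if the URL is still valid at 'now' under the stricter of the two deadlines."""
    expires = int(parse_qs(urlsplit(url).query)["Expires"][0])
    return now < effective_expiry(sts_expires_at, expires)


def decoded_signature(url: str) -> str:
    """What a URL parser sees as the Signature value (a raw '+' decodes to a space)."""
    return parse_qs(urlsplit(url).query)["Signature"][0]


def example_url() -> str:
    # Constructed placeholder credentials; STS key IDs start with "STS." in practice.
    return build_signed_url("oss-cn-hangzhou.aliyuncs.com", "examplebucket",
                            "dir/exampleobject.txt", "STS.placeholder-id",
                            "placeholder-secret", "placeholder-token", ISSUED_AT + 3600)
```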