Run the sign command to generate a signed URL for an OSS object and share it with third-party users. The URL grants time-limited access to download or preview the object, regardless of the object's access control list (ACL), bucket policy, or RAM policy.
For ossutil V1.6.16 and later, use ossutil directly as the binary name. For earlier versions, specify the binary name that matches your operating system. For details, see ossutil command reference.
Syntax
ossutil sign cloud_url
[--timeout <value>]
[--version-id <value>]
[--trafic-limit <value>]
[--disable-encode-slash]
[--payer <value>]
[--query-param <value>]Parameters
| Parameter | Description |
|---|---|
cloud_url | The full path to the object, including the bucket name. Format: oss://bucket/object |
--timeout | Validity period of the signed URL, in seconds. Default: 60. The sum of the current Unix timestamp and this value must not exceed 9223372036854775807. For example, if the current timestamp is 1643341269, the maximum value is 9223372035211434538. |
--version-id | Version ID of the object. Applies only to objects in buckets with versioning enabled or suspended. |
--trafic-limit | Maximum speed to access the object over HTTP, in bit/s. Default: 0 (no limit). Valid values: 819200-838860800 (100 KB/s-100 MB/s). |
--disable-encode-slash | Skips URL encoding of forward slashes (/) in cloud_url. |
--payer | Who pays for the request. Set to requester to enable requester-pays. |
--query-param | Additional query parameters to embed in the signed URL. Supported parameters: x-oss-process, x-oss-traffic-limit, response-content-language, response-expires, response-cache-control, response-content-disposition, response-content-encoding, x-oss-ac-source-ip, x-oss-ac-subnet-mask, x-oss-ac-vpc-id, and x-oss-ac-forward-allow. For parameter details, see Create a signed URL by using signature V1 and GetObject. Note Available in ossutil V1.7.15 and later. |
Examples
After any of the following commands succeeds, output is similar to the example below. The output includes the time used to generate the signed URL, the validity period of the URL, and the signature information in the URL:
https://examplebucket.ss-cn-hangzhou.aliyuncs.com/exampleobject.png?Expires=1608282224&OSSAccessKeyId=LTAI****************&Signature=jo4%2FGykfuc1A4fvyvKRpRyymYH****
0.368676(s) elapsedTo generate a signed URL with the default validity period
The following command generates a signed URL for exampleobject.png in examplebucket. The URL is valid for 60 seconds (default).
ossutil sign oss://examplebucket/exampleobject.pngTo generate a signed URL with a custom validity period
The following command generates a signed URL valid for 3,600 seconds.
ossutil sign oss://examplebucket/exampleobject.png --timeout 3600To generate a signed URL with a validity period and download speed limit
The following command generates a signed URL valid for 7,200 seconds, with a maximum access speed of 100 MB/s (838,860,800 bit/s).
ossutil sign oss://examplebucket/exampleobject.png --timeout 7200 --trafic-limit 838860800To generate a signed URL for a specific object version
The following command generates a signed URL for a specific version of exampleobject.jpg, valid for 1,800 seconds.
ossutil sign oss://examplebucket/exampleobject.jpg --timeout 1800 --version-id CAEQARiBgID8rumR2hYiIGUyOTAyZGY2MzU5MjQ5ZjlhYzQzZjNlYTAyZDE3****To generate a signed URL for an image with processing parameters
The following command resizes exampleobject.jpg to 100x100 pixels, rotates it 90 degrees, and generates a signed URL for the processed image.
ossutil sign oss://examplebucket/exampleobject.jpg --query-param x-oss-process:image/resize,m_fixed,w_100,h_100/rotate,90To generate a signed URL for a processed image with a speed limit
The following command applies the same image processing as above and limits the access speed to 100 KB/s (819,200 bit/s).
ossutil sign oss://examplebucket/exampleobject.jpg --query-param x-oss-process:image/resize,m_fixed,w_100,h_100/rotate,90 --query-param x-oss-traffic-limit:819200Common options
To access a bucket in a different region or under a different Alibaba Cloud account, add the following options:
| Option | Description |
|---|---|
-e | Endpoint of the region where the bucket is located |
-i | AccessKey ID of the target account |
-k | AccessKey secret of the target account |
Example: Generate a signed URL for exampletest.jpg in testbucket, located in the China (Shanghai) region and owned by a different account, with a validity period of 3,600 seconds.
ossutil sign oss://testbucket/exampletest.jpg --timeout 3600 -e oss-cn-shanghai.aliyuncs.com -i LTAI**************** -k yourAccessKeySecretFor the full list of common options, see Common options.