Object Storage Service: sign

Last Updated: Aug 19, 2024

By default, the access control list (ACL) of an object in an Object Storage Service (OSS) bucket is private. Only the object owner has the permissions to access the object. However, the object owner can run the sign command to generate and share the signed URL of the object with third-party users. Access credentials are used to generate a signed URL and authorize third-party users to download or preview the object within a specific period of time.

Important
  • Third-party users can use the signed URL to access the object, regardless of whether the ACL of the object is public-read or private and whether a bucket policy or RAM policy is configured to authorize the third-party users to access the object.

  • For ossutil V1.6.16 and later, you can directly use ossutil as the binary name in the command line. You do not need to update the binary name based on the system. For ossutil earlier than V1.6.16, you must specify a binary name that corresponds to the system. For more information, see ossutil command reference.

Command syntax

    ossutil sign cloud_url
    [--timeout <value>]
    [--version-id <value>]
    [--trafic-limit <value>]
    [--disable-encode-slash]
    [--payer <value>]
    [--query-param <value>]

The following table describes the parameters and options in the syntax.

| Parameter/Option | Description |
| --- | --- |
| cloud_url | The full path to the object, with the bucket name included. |
| --timeout | The validity period of the signed URL. Unit: seconds. Default value: 60. Important: The sum of the current timestamp and the validity period of the signed URL cannot exceed 9223372036854775807. If the sum exceeds the preceding value, an error is reported. For example, if the current timestamp is 1643341269, the validity period of the signed URL cannot exceed 9223372035211434538. |
| --version-id | The version ID of the object for which you want to generate a signed URL. This parameter applies only to objects in buckets for which versioning is enabled or suspended. |
| --trafic-limit | The maximum speed to access the object over HTTP by using the signed URL. Unit: bit/s. The default value of this parameter is 0, which specifies that the access speed is not limited. Valid values: 819200 to 838860800 (100 KB/s to 100 MB/s). |
| --disable-encode-slash | Specifies that forward slashes (/) contained in the value of cloud_url are not encoded. |
| --payer | The payer of the fees that are generated by the operation. If you want the requester who accesses the resources in the specified path to pay fees that are generated by the request, set this option to requester. |
| --query-param | The query parameters in the request. You can specify multiple query parameters in a request. For example, you can specify image processing (IMG) parameters as query parameters. --query-param supports the following parameters: x-oss-process, response-content-type, x-oss-traffic-limit, response-content-language, response-expires, response-cache-control, response-content-disposition, response-content-encoding, x-oss-ac-source-ip, x-oss-ac-subnet-mask, x-oss-ac-vpc-id, and x-oss-ac-forward-allow. For more information about the parameters, see Create a signed URL by using signature V1 and GetObject. Note: The --query-param parameter is available only in ossutil V1.7.15 or later. |

Examples

  • You can run the following command to generate a signed URL for an object named exampleobject.png in a bucket named examplebucket. In this example, the validity period of the URL is the default value, which is 60 seconds.

    ossutil sign oss://examplebucket/exampleobject.png
  • You can run the following command to generate a signed URL for an object named exampleobject.png in a bucket named examplebucket. In this example, the validity period of the URL is set to 3,600 seconds.

    ossutil sign oss://examplebucket/exampleobject.png --timeout 3600
  • You can run the following command to generate a signed URL for an object named exampleobject.png in a bucket named examplebucket. In this example, the validity period of the URL is set to 7,200 seconds, and the maximum speed to access the object over HTTP by using the signed URL is set to 100 MB/s.

    ossutil sign oss://examplebucket/exampleobject.png --timeout 7200 --trafic-limit 838860800
  • You can run the following command to generate a signed URL for the specified version of an object named exampleobject.jpg in a bucket named examplebucket. In this example, the validity period of the URL is set to 1,800 seconds.

    ossutil sign oss://examplebucket/exampleobject.jpg --timeout 1800 --version-id CAEQARiBgID8rumR2hYiIGUyOTAyZGY2MzU5MjQ5ZjlhYzQzZjNlYTAyZDE3****
  • You can run the following command to resize an image object named exampleobject.jpg in the examplebucket bucket to a width of 100 pixels and a height of 100 pixels, rotate the image by 90 degrees, and generate a signed URL for the processed image:

    ossutil sign oss://examplebucket/exampleobject.jpg --query-param x-oss-process:image/resize,m_fixed,w_100,h_100/rotate,90
  • You can run the following command to resize an image object named exampleobject.jpg in the examplebucket bucket to a width of 100 pixels and a height of 100 pixels, rotate the image by 90 degrees, set the traffic limit to 100 KB/s (819200 bit/s), and generate a signed URL for the processed image:

    ossutil sign oss://examplebucket/exampleobject.jpg --query-param x-oss-process:image/resize,m_fixed,w_100,h_100/rotate,90 --query-param x-oss-traffic-limit:819200
  • After the preceding commands are successful, output is similar to the following content. The output includes the time used to generate the signed URL, the validity period of the URL, and the signature information in the URL:

    https://examplebucket.oss-cn-hangzhou.aliyuncs.com/exampleobject.png?Expires=1608282224&OSSAccessKeyId=LTAI4G33piUmgRN1DXx9****&Signature=jo4%2FGykfuc1A4fvyvKRpRyymYH****
    0.368676(s) elapsed
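
Because a signed URL grants access regardless of the object ACL or any bucket or RAM policy, it is worth checking its remaining lifetime and keeping the AccessKey ID and signature out of logs before the URL is shared. The following Python code is an added example, not part of the original documentation or of ossutil; the function names, the `max_ttl` policy limit and the sample values are assumptions made for illustration.

```python
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query fields that appear in the sample output above; both are redacted for logs.
SENSITIVE = ("OSSAccessKeyId", "Signature")


def extract_url(ossutil_output):
    """Return the URL line of `ossutil sign` output, skipping the elapsed-time line."""
    for line in ossutil_output.splitlines():
        line = line.strip()
        if line.startswith(("https://", "http://")):
            return line
    raise ValueError("no signed URL found in output")


def inspect_signed_url(url, max_ttl=3600, now=None):
    """Return (remaining_seconds, within_policy, redacted_url).

    max_ttl is a hypothetical local policy limit, not an OSS setting.
    """
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    fields = dict(params)
    missing = [name for name in ("Expires",) + SENSITIVE if name not in fields]
    if missing:
        raise ValueError("not a signed URL, missing: " + ", ".join(missing))
    remaining = int(fields["Expires"]) - now  # Expires is a Unix timestamp
    within_policy = 0 < remaining <= max_ttl
    # Keep Expires and any processing parameters, hide the credential material.
    redacted = [(k, "REDACTED" if k in SENSITIVE else v) for k, v in params]
    return remaining, within_policy, urlunsplit(parts._replace(query=urlencode(redacted)))


# Constructed sample in the shape of the output shown above (not real credentials).
SAMPLE_OUTPUT = (
    "https://examplebucket.oss-cn-hangzhou.aliyuncs.com/exampleobject.png"
    "?Expires=1608282224&OSSAccessKeyId=EXAMPLEKEYID&Signature=abc%2Fdef%3D\n"
    "0.368676(s) elapsed\n"
)

if __name__ == "__main__":
    url = extract_url(SAMPLE_OUTPUT)
    # Evaluate the URL as if it were checked 60 seconds before it expires.
    print(inspect_signed_url(url, max_ttl=3600, now=1608282224 - 60))
```

The redacted URL is intended for logs and tickets only; it is re-encoded and no longer carries a valid signature.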

Common options

If you use ossutil to switch to a bucket that is located in another region, add the -e option to specify the endpoint of the region in which the bucket is located. If you use ossutil to switch to a bucket that belongs to another Alibaba Cloud account, add the -i option to specify the AccessKey ID of the specified account, and add the -k option to specify the AccessKey secret of the specified account.

For example, you can run the following command to generate a signed URL for an object named exampletest.jpg in a bucket named testbucket, which is located in the China (Shanghai) region and owned by another Alibaba Cloud account. In this example, the validity period of the URL is set to 3,600 seconds.

    ossutil sign oss://testbucket/exampletest.jpg --timeout 3600 -e oss-cn-shanghai.aliyuncs.com -i LTAI4Fw2NbDUCV8zYUzA**** -k 67DLVBkH7EamOjy2W5RVAHUY9H****

For more information about common options, see Common options.