Help Center > Object Storage Service > API Reference > Authenticating a Request > V2 Temporarily Authorized Requests

V2 Temporarily Authorized Requests

In OBS, registered and activated users can use their accounts to construct a URL for a specific operation. Such a URL contains the authentication information, and all users that have this URL can perform this specific operation. With temporary authorization for an object, all users that have the URL can download the object. The URL is valid only before the time specified by Expires. After a user issues temporary authorization but does not provide this user's secret access key, other users can use this user's identity to perform the operations defined by this user.

V2 temporarily authorized requests are in the following format:

GET /ObjectKey?AWSAccessKeyId=AccessKeyID&Expires=ExpiresValue&Signature=signature HTTP/1.1
Host: bucketname.obs.cn-north-1.myhwclouds.com

The required authentication elements are specified as query string parameters, as described in Table 1.

Table 1 Temporarily authorized request parameters

Parameter

Description

Required or Optional

AWSAccessKeyId

Indicates the AK of the permission grantor.

Type: string

Required

Expires

Indicates the time (expressed in seconds) when the temporarily authorized URL expires. The time must be in Coordinated Universal Time (UTC) format and later than 00:00:00 on January 1, 1970.

Type: string

Required

Signature

Indicates the signature generated using the SK and parameter Expires.

Type: string

Required

The temporarily authorized signature algorithm differs from the authorization header in the following aspects:

  • The signature is both Base64 and URL encoded.
  • Expires in StringToSign corresponds to Date in authorization information.
StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expire + "\n" + CanonicalizedOBSHeaders + CanonicalizedResource

Signature = URL-Encode(Base64( HMAC-SHA1( UTF-8-Encoding-Of(YourSecretAccessKeyID, StringToSign ) ) ))
Registration