Updated on 2024-04-26 GMT+08:00

Using a Temporary URL for Authorized Access

If you have any questions during development, post them on the Issues page of GitHub. For details about parameters and usage of each API, see the API Reference.

ObsClient allows you to create a URL whose Query parameters are carried with authentication information by specifying the AK and SK, HTTP method, and request parameters. You can provide other users with this URL for temporary access. When generating a URL, you need to specify the validity period of the URL to restrict the access duration of visitors.

If you want to grant other users the permission to perform other operations on buckets or objects (for example, upload or download objects), generate a URL with the corresponding request (for example, to upload an object using the URL that generates the PUT request) and provide the URL for other users.

The following table lists operations can be performed through a signed URL.

Operation

HTTP Method

Special Operator (Sub-resource)

Bucket Name Required

Object Name Required

GET Objects

GET

N/A

Yes

No

GET Object versions

GET

versions

Yes

No

List Multipart uploads

GET

uploads

Yes

No

Obtain Bucket Metadata

HEAD

N/A

Yes

No

GET Bucket location

GET

location

Yes

No

GET Bucket storageinfo

GET

storageinfo

Yes

No

PUT Bucket quota

PUT

quota

Yes

No

GET Bucket quota

GET

quota

Yes

No

Set Bucket storagePolicy

PUT

storagePolicy

Yes

No

GET Bucket storagePolicy

GET

storagePolicy

Yes

No

PUT Bucket acl

PUT

acl

Yes

No

GET Bucket acl

GET

acl

Yes

No

PUT Bucket logging

PUT

logging

Yes

No

GET Bucket logging

GET

logging

Yes

No

PUT Bucket policy

PUT

policy

Yes

No

GET Bucket policy

GET

policy

Yes

No

DELETE Bucket policy

DELETE

policy

Yes

No

PUT Bucket lifecycle

PUT

lifecycle

Yes

No

GET Bucket lifecycle

GET

lifecycle

Yes

No

DELETE Bucket lifecycle

DELETE

lifecycle

Yes

No

PUT Bucket website

PUT

website

Yes

No

GET Bucket website

GET

website

Yes

No

DELETE Bucket website

DELETE

website

Yes

No

PUT Bucket versioning

PUT

versioning

Yes

No

GET Bucket versioning

GET

versioning

Yes

No

GET Bucket cors

GET

cors

Yes

No

DELETE Bucket cors

DELETE

cors

Yes

No

PUT Bucket tagging

PUT

tagging

Yes

No

GET Bucket tagging

GET

tagging

Yes

No

DELETE Bucket tagging

DELETE

tagging

Yes

No

PUT Object

PUT

N/A

Yes

Yes

Append Object

POST

append

Yes

Yes

GET Object

GET

N/A

Yes

Yes

PUT Object - Copy

PUT

N/A

Yes

Yes

DELETE Object

DELETE

N/A

Yes

Yes

DELETE Objects

POST

delete

Yes

Yes

Obtain Object Metadata

HEAD

N/A

Yes

Yes

PUT Object acl

PUT

acl

Yes

Yes

GET Object acl

GET

acl

Yes

Yes

Initiate Multipart Upload

POST

uploads

Yes

Yes

PUT Part

PUT

N/A

Yes

Yes

PUT Part - Copy

PUT

N/A

Yes

Yes

List Parts

GET

N/A

Yes

Yes

Complete Multipart Upload

POST

N/A

Yes

Yes

DELETE Multipart upload

DELETE

N/A

Yes

Yes

POST Object restore

POST

restore

Yes

Yes

To access OBS using a temporary URL generated by the OBS BrowserJS SDK, perform the following steps:

  1. Call ObsClient.createSignedUrlSync to generate a signed URL.
  2. Use any HTTP library to make an HTTP/HTTPS request to OBS.

If a CORS or signature mismatch error occurs, refer to the following steps to troubleshoot the issue:

  1. If CORS is not configured, you need to configure CORS rules on OBS Console. For details, see Configuring CORS.
  2. If the signatures do not match, check whether signature parameters are correct by referring to Authentication of Signature in a URL. For example, during an object upload, the backend uses Content-Type to calculate the signature and generate an authorized URL, but if Content-Type is not set or is set to an incorrect value when the frontend uses the authorized URL, a CORS error occurs. To avoid this issue, ensure that Content-Type fields at both the frontend and backend are kept consistent.

The following content provides examples of accessing OBS using a temporary URL, including object upload, download, listing, and deletion.

Uploading an Object

// Create an instance of ObsClient.
var obsClient = new ObsClient({
    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables AccessKeyID and SecretAccessKey.
    // The front-end code does not have the process environment variable, so you need to use a module bundler like webpack to define the process variable.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
    access_key_id: process.env.AccessKeyID,
    secret_access_key: process.env.SecretAccessKey,
    // Replace the example endpoint with the actual one in your case.
    server: 'https://obs.eu-west-101.myhuaweicloud.eu'
});
//Make a PUT request to upload an object.
var bucketName = 'bucketname';
var objectKey = 'objectname';
var method = 'PUT';
var headers = {
       'Content-Type' : 'text/plain'
}
var res = obsClient.createSignedUrlSync({
       Method : method,
       Bucket : bucketName,
       Key : objectKey,
       Expires : 3600,
       Headers : headers
});
var content = 'Hello OBS';

var reopt = {
       method : method,
       url : res.SignedUrl,
       withCredentials: false, 
       headers : res.ActualSignedRequestHeaders || {},
       validateStatus: function(status){
              return status >= 200;
       },
       maxRedirects : 0,
       responseType : 'text',
       data : content,
};

axios.request(reopt).then(function (response) {
       if(response.status < 300){                     
              console.log('Creating object using temporary signature succeed.');              
       }else{                     
              console.log('Creating object using temporary signature failed!');                     
              console.log('status:' + response.status);                     
              console.log('\n');              
       }              
       console.log(response.data);              
       console.log('\n');
}).catch(function (err) {
       console.log('Creating object using temporary signature failed!');       
       console.log(err);       
       console.log('\n');
});

Downloading an Object

// Create an instance of ObsClient.
var obsClient = new ObsClient({
    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables AccessKeyID and SecretAccessKey.
    // The front-end code does not have the process environment variable, so you need to use a module bundler like webpack to define the process variable.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
    access_key_id: process.env.AccessKeyID,
    secret_access_key: process.env.SecretAccessKey,
    // Replace the example endpoint with the actual one in your case.
    server: 'https://obs.eu-west-101.myhuaweicloud.eu'
});

//Make a GET request to download an object.
var bucketName = 'bucketname';
var objectKey = 'objectname';
var method = 'GET';

var res = obsClient.createSignedUrlSync({
       Method : method,
       Bucket : bucketName,
       Key : objectKey,
       Expires : 3600,
});

var reopt = {
       method : method,
       url : res.SignedUrl,
       withCredentials: false, 
       headers : res.ActualSignedRequestHeaders || {},
       validateStatus: function(status){
              return status >= 200;
       },
       maxRedirects : 0,
       responseType : 'text',
};

axios.request(reopt).then(function (response) {
       if(response.status < 300){                     
              console.log('Getting object using temporary signature succeed.');              
       }else{                     
              console.log('Getting object using temporary signature failed!');                     
              console.log('status:' + response.status);                     
              console.log('\n');              
       }              
       console.log(response.data);              
       console.log('\n');
}).catch(function (err) {
       console.log('Getting object using temporary signature failed!');       
       console.log(err);       
       console.log('\n');
});

Listing Objects

// Create an instance of ObsClient.
var obsClient = new ObsClient({
    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables AccessKeyID and SecretAccessKey.
    // The front-end code does not have the process environment variable, so you need to use a module bundler like webpack to define the process variable.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
    access_key_id: process.env.AccessKeyID,
    secret_access_key: process.env.SecretAccessKey,
    // Replace the example endpoint with the actual one in your case.
    server: 'https://obs.eu-west-101.myhuaweicloud.eu'
});

// Make a GET request to obtain the object list.
var bucketName = 'bucketname';
var method = 'GET';

var res = obsClient.createSignedUrlSync({
       Method : method,
       Bucket : bucketName,
       Expires : 3600,
});

var reopt = {
       method : method,
       url : res.SignedUrl,
       withCredentials: false, 
       headers : res.ActualSignedRequestHeaders || {},
       validateStatus: function(status){
              return status >= 200;
       },
       maxRedirects : 0,
       responseType : 'text',
};

axios.request(reopt).then(function (response) {
       if(response.status < 300){                     
              console.log('Listing object using temporary signature succeed.');              
       }else{                     
              console.log('Listing object using temporary signature failed!');                     
              console.log('status:' + response.status);                     
              console.log('\n');              
       }              
       console.log(response.data);              
       console.log('\n');
}).catch(function (err) {
       console.log('Listing object using temporary signature failed!');       
       console.log(err);       
       console.log('\n');
});

Deleting an Object

// Create an instance of ObsClient.
var obsClient = new ObsClient({
    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables AccessKeyID and SecretAccessKey.
    // The front-end code does not have the process environment variable, so you need to use a module bundler like webpack to define the process variable.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
    access_key_id: process.env.AccessKeyID,
    secret_access_key: process.env.SecretAccessKey,
    // Replace the example endpoint with the actual one in your case.
    server: 'https://obs.eu-west-101.myhuaweicloud.eu'
});

// Make a DELETE request to delete the object.
var bucketName = 'bucketname';
var objectKey = 'objectname';
var method = 'DELETE';

var res = obsClient.createSignedUrlSync({
       Method : method,
       Bucket : bucketName,
       Key : objectKey,
       Expires : 3600,
});

var reopt = {
       method : method,
       url : res.SignedUrl,
       withCredentials: false, 
       headers : res.ActualSignedRequestHeaders || {},
       validateStatus: function(status){
              return status >= 200;
       },
       maxRedirects : 0,
       responseType : 'text',
};

axios.request(reopt).then(function (response) {
       if(response.status < 300){                     
              console.log('Deleting object using temporary signature succeed.');              
       }else{                     
              console.log('Deleting object using temporary signature failed!');                     
              console.log('status:' + response.status);                     
              console.log('\n');              
       }              
       console.log(response.data);              
       console.log('\n');
}).catch(function (err) {
       console.log('Deleting object using temporary signature failed!');       
       console.log(err);       
       console.log('\n');
});

Initiating a Multipart Upload

// Create an instance of ObsClient.
var obsClient = new ObsClient({
    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables AccessKeyID and SecretAccessKey.
    // The front-end code does not have the process environment variable, so you need to use a module bundler like webpack to define the process variable.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
    access_key_id: process.env.AccessKeyID,
    secret_access_key: process.env.SecretAccessKey,
    // Replace the example endpoint with the actual one in your case.
    server: 'https://obs.eu-west-101.myhuaweicloud.eu'
});

// Make a POST request to initiate the multipart upload.
var bucketName = 'bucketname';
var objectKey = 'objectname';
var method = 'POST';

var res = obsClient.createSignedUrlSync({
       Method : method,
       Bucket : bucketName,
       Key : objectKey,
       Expires : 3600,
       SpecialParam: "uploads"
});

var reopt = {
       method : method,
       url : res.SignedUrl,
       withCredentials: false, 
       headers : res.ActualSignedRequestHeaders || {},
       validateStatus: function(status){
              return status >= 200;
       },
       maxRedirects : 0,
       responseType : 'text',
};

axios.request(reopt).then(function (response) {
       if(response.status < 300){                     
              console.log('Initiate multipart upload using temporary signature succeed.');              
       }else{                     
              console.log('Initiate multipart upload using temporary signature failed!');                     
              console.log('status:' + response.status);                     
              console.log('\n');              
       }              
       console.log(response.data);              
       console.log('\n');
}).catch(function (err) {
       console.log('Initiate multipart upload using temporary signature failed!');       
       console.log(err);       
       console.log('\n');
});

Uploading a Part

// Create an ObsClient instance.
var obsClient = new ObsClient({
    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables AccessKeyID and SecretAccessKey.
    // The front-end code does not have the process environment variable, so you need to use a module bundler like webpack to define the process variable.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
    access_key_id: process.env.AccessKeyID,
    secret_access_key: process.env.SecretAccessKey,
    // Replace the example endpoint with the actual one in your case.
    server: 'https://obs.eu-west-101.myhuaweicloud.eu'
});

// Make a PUT request to upload a part.
var bucketName = 'bucketname';
var objectKey = 'objectname';
var method = 'PUT';
var headers = {
       'Content-Type' : 'text/plain'
}

var res = obsClient.createSignedUrlSync({
       Method : method,
       Bucket : bucketName,
       Key : objectKey,
       Expires : 3600,
       Headers: headers
       QueryParams: {
           // Specify the part number.
           'partNumber': '1',
           // Specify the ID of the multipart upload, which is returned in the response for initiating the multipart upload.
           'uploadId': '000001648453845DBB78F2340DD4*****',          
       }
});

var content = 'Hello OBS';

var reopt = {
       method : method,
       url : res.SignedUrl,
       withCredentials: false, 
       headers : res.ActualSignedRequestHeaders || {},
       validateStatus: function(status){
              return status >= 200;
       },
       maxRedirects : 0,
       responseType : 'text',
       data : content,
};

axios.request(reopt).then(function (response) {
       if(response.status < 300){                     
              console.log('Upload part using temporary signature succeed.');              
       }else{                     
              console.log('Upload part using temporary signature failed!');                     
              console.log('status:' + response.status);                     
              console.log('\n');              
       }              
       console.log(response.data);              
       console.log('\n');
}).catch(function (err) {
       console.log('Upload part upload using temporary signature failed!');       
       console.log(err);       
       console.log('\n');
});

Assembling Parts

// Create an ObsClient instance.
var obsClient = new ObsClient({
    // Hard-coded or plaintext AK/SK are risky. For security purposes, encrypt your AK/SK and store them in the configuration file or environment variables. In this example, the AK/SK are stored in environment variables for identity authentication. Before running this example, configure environment variables AccessKeyID and SecretAccessKey.
    // The front-end code does not have the process environment variable, so you need to use a module bundler like webpack to define the process variable.
    // Obtain an AK/SK pair on the management console. For details, see https://support.huaweicloud.com/eu/usermanual-ca/ca_01_0003.html.
    access_key_id: process.env.AccessKeyID,
    secret_access_key: process.env.SecretAccessKey,
    // Replace the example endpoint with the actual one in your case.
    server: 'https://obs.eu-west-101.myhuaweicloud.eu'
});

// Make a POST request to assemble the uploaded parts.
var bucketName = 'bucketname';
var objectKey = 'objectname';
var method = 'POST';
var headers = {
       'Content-Type' : 'application/xml'
}

var res = obsClient.createSignedUrlSync({
       Method : method,
       Bucket : bucketName,
       Key : objectKey,
       Expires : 3600,
       Headers: headers,
       QueryParams: {
           // Specify the ID of the multipart upload, which is returned in the response for initiating the multipart upload.
           'uploadId': '000001648453845DBB78F2340DD4*****',          
       }
});

var content = "<CompleteMultipartUpload>";
content += "<Part>";
content += "<PartNumber>1</PartNumber>";
content += "<ETag>da6a0d097e307ac52ed9b4ad551801fc</ETag>";
content += "</Part>";
content += "<Part>";
content += "<PartNumber>2</PartNumber>";
content += "<ETag>da6a0d097e307ac52ed9b4ad551801fc</ETag>";
content += "</Part>";
content += "</CompleteMultipartUpload>";

var reopt = {
       method : method,
       url : res.SignedUrl,
       withCredentials: false, 
       headers : res.ActualSignedRequestHeaders || {},
       validateStatus: function(status){
              return status >= 200;
       },
       maxRedirects : 0,
       responseType : 'text',
       data : content,
};

axios.request(reopt).then(function (response) {
       if(response.status < 300){                     
              console.log('Complete multipart upload using temporary signature succeed.');              
       }else{                     
              console.log('Complete multipart upload using temporary signature failed!');                     
              console.log('status:' + response.status);                     
              console.log('\n');              
       }              
       console.log(response.data);              
       console.log('\n');
}).catch(function (err) {
       console.log('Complete multipart upload using temporary signature failed!');       
       console.log(err);       
       console.log('\n');
});
  1. Use the Method parameter to specify the HTTP request method, the Expires parameter to specify the validity period of the URL, the Headers parameter to specify the request headers, the SpecialParam parameter to specify the special operators, and the QueryParams parameter to specify the query parameters.
  2. ActualSignedRequestHeaders in the response to a backend URL request may carry Host, which is not required for a browser-based upload. You need to delete Host from ActualSignedRequestHeaders. Otherwise, an error is reported.