Every COS access request must first pass COS identification and authentication before COS operates on any resource. Depending on whether the requester's identity can be identified, COS access requests are divided into two types: anonymous requests and signed requests.
Anonymous request: if the request does not carry an Authorization field or the related parameters, or the user identity cannot be identified from them, the request is treated as an anonymous request for authentication.
Signed request: a signed request carries an Authorization field in the HTTP header or in the request packet. The content of the field is generated from your Tencent Cloud security credentials (SecretID and SecretKey) and characteristic values of the request via a signing algorithm (a keyed hash over the request; the SecretKey itself is never sent).
If you access COS with a COS SDK, you only need to configure your security credentials; the SDK signs each request for you. If you access COS with the RESTful API, you must calculate the request signature yourself as described in Request Signature, or generate one with the COS signature tool.
Cloud Access Management (CAM) provides account and credential management for COS, so that you can control access to the resources under your Tencent Cloud account securely. With CAM you can create, manage, and delete users (or user groups), and control what other users may do with your Tencent Cloud resources through identity management and policy management.
After logging in to the root account, you can manage and obtain the security credentials (SecretID and SecretKey) of your root account on the Cloud API Key page of CAM. The following is a key pair example:
The key pair uniquely identifies an account. After you sign a request with the key and send it, Tencent Cloud identifies the initiator from the SecretID, verifies the signature, and then checks the identity, resource, operation, and conditions against policy to decide whether to allow the operation.
The root account key has full permissions on every resource under the root account. If it is leaked, your cloud assets can be lost, so it is strongly recommended that you create sub-accounts, assign each only the permissions it needs, and use the sub-accounts' keys (never the root key) to create requests for accessing and managing resources.
To manage users and cloud resources under your account along multiple dimensions, you can create multiple sub-accounts under your root account and assign each its own permissions. For how to create a sub-account, see Sub-users in CAM.
Before a sub-account can initiate an API request, you need to create a security credential for it; the sub-account then gets its own unique key pair, which identifies it in requests. You can create user policies for different sub-accounts to control which resources they may access, and you can also create user groups and attach one access policy to a group, so that users and resources are managed centrally.
A sub-account with the corresponding permissions can create or modify resources. The resources still belong to the root account, and their cost is billed to the root account.
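As an added illustration (not taken from this page or from Tencent Cloud's own documentation), this is what a least-privilege CAM policy attached to a sub-account or a user group can look like: read-only access to a single bucket. The policy uses CAM's standard JSON syntax; the APPID 1250000000 and bucket name examplebucket-1250000000 are the page's own placeholders, and the region ap-guangzhou is an assumption.

```json
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["cos:GetObject", "cos:HeadObject", "cos:GetBucket"],
      "resource": [
        "qcs::cos:ap-guangzhou:uid/1250000000:examplebucket-1250000000/*"
      ]
    }
  ]
}
```

Attach the policy to the sub-account (or to its user group) and hand out that sub-account's key pair instead of the root key: every action not listed, including uploads and bucket configuration, is denied for that identity.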
Besides using the security credentials of the root account or of sub-accounts, you can create roles and use the roles' temporary security credentials to manage your Tencent Cloud resources. For the role concept and how to use roles, see Role Overview.
As a virtual identity, a role has no permanent key. Tencent Cloud CAM provides a set of STS APIs for generating temporary security credentials for a role.
For more information on how to use these APIs, with examples, see Using Role; see CreateRole for how to create the role itself. Temporary security credentials carry only a limited policy (operations, resources, and conditions) and are valid only for a limited period (start and end time), so they can safely be distributed to clients or used directly without exposing a long-lived key.
You can call the API for generating temporary security credentials to get a temporary key pair (tmpSecretId/tmpSecretKey) and a security token (sessionToken); together these form the security credential used to access COS. The following is an example of a temporary security credential:
The API also returns the validity period of the temporary credential in the expiration field; the credential can only be used to initiate requests during that period, so a client must obtain a fresh one before it expires.
Tencent Cloud COS provides a simple server-side SDK for generating temporary keys; see COS STS SDK to obtain it. To initiate a request with the REST API after getting a temporary security credential, set the x-cos-security-token field in the HTTP header, or in the form-data of a POST request, to the security token, and use the temporary key pair (tmpSecretId/tmpSecretKey), not your permanent key, to generate the request signature. For how to initiate requests with the COS SDKs, see the relevant section of each SDK's documentation.
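The following Python script is an added example, not code from the COS documentation or from any Tencent Cloud SDK. It implements the Authorization field described in the signed-request section above (the q-sign-algorithm=sha1 scheme from Request Signature: HMAC-SHA1 over a canonical form of the request, with hex-encoded digests) and the temporary-credential variant from this section, which adds the x-cos-security-token header and signs with tmpSecretId/tmpSecretKey. It also includes a server-side style verify function of the kind a test harness or gateway would use, which rejects expired key times, tampered requests, and requests missing a header the client claimed to sign. The SecretId/SecretKey values, the object key /exampleobject, the timestamps and the session token are made-up placeholders; the bucket domain is the page's own example. Including the token header in q-header-list is a choice made here, not a requirement stated on the page.

```python
"""COS XML API request signing and verification (added example; not from
the COS docs or any Tencent SDK). Credentials, timestamps and object keys
below are hypothetical placeholders."""
import hashlib
import hmac
from urllib.parse import quote

# Hypothetical credentials; the bucket domain is the page's own example.
SECRET_ID = "AKIDEXAMPLE0000000000000000000000000"
SECRET_KEY = "exampleSecretKey00000000000000000"
HOST = "examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com"


def _hmac_sha1_hex(key: str, msg: str) -> str:
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def _canonical(items: dict) -> tuple:
    """Lower-case and sort the names; URL-encode the values.
    Returns (name list for q-*-list, canonical 'k=v&k=v' string)."""
    norm = sorted((k.lower(), str(v)) for k, v in items.items())
    names = ";".join(k for k, _ in norm)
    canon = "&".join(f"{k}={quote(v, safe='')}" for k, v in norm)
    return names, canon


def sign_request(secret_id, secret_key, method, uri, params, headers, start, end):
    """Build the Authorization value for one request.
    start/end are Unix seconds; the signature is only valid in that window."""
    key_time = f"{start};{end}"
    sign_key = _hmac_sha1_hex(secret_key, key_time)           # key derived per time window
    param_list, canon_params = _canonical(params)
    header_list, canon_headers = _canonical(headers)
    http_string = f"{method.lower()}\n{uri}\n{canon_params}\n{canon_headers}\n"
    string_to_sign = f"sha1\n{key_time}\n{hashlib.sha1(http_string.encode()).hexdigest()}\n"
    signature = _hmac_sha1_hex(sign_key, string_to_sign)      # SecretKey never leaves the client
    return ("q-sign-algorithm=sha1"
            f"&q-ak={secret_id}&q-sign-time={key_time}&q-key-time={key_time}"
            f"&q-header-list={header_list}&q-url-param-list={param_list}"
            f"&q-signature={signature}")


def sign_with_temporary_credential(tmp_secret_id, tmp_secret_key, session_token,
                                   method, uri, params, headers, start, end):
    """Temporary credential: add x-cos-security-token to the request headers
    (required by the page) and sign with the temporary key pair. Putting the
    token in the signed header list is a choice made here, not a page rule."""
    headers = {**headers, "x-cos-security-token": session_token}
    return headers, sign_request(tmp_secret_id, tmp_secret_key,
                                 method, uri, params, headers, start, end)


def verify_authorization(authorization, keys, method, uri, params, headers, now):
    """Server-side check: look up the key by q-ak, reject out-of-window key
    times, recompute over the headers/params the client declared, and compare
    in constant time. `keys` maps SecretId -> SecretKey."""
    try:
        fields = dict(part.split("=", 1) for part in authorization.split("&"))
        start, end = (int(t) for t in fields["q-key-time"].split(";"))
    except (KeyError, ValueError):
        return False
    secret_key = keys.get(fields.get("q-ak", ""))
    if secret_key is None or not start <= now <= end:
        return False
    if fields.get("q-sign-time") != fields["q-key-time"]:
        return False
    want_h = set(filter(None, fields.get("q-header-list", "").split(";")))
    want_p = set(filter(None, fields.get("q-url-param-list", "").split(";")))
    sub_h = {k: v for k, v in headers.items() if k.lower() in want_h}
    sub_p = {k: v for k, v in params.items() if k.lower() in want_p}
    if len(sub_h) != len(want_h) or len(sub_p) != len(want_p):
        return False  # a declared header or parameter is absent from the request
    expected = sign_request(fields["q-ak"], secret_key, method, uri, sub_p, sub_h, start, end)
    return hmac.compare_digest(expected.encode(), authorization.encode())


if __name__ == "__main__":
    auth = sign_request(SECRET_ID, SECRET_KEY, "GET", "/exampleobject",
                        {}, {"Host": HOST}, 1700000000, 1700003600)
    print("Authorization:", auth)
    hdrs, tmp_auth = sign_with_temporary_credential(
        "tmpSecretId-placeholder", "tmpSecretKey-placeholder", "sessionToken-placeholder",
        "PUT", "/exampleobject", {}, {"Host": HOST}, 1700000000, 1700001800)
    print("x-cos-security-token:", hdrs["x-cos-security-token"])
    print("Authorization:", tmp_auth)
```

Two design points worth noting: the signing key is derived from the SecretKey and the q-key-time window, so a captured Authorization value is useless outside that window and never reveals the SecretKey; and the verifier recomputes only over the headers and parameters named in q-header-list and q-url-param-list, which is why a client should always include Host (and, for temporary credentials, the token header) in the signed set.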
The Region and Access Domain Name document lists the domain names that can be used to initiate access requests via the RESTful API.
It is recommended to use virtual-hosted domain names to access COS buckets. When you initiate an HTTP request, the bucket to be accessed is specified in the Host header, for example <bucketname-appid>.cos.<region>.myqcloud.com. With a virtual-hosted domain name the bucket behaves like the root directory of a virtual server, so it can host files such as crossdomain.xml, which many applications fetch from the root of a hosted website by default.
You can also access a bucket with a path-style request, for example cos.<region>.myqcloud.com/<bucketname-appid>/. In this case both the request Host header and the signature must use cos.<region>.myqcloud.com. COS SDKs do not support this access method by default.
If you enable the static website feature for a bucket, a dedicated domain name is assigned to the bucket for that purpose. Unlike the RESTful API domain, the static website domain supports only a few operations, such as GET/HEAD/OPTIONS Object, plus the configured index page, error page, and redirection rules. Uploading or configuring resources through it is not supported.
The domain name of a static website has the format <bucketname-appid>.cos-website.<region>.myqcloud.com. You can also log in to the console and go to the bucket's Basic Configuration > Static Website Configuration to get the domain name.
COS access endpoints use intelligent DNS resolution. For access over the Internet (including from different ISPs), the optimal link to COS is detected and selected for you. If you have deployed a service in Tencent Cloud that accesses COS, access within the same region is automatically resolved to a private network address. Cross-region access over the private network is not supported; in that case the COS endpoint resolves to a public network address by default.
Tencent Cloud products in the same region communicate over the private network by default, which incurs no traffic fees, so we recommend choosing the same region when purchasing different Tencent Cloud products to save costs.
The following shows how to determine whether access is over the private network. For example, to check whether a CVM reaches COS over the private network, run the nslookup command on the CVM to resolve the COS endpoint. If a private IP is returned, access between the CVM and COS is over the private network; otherwise, it is over the public network.
Generally, a private IP takes the form 100.*.*.*, and a VPC IP takes the form 169.254.*.*; both indicate private network access. A classic-network CVM may instead receive a 10.*.*.* address, as in the example below, which is also private.
In the following example, examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com is the address of the destination bucket. After running the nslookup command, you can view the output shown in the figure below. In the command output, the IP 10.148.214.14 indicates that access to COS is over the private network.
COS provides its service over HTTP (and HTTPS). You can use the most basic tool, telnet, to test connectivity to port 80 of the COS access domain (use port 443 if you want to test the HTTPS endpoint instead).
The following is an example of access through the public network:
telnet examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com 80
Trying 184.108.40.206...
Connected to gz.file.myqcloud.com.
Escape character is '^]'.
The following is an example of access through a Tencent Cloud CVM (classic network) in the same region:
telnet examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com 80
Trying 10.148.214.14...
Connected to 10.148.214.14.
Escape character is '^]'.
The following is an example of access through a Tencent Cloud CVM (VPC) in the same region:
telnet examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com 80
Trying 169.254.0.47...
Connected to 169.254.0.47.
Escape character is '^]'.
Regardless of the access environment, if the output contains the line Escape character is '^]'., the TCP connection succeeded. The Trying line also shows which address was used, so this test doubles as the private/public check described above.
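The Python script below is an added example, not part of the COS documentation. It automates the two checks from this section: it resolves the bucket endpoint the way nslookup does, classifies each returned address using the ranges the page names (100.*.*.*, 169.254.*.*, and the 10.148.214.14 classic-network case from the nslookup example), and then performs the same TCP handshake that telnet does on port 80, with a timeout so a blocked path fails fast instead of hanging. The bucket domain is the page's example; the extra RFC 1918 prefixes and the timeout value are assumptions of this script.

```python
"""Private-vs-public check plus a telnet-style port test for a COS
endpoint (added example; not from the COS documentation)."""
import ipaddress
import socket

# (network, label). The page describes private addresses as 100.*.*.* and
# 169.254.*.* and shows a 10.* classic-network address in its example; the
# RFC 1918 ranges are added here as an assumption.
PRIVATE_NETS = [
    (ipaddress.ip_network("100.0.0.0/8"), "private: page form 100.*.*.* (RFC 6598 shared space is 100.64.0.0/10)"),
    (ipaddress.ip_network("169.254.0.0/16"), "private: VPC link-local (page form 169.254.*.*)"),
    (ipaddress.ip_network("10.0.0.0/8"), "private: classic network (page example 10.148.214.14)"),
    (ipaddress.ip_network("172.16.0.0/12"), "private: RFC 1918"),
    (ipaddress.ip_network("192.168.0.0/16"), "private: RFC 1918"),
]


def classify(ip: str) -> str:
    """Return 'public' or a 'private: ...' label for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    for net, label in PRIVATE_NETS:
        if addr in net:
            return label
    return "public"


def resolve(host: str) -> list:
    """What nslookup shows: the A records the local resolver returns."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_check(ip: str, port: int = 80, timeout: float = 3.0) -> tuple:
    """Same test as 'telnet <host> 80': a TCP handshake, nothing sent.
    Returns (reachable, detail)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, "connected"   # where telnet prints: Escape character is '^]'.
    except OSError as exc:
        return False, f"{exc.__class__.__name__}: {exc}"


def check_endpoint(host: str, port: int = 80) -> list:
    """Resolve the endpoint, classify each address, and test the port on each."""
    report = []
    for ip in resolve(host):
        ok, detail = tcp_check(ip, port)
        report.append({"ip": ip, "network": classify(ip), "reachable": ok, "detail": detail})
    return report


if __name__ == "__main__":
    for row in check_endpoint("examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com"):
        status = "OK" if row["reachable"] else "FAIL"
        print(f"{row['ip']:16} {status:4} {row['network']}  {row['detail']}")
```

Run it on the CVM whose path you want to verify: a row labelled private with status OK corresponds to the classic-network or VPC telnet transcripts above, while a public address from inside Tencent Cloud means the request is not taking the private network (for example, a cross-region bucket) and will be billed as public traffic.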
Access to COS over the Internet passes through ISP networks, which may block ICMP-based tools such as traceroute. Therefore we recommend using TCP-based tools to test connectivity.
Internet access may traverse multiple network environments. If access is not smooth, check your local network link or contact your ISP.
If your ISP allows ICMP, you can use the mtr tool to check the path. Otherwise, use psping (Windows; download it from the Microsoft website) or a cross-platform tool such as tcping to test latency.
If you access COS over a Tencent Cloud VPC in the same region, you may also be unable to test connectivity with ICMP tools such as traceroute. We recommend using the telnet command from the basic connectivity test above.
You can also use a tool such as tcping to test the latency to port 80 of the access domain. Before the test, make sure that the access domain name has been correctly resolved to the private network address using the