Request Creation Overview

Last updated: 2021-07-27 10:08:17


    Tencent Cloud COS is a web-based storage service accessed using the HTTP/HTTPS protocol. You can use RESTful APIs or COS SDKs to access COS.

    A COS access request must pass COS verification and authentication before COS operates on the resources. Depending on whether the requester's identity can be identified, COS access requests are divided into two types: anonymous requests and requests with signatures.

    • Anonymous request: If the request does not include Authorization or related parameters, or the user identity cannot be identified from the related fields, the request is treated as an anonymous request for authentication.
    • Request with signature: A request with a signature must contain the Authorization field in the HTTP header or the request package. The content of the field is generated from Tencent Cloud security credentials (SecretID and SecretKey) and some characteristic values of the request via an encryption algorithm.

    To access COS using COS SDKs, you only need to configure your security credentials before initiating the request. To access COS using RESTful APIs, calculate the request signature according to Request Signature or generate one using the COS signature tool.

    Obtaining Security Credentials

    Cloud Access Management (CAM) provides features and services related to accounts and credentials for COS, to help customers manage the permissions to access resources under their Tencent Cloud accounts in a secure way. You can use CAM to create, manage, and terminate users (or user groups), and manage other users' permissions to use Tencent Cloud resources through identity management and policy management.

    Security credentials of the root account

    After logging in to the root account, you can manage and obtain the security credentials (SecretID and SecretKey) of your root account on the Cloud API Key page of CAM. The following is a key pair example:

    • 36-character access key ID (SecretID): AKIDHZRLB9Ibhdp7Y7gyQq6BOk1997xxxxxx
    • 32-character access key (SecretKey): LYaWIuQmCSZ5ZMniUM6hiaLxHnxxxxxx

    The access key uniquely identifies an account. After the signature is generated using the key and the request is sent, Tencent Cloud identifies the request initiator, and then performs verification and authentication for the identity, resources, operations, and conditions to determine whether to allow the operation.


    The key of the root account has all the operation permissions for all resources under the root account. Disclosure of the key may cause loss of your cloud assets, so it is strongly recommended that you create sub-accounts and assign corresponding permissions for them, and then use the keys of sub-accounts to create requests for resource access and management.

    Security credentials of sub-accounts

    To manage users and cloud resources under your account in multiple dimensions, you can create multiple sub-accounts under your primary account to implement user-specific permission management. For more information on how to create a sub-account, see Sub-users in CAM.

    Before using a sub-account to initiate an API request, you need to create a security credential for the sub-account. The sub-account then gets a unique key pair, which is used to identify it. You can create user policies for different sub-accounts to control their access permissions to resources. You can also create user groups and associate one access policy with a user group to manage grouped users and resources centrally.


    With the corresponding permissions assigned, a sub-account can create or modify resources. The resources still belong to the primary account, and the resource cost will be deducted from the root account.

    Temporary security credentials

    In addition to using security credentials of the root account or sub-accounts to access resources, you can create roles and use the temporary security credentials of the roles to manage your Tencent Cloud resources. For more information on the role concept and how to use roles, see Role Overview.

    As a virtual identity, a role does not have a permanent key. Tencent Cloud CAM provides a set of STS APIs used to generate temporary security credentials.
    For more information on how to use the APIs and relevant examples, see Using Roles. You can also see STS API documentation to learn about how to generate temporary security credentials. Temporary security credentials contain only limited policies (operations, resources, and conditions), and are valid for a limited period (start and end time), so the generated temporary security credentials can be distributed or used directly.

    You can call the API for generating temporary security credentials and get a temporary key pair (tmpSecretId/tmpSecretKey) and a security token (sessionToken), which form the security credential that can be used to access COS. The following is an example of a temporary security credential:

    • 41-character security token (SecurityToken): 5e776c4216ff4d31a7c74fe194a978a3ff2xxxxxx
    • 36-character temporary access key ID (SecretID): AKIDcAZnqgar9ByWq6m7ucIn8LNEuYxxxxxx
    • 32-character temporary access key (SecretKey): VpxrX0IMCpHXWL0Wr3KQNCqJixxxxxxx

    This API also returns the validity period of the temporary security credential via the expiration field, which means that this set of security credentials can only be used to initiate requests during this period.

    Tencent Cloud COS provides a simple server SDK that can be used to generate temporary keys. You can visit COS STS SDK to obtain the SDK. To initiate the request using the REST API after getting the temporary security credential, you need to specify the value for the x-cos-security-token field in the HTTP header or the form-data of the POST request package to identify the security token used by the request, and then use the temporary access key pair to generate the request signature. For more information on how to initiate requests using the COS SDK, see the relevant sections in each SDK documentation.

    Access Domain Name

    RESTful APIs

    The Region and Access Domain Name document provides a list of domain names that can be used to initiate access requests via the REST API.

    It is recommended to use virtual hosting domain names to access COS buckets. When you initiate an HTTP request, the bucket to be accessed is specified through the Host header, for example, <bucketname-appid>.cos.<region>. Using virtual hosting domain names implements the same feature as the root directory of a virtual server. Virtual hosting domain names can be used to host files such as favicon.ico, robots.txt, and crossdomain.xml, which many applications retrieve from the root directory of the virtual server by default when identifying a hosted website.

    You can also use a path request to access a bucket, for example, cos.<region><bucketname-appid>/. The request Host and the signature must use cos.<region>. COS SDKs do not support this access method by default.

    Domain names of static websites

    If you enable the static website feature for a bucket, a virtual hosting domain name will be assigned for you to use relevant features. Unlike RESTful APIs, the domain name of a static website supports only a few operations, such as GET/HEAD/OPTIONS Object, in addition to specific index pages, error pages and redirection configurations. Uploading or configuring resources is not supported.

    The format of a domain name of a static website is <bucketname-appid>.cos-website.<region>. You can also log in to the console and go to the bucket's Basic Configuration > Static Website Configuration to get the domain name.

    COS Access via Private Network and Public Network

    The access endpoints of COS use intelligent DNS resolution. For COS access via the Internet (including different ISPs), COS detects and selects the optimal link for you. If you have deployed a service in Tencent Cloud to access COS, access within the same region is automatically directed to a private network address. Cross-region access is not supported in a private network, and the COS endpoint is resolved to a public network address by default.

    How to determine whether an access is via a private network

    Tencent Cloud products within the same region access each other over a private network by default, incurring no traffic fees. Therefore, we recommend choosing the same region when you purchase different Tencent Cloud products to save on costs.


    The private networks of Public Cloud regions are not interconnected with those of Finance Cloud regions.

    The following shows how to determine access over a private network:

    For example, when a CVM accesses COS, to determine whether a private network is used for access, use the nslookup command on the CVM to resolve the COS endpoint. If a private IP is returned, access between the CVM and COS is over a private network; otherwise, it is over a public network.


    Generally, a private IP takes the form of 10.*.*.* or 100.*.*.*, and a VPC IP takes the form of 169.254.*.*. These two types of IPs belong to private networks.

    Assume that is the address of the destination bucket. After running the nslookup command, you can view the information as shown in the figure below.

    In the command output, the and IPs indicate that the access to COS is over a private network.
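
    The nslookup check described above can be scripted. This is an added example, not part of the COS documentation: the function names and the sample hostname are hypothetical, the sample output is constructed, and it assumes Linux-style nslookup output and IPv4 answers. It skips the resolver's own Server/Address lines, which on a CVM are often private IPs and are easy to misread as the endpoint's address.

```shell
# Added example: reads Linux nslookup output on stdin and prints
# "<ip> private" or "<ip> public" for each IPv4 answer address.
# "private" = the patterns listed above: 10.*.*.*, 100.*.*.*, 169.254.*.*
classify_nslookup() {
    awk '
        # Lines before the first "Name:" describe the DNS resolver
        # (Server:/Address:), often a private IP itself. Skip them.
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address:/ {
            ip = $2
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next   # IPv4 only
            kind = (ip ~ /^(10|100)\./ || ip ~ /^169\.254\./) ? "private" : "public"
            print ip, kind
        }'
}

# Verdict for the whole lookup: private / public / mixed / no-answer.
# "mixed" means some answers would route over the public network.
lookup_verdict() {
    classify_nslookup | awk '
        { n++; if ($2 == "private") p++ }
        END {
            if (n == 0)      print "no-answer"
            else if (p == n) print "private"
            else if (p == 0) print "public"
            else             print "mixed"
        }'
}

# Constructed nslookup output: private resolver, answer IPs given as arguments.
sample_lookup() {
    printf 'Server:\t\t10.0.0.2\nAddress:\t10.0.0.2#53\n\nNon-authoritative answer:\n'
    for ip in "$@"; do
        printf 'Name:\tbucket.cos.example.invalid\nAddress: %s\n' "$ip"
    done
}

sample_lookup 203.0.113.10 | lookup_verdict            # public
sample_lookup 10.1.2.3 169.254.0.47 | lookup_verdict   # private
# On a CVM (COS_ENDPOINT is a placeholder you set to your bucket's endpoint):
#   nslookup "$COS_ENDPOINT" | lookup_verdict
```

    A verdict other than private before a private-network latency test means the later telnet, psping or tcping results describe the public path.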

    Testing connectivity

    Basic connectivity test

    COS uses the HTTP protocol to provide services. You can use telnet, the most basic tool, to test the connectivity to port 80 of the COS access domain.

    The following is an example of access through the public network:

    telnet 80
    Connected to
    Escape character is '^]'.

    The following is an example of access through Tencent Cloud CVMs (classic network) within the same region:

    telnet 80
    Connected to
    Escape character is '^]'.

    The following is an example of access through Tencent Cloud CVMs (VPC) within the same region:

    telnet 80
    Connected to
    Escape character is '^]'.

    Regardless of the access environment, if the command output contains the line Escape character is '^]'., the connection is successful.

    Test via the internet

    Access to COS over the Internet involves the ISP network, which may prevent you from testing connectivity with ICMP-based tools such as ping or traceroute, so it is recommended to use TCP-based tools to test connectivity.


    Access via the Internet may involve multiple network environments. If access problems occur, check your local network link, or contact the local ISP.

    If your ISP allows ICMP, you can use the ping, traceroute or mtr tools to check your link. Otherwise, you can use psping (Windows environment; download at the Microsoft official website) or tools such as tcping (cross-platform software) to test the latency.

    Test via a private network

    If you access COS over a Tencent Cloud VPC in the same region, you may be unable to test connectivity with ICMP-based tools such as ping or traceroute. It is recommended that you use the telnet command from the basic connectivity test instead.

    You can also use tools such as psping or tcping to test the latency to port 80 of the access domain. Before the test, make sure that the access domain name has been correctly resolved to the private network address using the nslookup command.