PrevNext
search by keyword

Recent Pages

Documentation
Cloud Object Storage
    Documentation
    Download PDF

    Generating Pre-Signed URLs

    Last updated: 2021-12-27 14:18:31
    Download PDF

      Overview

      The Mini Program SDK provides APIs for getting object URLs and getting pre-signed request URLs.

      Note:

      • You are advised to use a temporary key to generate pre-signed URLs for the security of your requests such as uploads and downloads. When you apply for a temporary key, follow the Principle of Least Privilege to avoid leaking resources besides your buckets and objects.
      • If you need to use a permanent key to generate a pre-signed URL, you are advised to limit the permission of the permanent key to uploads and downloads only to avoid risks.

      Signature Calculation

      In all COS XML API requests, the authentication credential Authorization is required for all operations on private resources for COS to determine whether a request is valid.

      There are two ways to use the authentication credential:

      1. Put it in the header parameter; field name: authorization.
      2. Put it in the URL parameter; field name: sign.

      The COS.getAuthorization method is used to calculate the authentication credential (Authorization), which is the signing information used to verify the validity of the request.

      Note:

      It is recommended that this method is only used for frontend debugging but not in actual projects, as it may disclose keys.

      Sample code

      Obtain the authentication credential for object download:

      // Log in to the [CAM console](https://console.cloud.tencent.com/cam/capi) to check and manage the `SecretId` and `SecretKey` of your project.
var Authorization = COS.getAuthorization({
   SecretId: 'SECRETID',
   SecretKey: 'SECRETKEY',
   Method: 'get',
   Key: 'exampleobject',
   Expires: 60,
   Query: {},
   Headers: {}
});

      Parameter description

      Parameter Description Type Required
      SecretId User SecretId String Yes
      SecretKey User's SecretKey String Yes
      Method HTTP request method such as GET, POST, DELETE, or HEAD String Yes
      Key Object key (object name) is the unique ID of an object in a bucket. If the request operation is to be performed on a file, this parameter is required and should be a filename. If the operation is on a bucket, this parameter should be left empty. String No
      Query Request parameters to include in the signature. Format: {key: 'val'} Object No
      Headers Request headers to include in the signature. Format: {key: 'val'} Object No
      Expires Signature expiration time in seconds. Default value: 900 Number No

      Returned value description

      The returned value is the calculated authentication credential string authorization.

      Getting a Pre-signed Request URL

      Download request samples

      Sample 1. Get an object URL without a signature

      var url = cos.getObjectUrl({
   Bucket: 'examplebucket-1250000000', /* Your bucket name. Required. */
   Region: 'COS_REGION',  /* Bucket region, such as `ap-beijing`. Required. */
   Key: '1.jpg',  /* Object key stored in the bucket (such as `1.jpg` and `a/b/test.txt`). Required. */
   Sign: false
});

      Sample 2. Get a signed object URL

      var url = cos.getObjectUrl({
   Bucket: 'examplebucket-1250000000', /* Your bucket name. Required. */
   Region: 'COS_REGION',  /* Bucket region, such as `ap-beijing`. Required. */
   Key: '1.jpg',  /* Object key stored in the bucket (such as `1.jpg` and `a/b/test.txt`). Required. */
});

      Sample 3. Get a signed URL through callback

      Note:

      If the signing process is asynchronous, you need to get the signed URL through a callback.

      cos.getObjectUrl({
   Bucket: 'examplebucket-1250000000', /* Your bucket name. Required. */
   Region: 'COS_REGION',  /* Bucket region, such as `ap-beijing`. Required. */
   Key: '1.jpg',  /* Object key stored in the bucket (such as `1.jpg` and `a/b/test.txt`). Required. */
   Sign: false
}, function (err, data) {
   console.log(err || data.Url);
});

      Sample 4. Specify the validity period of a link

      cos.getObjectUrl({
   Bucket: 'examplebucket-1250000000', /* Your bucket name. Required. */
   Region: 'COS_REGION',  /* Bucket region, such as `ap-beijing`. Required. */
   Key: '1.jpg',  /* Object key stored in the bucket (such as `1.jpg` and `a/b/test.txt`). Required. */
   Sign: true,
   Expires: 3600, // Unit: second
}, function (err, data) {
   console.log(err || data.Url);
});

      Sample 5. Get the object URL and download the object

      cos.getObjectUrl({
   Bucket: 'examplebucket-1250000000', /* Your bucket name. Required. */
   Region: 'COS_REGION',  /* Bucket region, such as `ap-beijing`. Required. */
   Key: '1.jpg',  /* Object key stored in the bucket (such as `1.jpg` and `a/b/test.txt`). Required. */
   Sign: true
}, function (err, data) {
   if (!err) return console.log(err);
   wx.downloadFile({
       url: data.Url, // The “url” domain name needs to be added to the download allowlist
       success (res) {
           console.log(res.statusCode, res.tempFilePath);
       },
       fail: function (err) {
           console.log(err);
       },
   });
});

      Sample 6. Generate the pre-signed URL with the signature containing Query and Header

      cos.getObjectUrl({
   Bucket: 'examplebucket-1250000000', /* Your bucket name. Required. */
   Region: 'COS_REGION',  /* Bucket region, such as `ap-beijing`. Required. */
   Key: '1.jpg',  /* Object key stored in the bucket (such as `1.jpg` and `a/b/test.txt`). Required. */
   Sign: true,
   /* The HTTP request parameters passed in should be the same as those of the actual request. This can prevent users from tampering with the HTTP request parameters. */
   Query: {
     'imageMogr2/thumbnail/200x/': '' 
   },
   /* The HTTP request headers passed in should be included in the actual request. This can prevent users from tampering with the HTTP request headers that are signed here. */
   Headers: {
     host: 'xxx' /* Specified host for access. Error code 403 will be reported for access by a non-specified host. */
   },
}, function (err, data) {
   console.log(err || data.Url);
});

      Upload request samples

      Sample 1. Get a pre-signed URL for Put Object upload

      cos.getObjectUrl({
   Bucket: 'examplebucket-1250000000', /* Your bucket name. Required. */
   Region: 'COS_REGION',  /* Bucket region, such as `ap-beijing`. Required. */
   Key: '1.jpg',  /* Object key stored in the bucket (such as `1.jpg` and `a/b/test.txt`). Required. */
   Method: 'PUT',
   Sign: true
}, function (err, data) {
   if (err) return console.log(err);
   console.log(data.Url);

   // After the URL is obtained, the object can be uploaded in the frontend using AJAX.
   var xhr = new XMLHttpRequest();
   xhr.open('PUT', data.Url, true);
   xhr.onload = function (e) {
       console.log('Uploaded successfully', xhr.status, xhr.statusText);
   };
   xhr.onerror = function (e) {
       console.log('Upload failed', xhr.status, xhr.statusText);
   };
   xhr.send(file); // "file" is the object to upload.
});

      Parameter description

      Parameter Description Type Required
      Bucket Bucket name in the format of BucketName-APPID. String Yes
      Region Bucket region. For the enumerated values, please see Regions and Access Endpoints. String Yes
      Key Object key (object name) is the unique ID of an object in a bucket. If the request operation is to be performed on a file, this parameter is required and should be a filename. If the operation is on a bucket, this parameter should be left empty String Yes
      Sign Whether to return a signed URL. Default value: true Boolean No
      Protocol It can be http: (default) or https: String No
      Domain Bucket access domain. Default value: {BucketName-APPID}.cos.{Region}.myqcloud.com String No
      Method HTTP request method such as GET, POST, DELETE, or HEAD. Default value: GET String No
      Query Query parameter object for signature calculation in the format of {key: 'val'} Object No
      Headers Header parameter object for signature calculation in the format of {key: 'val'} Object No
      Expires Signature expiration time in seconds. Default value: 900 Number No

      Returned value description

      The returned value is a string. There are two possible scenarios:

      1. If the signature can be calculated synchronously (for example, the SecretId and SecretKey have been passed in during instantiation), the signed URL will be returned by default.
      2. Otherwise, an unsigned URL will be returned.

      Callback function description

      function(err, data) { ... }
      Parameter Description Type
      err Error code, which is returned when an error (network error or service error) occurs. If the request is successful, this parameter is empty. For more information, please see Error Codes. Object
      data Content returned when the request is successful. If the request fails, this parameter is empty. Object
      - Url Calculated URL String
      tencent
      Copyright © 2013-2022 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy