tencent cloud

Cloud Object Storage

Release Notes and Announcements
Release Notes
Announcements
Product Introduction
Overview
Features
Use Cases
Strengths
Concepts
Regions and Access Endpoints
Specifications and Limits
Service Regions and Service Providers
Billing
Billing Overview
Billing Method
Billable Items
Free Tier
Billing Examples
Viewing and Downloading Bill
Payment Overdue
FAQs
Getting Started
Console
Getting Started with COSBrowser
User Guide
Creating Request
Bucket
Object
Data Management
Batch Operation
Global Acceleration
Monitoring and Alarms
Operations Center
Data Processing
Content Moderation
Smart Toolbox
Data Processing Workflow
Application Integration
User Tools
Tool Overview
Installation and Configuration of Environment
COSBrowser
COSCLI (Beta)
COSCMD
COS Migration
FTP Server
Hadoop
COSDistCp
HDFS TO COS
GooseFS-Lite
Online Tools
Diagnostic Tool
Use Cases
Overview
Access Control and Permission Management
Performance Optimization
Accessing COS with AWS S3 SDK
Data Disaster Recovery and Backup
Domain Name Management Practice
Image Processing
Audio/Video Practices
Workflow
Direct Data Upload
Content Moderation
Data Security
Data Verification
Big Data Practice
COS Cost Optimization Solutions
Using COS in the Third-party Applications
Migration Guide
Migrating Local Data to COS
Migrating Data from Third-Party Cloud Storage Service to COS
Migrating Data from URL to COS
Migrating Data Within COS
Migrating Data Between HDFS and COS
Data Lake Storage
Cloud Native Datalake Storage
Metadata Accelerator
GooseFS
Data Processing
Data Processing Overview
Image Processing
Media Processing
Content Moderation
File Processing Service
File Preview
Troubleshooting
Obtaining RequestId
Slow Upload over Public Network
403 Error for COS Access
Resource Access Error
POST Object Common Exceptions
API Documentation
Introduction
Common Request Headers
Common Response Headers
Error Codes
Request Signature
Action List
Service APIs
Bucket APIs
Object APIs
Batch Operation APIs
Data Processing APIs
Job and Workflow
Content Moderation APIs
Cloud Antivirus API
SDK Documentation
SDK Overview
Preparations
Android SDK
C SDK
C++ SDK
.NET(C#) SDK
Flutter SDK
Go SDK
iOS SDK
Java SDK
JavaScript SDK
Node.js SDK
PHP SDK
Python SDK
React Native SDK
Mini Program SDK
Error Codes
Harmony SDK
Endpoint SDK Quality Optimization
Security and Compliance
Data Disaster Recovery
Data Security
Cloud Access Management
FAQs
Popular Questions
General
Billing
Domain Name Compliance Issues
Bucket Configuration
Domain Names and CDN
Object Operations
Logging and Monitoring
Permission Management
Data Processing
Data Security
Pre-signed URL Issues
SDKs
Tools
APIs
Agreements
Service Level Agreement
Privacy Policy
Data Processing And Security Agreement
Contact Us
Glossary
DocumentationCloud Object StorageUse CasesAccess Control and Permission ManagementGenerating and Using Temporary Keys

Generating and Using Temporary Keys

PDF
Focus Mode
Font Size
Last updated: 2024-03-25 15:11:17
Note:
When authorizing access with a temporary key, ensure that you follow the principle of the least privilege as needed. If you grant excessive permissions, such as granting permissions to all resources (resource: *) or all operations (action: *), data security risks may arise.
If you have specified a permission scope for the temporary key when applying for it, you can only use the key within the scope. For example, if you have limited the permissions to only uploading objects to the examplebucket-1-1250000000, you can’t upload objects to the examplebucket-2-1250000000 bucket or download objects from the examplebucket-1-1250000000 bucket.

Temporary Key

Temporary keys (temporary access credentials) are access-limited keys requested through CAM APIs. To call the COS API, you use temporary keys to calculate a signature for identity authentication. When a COS API request uses a temporary key to calculate the signature for authentication, the following three fields in the message returned by the temporary key API are required:
TmpSecretId
TmpSecretKey
Token

Benefits to Use a Temporary Key

When using COS on web, iOS, and Android applications, fixed keys are less ideal for permission management and less secure if stored in your client-side code, as the key may be disclosed. In this case, you can use a temporary key. For example, when applying for a temporary key, you can specify the action and resource by setting the policy field to grant limited access permissions.
For COS API authorization policies, see:
Working with COS API Access Policies
Examples of Temporary Key Authorization Policies in Common Scenarios.

Getting a Temporary Key

You can get a temporary key via the COS STS SDK or by calling the STS API GetFederationToken directly.
Note:
The Java SDK is used as an example in this document. To use it, you need to get the SDK code (version number) on GitHub. If you cannot find the SDK version number, check whether this SDK version is available on GitHub.

COS STS SDK

COS provides SDKs and samples in various languages (e.g., Java, Node.js, PHP, Python, and Go) for STS. For more information, please see COS STS SDK. To learn about how to use each SDK, see the README files and samples on GitHub by referring to the following table:
Language
Download Address
Sample
Java
.NET
Go
Node.js
PHP
Python
Note:
To avoid the differences between versions of the STS API, STS SDKs take a return parameters structure that may be different from that of the STS API. For more information, see Java SDK documentation.
Here is an example to obtain a temporary key using the downloaded Java SDK:

Sample codes

// Import `java sts sdk` using the integration method with Maven as described on GitHub, with v3.1.0 or later required.
public class Demo {
    public static void main(String[] args) {
        TreeMap<String, Object> config = new TreeMap<String, Object>();

        try {
            // `SecretId` and `SecretKey` represent permanent identities (root account, sub-account) for applying for a temporary key. If it is a sub-account, it must have permission to operate buckets.
            String secretId = System.getenv("secretId");// User `SecretId`. We recommend you use a sub-account key and follow the principle of least privilege to reduce risks. For information about how to obtain a sub-account key, visit https://www.tencentcloud.com/document/product/598/37140?from_cn_redirect=1.
             String secretKey = System.getenv("secretKey");// User `SecretKey`. We recommend you use a sub-account key and follow the principle of least privilege to reduce risks. For information about how to obtain a sub-account key, visit https://www.tencentcloud.com/document/product/598/37140?from_cn_redirect=1.
            // Replace it with your Cloud API key SecretId
            config.put("secretId", secretId);
            // Replace it with your Cloud API key SecretKey
            config.put("secretKey", secretKey);

            // Set a domain: 
            // If you use Tencent Cloud CVMs, you can set an internal domain.
            //config.put("host", "sts.internal.tencentcloudapi.com");

            // Validity period of the key, in seconds (default: 1800). The value can be up to 7200 (2 hours) for the root account, and 129600 (36 hours) for a sub-account.
            config.put("durationSeconds", 1800);

            // Replace it with your own bucket
            config.put("bucket", "examplebucket-1250000000");
            // Replace it with the region where your bucket resides
            config.put("region", "ap-guangzhou");

            // Change it to an allowed path prefix. You can determine the upload path based on your login status.
            // Examples of several typical prefix authorization scenarios:
            // 1. Allow access to all objects: "*"
            // 2. Allow access to specified objects: "a/a1.txt", "b/b1.txt"
            // 3. Allow access to objects with specified prefixes: "a*", "a/*", "b/*"
            // If "*" is entered, you allow the user to access all resources. Unless otherwise necessary, grant the user only the limited permissions that are needed following the principle of least privilege.
            config.put("allowPrefixes", new String[] {
                    "exampleobject",
                    "exampleobject2"
            });

            // A list of permissions needed for the key (required)
            // The following permissions are required for simple, form-based, and multipart upload. For other permissions, visit https://www.tencentcloud.com/document/product/436/30580.
            String[] allowActions = new String[] {
                     // Simple upload
                    "name/cos:PutObject",
                    // Upload using a form or Weixin Mini Program
                    "name/cos:PostObject",
                    // Multipart upload
                    "name/cos:InitiateMultipartUpload",
                    "name/cos:ListMultipartUploads",
                    "name/cos:ListParts",
                    "name/cos:UploadPart",
                    "name/cos:CompleteMultipartUpload"
            };
            config.put("allowActions", allowActions);
                /**
             * Set `condition` (if necessary)
             //# Condition for the temporary key to take effect. For the detailed configuration rules of `condition` and `condition` types supported by COS, visit https://www.tencentcloud.com/document/product/436/71307?from_cn_redirect=1.
             final String raw_policy = "{\\n" +
             "  \\"version\\":\\"2.0\\",\\n" +
             "  \\"statement\\":[\\n" +
             "    {\\n" +
             "      \\"effect\\":\\"allow\\",\\n" +
             "      \\"action\\":[\\n" +
             "          \\"name/cos:PutObject\\",\\n" +
             "          \\"name/cos:PostObject\\",\\n" +
             "          \\"name/cos:InitiateMultipartUpload\\",\\n" +
             "          \\"name/cos:ListMultipartUploads\\",\\n" +
             "          \\"name/cos:ListParts\\",\\n" +
             "          \\"name/cos:UploadPart\\",\\n" +
             "          \\"name/cos:CompleteMultipartUpload\\"\\n" +
             "        ],\\n" +
             "      \\"resource\\":[\\n" +
             "          \\"qcs::cos:ap-shanghai:uid/1250000000:examplebucket-1250000000/*\\"\\n" +
             "      ],\\n" +
             "      \\"condition\\": {\\n" +
             "        \\"ip_equal\\": {\\n" +
             "            \\"qcs:ip\\": [\\n" +
             "                \\"192.168.1.0/24\\",\\n" +
             "                \\"101.226.100.185\\",\\n" +
             "                \\"101.226.100.186\\"\\n" +
             "            ]\\n" +
             "        }\\n" +
             "      }\\n" +
             "    }\\n" +
             "  ]\\n" +
             "}";

             config.put("policy", raw_policy);
             */				


            Response response = CosStsClient.getCredential(config);
            System.out.println(response.credentials.tmpSecretId);
            System.out.println(response.credentials.tmpSecretKey);
            System.out.println(response.credentials.sessionToken);
        } catch (Exception e){
            e.printStackTrace();
            throw new IllegalArgumentException("no valid secret !");
        }
    }
}

FAQs

What should I do if NoSuchMethodError occurs due to JSONObject package conflict?

Use 3.1.0 or a later version.

Accessing COS using a temporary key

When a COS API accesses COS with a temporary key, it passes the temporary sessionToken through the x-cos-security-token field, and calculates the signature using the temporary SecretId and SecretKey.
The following example shows how to use a temporary key obtained by use of COS Java SDK to access COS:
Note:
Before you run the sample, go to the GitHub project to download the Java SDK installation package.
// Import `cos xml java sdk` using the integration method with Maven as described on GitHub.
import com.qcloud.cos.*;
import com.qcloud.cos.auth.*;
import com.qcloud.cos.exception.*;
import com.qcloud.cos.model.*;
import com.qcloud.cos.region.*;
public class Demo {
    public static void main(String[] args) throws Exception {

        // Basic user information
        String tmpSecretId = "COS_SECRETID";   // Replace it with the temporary SecretId returned by the STS API. 
        String tmpSecretKey = "COS_SECRETKEY";  // Replace it with the temporary SecretKey returned by the STS API.
        String sessionToken = "Token";  // Replace it with the temporary token returned by the STS API.

        // 1. Initialize user authentication information (`secretId`, `secretKey`).
        COSCredentials cred = new BasicCOSCredentials(tmpSecretId, tmpSecretKey);
        // 2. Set the bucket region. For more information on COS regions, visit https://www.tencentcloud.com/document/product/436/6224?from_cn_redirect=1.
        ClientConfig clientConfig = new ClientConfig(new Region("ap-guangzhou"));
        // 3. Generate a COS client
        COSClient cosclient = new COSClient(cred, clientConfig);
        // The bucket name must contain `appid`.
        String bucketName = "examplebucket-1250000000";

        String key = "exampleobject";
        // Upload an object. You are advised to call this API to upload objects smaller than 20 MB.
        File localFile = new File("src/test/resources/text.txt");
        PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, key, localFile);

        // Set the `x-cos-security-token` header field.
        ObjectMetadata objectMetadata = new ObjectMetadata();
        objectMetadata.setSecurityToken(sessionToken);
        putObjectRequest.setMetadata(objectMetadata);

        try {
            PutObjectResult putObjectResult = cosclient.putObject(putObjectRequest);
            // Success: PutObjectResult returns the file ETag.
            String etag = putObjectResult.getETag();
        } catch (CosServiceException e) {
            //Failure: CosServiceException is thrown.
            e.printStackTrace();
        } catch (CosClientException e) {
            //Failure: CosClientException is thrown.
            e.printStackTrace();
        }

        // Disable the client
        cosclient.shutdown();

    }
}

Previous Topic: Security Guidelines for Using Temporary Credentials for Direct Upload from Frontend to COSNext Topic: Authorizing Sub-Account to Get Buckets by Tag

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback