tencent cloud

Feedback

Generating Pre-Signed URL

Last updated: 2022-05-25 14:40:16

    Overview

    The JavaScript SDK provides APIs for getting object URLs and pre-signed request URLs.

    Note:

    • We recommend you use a temporary key to generate a pre-signed URL for the security of your requests such as uploads and downloads. When you apply for a temporary key, follow the principle of least privilege to avoid leaking resources besides your buckets and objects.
    • If you need to use a permanent key to generate a pre-signed URL, you are advised to limit the permission of the permanent key to uploads and downloads only to avoid risks.

    Signature Calculation

    In all COS XML API requests, the authentication credential Authorization is required for all operations on private resources for COS to determine whether a request is valid.

    There are two ways to use the authentication credential:

    1. Put it in the header parameter; field name: authorization.
    2. Put it in the URL parameter; field name: sign.

    The COS.getAuthorization method is used to calculate the authentication credential (Authorization), which is the signing information used to verify the validity of the request.

    Note:

    We recommend you use this method only for frontend debugging but not in actual projects, as it may disclose keys.

    Sample code

    Get the authentication credential for object download:

    // Log in to https://console.tencentcloud.com/cam/capi to check and manage the `SecretId` and `SecretKey` of your project.
    var Authorization = COS.getAuthorization({
       SecretId: 'SECRETID',
       SecretKey: 'SECRETKEY',
       Method: 'get',
       Key: 'exampleobject',
       Expires: 60,
       Query: {},
       Headers: {}
    });
    

    Parameter description

    Parameter Description Type Required
    SecretId User SecretId String Yes
    SecretKey User SecretKey String Yes
    Method HTTP request method, such as GET, POST, DELETE, or HEAD. String Yes
    Key Object key (object name), which is the unique identifier of the object in the bucket. If the request operation is to be performed on a file, this parameter is required and should be a filename. If the operation is on a bucket, this parameter should be left empty. String No
    Query Request parameters to be included in the signature. Format: {key: 'val'}. Object No
    Headers Request headers to be included in the signature. Format: {key: 'val'}. Object No
    Expires Signature expiration time in seconds. Default value: 900. Number No

    Returned value description

    The returned value is the calculated authentication credential string authorization.

    Getting Pre-signed Request URL

    Sample requests for download

    Sample 1. Get an object URL without a signature

    var url = cos.getObjectUrl({
       Bucket: 'examplebucket-1250000000', /* Your bucket name (required). */
       Region: 'COS_REGION',  /* Bucket region (required), such as `ap-beijing`. */
       Key: '1.jpg',  /* Object key stored in the bucket (required), such as `1.jpg` and `a/b/test.txt`. */
       Sign: false
    });
    

    Sample 2. Get a signed object URL

    var url = cos.getObjectUrl({
       Bucket: 'examplebucket-1250000000', /* Your bucket name (required). */
       Region: 'COS_REGION',  /* Bucket region (required), such as `ap-beijing`. */
       Key: '1.jpg',  /* Object key stored in the bucket (required), such as `1.jpg` and `a/b/test.txt`. */
    });
    

    Sample 3. Get a signed URL through callback

    Note:

    If the signing process is async, you need to get the signed URL through a callback.

    cos.getObjectUrl({
       Bucket: 'examplebucket-1250000000', /* Your bucket name (required). */
       Region: 'COS_REGION',  /* Bucket region (required), such as `ap-beijing`. */
       Key: '1.jpg',  /* Object key stored in the bucket (required), such as `1.jpg` and `a/b/test.txt`. */
       Sign: false
    }, function (err, data) {
       console.log(err || data.Url);
    });
    

    Sample 4. Specify the URL validity period

    cos.getObjectUrl({
       Bucket: 'examplebucket-1250000000', /* Your bucket name (required). */
       Region: 'COS_REGION',  /* Bucket region (required), such as `ap-beijing`. */
       Key: '1.jpg',  /* Object key stored in the bucket (required), such as `1.jpg` and `a/b/test.txt`. */
       Sign: true,
       Expires: 3600, // Unit: seconds
    }, function (err, data) {
       console.log(err || data.Url);
    });
    

    Sample 5. Get an object URL and download the object

    cos.getObjectUrl({
       Bucket: 'examplebucket-1250000000', /* Your bucket name (required). */
       Region: 'COS_REGION',  /* Bucket region (required), such as `ap-beijing`. */
       Key: '1.jpg',  /* Object key stored in the bucket (required), such as `1.jpg` and `a/b/test.txt`. */
       Sign: true
    }, function (err, data) {
       if (err) return console.log(err);
       var downloadUrl = data.Url + (data.Url.indexOf('?') > -1 ? '&' : '?') + 'response-content-disposition=attachment'; // Add the parameter for a forced download
       // This opens the URL in a new window. If you need to open the URL in the current window, you can use the hidden iframe for download, or use the `a` tag download attribute. (The `window.open()` method is recommended.)
       window.open(downloadUrl);
    });
    

    Sample 6. Generate a pre-signed URL with the signature containing Query and Header

    cos.getObjectUrl({
       Bucket: 'examplebucket-1250000000', /* Your bucket name (required). */
       Region: 'COS_REGION',  /* Bucket region (required), such as `ap-beijing`. */
       Key: '1.jpg',  /* Object key stored in the bucket (required), such as `1.jpg` and `a/b/test.txt`. */
       Sign: true,
       /* The HTTP request parameters passed in should be the same as those of the actual request. This can prevent users from tampering with the HTTP request parameters. */
       Query: {
         'imageMogr2/thumbnail/200x/': '' 
       },
       /* The HTTP request headers passed in should be included in the actual request. This can prevent users from tampering with the HTTP request headers that are signed here. */
       Headers: {
         host: 'xxx' /* Specified host for access. Error code 403 will be reported for access by a non-specified host. */
       },
    }, function (err, data) {
       console.log(err || data.Url);
    });
    

    Sample requests for upload

    Sample 1. Get a pre-signed URL for upload through Put Object

    cos.getObjectUrl({
       Bucket: 'examplebucket-1250000000', /* Your bucket name (required). */
       Region: 'COS_REGION',  /* Bucket region (required), such as `ap-beijing`. */
       Key: '1.jpg',  /* Object key stored in the bucket (required), such as `1.jpg` and `a/b/test.txt`. */
       Method: 'PUT',
       Sign: true
    }, function (err, data) {
       if (err) return console.log(err);
       console.log(data.Url);
       
       /* After the URL is obtained, an upload can be performed on the frontend through AJAX. */
       var xhr = new XMLHttpRequest();
       xhr.open('PUT', data.Url, true); /* `PUT` corresponds to the `Method` entered in `getObjectUrl` */
       xhr.onload = function (e) {
           console.log('Uploaded successfully', xhr.status, xhr.statusText);
       };
       xhr.onerror = function (e) {
           console.log('Upload failed', xhr.status, xhr.statusText);
       };
       xhr.send(file); /* `file` is the object to be uploaded */
    });
    

    Parameter description

    Parameter Description Type Required
    Bucket Bucket name in the format of BucketName-APPID. String Yes
    Region Bucket region. For the enumerated values, see Regions and Access Endpoints. String Yes
    Key Object key (object name), which is the unique identifier of the object in the bucket. If the request operation is to be performed on a file, this parameter is required and should be a filename. If the operation is on a bucket, this parameter should be left empty. String Yes
    Sign Whether to return a signed URL. Default value: true. Boolean No
    Protocol It can be http: (default) or https:. String No
    Domain Bucket endpoint. Default value: {BucketName-APPID}.cos.{Region}.myqcloud.com. String No
    Method HTTP request method, such as GET, POST, DELETE, or HEAD. Default value: GET. String No
    Query Request parameters to be included in the signature. Format: {key: 'val'}. Object No
    Headers Request headers to be included in the signature. Format: {key: 'val'}. Object No
    Expires Signature expiration time in seconds. Default value: 900. Number No

    Returned value description

    The returned value is a string. There are two possible scenarios:

    1. If the signature can be calculated synchronously (for example, the SecretId and SecretKey have been passed in during instantiation), the signed URL will be returned by default.
    2. Otherwise, an unsigned URL will be returned.

    Callback function description

    function(err, data) { ... }
    
    Parameter Description Type
    err The object returned when an error (network error or service error) occurs. If the request is successful, this parameter is empty. For more information, see Error Codes. Object
    data The object returned when the request is successful. If an error occurs with the request, this parameter is empty. Object
    - Url Calculated URL String
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support