Temporary keys are temporary access credentials provided by Security Token Service (STS). A temporary key consists of three parts: TmpSecretId, TmpSecretKey, and token. Compared with a permanent key, a temporary key has the following characteristics:
policyparameter to further constrain the user's permission scope.
Therefore, temporary keys are suitable for temporary authorization scenarios such as frontend direct upload. Compared with permanent keys, temporary keys are more secure to be distributed to untrusted users.
You can get a temporary key via COS STS SDK or by calling the STS API directly.
For more information, see Generating and Using Temporary Keys.
You need a CAM user account (Tencent Cloud root account or sub-account) to apply for a temporary key. When getting a temporary key, you can pass in the
policy parameter to add a temporary policy to the temporary key to further constrain the user's permission scope.
policyparameter is not set, the temporary key obtained has the same permissions as those of the CAM user.
policyparameter is set, the temporary key obtained will, based on the CAM user's permissions, further constrain the permission scope to the scope specified by the
Assume that A represents the original permissions of the CAM user, B represents the permissions that are set for the temporary key by using the
policy parameter, and the intersection of A and B is the final valid permissions of the temporary key.
As shown in the figure below, the intersection of the CAM user permissions and the temporary permissions specified by
policy is valid permissions:
As shown in the figure below, the temporary permissions specified by
policy are within the CAM user permissions, and therefore, the temporary permissions specified by
policy are valid permissions.
A temporary key consists of a SecretId, a SecretKey, and a token. Multiple temporary keys can be generated for each root account or sub-account. Compared with permanent keys, temporary keys have shorter validity periods (30 minutes to 36 hours). Therefore, temporary keys are suitable for temporary authorization scenarios such as frontend direct upload. Compared with permanent keys, temporary keys are more secure to be distributed to untrusted users. For more information, see Generating and Using Temporary Keys and Temporary Key Security Guide for Frontend Direct Upload to COS.
Authorizationto form a signed request. Upon receiving the request, COS verifies whether the signature is valid and whether the temporary key has expired.
The following is an example of the corresponding Java SDK code. For demos of other languages, see the corresponding quick start documentation in SDK Overview.
// 1. Pass in the obtained temporary key (tmpSecretId, tmpSecretKey, sessionToken). String tmpSecretId = "SECRETID"; String tmpSecretKey = "SECRETKEY"; String sessionToken = "TOKEN"; BasicSessionCredentials cred = new BasicSessionCredentials(tmpSecretId, tmpSecretKey, sessionToken); // 2. Set the bucket region. For abbreviations of COS regions, please visit https://www.tencentcloud.com/document/product/436/6224?from_cn_redirect=1. // `clientConfig` contains the set methods to set region, HTTPS (HTTP by default), timeout, and proxy. For detailed usage, please see the source code or the FAQs about the SDK for Java. Region region = new Region("COS_REGION"); ClientConfig clientConfig = new ClientConfig(region); // 3. Generate a COS client. COSClient cosClient = new COSClient(cred, clientConfig);
Temporary keys are used to authorize third parties to temporarily access COS. For example, when a user develops a client app and stores data in a COS bucket, it is unsafe to store the permanent key directly on the app client, but the client needs to be granted the upload and download permissions. For this scenario, you can use a temporary key.
As shown in the figure above, the user has developed the app client, and the permanent key is stored in the user server. The following steps are required to use a temporary key for frontend direct upload:
Temporary keys are applicable to frontend direct data upload scenarios. You can use temporary keys by referring to the following best practices: