Object Storage Service (OBS) : pre signed URL for Object Storage
Flexible Engine
Release Notes
January, 2022
Each request initiated by an app client applies for a presigned URL from the app server. The validity period of the presigned URL is 900 seconds (feature update ongoing to allow duration setting). Figure 1 describes the process.
Figure 1 Process for a mobile app to access data in OBS
Role Analysis
- App client: End user’s mobile app. It requests a presigned URL from the app server, and uploads data to or downloads data from OBS.
- App server: A backend provided by developers of Android or iOS apps. It manages the credential information and issues presigned URLs.
- OBS: HUAWEI CLOUD’s object storage service. It processes requests from mobile apps.
Workflow
1. An app client requests a presigned URL from the app server.Access keys (AK and SK) are not required for accessing OBS from Android or iOS apps. But a presigned URL must be obtained from the app server before accessing OBS, and required information must be carried in the URL, including the request type, resource path, and resource name. For example, an upload request needs to indicate that the URL is for uploading data. In the URL, the upload path and object name are specified. Similarly, a URL for downloading data should contain the name of the object to be downloaded.
2. As a trusted device, the application server stores access keys (AK and SK). After verifying that the client is valid, the app server generates a presigned URL using the stored access keys (AK and SK), in accordance with the operation type and resources to be accessed by the client.
The following is a sample URL:
https://examplebucket.obs.cn-north-4.myhuaweicloud.com/objectkey?AccessKeyId=_AccessKeyID_&Expires=1532779451&Signature=0Akylf43Bm3mD1bh2rM3dmVp1Bo%3D *
3. Android/iOS mobile apps obtain the URL and use the URL to perform desired operations, such as uploading and downloading data.The URL contains the access key ID (AK) of the user, signature, validity period, and resource information. Anyone who has the URL can perform the operation. After receiving the request and verifying the signature, OBS deems that the request is executed by the user who issues the URL. For example, you can construct an object download URL with signature information, but the URL is valid only within the expiration time specified by Expires. If temporary access keys are used, the URL validity period is the smaller value of either the expiration time specified by Expires or the validity period of the temporary access keys. The URL that carries the signature is used to allow others to use the presigned URL for identity authentication when the SK is not provided, and perform the predefined operation.
More information