Using Pre-Authenticated Requests
Pre-authenticated requests provide a way to let users access a bucket or an object without having their own credentials. Users continue to have access to the bucket or object as long as the creator of the request has permissions to access those resources. For example, you can create a request that lets an operations support user upload backups to a bucket without owning API keys. Or, you can create a request that lets a business partner access all your quarterly financial reports in a bucket without owning API keys.
When you create a pre-authenticated request, a unique URL is generated. Anyone you provide this URL to can access the Object Storage resources identified in the pre-authenticated request, using standard HTTP tools like curl and wget.
Assess the business requirement for pre-authenticated access to a bucket or objects. A pre-authenticated request URL gives anyone who has the URL access to the targets identified in the request. Carefully manage the distribution of the URL.
To Create a Pre-Authenticated Request
To create or manage pre-authenticated requests, you need PAR_MANAGE permission to the target bucket.
While you only need PAR_MANAGE permission to create a pre-authenticated request, you must also have the appropriate permissions for the access type that you are granting. For example:
- If you are creating a pre-authenticated request for uploading objects to a bucket, you need OBJECT_OVERWRITE permissions in addition to PAR_MANAGE.
- If you are creating a pre-authenticated request for read/write access to objects in a bucket, you need OBJECT_OVERWRITE permissions in addition to PAR_MANAGE.
If the creator of a pre-authenticated request is deleted or loses the required permissions after they created the request, the request will no longer work.
To Use a Pre-Authenticated Request
Permissions of the pre-authenticated request creator are checked each time you use a pre-authenticated request. The pre-authenticated request no longer works when any of the following occurs:
- Permissions of the pre-authenticated request creator have changed.
- The user who created the pre-authenticated request is deleted.
- A federated user who created the pre-authenticated request has lost the user capabilities that they had when they created the request.
- Pre-authenticated request has expired or has been deleted.
You can create a pre-authenticated request that grants read, write, or read/write access to one of the following:
- All objects in the bucket.
- A specific object in the bucket.
- All objects in the bucket that have a specified prefix.
For requests that apply to multiple objects, you can also decide whether you want to let users list those objects.
Scope and Constraints
Understand the following scope and constraints regarding pre-authenticated requests:
- You can create an unlimited number of pre-authenticated requests.
- A pre-authenticated request created for all objects in a bucket lets request users upload any number of objects to the bucket.
- An expiration date is required, but there is no limit on how far out it can be. You can set it as far in the future as you want.
- You can't edit a pre-authenticated request. If you want to change user access options or enable object listing in response to changing requirements, you must create a new pre-authenticated request.
- By default, pre-authenticated requests for a bucket or for objects with a prefix cannot be used to list objects. You can explicitly enable object listing when you create a pre-authenticated request.
- When you create a pre-authenticated request that limits scope to objects with a specific prefix, request users can only PUT objects with the prefix name specified in the request. Trying to PUT an object without the specified prefix or with a different prefix fails.
- The target and actions for a pre-authenticated request are based on the creator's permissions. The request is not, however, bound to the creator's account login credentials. If the creator's login credentials change, a pre-authenticated request is not affected.
- Deleting a pre-authenticated request revokes user access to the associated bucket or object.
- Pre-authenticated requests cannot be used to delete buckets or objects.
- You cannot delete a bucket that has a pre-authenticated request associated with that bucket or with an object in that bucket.
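To make the access rules from "To Use a Pre-Authenticated Request" and "Scope and Constraints" concrete, here is an added example (constructed for this page, not Oracle's own code) that models how each use of a pre-authenticated request is evaluated: against the creator's current permissions, the request's target, its expiry, and the action attempted. PAR_MANAGE and OBJECT_OVERWRITE are the permission names the page uses; OBJECT_READ and OBJECT_INSPECT are assumed names for the read and list permissions, and the creator "ops" and object names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed model (not OCI's code) of this page's rules: each use of a PAR is
# checked against the creator's CURRENT permissions, the PAR's target and expiry,
# and the action. OBJECT_READ/OBJECT_INSPECT are assumed names for read and list.
NEEDED = {"GET": "OBJECT_READ", "PUT": "OBJECT_OVERWRITE", "LIST": "OBJECT_INSPECT"}
@dataclass
class PAR:
    creator: str
    access: str                  # "read", "write" or "readwrite"
    expires: datetime
    object_name: str = None      # exact-object target
    prefix: str = None           # prefix target; both None = whole bucket
    allow_listing: bool = False  # listing is off unless enabled at creation
    deleted: bool = False        # deleting the PAR revokes access
def authorize(par, method, name, now, creator_perms):
    """creator_perms: the creator's current permission set, or None if deleted."""
    if par.deleted or now >= par.expires:
        return False, "par expired or deleted"
    if creator_perms is None or "PAR_MANAGE" not in creator_perms:
        return False, "creator deleted or lost PAR_MANAGE"
    if method == "DELETE":
        return False, "pars never allow delete"
    if method == "LIST":
        if par.object_name is not None or not par.allow_listing:
            return False, "listing not enabled"
    elif (method, par.access) in (("GET", "write"), ("PUT", "read")):
        return False, "action not covered by access type"
    elif par.object_name is not None and name != par.object_name:
        return False, "object outside par target"
    elif par.prefix is not None and not name.startswith(par.prefix):
        return False, "object outside prefix"
    if NEEDED[method] not in creator_perms:
        return False, "creator lost permission for this action"
    return True, "ok"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
OPS = {"PAR_MANAGE", "OBJECT_OVERWRITE"}          # constructed creator permissions
BACKUP_PAR = PAR("ops", "write", NOW + timedelta(days=30), prefix="backups/")
def demo():
    # The page's backup-upload scenario: only PUTs under backups/ succeed.
    cases = {
        "put_in_prefix": ("PUT", "backups/db.tgz", NOW, OPS),
        "put_other_prefix": ("PUT", "reports/q1.pdf", NOW, OPS),
        "list_denied": ("LIST", "", NOW, OPS),
        "delete_denied": ("DELETE", "backups/db.tgz", NOW, OPS),
        "expired": ("PUT", "backups/db.tgz", NOW + timedelta(days=31), OPS),
        "creator_gone": ("PUT", "backups/db.tgz", NOW, None),
        "lost_permission": ("PUT", "backups/db.tgz", NOW, {"PAR_MANAGE"}),
    }
    return {k: authorize(BACKUP_PAR, *v)[0] for k, v in cases.items()}
```

Only the in-prefix upload is allowed; every other case in demo() is refused for the reason the corresponding bullet above gives, which is the behaviour to expect when a creator leaves, loses a permission, or the request expires.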