Creating a Pre-Authenticated Request for Objects with a Specific Prefix
Create a pre-authenticated request for objects in an Object Storage bucket that begin with a specific prefix.
When you create a pre-authenticated request with a prefix, you're limiting the scope of the request to only those objects with that prefix.
For more information about pre-authenticated requests, see Using Pre-Authenticated Requests.
oci os preauth-request create --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <preauthenticated_request_name> --access-type <enum_value> --object-name="<prefix>" --time-expires <timestamp> [--bucket-listing-action ListObjects]
Avoid entering confidential information in the <preauthenticated_request_name>.
The <enum_value> for --access-type is one of the following when creating a pre-authenticated request for all objects in a bucket:
- AnyObjectRead permits reads on objects with the specified prefix
- AnyObjectWrite permits writes to objects with the specified prefix
- AnyObjectReadWrite permits both reads and writes to objects with the specified prefix
<timestamp> is required and must be an RFC 3339 timestamp. For example: 2017-09-01T00:09:51.000+02:00.
Specify the prefix to match on in the --object-name parameter:
- You can specify a prefix that includes one or more forward slashes (/) to match on object names that simulate a hierarchy or a directory structure.
- You can specify a prefix string without a delimiter to match on the left-most characters of the object name.
Listing objects is denied by default. If the --access-type is AnyObjectRead or AnyObjectReadWrite, you can specify the optional --bucket-listing-action ListObjects parameter when creating the pre-authenticated request that lets users list the objects in the bucket.
For example, to create a pre-authenticated request that allows reads and writes to objects with the prefix service in the bucket named MyParBucket:
oci os preauth-request create --namespace MyNamespace --bucket-name MyParBucket --name PrefixedObjectsReadWritePAR --access-type AnyObjectReadWrite --object-name service --time-expires "2022-11-21T23:00:00+00:00" --bucket-listing-action ListObjects
{
  "data": {
    "access-type": "AnyObjectReadWrite",
    "access-uri": "/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/",
    "bucket-listing-action": "ListObjects",
    "id": "YOExDlFsNYBNEwF8Uo4aK8WHiz59enVQm1aID+4cxFobgcaofVbZkg371rxK+6Vb",
    "name": "PrefixedObjectsReadWritePAR",
    "object-name": "service",
    "time-created": "2021-04-01T15:35:40.609000+00:00",
    "time-expires": "2022-11-21T23:00:00+00:00"
  }
}
Important
The access-uri provided by the system when you create a pre-authenticated request is the key element of the URL you need to construct to provide user access to the target objects. Copy the access-uri to durable storage. The access-uri is displayed only at the time of creation and cannot be retrieved later.
The unique pre-authenticated request URL provided to users for the previous example is constructed as follows:
https://objectstorage.<region_identifier>.oraclecloud.com<access-uri>
See About Regions and Availability Domains for the list of valid region identifiers.
For example, here is the complete URL for the request that allows reads and writes to objects with the prefix service in the bucket named MyParBucket:
https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/
When you create a pre-authenticated request that limits the scope to objects with a specific prefix, request users can only GET and PUT objects with the prefix name specified in the request. Trying to GET or PUT an object without or with a different prefix fails.
Here is an example of using curl to PUT an object using the pre-authenticated request that allows reads and writes to objects with the prefix service in the bucket named MyParBucket:
$ curl -X PUT --data-binary '@servicediscovery.dita' https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/servicediscovery.dita
Here is an example of using curl to GET objects using the same pre-authenticated request:
$ curl -X GET https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/
{"objects":[{"name":"servicechanges.html"},{"name":"servicediscovery.dita"},{"name":"serviceessentials.html"},{"name":"servicelogreference.htm"},{"name":"services.html"}]}
Notice the GET lists the recent PUT for servicediscovery.dita and all other objects with a service prefix. Optionally, you can use the fields query parameter to also include the size (object size in bytes), etag, md5, timeCreated (object creation date and time), timeModified (object modification date and time), storageTier, and archivalState fields. See Getting a list of objects for more details.
Here is another example of using curl to PUT an object using the same pre-authenticated request. The request fails because the object does not have a service prefix:
$ curl -X PUT --data-binary '@objectstoragelogreference.htm' https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/objectstoragelogreference.htm
{"code":"NotAuthenticated","message":"PAR does not exist"}
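The following review helper is an added example, not part of the original documentation. It takes the JSON returned by the create command and reports the scope properties described above (lifetime, write access, listing, a prefix without a delimiter), builds the user-facing URL, and predicts which object names fall under the prefix. The 7-day lifetime limit is an assumed local policy, the function names are hypothetical, and the access-uri token in the sample is a placeholder.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import quote

# Constructed sample: the fields of the CLI response shown on this page,
# with the access-uri token replaced by a placeholder.
SAMPLE = json.loads("""{"data": {
  "access-type": "AnyObjectReadWrite",
  "access-uri": "/p/<token>/n/MyNamespace/b/MyParBucket/o/",
  "bucket-listing-action": "ListObjects",
  "name": "PrefixedObjectsReadWritePAR",
  "object-name": "service",
  "time-created": "2021-04-01T15:35:40.609000+00:00",
  "time-expires": "2022-11-21T23:00:00+00:00"}}""")

def par_url(region, access_uri, object_name=""):
    """https://objectstorage.<region_identifier>.oraclecloud.com<access-uri>[object]"""
    return f"https://objectstorage.{region}.oraclecloud.com{access_uri}{quote(object_name)}"

def in_scope(prefix, object_name):
    """The prefix matches on the left-most characters of the object name."""
    return object_name.startswith(prefix)

def review(par, max_lifetime=timedelta(days=7)):
    """Return findings for one PAR; max_lifetime is an assumed local policy."""
    d = par["data"]
    findings = []
    lifetime = (datetime.fromisoformat(d["time-expires"])
                - datetime.fromisoformat(d["time-created"]))
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime.days}d exceeds {max_lifetime.days}d")
    if d["access-type"] in ("AnyObjectWrite", "AnyObjectReadWrite"):
        findings.append(f"{d['access-type']} grants write access")
    if d.get("bucket-listing-action") == "ListObjects":
        findings.append("holders of the URL can list object names")
    if "/" not in d["object-name"]:
        findings.append("prefix has no delimiter, so it also matches sibling names")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("-", finding)
    prefix = SAMPLE["data"]["object-name"]
    for name in ("servicediscovery.dita", "services.html",
                 "objectstoragelogreference.htm"):
        print(name, "in scope" if in_scope(prefix, name) else "rejected")
```

Run it against the saved output of each create command before the URL is handed out; the access-uri cannot be retrieved later, so the review has to happen at creation time.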
This task is not available in the API.