Creating a Pre-Authenticated Request for Objects with a Specific Prefix

Create a pre-authenticated request for objects in an Object Storage bucket that begin with a specific prefix.

When you create a pre-authenticated request with a prefix, you're limiting the scope of the request to only those objects with that prefix.

For more information about pre-authenticated requests, see Using Pre-Authenticated Requests.

    1. Open the navigation menu and click Storage. Under Object Storage & Archive Storage, click Buckets.
    2. Choose the compartment that contains the bucket.
    3. Click the Actions menu to the right of the bucket name, and select Create Pre-Authenticated Request.
    4. In the Create Pre-Authenticated Request panel, provide the following information:
      • Name: The system generates a request name that reflects the current year, month, day, and time, for example, par-object-prefix-20210330-1723. If you change this default name, use only letters, numbers, dashes, underscores, and periods. Avoid entering confidential information.

      • Pre-Authenticated Request Target: Select Objects with prefix.
      • Prefix: Enter the prefix string that identifies the objects that the pre-authenticated request applies to.
        • You can specify a prefix that includes one or more forward slashes (/) to match object names that simulate a hierarchy or a directory structure.
        • You can specify a prefix string without a delimiter to match the left-most characters of the object name.

        For details, see Object Naming Using Prefixes and Hierarchies.

      • Access Type: Select the kind of access that the pre-authenticated request users have for the objects.
      • Enable Object Listing: Select this option if you want to allow the pre-authenticated request users to list the prefixed objects.
      • Expiration: Accept the system-generated expiration date of one week, or use the date and time editor to set a different expiration date and time.
    5. Click Create Pre-Authenticated Request.
      The Pre-Authenticated Request Details dialog box displays the URL used to access the bucket.
    6. Click the copy icon to the right of the URL and paste the URL somewhere in durable storage for future reference.
      Important

      • The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation, is not stored in Object Storage, and can't be retrieved later.
      • The URL generated when you create a pre-authenticated request for an object with a prefix doesn’t contain the prefix by default. The user must manually add the prefix to the URL to be able to access the object.
    7. Click Close.
  • When you create a pre-authenticated request with a prefix, you are limiting the scope of the request to only those objects with that prefix. Use the oci os preauth-request create command with the --object-name parameter:

    oci os preauth-request create --namespace <object_storage_namespace> --bucket-name <bucket_name> --name <preauthenticated_request_name> --access-type <enum_value> --object-name="<prefix>" --time-expires <timestamp> [--bucket-listing-action ListObjects]

    Avoid entering confidential information in the <preauthenticated_request_name>.

    The <enum_value> for --access-type is one of the following when creating a pre-authenticated request for objects with a specific prefix:

    1. AnyObjectRead permits reads on objects with the specified prefix
    2. AnyObjectWrite permits writes to objects with the specified prefix
    3. AnyObjectReadWrite permits both reads and writes to objects with the specified prefix

    <timestamp> is required and must be an RFC 3339 timestamp. For example: 2017-09-01T00:09:51.000+02:00.

    Specify the prefix to match on in the --object-name parameter:

    • You can specify a prefix that includes one or more forward slashes (/) to match on object names that simulate a hierarchy or a directory structure.
    • You can specify a prefix string without a delimiter to match on the left-most characters of the object name.

    Listing objects is denied by default. If the --access-type is AnyObjectRead or AnyObjectReadWrite, you can add the optional --bucket-listing-action ListObjects parameter when you create the pre-authenticated request to let users list the objects with the specified prefix.

    For example, to create a pre-authenticated request that allows reads and writes to objects with the prefix service in the bucket named MyParBucket:

    oci os preauth-request create --namespace MyNamespace --bucket-name MyParBucket --name PrefixedObjectsReadWritePAR --access-type AnyObjectReadWrite --object-name service --time-expires "2022-11-21T23:00:00+00:00" --bucket-listing-action ListObjects

    {
      "data": {
        "access-type": "AnyObjectReadWrite",
        "access-uri": "/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/",
        "bucket-listing-action": "ListObjects",
        "id": "YOExDlFsNYBNEwF8Uo4aK8WHiz59enVQm1aID+4cxFobgcaofVbZkg371rxK+6Vb",
        "name": "PrefixedObjectsReadWritePAR",
        "object-name": "service",
        "time-created": "2021-04-01T15:35:40.609000+00:00",
        "time-expires": "2022-11-21T23:00:00+00:00"
      }
    }

    Important

    The access-uri provided by the system when you create a pre-authenticated request is the key element of the URL you need to construct to provide user access to the target objects. Copy the access-uri to durable storage. The access-uri is displayed only at the time of creation and cannot be retrieved later.

    The unique pre-authenticated request URL provided to users for the previous example is constructed as follows:

    https://objectstorage.<region_identifier>.oraclecloud.com<access-uri>

    See About Regions and Availability Domains for the list of valid region identifiers.

    For example, here is the complete URL for the request that allows reads and writes to objects with the prefix service in the bucket named MyParBucket:

    https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/

    When you create a pre-authenticated request that limits the scope to objects with a specific prefix, request users can only GET and PUT objects whose names begin with the prefix specified in the request. Trying to GET or PUT an object whose name lacks the prefix or has a different prefix fails.

    Here is an example of using curl to PUT an object using the pre-authenticated request that allows reads and writes to objects with the prefix service in the bucket named MyParBucket:

    $ curl -X PUT --data-binary '@servicediscovery.dita' https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/servicediscovery.dita
    

    Here is an example of using curl to GET objects using the same pre-authenticated request:

    $ curl -X GET https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/
    {"objects":[{"name":"servicechanges.html"},{"name":"servicediscovery.dita"},{"name":"serviceessentials.html"},{"name":"servicelogreference.htm"},{"name":"services.html"}]}

    Notice that the GET lists the object just uploaded with PUT, servicediscovery.dita, along with all other objects that have the service prefix. Optionally, you can use the fields query parameter to also include the size (object size in bytes), etag, md5, timeCreated (object creation date and time), timeModified (object modification date and time), storageTier, and archivalState fields. See Getting a list of objects for more details.

    Here is another example of using curl to PUT an object using the same pre-authenticated request. The request fails because the object does not have a service prefix:

    $ curl -X PUT --data-binary '@objectstoragelogreference.htm' https://objectstorage.us-phoenix-1.oraclecloud.com/p/l04eqXvxQ5HcnrXkWS8Kdf4mS812KLDyG_dbArXa8hDdHssXTKiUD0w2HNCEDS4W/n/MyNamespace/b/MyParBucket/o/objectstoragelogreference.htm
    {"code":"NotAuthenticated","message":"PAR does not exist"}
  • This task is not available in the API.
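
The prefix scoping and URL construction described for the CLI above, as an added Python example (not Oracle's code). It takes a create response in the shape shown on this page, builds per-object URLs only for names the prefix covers, and reports how widely the request is scoped. The function names, the placeholder token, and the seven-day threshold (taken from the Console's default expiration) are assumptions.

```python
import json
from datetime import datetime
from urllib.parse import quote

# Constructed sample: the create response shown above, with the token replaced
# by a placeholder and the "id" and "name" fields dropped.
PAR = json.loads("""
{"data": {"access-type": "AnyObjectReadWrite",
          "access-uri": "/p/TOKEN_PLACEHOLDER/n/MyNamespace/b/MyParBucket/o/",
          "bucket-listing-action": "ListObjects",
          "object-name": "service",
          "time-created": "2021-04-01T15:35:40.609000+00:00",
          "time-expires": "2022-11-21T23:00:00+00:00"}}
""")["data"]


def in_scope(par, object_name):
    """Left-most character match: the name must start with the PAR prefix."""
    return object_name.startswith(par["object-name"])


def object_url(par, region, object_name):
    """Build the full URL for one object, refusing names outside the prefix."""
    if not in_scope(par, object_name):
        raise ValueError(f"{object_name!r} is outside prefix {par['object-name']!r}")
    # quote() percent-encodes unsafe characters but keeps "/" for hierarchical names.
    return (f"https://objectstorage.{region}.oraclecloud.com"
            f"{par['access-uri']}{quote(object_name)}")


def review(par, max_days=7):
    """Return scope findings; max_days is an assumed policy threshold."""
    findings = []
    created = datetime.fromisoformat(par["time-created"])
    expires = datetime.fromisoformat(par["time-expires"])
    days = (expires - created).days
    if days > max_days:
        findings.append(f"lifetime {days} days exceeds {max_days}")
    if "Write" in par["access-type"]:
        findings.append("write access granted")
    if par.get("bucket-listing-action") == "ListObjects":
        findings.append("object listing enabled")
    if not par["object-name"].endswith("/"):
        findings.append("prefix has no trailing delimiter")
    return findings
```

Because matching is on the left-most characters, the prefix service also covers services.html and servicelogreference.htm; a prefix that ends in a forward slash limits the request to one simulated directory.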