Help & Documentation>Cloud Object Storage>SDK Documentation>Python SDK>Object Operations>Generating Pre-Signed URLs

Generating Pre-Signed URLs

Last updated: 2023-09-13 11:04:57

On this page:

Feature Overview

The Python SDK provides interfaces for obtaining signatures, pre-signed URLs, and downloading pre-signed URLs, which are used for request distribution. The methods for obtaining pre-signed URLs using permanent keys or temporary keys are the same. When using temporary keys, you need to add x-cos-security-token to the header or query_string.
For instructions on using pre-signed URLs for uploads, please refer to Pre-signed Authorization Upload. For instructions on using pre-signed URLs for downloads, please refer to Pre-signed Authorization Download.
Note:
When getting a signature, you are strongly advised to include sensitive request headers and parameters in the signature to prevent related request headers and parameters from being tampered with by users and prevent permission trespassing. In addition, the SDK will include the requested domain name in the signature by default. If the requested domain name is modified after distribution, the access will fail. In this case, you can ignore the requested domain name in the input parameters when getting the signature. See the request examples below for details.
We recommend users to generate pre-signed URLs using temporary keys to further enhance the security of pre-signed upload, download, and other requests through temporary authorization. When applying for temporary keys, please follow the Principle of Least Privilege to prevent the leakage of resources beyond the target storage bucket or object.
If you need to use a permanent key to generate a pre-signed URL, you are advised to limit the permission of the permanent key to uploads and downloads only to avoid risks.

Getting Pre-Signed URLs

Note

The SDK allows you to get a pre-signed URL that can be used for distribution purposes.

Method prototype

get_presigned_url(Bucket, Key, Method, Expired=300, Params={}, Headers={})

Sample request 1. Generate a pre-signed upload URL

# -*- coding=utf-8
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
import sys
import os
import logging
import requests

# Under normal circumstances, use the INFO log level. To locate issues, change it to DEBUG, and the SDK will print communication information with the server.
logging.basicConfig(level=logging.INFO, stream=sys.stdout)

# 1. Set user properties, including secret_id, secret_key, region, etc. Appid has been removed from CosConfig, please include Appid in the Bucket parameter. Bucket is composed of BucketName-Appid.
secret_id = os.environ['COS_SECRET_ID']     # User <1>SecretId</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
secret_key = os.environ['COS_SECRET_KEY']   # User <1>SecretKey</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
region = 'ap-beijing'      # Replace it with the actual region, which can be viewed in the console at https://console.cloud.tencent.com/cos5/bucket.
                           For a list of all regions supported by COS, visit https://cloud.tencent.com/document/product/436/6224
token = None               # Token is required for temporary keys but not permanent keys. For more information about how to generate and use a temporary key, see https://cloud.tencent.com/document/product/436/14048.
scheme = 'https'           # Specify whether to use HTTP or HTTPS protocol to access COS. This is optional and is https by default.

config = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key, Token=token, Scheme=scheme)
client = CosS3Client(config)

# Generate upload URL without restricting request headers and parameters
url = client.get_presigned_url(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate an upload URL while limiting the storage type and upload speed
url = client.get_presigned_url(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={
        'x-cos-storage-class':'STANDARD_IA', 
        'x-cos-traffic-limit':'819200' # Although the pre-signed URL itself does not contain request headers, the headers are included in the signature. Therefore, when using the URL, you must carry the request headers, and the header values must be the ones specified here.
    },
    Expired=300  # Expires after 300 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate upload URL, can only upload specified file content
url = client.get_presigned_url(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={'Content-MD5':'string'}, # The user who uploads the object using this URL must carry the MD5 request header, and the value of the request header must be the value specified here, thus limiting the content of the file.
    Expired=300  # Expires after 300 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate upload URL, can only be used for uploading ACL
url = client.get_presigned_url(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={'acl': ''}, # If a request parameter is specified, the URL will carry this request parameter, and the parameter will be included in the signature, preventing users from modifying the parameter value.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate an upload URL, excluding the request domain from the signature. Use this when the user needs to modify the request domain after signing.
url = client.get_presigned_url(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    SignHost=False, # The requested domain name is not included in the signature, allowing users to modify the requested domain name, which poses a certain security risk.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Using Upload URL
response = requests.put(url=url, data=b'123')
print(response)

Sample request 2. Generate a pre-signed download URL

# -*- coding=utf-8
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
import sys
import os
import logging
import requests

# Under normal circumstances, use the INFO log level. To locate issues, change it to DEBUG, and the SDK will print communication information with the server.
logging.basicConfig(level=logging.INFO, stream=sys.stdout)

# 1. Set user properties, including secret_id, secret_key, region, etc. Appid has been removed from CosConfig, please include Appid in the Bucket parameter. Bucket is composed of BucketName-Appid.
secret_id = os.environ['COS_SECRET_ID']     # User <1>SecretId</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
secret_key = os.environ['COS_SECRET_KEY']   # User <1>SecretKey</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
region = 'ap-beijing'      # Replace it with the actual region, which can be viewed in the console at https://console.cloud.tencent.com/cos5/bucket.
                           For a list of all regions supported by COS, visit https://cloud.tencent.com/document/product/436/6224
token = None               # Token is required for temporary keys but not permanent keys. For more information about how to generate and use a temporary key, see https://cloud.tencent.com/document/product/436/14048.
scheme = 'https'           # Specify whether to use HTTP or HTTPS protocol to access COS. This is optional and is https by default.

config = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key, Token=token, Scheme=scheme)
client = CosS3Client(config)

# Generate download URL without restricting request headers and parameters
url = client.get_presigned_url(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate a download URL, and specify the response content-disposition header to prompt the browser to save the file instead of displaying it.
url = client.get_presigned_url(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={
        'response-content-disposition':'attachment; filename=example.xlsx' # Save as the specified file when downloading
        # In addition to response-content-disposition, it also supports response-cache-control, response-content-encoding, and response-content-language.
        Request parameters such as response-content-type and response-expires can be found in the Download Object API documentation: https://cloud.tencent.com/document/product/436/7753
    },
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate Download URL while limiting download speed
url = client.get_presigned_url(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={'x-cos-traffic-limit':'819200'}, # The pre-signed URL itself does not contain request headers, but the headers are included in the signature. Therefore, when using the URL, you must carry the request headers, and the header values must be the ones specified here.
    Expired=300  # Expires after 300 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate download URL, can only be used for downloading ACLs
url = client.get_presigned_url(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={'acl': ''}, # If a request parameter is specified, the URL will carry this request parameter, and the parameter will be included in the signature, preventing users from modifying the parameter value.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate Download URL, excluding the request domain name from the signature, used when the user needs to modify the request domain name after signing.
url = client.get_presigned_url(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    SignHost=False, # The requested domain name is not included in the signature, allowing users to modify the requested domain name, which poses a certain security risk.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Using Download URL
response = requests.get(url)
print(response)

Sample request 3. Generate a pre-signed download URL with a temporary key

# -*- coding=utf-8
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
import sys
import os
import logging
import requests

# Under normal circumstances, use the INFO log level. To locate issues, change it to DEBUG, and the SDK will print communication information with the server.
logging.basicConfig(level=logging.INFO, stream=sys.stdout)

# 1. Set user properties, including secret_id, secret_key, region, etc. Appid has been removed from CosConfig, please include Appid in the Bucket parameter. Bucket is composed of BucketName-Appid.
secret_id = os.environ['COS_SECRET_ID']     # User <1>SecretId</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
secret_key = os.environ['COS_SECRET_KEY']   # User <1>SecretKey</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
region = 'ap-beijing'      # Replace it with the actual region, which can be viewed in the console at https://console.cloud.tencent.com/cos5/bucket.
                           For a list of all regions supported by COS, visit https://cloud.tencent.com/document/product/436/6224
token = None               # Token is required for temporary keys but not permanent keys. For more information about how to generate and use a temporary key, see https://cloud.tencent.com/document/product/436/14048.
scheme = 'https'           # Specify whether to use HTTP or HTTPS protocol to access COS. This is optional and is https by default.

config = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key, Token=token, Scheme=scheme)
client = CosS3Client(config)

# Generate Download URL
url = client.get_presigned_url(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={'x-cos-traffic-limit':'819200'}, # The pre-signed URL itself does not contain request headers, but the headers are included in the signature. Therefore, when using the URL, you must carry the request headers, and the header values must be the ones specified here.
    Params={
        'x-cos-security-token': 'string' # When using temporary keys, you need to fill in the Token as a request parameter
    },
    Expired=120,  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
    SignHost=False # The request domain name is not included in the signature. This is used when the user needs to modify the request domain name after signing, which carries a certain security risk.
)
print(url)

# Using Download URL
response = requests.get(url)
print(response)

Sample request with all parameters

response = client.get_presigned_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Method='PUT'|'POST'|'GET'|'DELETE'|'HEAD',
    Expired=300,
    Headers={
        'header1': 'string',
        'header2': 'string',
    },
    Params={
        'param1': 'string',
        'param2': 'string'
    },
    SignHost=True|False
)

Description

Parameter name
ParameterDescription
Local Disk Types
Required
Bucket
Bucket name in the format of BucketName-APPID
String
Required
Key
The object key (Key) is the unique identifier of an object in a bucket. For example, in the object access domain examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com/doc/pic.jpg, the object key is doc/pic.jpg (URL encoding is not required for users).
String
Required
Method
Operation method. Valid values: 'PUT', 'POST', 'GET', 'DELETE', 'HEAD'
String
Required
Expired
Specifies the time in seconds before a signature expires
Int
Not required
Params
Request parameters in a pre-signed URL. If a request parameter is specified, it will be carried in the URL and included in the signature, and its value cannot be modified by users. The request parameters that can be signed depend on the corresponding operations. For example, for request parameters that can be carried and signed for object download, see the description of the request parameters of the GET Object API.
Dict
Not required
Headers
Request headers that need to be signed in a pre-signed URL. The pre-signed URL itself does not include request headers, but request headers are included in the signature. Therefore, the URL must carry the request headers and their values specified by this parameter. The request headers that can be signed depend on the corresponding operations. For example, for request headers that can be signed for object upload, see the description of the request headers of the PUT Object API.
Dict
Not required
SignHost
Whether to include the request domain name in the signature. The default value is True. To allow users to modify the request domain name after signing, set this parameter to False.
Bool
Not required

Response description

A pre-signed URL is returned upon success.

Getting Pre-Signed Download URLs

Note

The SDK allows you to get a pre-signed download URL that can be used to directly download an object.

Method prototype

get_presigned_download_url(Bucket, Key, Expired=300, Params={}, Headers={})

Sample Request

# -*- coding=utf-8
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
import sys
import os
import logging
import requests

# Under normal circumstances, use the INFO log level. To locate issues, change it to DEBUG, and the SDK will print communication information with the server.
logging.basicConfig(level=logging.INFO, stream=sys.stdout)

# 1. Set user properties, including secret_id, secret_key, region, etc. Appid has been removed from CosConfig, please include Appid in the Bucket parameter. Bucket is composed of BucketName-Appid.
secret_id = os.environ['COS_SECRET_ID']     # User <1>SecretId</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
secret_key = os.environ['COS_SECRET_KEY']   # User <1>SecretKey</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
region = 'ap-beijing'      # Replace it with the actual region, which can be viewed in the console at https://console.cloud.tencent.com/cos5/bucket.
                           For a list of all regions supported by COS, visit https://cloud.tencent.com/document/product/436/6224
token = None               # Token is required for temporary keys but not permanent keys. For more information about how to generate and use a temporary key, see https://cloud.tencent.com/document/product/436/14048.
scheme = 'https'           # Specify whether to use HTTP or HTTPS protocol to access COS. This is optional and is https by default.

config = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key, Token=token, Scheme=scheme)
client = CosS3Client(config)

# Generate download URL without restricting request headers and parameters
url = client.get_presigned_download_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate a download URL, and specify the response content-disposition header to prompt the browser to save the file instead of displaying it.
url = client.get_presigned_download_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={
        'response-content-disposition':'attachment; filename=example.xlsx' # Save as the specified file when downloading
        # In addition to response-content-disposition, it also supports response-cache-control, response-content-encoding, and response-content-language.
        Request parameters such as response-content-type and response-expires can be found in the Download Object API documentation: https://cloud.tencent.com/document/product/436/7753
    },
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate Download URL while limiting download speed
url = client.get_presigned_download_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={'x-cos-traffic-limit':'819200'}, # The pre-signed URL itself does not contain request headers, but the headers are included in the signature. Therefore, when using the URL, you must carry the request headers, and the header values must be the ones specified here.
    Expired=300  # Expires after 300 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate download URL, can only be used for downloading ACLs
url = client.get_presigned_download_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={'acl': ''}, # If a request parameter is specified, the URL will carry this request parameter, and the parameter will be included in the signature, preventing users from modifying the parameter value.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate Download URL, excluding the request domain name from the signature, used when the user needs to modify the request domain name after signing.
url = client.get_presigned_download_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    SignHost=False, # The requested domain name is not included in the signature, allowing users to modify the requested domain name, which poses a certain security risk.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(url)

# Generate download URL, signed with temporary key
url = client.get_presigned_download_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={
        'x-cos-security-token': 'string'  # No need to enter a token when using a permanent key; enter a token if using a temporary key.
    }
)
print(url)

# Using Download URL
response = requests.get(url)
print(response)

Sample request with all parameters

response = client.get_presigned_download_url(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Expired=300,
    Headers={
        'header1': 'string'
    },
    Params={
        'param1': 'string',
        'param2': 'string'
    },
    SignHost=True|False
)

Description

Parameter name
ParameterDescription
Local Disk Types
Required
Bucket
Bucket name in the format of BucketName-APPID
String
Required
Key
The object key (Key) is the unique identifier of an object in a bucket. For example, in the object access domain examplebucket-1250000000.cos.ap-guangzhou.myqcloud.com/doc/pic.jpg, the object key is doc/pic.jpg (URL encoding is not required for users).
String
Required
Expired
Specifies the time in seconds before a signature expires
Int
Not required
Params
Request parameters in a pre-signed URL. If a request parameter is specified, it will be carried in the URL and included in the signature, and its value cannot be modified by users. The request parameters that can be signed depend on the corresponding operations. For example, for request parameters that can be carried and signed for object download, see the description of the request parameters of the GET Object API.
Dict
Not required
Headers
Request headers that need to be signed in a pre-signed URL. The pre-signed URL itself does not include request headers, but request headers are included in the signature. Therefore, the URL must carry the request headers and their values specified by this parameter. The request headers that can be signed depend on the corresponding operations. For example, for request headers that can be signed for object upload, see the description of the request headers of the PUT Object API.
Dict
Not required
SignHost
Whether to include the request domain name in the signature. The default value is True. To allow users to modify the request domain name after signing, set this parameter to False.
Bool
Not required

Response description

A pre-signed download URL is returned upon success.

Getting Signatures

Note

The SDK allows you to obtain a signature for a specified operation. This feature is commonly used for signature distribution to mobile devices.

Method prototype

get_auth(Method, Bucket, Key, Expired=300, Headers={}, Params={})

Sample request 1. Generate an upload signature

# -*- coding=utf-8
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
import sys
import os
import logging

# Under normal circumstances, use the INFO log level. To locate issues, change it to DEBUG, and the SDK will print communication information with the server.
logging.basicConfig(level=logging.INFO, stream=sys.stdout)

# 1. Set user properties, including secret_id, secret_key, region, etc. Appid has been removed from CosConfig, please include Appid in the Bucket parameter. Bucket is composed of BucketName-Appid.
secret_id = os.environ['COS_SECRET_ID']     # User <1>SecretId</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
secret_key = os.environ['COS_SECRET_KEY']   # User <1>SecretKey</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
region = 'ap-beijing'      # Replace it with the actual region, which can be viewed in the console at https://console.cloud.tencent.com/cos5/bucket.
                           For a list of all regions supported by COS, visit https://cloud.tencent.com/document/product/436/6224
token = None               # Token is required for temporary keys but not permanent keys. For more information about how to generate and use a temporary key, see https://cloud.tencent.com/document/product/436/14048.
scheme = 'https'           # Specify whether to use HTTP or HTTPS protocol to access COS. This is optional and is https by default.

config = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key, Token=token, Scheme=scheme)
client = CosS3Client(config)

# Generate upload signature without restricting request headers and parameters
response = client.get_auth(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate an upload signature while limiting storage type and upload speed
response = client.get_auth(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={
        'x-cos-storage-class':'STANDARD_IA', 
        'x-cos-traffic-limit': '819200' # It is agreed that the user of this signature must carry the link speed limit request header, and the value of the request header must be the value specified here.
    },
    Expired=300  # Expires after 300 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate an upload signature, allowing only the upload of specified file content.
response = client.get_auth(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={'Content-MD5': 'string'}, # The user who agrees to use this signature must carry the MD5 request header, and the value of the request header must be the value specified here, thus limiting the content of the file.
    Expired=300  # Expires after 300 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate an upload signature, which can only be used for uploading ACLs.
response = client.get_auth(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={'acl': ''}, # It is agreed that the person using this signature carries this ACL request parameter, so the request can only be used for uploading object ACLs.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate an upload signature without including the request domain in the signature, used when the user needs to modify the request domain after signing.
response = client.get_auth(
    Method='PUT',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    SignHost=False, # The requested domain name is not included in the signature, allowing users to modify the requested domain name, which poses a certain security risk.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(response)

Sample request 2: Generate a download signature

# -*- coding=utf-8
from qcloud_cos import CosConfig
from qcloud_cos import CosS3Client
import sys
import os
import logging

# Under normal circumstances, use the INFO log level. To locate issues, change it to DEBUG, and the SDK will print communication information with the server.
logging.basicConfig(level=logging.INFO, stream=sys.stdout)

# 1. Set user properties, including secret_id, secret_key, region, etc. Appid has been removed from CosConfig, please include Appid in the Bucket parameter. Bucket is composed of BucketName-Appid.
secret_id = os.environ['COS_SECRET_ID']     # User <1>SecretId</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
secret_key = os.environ['COS_SECRET_KEY']   # User <1>SecretKey</1>. We recommend that you use a sub-account key and follow the principle of least privilege to reduce risks. For more information on how to obtain a sub-account key, visit https://cloud.tencent.com/document/product/598/37140.
region = 'ap-beijing'      # Replace it with the actual region, which can be viewed in the console at https://console.cloud.tencent.com/cos5/bucket.
                           For a list of all regions supported by COS, visit https://cloud.tencent.com/document/product/436/6224
token = None               # Token is required for temporary keys but not permanent keys. For more information about how to generate and use a temporary key, see https://cloud.tencent.com/document/product/436/14048.
scheme = 'https'           # Specify whether to use HTTP or HTTPS protocol to access COS. This is optional and is https by default.

config = CosConfig(Region=region, SecretId=secret_id, SecretKey=secret_key, Token=token, Scheme=scheme)
client = CosS3Client(config)


# Generate download signature without restricting request headers and parameters
response = client.get_auth(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate a download signature while limiting the download speed
response = client.get_auth(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Headers={'x-cos-traffic-limit':'819200'}, # It is agreed that the user of this signature must carry the link speed limit request header, and the value of the request header must be the value specified here.
    Expired=300  # Expires after 300 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate a download signature, which can only be used for downloading ACLs.
response = client.get_auth(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={'acl': ''}, # It is agreed that the person using this signature carries this ACL request parameter, so the request can only be used for downloading object ACL.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate a download signature without including the request domain in the signature. Use this when the user needs to modify the request domain after signing.
response = client.get_auth(
    Method='GET',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    SignHost=False, # The requested domain name is not included in the signature, allowing users to modify the requested domain name, which poses a certain security risk.
    Expired=120  # Expires after 120 seconds. Set the expiration time according to your specific scenario.
)
print(response)

# Generate download signature using temporary key for signing
response = client.get_auth(
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Params={
        'x-cos-security-token': 'string'  # No need to enter a token when using a permanent key; enter a token if using a temporary key.
    }
)
print(response)

Sample request with all parameters

response = client.get_auth(
    Method='PUT'|'POST'|'GET'|'DELETE'|'HEAD',
    Bucket='examplebucket-1250000000',
    Key='exampleobject',
    Expired=300,
    Headers={
        'header1': 'string',
        'header2': 'string'
    },
    Params={
        'param1': 'string',
        'param2': 'string'
    },
    SignHost=True|False
)

Description

Parameter name
ParameterDescription
Local Disk Types
Required
Method
Operation method. Valid values: 'PUT', 'POST', 'GET', 'DELETE', 'HEAD'
String
Required
Bucket
Bucket name in the format of BucketName-APPID
String
Required
Key
For bucket operations, enter the root path /, and for object operations, enter the file path (no URL encoding required for users).
String
Required
Expired
Specifies the time in seconds before a signature expires
Int
Not required
Params
The request parameters to be included in the signature. When using this signature, you must carry the specified request parameters and the parameter values must be the ones specified here. The Params that can be included are related to the specific operation. For example, when downloading an object, the Params that can be carried and included can be found in the GET Object request parameters description.
Dict
Not required
Headers
The request headers to be included in the signature. When using this signature, you must carry the specified request headers, and the header values must be the ones specified here. The Headers that can be included are related to specific operations. For example, the Headers that can be included for uploading an object can be found in the PUT Object Request Headers description.
Dict
Not required
SignHost
Whether to include the request domain name in the signature. The default value is True. To allow users to modify the request domain name after signing, set this parameter to False.
Bool
Not required

Response description

The signature value for the corresponding operation is returned upon success.
中国站 - English