Oracle Cloud Infrastructure Documentation

Using Pre-Authenticated Requests

Pre-authenticated requests provide a way to let users access a bucket or an object without having their own credentials, as long as the request creator has permissions to access those objects. For example, you can create a request that lets an operations support user upload backups to a bucket without owning API keys. Or, you can create a request that lets a business partner update shared data in a bucket without owning API keys.

When you create a pre-authenticated request, a unique URL is generated. Users in your organization, partners, or third parties can use this URL to access the Object Storage resource target identified in the pre-authenticated request.

Important

Carefully assess the business requirement for and the security ramifications of pre‑authenticated access to a bucket or objects.

A pre-authenticated request URL gives anyone who has the URL access to the targets identified in the request for as long as the request is active. In addition to considering the operational needs of pre-authenticated access, it is equally important to manage the distribution of the URL.

Required Permissions

You need the PAR_MANAGE permission on the target bucket or object to create or manage pre-authenticated requests.

You also need permission to perform the action the pre-authenticated request is permitting. For example, if you are creating a pre-authenticated request for uploading an object, you must have both the PAR_MANAGE and the OBJECT_CREATE permissions in the target compartment.

Important

If the user who creates a pre-authenticated request is deleted or loses the OBJECT_CREATE permission after they created the request, then the request no longer works.

Options

When creating a pre-authenticated request, you have the following options:

  • You can configure the name of a specific bucket that a user has write access to and can upload one or more objects to.
  • You can configure the name of a specific object that a user can read from, write to, or read from and write to.
  • You can configure the expiration date for the request.

Scope and Constraints

Understand the following scope and constraints regarding pre-authenticated requests:

  • Users can't list bucket contents.
  • There is no hard limit on the number of pre-authenticated requests that you can create.
  • You can't edit a pre-authenticated request. If you want to change user access options in response to changing requirements, you need to create a new pre‑authenticated request.
  • The target and actions for a pre-authenticated request are based on its creator's permissions. The request is not, however, bound to the creator's account login credentials. A pre-authenticated request is not affected if the creator's login credentials change.
  • If the user who created a pre-authenticated request is deleted, then the request no longer works.
  • You cannot delete a bucket that has a pre-authenticated request associated with that bucket or with an object in that bucket.

Working with Pre-Authenticated Requests

You can create, delete, or list pre-authenticated requests using the Console, using the CLI, or by using an SDK to access the API.

Important

The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the bucket or object specified as the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation and cannot be retrieved later.

Using the Console

  • To create a pre-authenticated request for a bucket
  • To create a pre-authenticated request for an object

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Help.

  • To create a pre-authenticated request for a bucket
  • To create a pre-authenticated request for an object
  • To list pre-authenticated requests
  • To get a pre-authenticated request
  • To delete a pre-authenticated request
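Because a request cannot be edited and its URL works for anyone while the request is active, a periodic review of the listed requests is useful. The following is an added example, not part of the Oracle documentation: it audits a saved request listing by expiration date, access type, and target. The kebab-case JSON keys, the sample records, and the 30-day lifetime threshold are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the JSON printed by the CLI list command for
# pre-authenticated requests. The kebab-case key names are an assumption about
# that output; the ids, names and dates are made up.
SAMPLE = json.loads("""
{"data": [
 {"id": "par-1", "name": "ops-backup-upload", "object-name": null,
  "access-type": "AnyObjectWrite", "time-expires": "2031-01-01T00:00:00+00:00"},
 {"id": "par-2", "name": "partner-report", "object-name": "report.csv",
  "access-type": "ObjectRead", "time-expires": "2030-01-10T00:00:00+00:00"},
 {"id": "par-3", "name": "old-share", "object-name": "data.json",
  "access-type": "ObjectReadWrite", "time-expires": "2029-12-01T00:00:00+00:00"}
]}
""")

WRITE_TYPES = {"ObjectWrite", "ObjectReadWrite", "AnyObjectWrite"}
MAX_LIFETIME = timedelta(days=30)  # hypothetical policy threshold


def audit_pars(listing, now, max_lifetime=MAX_LIFETIME):
    """Return (id, name, findings) for every request that needs attention."""
    report = []
    for par in listing.get("data", []):
        findings = []
        expires = datetime.fromisoformat(par["time-expires"])
        if expires <= now:
            # Past its expiration date: the URL no longer grants access.
            findings.append("expired: delete the request")
        else:
            if expires - now > max_lifetime:
                findings.append("remains active longer than the threshold")
            if par["access-type"] in WRITE_TYPES:
                findings.append("URL holder can write")
            if par.get("object-name") is None:
                findings.append("target is the whole bucket")
        if findings:
            report.append((par["id"], par["name"], findings))
    return report


if __name__ == "__main__":
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for par_id, name, findings in audit_pars(SAMPLE, now):
        print(f"{par_id} {name}: {'; '.join(findings)}")
```

Because a request cannot be edited, acting on a finding means deleting the request and, if access is still needed, creating a new one with a narrower target or an earlier expiration date.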

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to work with pre-authenticated requests: