Oracle Cloud Infrastructure Documentation

Using Pre-Authenticated Requests

Pre-authenticated requests provide a way to let users access a bucket or an object without having their own credentials, as long as the request creator has permissions to access those objects. For example, you can create a request that lets an operations support user upload backups to a bucket without owning API keys. Or, you can create a request that lets a business partner update shared data in a bucket without owning API keys.

When you create a pre-authenticated request, a unique URL is generated. Users in your organization, partners, or third parties can use this URL to access the Object Storage resource target identified in the pre-authenticated request.

Important

Carefully assess the business requirement for and the security ramifications of pre-authenticated access to a bucket or objects.

A pre-authenticated request URL gives anyone who has the URL access to the targets identified in the request while the request is active. Be sure to carefully manage the distribution of the URL.

Required Permissions

To Create a Pre-Authenticated Request

To create or manage pre-authenticated requests, you need PAR_MANAGE permission to the target bucket or object.

While you only need PAR_MANAGE permission to create a pre-authenticated request, you also need to have the appropriate permissions for the access type that you are granting. For example:

  • If you are creating a pre-authenticated request for uploading objects to a bucket, you need OBJECT_CREATE and OBJECT_OVERWRITE permissions in addition to PAR_MANAGE.
  • If you are creating a pre-authenticated request for read/write access to objects in a bucket, you need OBJECT_READ, OBJECT_CREATE, and OBJECT_OVERWRITE permissions in addition to PAR_MANAGE.

Important

If the creator of a pre-authenticated request is deleted or loses the required permissions after they created the request, the request will no longer work.

To Use a Pre-Authenticated Request

The permissions of the pre-authenticated request creator are checked each time a pre-authenticated request is used. The pre-authenticated request no longer works if any of the following is true:

  • The permissions of the pre-authenticated request creator change
  • The user who created the pre-authenticated request is deleted
  • The pre-authenticated request has expired

Options

When creating a pre-authenticated request, you have the following options:

  • You can specify the name of a bucket that a pre-authenticated request user has write access to and can upload one or more objects to.
  • You can specify the name of an object that a pre-authenticated request user can read from, write to, or read from and write to.

Scope and Constraints

Understand the following scope and constraints regarding pre-authenticated requests:

  • Users can't list bucket contents.
  • You can create an unlimited number of pre-authenticated requests.
  • There is no limit on how far in the future you can set the expiration date.
  • You can't edit a pre-authenticated request. If you want to change user access options in response to changing requirements, you need to create a new pre-authenticated request.
  • The target and actions for a pre-authenticated request are based on its creator's permissions. The request is not, however, bound to the creator's account login credentials. If the creator's login credentials change, a pre-authenticated request is not affected.
  • You cannot delete a bucket that has a pre-authenticated request associated with that bucket or with an object in that bucket.
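Because the URL works for anyone who holds it and the expiration date has no upper limit, it is worth reviewing the requests that exist on a bucket. The following is an added example, not part of the Oracle documentation: it audits a request listing for expired, long-lived, write-capable, and bucket-wide requests. The JSON field names, the access-type values, and the 30-day policy are assumptions modelled on the CLI's list output, and the sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the JSON printed when listing the
# pre-authenticated requests of a bucket (field names are assumed).
SAMPLE = """
{"data": [
  {"id": "par-1", "name": "partner-feed", "access-type": "ObjectReadWrite",
   "object-name": "shared/data.csv",
   "time-created": "2024-01-10T09:00:00+00:00",
   "time-expires": "2034-01-10T09:00:00+00:00"},
  {"id": "par-2", "name": "ops-backup-upload", "access-type": "AnyObjectWrite",
   "object-name": null,
   "time-created": "2024-03-01T00:00:00+00:00",
   "time-expires": "2024-03-08T00:00:00+00:00"},
  {"id": "par-3", "name": "report-download", "access-type": "ObjectRead",
   "object-name": "reports/q1.pdf",
   "time-created": "2024-01-01T00:00:00+00:00",
   "time-expires": "2024-02-01T00:00:00+00:00"}
]}
"""
SAMPLE_NOW = datetime(2024, 3, 2, tzinfo=timezone.utc)  # constructed "current time"
WRITE_TYPES = {"ObjectWrite", "ObjectReadWrite", "AnyObjectWrite"}  # assumed values

def parse_ts(value):
    # Accept both an explicit offset and a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_pars(listing_json, now, max_lifetime=timedelta(days=30)):
    """Return {request id: [findings]} for every request that needs review."""
    findings = {}
    for par in json.loads(listing_json)["data"]:
        notes = []
        created = parse_ts(par["time-created"])
        expires = parse_ts(par["time-expires"])
        if expires <= now:
            notes.append("expired: candidate for deletion")
        else:
            if expires - created > max_lifetime:
                notes.append("lifetime exceeds policy")
            if par["access-type"] in WRITE_TYPES:
                notes.append("active write access")
            if par.get("object-name") is None:
                notes.append("bucket-wide target")
        if notes:
            findings[par["id"]] = notes
    return findings

if __name__ == "__main__":
    for par_id, notes in audit_pars(SAMPLE, SAMPLE_NOW).items():
        print(par_id, "->", "; ".join(notes))
```

Because a request cannot be edited, remediation for any finding is to delete the request and, if access is still needed, create a new one with a narrower target or a shorter expiration.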

Working with Pre-Authenticated Requests

You can create, delete, or list pre-authenticated requests using the Console, using the CLI, or by using an SDK to access the API.

Important

The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the bucket or object specified as the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation and cannot be retrieved later.

Using the Console

To create a pre-authenticated request for a bucket
To create a pre-authenticated request for an object
To copy a pre-authenticated request ID

Using the Command Line Interface (CLI)

For information about using the CLI, see Command Line Interface (CLI). For a complete list of flags and options available for CLI commands, see CLI Help.

To create a pre-authenticated request for a bucket
To create a pre-authenticated request for an object
To list a pre-authenticated request
To get a pre-authenticated request
To delete a pre-authenticated request

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to work with pre-authenticated requests: