Pre-Authenticated Requests

Pre-authenticated requests provide a way to let users access a bucket or an object without having their own credentials, as long as the request creator has permissions to access those objects.

For example, you can create a request that lets an operations support user upload backups to a bucket without owning API keys. Or, you can create a request that lets a business partner update shared data in a bucket without owning API keys.

When you create a pre-authenticated request, a unique URL is generated. Anyone you provide this URL to can access the Object Storage resources identified in the pre-authenticated request, using standard HTTP tools like curl and wget.

Important:

Assess the business requirements and the security ramifications of pre-authenticated access to a bucket or objects.

A pre-authenticated request URL gives anyone who has the URL access to the targets identified in the request. Carefully manage the distribution of the URL.

Required Permissions

To Create a Pre-Authenticated Request

You need the PAR_MANAGE permission to the target bucket or object.

You must also have the appropriate permissions for the access type that you are granting. For example:

  • If you are creating a pre-authenticated request for uploading objects to a bucket, you need the OBJECT_CREATE and OBJECT_OVERWRITE permissions.

  • If you are creating a pre-authenticated request for read/write access to objects in a bucket, you need the OBJECT_READ, OBJECT_CREATE, and OBJECT_OVERWRITE permissions.

Important:

If the creator of a pre-authenticated request is deleted or loses the required permissions after they created the request, the request will no longer work.

To Use a Pre-Authenticated Request

Permissions of the pre-authenticated request creator are checked each time you use a pre-authenticated request.

The pre-authenticated request no longer works when any of the following occurs:

  • Permissions of the pre-authenticated request creator have changed.

  • The user who created the pre-authenticated request is deleted.

  • A federated user who created the pre-authenticated request has lost the user capabilities that they had when they created the request.

  • The pre-authenticated request has expired.

Types of Pre-Authenticated Requests

When creating a pre-authenticated request, you have the following options:

  • You can specify the name of a bucket that a pre-authenticated request user has write access to and can upload one or more objects to.

  • You can specify the name of an object that a pre-authenticated request user can read from, write to, or read from and write to.

Scope and Constraints

Understand the following scope and constraints regarding pre-authenticated requests:

  • Users can't list bucket contents.

  • You can create an unlimited number of pre-authenticated requests.

  • There is no limit on how far in the future you can set the expiration date.

  • You can't edit a pre-authenticated request. If you want to change user access options in response to changing requirements, you must create a new pre-authenticated request.

  • The target and actions for a pre-authenticated request are based on the creator's permissions. The request is not, however, bound to the creator's account login credentials. If the creator's login credentials change, a pre-authenticated request is not affected.

  • You cannot delete a bucket that has a pre-authenticated request associated with that bucket or with an object in that bucket.

Important:

The unique URL provided by the system when you create a pre-authenticated request is the only way a user can access the bucket or object specified as the request target. Copy the URL to durable storage. The URL is displayed only at the time of creation and cannot be retrieved later.
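
Because the URL alone grants access and the expiration date has no upper limit, it is worth reviewing outstanding pre-authenticated requests on a schedule. The following is an added example, not Oracle's code: the inventory records, their field names, the access-type values, and the 30-day lifetime policy are all assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Field names and access-type values are assumptions.
SAMPLE = json.loads("""
[
 {"name": "ops-backup-upload", "access-type": "AnyObjectWrite", "object-name": null,
  "time-created": "2024-01-10T00:00:00+00:00", "time-expires": "2034-01-10T00:00:00+00:00"},
 {"name": "partner-report-read", "access-type": "ObjectRead", "object-name": "reports/q1.csv",
  "time-created": "2024-03-01T00:00:00+00:00", "time-expires": "2024-03-08T00:00:00+00:00"},
 {"name": "partner-shared-data", "access-type": "ObjectReadWrite", "object-name": "shared/data.json",
  "time-created": "2024-02-01T00:00:00+00:00", "time-expires": "2024-02-20T00:00:00+00:00"}
]
""")

# Access types that let the URL holder upload or overwrite data.
WRITE_TYPES = {"AnyObjectWrite", "ObjectWrite", "ObjectReadWrite"}


def audit_pars(records, now, max_lifetime=timedelta(days=30)):
    """Return {request name: [finding codes]} for requests that need attention."""
    findings = {}
    for rec in records:
        created = datetime.fromisoformat(rec["time-created"])
        expires = datetime.fromisoformat(rec["time-expires"])
        issues = []
        if expires <= now:
            # The request no longer works; it is a candidate for cleanup.
            issues.append("EXPIRED")
        else:
            if expires - created > max_lifetime:
                # No limit is enforced at creation, so local policy must catch this.
                issues.append("LONG_LIVED")
            if rec["access-type"] in WRITE_TYPES:
                # Anyone holding the URL can still write to the target.
                issues.append("ACTIVE_WRITE")
        if issues:
            findings[rec["name"]] = issues
    return findings


if __name__ == "__main__":
    review_time = datetime(2024, 3, 5, tzinfo=timezone.utc)  # constructed review date
    for name, issues in audit_pars(SAMPLE, review_time).items():
        print(f"{name}: {', '.join(issues)}")
```

Since a pre-authenticated request cannot be edited, the remedy for a flagged request is to create a replacement with a narrower target or shorter expiration and retire the old one.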