
Using temporary URLs

Even though an object might be stored in a private container, you may still grant temporary access to it. This is known as a temporary URL, or TempURL.

Prerequisites

In order to manage TempURLs, be sure that you have installed and configured the swift command-line interface (CLI). There is presently no way to create TempURLs with the openstack CLI.

Also, ensure that you have configured a private container, i.e. one with an empty Read ACL. The examples in this how-to guide assume that your container is named private-container.

Setting a TempURL shared secret

In order to be able to create TempURLs, you must first create a shared secret at the account level. You should create a secret that is hard to guess, such as one generated by a utility like pwgen:

TEMP_URL_KEY=`pwgen 32 1`

To set the account-level secret, use either of the following commands:

$ openstack object store account set --property Temp-URL-Key=${TEMP_URL_KEY}

$ swift post -m Temp-Url-Key:${TEMP_URL_KEY}

Note that since this is an account-level setting, you invoke swift post without a container or object name.

The TempURL secret is not encrypted or hashed; you can read it back at the account level with either of the following commands:

$ openstack object store account show
+------------+-------------------------------------------------+
| Field      | Value                                           |
+------------+-------------------------------------------------+
| Account    | AUTH_d42230ea21674515ab9197af89fa5192           |
| Bytes      | 12                                              |
| Containers | 2                                               |
| Objects    | 1                                               |
| properties | temp-url-key='goh3peisohkeeshuush8aut4oiD3wi3a' |
+------------+-------------------------------------------------+

$ swift stat
                                    Account: AUTH_d42230ea21674515ab9197af89fa5192
                                 Containers: 2
                                    Objects: 1
                                      Bytes: 12
Objects in policy "default-placement-bytes": 0
  Bytes in policy "default-placement-bytes": 0
   Containers in policy "default-placement": 2
      Objects in policy "default-placement": 1
        Bytes in policy "default-placement": 12
                          Meta Temp-Url-Key: goh3peisohkeeshuush8aut4oiD3wi3a
                                X-Timestamp: 1740651069.33342
                X-Account-Bytes-Used-Actual: 4096
                                 X-Trans-Id: tx0000014568b03aa275005-0067c03a3d-1130eb5-az1
                     X-Openstack-Request-Id: tx0000014568b03aa275005-0067c03a3d-1130eb5-az1
                              Accept-Ranges: bytes
                               Content-Type: text/plain; charset=utf-8
                                 Connection: close

Creating a TempURL for an object

To create a temporary URL for an object in a private container, select a duration for which you want it to be valid. The example below uses 1 hour (3,600 seconds).

Then, use swift tempurl and specify

  • the HTTP method for which the TempURL should apply (usually GET),
  • the TempURL lifetime, in seconds,
  • the full path to the object, including
      • the /v1 prefix,
      • the account identifier starting with AUTH_,
      • the container name,
      • the object name,
  • the TempURL key.

When specified in this way, the command returns a path similar to the following:

$ swift tempurl GET 3600 \
    /v1/AUTH_d42230ea21674515ab9197af89fa5192/private-container/testobj.txt \
    ${TEMP_URL_KEY}

/v1/AUTH_d42230ea21674515ab9197af89fa5192/private-container/testobj.txt?temp_url_sig=746d382b7b211bdb24ca59ca21f90745f5741c83&temp_url_expires=1670250048
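
What temp_url_sig covers, as an added example that is not part of the original guide: the sketch follows the signing scheme of the upstream OpenStack Swift tempurl middleware (an HMAC over method, expiry and path; HMAC-SHA1 is consistent with the 40-hex-digit signature above). The key, account name and clock value are constructed, and verify_tempurl is a hypothetical stand-in for the server-side check.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample values, not taken from the guide or any real account.
KEY = "constructed-example-key"
PATH = "/v1/AUTH_example/private-container/testobj.txt"
NOW = 1_700_000_000  # fixed "current time" so the result is reproducible


def sign_tempurl(method, path, key, expires, digest=hashlib.sha1):
    """Return the signed path in the form `swift tempurl` prints."""
    body = f"{method}\n{expires}\n{path}".encode()
    sig = hmac.new(key.encode(), body, digest).hexdigest()
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def verify_tempurl(method, url, key, now, digest=hashlib.sha1):
    """Hypothetical server-side check: 'ok' or the reason for refusal."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return "malformed"
    if now > expires:
        return "expired"
    body = f"{method}\n{expires}\n{parts.path}".encode()
    expected = hmac.new(key.encode(), body, digest).hexdigest()
    # Constant-time comparison, so timing does not leak how many digits matched.
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return "ok" if ok else "bad-signature"


def demo():
    url = sign_tempurl("GET", PATH, KEY, NOW + 3600)
    later = url.rsplit("=", 1)[0] + "=" + str(NOW + 86400)  # edited expiry
    return {
        "as_issued": verify_tempurl("GET", url, KEY, NOW),
        "other_method": verify_tempurl("PUT", url, KEY, NOW),
        "other_object": verify_tempurl("GET", url.replace("testobj", "other"), KEY, NOW),
        "expiry_extended": verify_tempurl("GET", later, KEY, NOW),
        "after_expiry": verify_tempurl("GET", url, KEY, NOW + 3601),
        "key_replaced": verify_tempurl("GET", url, "new-constructed-key", NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The signature binds the method, the expiry and the object path, so editing any of them in the URL invalidates it. Every signature derives from the account-level key, so replacing that key invalidates TempURLs issued with the old one.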

Accessing objects via their TempURL

You must then use your freshly generated TempURL path as the path in a URL pointing to the object. This will enable you to fetch the object using a simple HTTP client, like curl:

$ curl 'https://object-store.sto-com.cleura.cloud/swift/v1/AUTH_d42230ea21674515ab9197af89fa5192/private-container/testobj.txt?temp_url_sig=746d382b7b211bdb24ca59ca21f90745f5741c83&temp_url_expires=1670250048'
hello world

If you (or someone else) were to attempt to fetch the same URL after its lifetime has expired, they would be met with an HTTP 401 error:

$ curl --verbose 'https://object-store.sto-com.cleura.cloud/swift/v1/AUTH_d42230ea21674515ab9197af89fa5192/private-container/testobj.txt?temp_url_sig=746d382b7b211bdb24ca59ca21f90745f5741c83&temp_url_expires=1670250048'

* Host object-store.sto-com.cleura.cloud:443 was resolved.

[...]

> GET /swift/v1/AUTH_d42230ea21674515ab9197af89fa5192/private-container/testobj.txt?temp_url_sig=e8a6d6304c92fe4cb230545ace6727b43e8ce5ea&temp_url_expires=1740655536 HTTP/2
> Host: object-store.sto-com.cleura.cloud
> User-Agent: curl/8.6.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 401 
< content-length: 12
< x-trans-id: tx000003a2e52128563efd2-0067c079c5-1133217-az1
< x-openstack-request-id: tx000003a2e52128563efd2-0067c079c5-1133217-az1
< accept-ranges: bytes
< content-type: text/plain; charset=utf-8
< date: Thu, 27 Feb 2025 14:42:13 GMT
< 
* Connection #0 to host object-store.sto-com.cleura.cloud left intact
AccessDenied