Download a protected object using Immutable Object Storage

This enhancement of the GET operations adds new response headers.

The storage account user making this request must have certain permissions for this object. In Vault Mode, if restrictive ACL is enabled then the storage account user must have READ_ACP permissions for the object. If restrictive ACL is not enabled, the storage account user must have READ_ACP permissions for the bucket. In Container Mode, the storage account user must have READ_ACP permissions on the object. For more information, see Create an ACL for an object.

Optional headers

Header Type Description
range string Returns the bytes of an object within the specified range.
Mirror-Destination string

This header is applicable for listing of buckets in a protected mirror.

The Mirror-Destination header specifies from which vault of the mirror to read. By default, if no explicit vault is specified, then the listing request will attempt to read from both vaults and provide a listing response that combines the list of objects on each component vault to the mirror excluding duplicates (object resides on both vaults in the mirror). If the Mirror-Destination header is specified and includes a valid Vault Identifier, the data returned will be from the Vault with the ID that matches what was provided in the header. The Mirror-Destination header is applicable only to protected mirrors, and the header is ignored otherwise. A failure to read from the specified vault will result in an error back to the HTTP client.

Type
String
Default
None
Constraints
{Valid Vault Identifier}
x-amz-checksum-mode String (ENABLED is the only valid value) This indicates whether or not to include checksum metadata on the response.

Specific headers for SSE-C

Common SSE-C headers are available for buckets using Server Side Encryption with Customer-Provided Keys (SSE-C) enabled.

Attention: SSE-C headers can be used to write or write objects from a protected bucket. However, it should be noted that SSE-C keys cannot be rotated for objects in a protected bucket.

Responses

Response headers

This enhancement to the operation add these new headers.

Table 1. Response headers
Name Description Required
Retention-Period Retention period of the object in seconds. The object can be neither overwritten or deleted until the amount of time specified in the retention period has elapsed. If there is no retention period on the object this header is not returned.

A retention period of -2 indicates permanent retention for the object. In order to specify -2, permanent retention must be enabled on the bucket in which this object resides. Once an object is permanently retained, the object, and thus the bucket which contains the object, cannot be deleted.

Type
Non-negative integer (in seconds) or -1 or -2
No
Retention-Legal-Hold-Count Returns the count of legal holds on the object.
Type
Non-negative integer
No
Retention-Expiration-Date Computed date on which the retention period will expire. Calculated from object last-modified-time + retention period. If there is no retention period on the object, or the retention period is set to indefinite or permanent, this header is not returned.
Type
Date (ISO 8601 Format)
No

Examples

Sample request


GET /BucketName/ObjectName HTTP/1.1 
Host: myBucket.mydsNet.corp.com
Date: Sat, 11 Feb 2017 17:09:00 GMT
Authorization: {authorization-string}

Sample response


HTTP/1.1 200 OK
x-amz-id-2: eftixk72aD6Ap51TnqcoF8eFidJG9Z/2mkiDFu8yU9AS1ed4OpIszj7UDNEHGran
x-amz-request-id: 318BC8BC148832E5
Date: Sat, 11 Feb 2017 17:10:00 GMT
Last-Modified: Thu, 2 Sep 2016 21:33:08 GMT
ETag: "fba9dede5f27731c9771645a39863328"
Retention-Period: 220752000
Retention-Expiration-Date: Fri, 1 Sep 2023 21:33:08 GMT
Retention-Legal-Hold-Count: 1
Content-Length: 434234
[434234 bytes of object data]