# Download Data from DOS

The Data Object Service schemas are designed to be neutral the various Object Storage environments and use cases where it might be useful. By remaining unopinionated about how objects themselves are accessed, implementors are able to design authentication and authorization scenarios that suit their needs.

For example, by presenting a DOS alongside a URL signing microservice, it is possible to delegate auth concerns for Data Objects across multiple buckets. It is also useful to note that, depending on access level restrictions, a Data Object Service may expose no Data Objects to an unauthorized request. By decoupling data management from data access, DOS gives your service infrastructure a natural way to interoperate with existing services.


## Using fence to create signed URLs

UC-CDIS presents a system, called the gen3 platform, that can provide access level restrictions for both data and metadata. This means that an unauthorized account may access the platform, see that data is present, but then must reauthorize in order to download data. Signed URLs provide a way to generate temporary access links that can be used from a simple HTTP client.

It's important to note that DOS is unopinionated about the nature of URLs it presents. Oftentimes object stores provide clients that outperform signed URLs, and depending on the use case, are the preferred method of access.

Let's now get an item from indexd via DOS and pass it off to fence for downloading. To pull this off, we first downloaded the `credentials.json` from https://dcp.bionimbus.org/identity and use the `dcp-client`, which adds the necessary authorization headers.

In [1]:
from dcp.client import Client

c = Client()

Using credentials.json to get an access token.
Getting access token from https://dcp.bionimbus.org/user/credentials/cdis/access_token .


We then get an ID from the commons sample data and use its data guid to render a signed URL. Although these data are replicated on S3, the Data Object metadata can be used to generate signed URLs from a variety of backing stores.

In [10]:
my_guid = "dg.4503/b1dcfdbe-4314-4efd-8f52-559435188b40"
url = c.get_download_url(my_guid)
print(url[0:100])

https://storage.googleapis.com/cgp-commons-multi-region-public/topmed_open_access/bd91f499-1620-5500


Now that we have a signed URL, we can use a simple HTTP client to download the file for a short time.

## Conclusion

The Data Object Service schemas intentionally leave up to implementors the details of downloading data. In this notebook we accessed a Data Object hosted by the gen3 platform which was under access control.