Security Token Service (STS) is a permission management system provided by Alibaba Cloud. You can use policies specified through STS to control user permissions. This topic describes how to use STS to grant users temporary permissions to access Table Store.

Background information

In typical app development scenarios, you can use STS to set temporary access permissions for different users. You can specify the validity period of the temporary token to mitigate the risks of RAM user account information being leaked. Different authorization policies can be added to control the access permissions of different app users. For example, you can control the table paths accessed by users to isolate the storage spaces of different app users.

Prerequisites

  • Log on to the RAM console with an Alibaba Cloud account.
  • You have created a RAM user account named ram_test_app. When a RAM user account assumes a role, the account automatically obtains all role permissions and does not need to be granted further permissions.

Step 1: Create temporary roles

Create two roles: RamTestAppReadOnly and RamTestAppWrite. Grant read permissions to RamTestAppReadOnly and write permissions to RamTestAppWrite. Perform the following operations:

  1. In the left-side navigation pane, click RAM Roles.
  2. Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
  3. Specify the RAM Role Name and Note parameters.
  4. Under Select Trusted Alibaba Cloud Account, select Current Alibaba Cloud Account or Other Alibaba Cloud Account.
    Note If you select Other Alibaba Cloud Account, enter the account ID.
  5. Click OK.

Step 2: Create custom policies

Repeat the following steps to create two policies named ram-test-app-readonly and ram-test-app-write.

  1. In the left-side navigation pane, click Policies under Permissions.
  2. On the page that appears, click Create Policy.
  3. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  4. Under Configuration Mode, select Visualized or Script.
    • If you select Visualized, click Add Statement. On the page that appears, configure the permission effect, actions, and resources.
    • If you select Script, edit the policy script according to the policy structure and syntax.
  5. Click OK.
The scripts for the ram-test-app-readonly policy and ram-test-app-write policy in this example are as follows:
  • ram-test-app-readonly
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ots:BatchGet*",
            "ots:Describe*",
            "ots:Get*",
            "ots:List*"
          ],
          "Resource": [
            "acs:ots:*:*:instance/ram-test-app",
            "acs:ots:*:*:instance/ram-test-app/table/*"
          ]
        }
      ],
      "Version": "1"
    }
  • ram-test-app-write
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ots:Create*",
            "ots:Insert*",
            "ots:Put*",
            "ots:Update*",
            "ots:Delete*",
            "ots:BatchWrite*"
          ],
          "Resource": [
            "acs:ots:*:*:instance/ram-test-app",
            "acs:ots:*:*:instance/ram-test-app/table/*"
          ]
        }
      ],
      "Version": "1"
    }
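
To check what these two policies actually permit before attaching them to the roles, the following added example (not part of this topic or of Alibaba Cloud's tooling) evaluates the policy scripts above with a simplified RAM decision model: deny by default, wildcard matching on actions and resource ARNs, explicit Deny winning over Allow, no Condition support. The user_scoped_readonly function and the ARN values are constructed to illustrate the per-user table isolation mentioned in the Background section.

```python
import fnmatch

# The two custom policies from Step 2 of this topic, as Python dicts.
READONLY = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["ots:BatchGet*", "ots:Describe*", "ots:Get*", "ots:List*"],
    "Resource": ["acs:ots:*:*:instance/ram-test-app",
                 "acs:ots:*:*:instance/ram-test-app/table/*"]}]}
WRITE = {"Version": "1", "Statement": [{"Effect": "Allow",
    "Action": ["ots:Create*", "ots:Insert*", "ots:Put*", "ots:Update*",
               "ots:Delete*", "ots:BatchWrite*"],
    "Resource": ["acs:ots:*:*:instance/ram-test-app",
                 "acs:ots:*:*:instance/ram-test-app/table/*"]}]}


def _match(pattern, value):
    # RAM policy wildcards: '*' matches any run of characters, '/' included.
    # fnmatch also treats '?' and '[' specially, so neutralise them first.
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)


def is_allowed(policy, action, resource):
    """Deny by default; an explicit Deny wins over any Allow (simplified
    model: no Condition support, case-sensitive matching)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not (any(_match(a, action) for a in actions)
                and any(_match(r, resource) for r in resources)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def user_scoped_readonly(user_id):
    """Constructed variant (not on the page): the read-only actions restricted to
    tables named <user_id>_*, the per-user isolation the Background section describes."""
    return {"Version": "1", "Statement": [{"Effect": "Allow",
        "Action": list(READONLY["Statement"][0]["Action"]),
        "Resource": [f"acs:ots:*:*:instance/ram-test-app/table/{user_id}_*"]}]}


if __name__ == "__main__":
    row = "acs:ots:cn-hangzhou:123456789012:instance/ram-test-app/table/orders"  # constructed ARN
    print(is_allowed(READONLY, "ots:GetRow", row), is_allowed(READONLY, "ots:PutRow", row))
    print(is_allowed(user_scoped_readonly("u42"), "ots:GetRow", row))
```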

Step 3: Assign policies to roles

Repeat the following steps to assign the ram-test-app-readonly (read-only permissions on Table Store) policy to RamTestAppReadOnly and assign the ram-test-app-write (write-only permissions on Table Store) policy to RamTestAppWrite.

  1. In the left-side navigation pane, click Grants under Permissions.
  2. Click Grant Permission.
  3. Under Principal, enter the RAM role name, and click the target RAM role.
  4. In the Policy Name column, select the target policies by clicking the corresponding rows.
    Note You can click X in the section on the right side of the page to remove a selected policy.
  5. Click OK.
  6. Click Finished.

Subsequent operations

Authorize temporary access