STS temporary access authorization

Last Updated: May 04, 2017

In the previous sections, we used only the RAM subaccount functions. Subaccounts are intended for long-term, everyday use, which poses a serious risk: if a subaccount's credentials are leaked, its permissions may not be revoked promptly enough.

Still in the previous example, assume that our developer's app allows users to upload data to the OSS bucket ram-test-app and that the app currently has a large number of users. How can the developer securely grant upload permissions to many users, and how can he ensure that the storage of different users is isolated?

In such scenarios, we grant users temporary access using STS. STS lets us attach a fine-grained policy so that each user receives only the minimum permissions necessary.

Create a role

We have previously explained the concept of a role and, in this section, we will provide an actual example of using the role.

Based on the example in the previous section, the App user has a bucket, ram-test-app, to store personal data. A role can be created as follows:

  1. Create a subaccount named ram_test_app using the process illustrated above. Do not grant this account any permissions, as it will inherit the permissions of a role which it assumes.

  2. Create roles. Here you need to create two roles for users to perform read operations and to upload files respectively.

    1. Log in to the RAM console and select Roles > New Role.
    2. Select a role type. Here you need to select User role.
    3. Enter the role type information. Because this role is used within your own Alibaba Cloud account, keep the default setting.
    4. Configure the basic role information.
  3. When created, the role does not have any permissions. Therefore, we must create a custom authorization policy using the process described earlier. The authorization policy is shown below:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:ListObjects",
            "oss:GetObject"
          ],
          "Resource": [
            "acs:oss:*:*:ram-test-app",
            "acs:oss:*:*:ram-test-app/*"
          ]
        }
      ]
    }

    This indicates read-only permission for ram-test-app.


  4. After the policy is established, give the role RamTestAppReadOnly the ram-test-app read-only permission on the role management page.

  5. Perform the same procedure to create the role RamTestAppWrite and use a custom authorization policy to grant ram-test-app write permission. The authorization policy is as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:DeleteObject",
            "oss:ListParts",
            "oss:AbortMultipartUpload",
            "oss:PutObject"
          ],
          "Resource": [
            "acs:oss:*:*:ram-test-app",
            "acs:oss:*:*:ram-test-app/*"
          ]
        }
      ]
    }

Now we have created two roles, RamTestAppReadOnly and RamTestAppWrite, with read and write permissions for ram-test-app, respectively.

Temporary access authorization

After creating roles, we can use them to grant temporary access to OSS.

Preparation

One more step is needed before getting started: assuming a role itself requires authorization. Otherwise, any subaccount could assume these roles, which is an unacceptable risk. A subaccount must therefore be explicitly granted permission to assume the corresponding roles.

  1. Create two custom authorization policies in authorization policy management, as shown below:

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "acs:ram::1894189769722283:role/ramtestappreadonly"
        }
      ],
      "Version": "1"
    }


    Use the same method to create another custom authorization policy:

    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "acs:ram::1894189769722283:role/ramtestappwrite"
        }
      ],
      "Version": "1"
    }

    Here, the value of Resource is the role's ID (its ARN). Role IDs can be found in Roles > Role detail.

  2. Grant the two authorization policies to the account ram_test_app.

Use STS to grant access permissions

Everything is now ready for us to officially use STS to grant access permissions.

Here we use a simple STS Python command line tool, sts.py. It is called as follows. For detailed parameter descriptions, refer to the STS API documentation.

  $python ./sts.py AssumeRole RoleArn=acs:ram::1894189769722283:role/ramtestappreadonly RoleSessionName=usr001 Policy='{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:ListObjects","oss:GetObject"],"Resource":["acs:oss:*:*:ram-test-app","acs:oss:*:*:ram-test-app/*"]}]}' DurationSeconds=1000 --id=id --secret=secret
  • RoleArn indicates the ID of a role to be assumed. Role IDs can be found in Role Management > Role Details.
  • RoleSessionName indicates the name of the temporary credentials. We suggest using a distinct session name for each application user, so that requests can be traced back to the user.
  • Policy indicates that a permission restriction is added when the role is assumed.
  • DurationSeconds indicates the validity time of the temporary credentials in seconds. The minimum value is 900, and the maximum value is 3600.
  • id and secret indicate the AccessKey of the subaccount to assume a role.

Here, we need to explain the Policy parameter mentioned above. The policy entered here restricts the permissions of the temporary credentials after the role is assumed. Ultimately, the permissions obtained through the temporary credentials are the intersection of the role's permissions and the policy passed in; the passed-in policy can only narrow the role's permissions, never widen them.

Passing a policy when assuming a role adds flexibility. For example, when uploading files, we can impose a different upload path restriction on each user. This is shown in the example below.

Now, let’s test the STS function. To test the bucket, first use the console to put the file test.txt in ram-test-app, with the content ststest.

First, use the subaccount ram_test_app to access the file directly. Replace the AccessKey in the commands below with the one you use in your own test.

  [admin@NGIS-CWWF344M01C /home/admin/oss_test]
  $./osscmd get oss://ram-test-app/test.txt test.txt --host=oss-cn-hangzhou.aliyuncs.com -i oOhuek56i53Frogv -k OmVwFJO3qcT0IWrmqkFhOYpg3p0KnA
  Error Headers:
  [('content-length', '229'), ('server', 'AliyunOSS'), ('connection', 'keep-alive'), ('x-oss-request-id', '564A94D444F4D8B2225E4AFE'), ('date', 'Tue, 17 Nov 2015 02:45:40 GMT'), ('content-type', 'application/xml')]
  Error Body:
  <?xml version="1.0" encoding="UTF-8"?>
  <Error>
    <Code>AccessDenied</Code>
    <Message>AccessDenied</Message>
    <RequestId>564A94D444F4D8B2225E4AFE</RequestId>
    <HostId>ram-test-app.oss-cn-hangzhou.aliyuncs.com</HostId>
  </Error>
  Error Status:
  403
  get Failed!
  [admin@NGIS-CWWF344M01C /home/admin/oss_test]
  $./osscmd put test.txt oss://ram-test-app/test.txt --host=oss-cn-hangzhou.aliyuncs.com -i oOhuek56i53Frogv -k OmVwFJO3qcT0IWrmqkFhOYpg3p0KnA
  100% Error Headers:
  [('content-length', '229'), ('server', 'AliyunOSS'), ('connection', 'keep-alive'), ('x-oss-request-id', '564A94E5B1119B445B9F8C3A'), ('date', 'Tue, 17 Nov 2015 02:45:57 GMT'), ('content-type', 'application/xml')]
  Error Body:
  <?xml version="1.0" encoding="UTF-8"?>
  <Error>
    <Code>AccessDenied</Code>
    <Message>AccessDenied</Message>
    <RequestId>564A94E5B1119B445B9F8C3A</RequestId>
    <HostId>ram-test-app.oss-cn-hangzhou.aliyuncs.com</HostId>
  </Error>
  Error Status:
  403
  put Failed!

Because the subaccount ram_test_app has no permissions of its own, both direct access attempts failed.

Use temporary authorization for downloads

Now, we will use STS to download files. For simplicity, the entered policy and the role policy are the same. The expiration time is set to 3600s, and we will call the app user usr001. Steps:

  1. Use STS to obtain a temporary credential.

    [admin@NGIS-CWWF344M01C /home/admin/oss_test]
    $python ./sts.py AssumeRole RoleArn=acs:ram::1894189769722283:role/ramtestappreadonly RoleSessionName=usr001 Policy='{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:ListObjects","oss:GetObject"],"Resource":["acs:oss:*:*:ram-test-app","acs:oss:*:*:ram-test-app/*"]}]}' --id=oOhuek56i53Frogv --secret=OmVwFJO3qcT0IWrmqkFhOYpg3p0KnA
    https://sts.aliyuncs.com/?SignatureVersion=1.0&Format=JSON&Timestamp=2015-11-17T03%3A07%3A25Z&RoleArn=acs%3Aram%3A%3A1894189769722283%3Arole%2Framtestappreadonly&RoleSessionName=usr001&AccessKeyId=oOhuek56i53Frogv&Policy=%7B%22Version%22%3A%221%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22oss%3AListObjects%22%2C%22oss%3AGetObject%22%5D%2C%22Resource%22%3A%5B%22acs%3Aoss%3A%2A%3A%2A%3Aram-test-app%22%2C%22acs%3Aoss%3A%2A%3A%2A%3Aram-test-app%2F%2A%22%5D%7D%5D%7D&SignatureMethod=HMAC-SHA1&Version=2015-04-01&Signature=bshxPZpwRJv5ch3SjaBiXLodwq0%3D&Action=AssumeRole&SignatureNonce=53e1be9c-8cd8-11e5-9b86-008cfa5e4938
    {
      "AssumedRoleUser": {
        "Arn": "acs:ram::1894189769722283:role/ramtestappreadonly/usr001",
        "AssumedRoleId": "317446347657426289:usr001"
      },
      "Credentials": {
        "AccessKeyId": "STS.3mQEbNftyc9uOwa180Le",
        "AccessKeySecret": "B1w7rCbR4dzGwNYJ2ASsvG3PiPqKZ3gjQhAxb6mB",
        "Expiration": "2015-11-17T04:07:25Z",
        "SecurityToken": "<SecurityToken omitted>"
      },
      "RequestId": "8C009F64-F19D-4EC1-A3AD-7A718CD0B49B"
    }
  2. Use the temporary credential to download the file. Here, the value of --sts_token is the SecurityToken returned by STS above.

    [admin@NGIS-CWWF344M01C /home/admin/oss_test]
    $./osscmd get oss://ram-test-app/test.txt test.txt --host=oss-cn-hangzhou.aliyuncs.com -i STS.3mQEbNftyc9uOwa180Le -k B1w7rCbR4dzGwNYJ2ASsvG3PiPqKZ3gjQhAxb6mB --sts_token=<SecurityToken omitted>
    100% The object test.txt is downloaded to test.txt, please check.
    0.061(s) elapsed
  3. As you can see, we can use the temporary credentials to download the file. Next, we will test if we can use them to upload a file.

    [admin@NGIS-CWWF344M01C /home/admin/oss_test]
    $./osscmd put test.txt oss://ram-test-app/test.txt --host=oss-cn-hangzhou.aliyuncs.com -i STS.3mQEbNftyc9uOwa180Le -k B1w7rCbR4dzGwNYJ2ASsvG3PiPqKZ3gjQhAxb6mB --sts_token=CAESvAMIARKAASQQUUTSE+7683CGlhdGsv2/di8uI+X1BxG7MDxM5FTd0fp5wpPK/7UctYH2MJ///c4yMN1PUCcEHI1zppCINmpDG2XeNA3OS16JwS6ESmI50sHyWBmsYkCJW15gXnfhz/OK+mSp1bYxlfB33qfgCFe97Ijeuj8RMgqFx0Hny2BzGhhTVFMuM21RRWJOZnR5Yzl1T3dhMTgwTGUiEjMxNzQ0NjM0NzY1NzQyNjI4OSoGdXNyMDAxMJTrgJ2RKjoGUnNhTUQ1QpsBCgExGpUBCgVBbGxvdxI4CgxBY3Rpb25FcXVhbHMSBkFjdGlvbhogCg9vc3M6TGlzdE9iamVjdHMKDW9zczpHZXRPYmplY3QSUgoOUmVzb3VyY2VFcXVhbHMSCFJlc291cmNlGjYKGGFjczpvc3M6KjoqOnJhbS10ZXN0LWFwcAoaYWNzOm9zczoqOio6cmFtLXRlc3QtYXBwLypKEDE4OTQxODk3Njk3MjIyODNSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzE3NDQ2MzQ3NjU3NDI2Mjg5chJyYW10ZXN0YXBwcmVhZG9ubHk=
    100% Error Headers:
    [('content-length', '254'), ('server', 'AliyunOSS'), ('connection', 'keep-alive'), ('x-oss-request-id', '564A9A2A1790CF0F53C15C82'), ('date', 'Tue, 17 Nov 2015 03:08:26 GMT'), ('content-type', 'application/xml')]
    Error Body:
    <?xml version="1.0" encoding="UTF-8"?>
    <Error>
      <Code>AccessDenied</Code>
      <Message>Access denied by authorizer's policy.</Message>
      <RequestId>564A9A2A1790CF0F53C15C82</RequestId>
      <HostId>ram-test-app.oss-cn-hangzhou.aliyuncs.com</HostId>
    </Error>
    Error Status:
    403
    put Failed!

    Because the assumed role only has download permission, the file upload failed.

Use temporary authorization for uploads

Now, we will try to use STS to upload a file. Steps:

  1. Obtain an STS temporary credential. The App user is usr001.

    [admin@NGIS-CWWF344M01C /home/admin/oss_test]
    $python ./sts.py AssumeRole RoleArn=acs:ram::1894189769722283:role/ramtestappwrite RoleSessionName=usr001 Policy='{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:PutObject"],"Resource":["acs:oss:*:*:ram-test-app/usr001/*"]}]}' --id=oOhuek56i53Frogv --secret=OmVwFJO3qcT0IWrmqkFhOYpg3p0KnA
    https://sts.aliyuncs.com/?SignatureVersion=1.0&Format=JSON&Timestamp=2015-11-17T03%3A16%3A10Z&RoleArn=acs%3Aram%3A%3A1894189769722283%3Arole%2Framtestappwrite&RoleSessionName=usr001&AccessKeyId=oOhuek56i53Frogv&Policy=%7B%22Version%22%3A%221%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%5B%22oss%3APutObject%22%5D%2C%22Resource%22%3A%5B%22acs%3Aoss%3A%2A%3A%2A%3Aram-test-app%2Fusr001%2F%2A%22%5D%7D%5D%7D&SignatureMethod=HMAC-SHA1&Version=2015-04-01&Signature=Y0OPUoL1PrCqX4X6A3%2FJvgXuS6c%3D&Action=AssumeRole&SignatureNonce=8d0798a8-8cd9-11e5-9f49-008cfa5e4938
    {
      "AssumedRoleUser": {
        "Arn": "acs:ram::1894189769722283:role/ramtestappwrite/usr001",
        "AssumedRoleId": "355407847660029428:usr001"
      },
      "Credentials": {
        "AccessKeyId": "STS.rtfx13DYMUbcNlIJlS4U",
        "AccessKeySecret": "2fsaM8E2maB2dngj7S2KwpsKTyK4ajo7TxFr0zIM",
        "Expiration": "2015-11-17T04:16:10Z",
        "SecurityToken": "<SecurityToken omitted>"
      },
      "RequestId": "19407707-54B2-41AD-AAF0-FE87E8870B0D"
    }
  2. Let us test if we can use the credentials to upload and download.

    [admin@NGIS-CWWF344M01C /home/admin/oss_test]
    $./osscmd get oss://ram-test-app/test.txt test.txt --host=oss-cn-hangzhou.aliyuncs.com -i STS.rtfx13DYMUbcNlIJlS4U -k 2fsaM8E2maB2dngj7S2KwpsKTyK4ajo7TxFr0zIM --sts_token=CAESkwMIARKAAUh3/Uzcg13YLRBWxy0IZjGewMpg31ITxCleBFU1eO/3Sgpudid+GVs+Olvu1vXJn6DLcvPa8azKJKtzV0oKSy+mwUrxSvUSRVDntrs78CsNfWoOJUMJKjLIxdWnGi1pgxJCBzNZ2YV/6ycTaZySSE1V6kqQ7A+GPwYoBSnWmLpdGhhTVFMucnRmeDEzRFlNVWJjTmxJSmxTNFUiEjM1NTQwNzg0NzY2MDAyOTQyOCoGdXNyMDAxMOPzoJ2RKjoGUnNhTUQ1QnYKATEacQoFQWxsb3cSJwoMQWN0aW9uRXF1YWxzEgZBY3Rpb24aDwoNb3NzOlB1dE9iamVjdBI/Cg5SZXNvdXJjZUVxdWFscxIIUmVzb3VyY2UaIwohYWNzOm9zczoqOio6cmFtLXRlc3QtYXBwL3VzcjAwMS8qShAxODk0MTg5NzY5NzIyMjgzUgUyNjg0MloPQXNzdW1lZFJvbGVVc2VyYABqEjM1NTQwNzg0NzY2MDAyOTQyOHIPcmFtdGVzdGFwcHdyaXRl
    Error Headers:
    [('content-length', '254'), ('server', 'AliyunOSS'), ('connection', 'keep-alive'), ('x-oss-request-id', '564A9C31FFFC811F24B6E7E3'), ('date', 'Tue, 17 Nov 2015 03:17:05 GMT'), ('content-type', 'application/xml')]
    Error Body:
    <?xml version="1.0" encoding="UTF-8"?>
    <Error>
      <Code>AccessDenied</Code>
      <Message>Access denied by authorizer's policy.</Message>
      <RequestId>564A9C31FFFC811F24B6E7E3</RequestId>
      <HostId>ram-test-app.oss-cn-hangzhou.aliyuncs.com</HostId>
    </Error>
    Error Status:
    403
    get Failed!
    [admin@NGIS-CWWF344M01C /home/admin/oss_test]
    $./osscmd put test.txt oss://ram-test-app/test.txt --host=oss-cn-hangzhou.aliyuncs.com -i STS.rtfx13DYMUbcNlIJlS4U -k 2fsaM8E2maB2dngj7S2KwpsKTyK4ajo7TxFr0zIM --sts_token=CAESkwMIARKAAUh3/Uzcg13YLRBWxy0IZjGewMpg31ITxCleBFU1eO/3Sgpudid+GVs+Olvu1vXJn6DLcvPa8azKJKtzV0oKSy+mwUrxSvUSRVDntrs78CsNfWoOJUMJKjLIxdWnGi1pgxJCBzNZ2YV/6ycTaZySSE1V6kqQ7A+GPwYoBSnWmLpdGhhTVFMucnRmeDEzRFlNVWJjTmxJSmxTNFUiEjM1NTQwNzg0NzY2MDAyOTQyOCoGdXNyMDAxMOPzoJ2RKjoGUnNhTUQ1QnYKATEacQoFQWxsb3cSJwoMQWN0aW9uRXF1YWxzEgZBY3Rpb24aDwoNb3NzOlB1dE9iamVjdBI/Cg5SZXNvdXJjZUVxdWFscxIIUmVzb3VyY2UaIwohYWNzOm9zczoqOio6cmFtLXRlc3QtYXBwL3VzcjAwMS8qShAxODk0MTg5NzY5NzIyMjgzUgUyNjg0MloPQXNzdW1lZFJvbGVVc2VyYABqEjM1NTQwNzg0NzY2MDAyOTQyOHIPcmFtdGVzdGFwcHdyaXRl
    100% Error Headers:
    [('content-length', '254'), ('server', 'AliyunOSS'), ('connection', 'keep-alive'), ('x-oss-request-id', '564A9C3FB8DE437A91B16772'), ('date', 'Tue, 17 Nov 2015 03:17:19 GMT'), ('content-type', 'application/xml')]
    Error Body:
    <?xml version="1.0" encoding="UTF-8"?>
    <Error>
      <Code>AccessDenied</Code>
      <Message>Access denied by authorizer's policy.</Message>
      <RequestId>564A9C3FB8DE437A91B16772</RequestId>
      <HostId>ram-test-app.oss-cn-hangzhou.aliyuncs.com</HostId>
    </Error>
    Error Status:
    403
    put Failed!

    Here a problem occurs: the upload of test.txt fails (as does the download, since the policy passed in grants no read permission). Look again at the policy passed in at the beginning of this section, formatted as follows:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "oss:PutObject"
          ],
          "Resource": [
            "acs:oss:*:*:ram-test-app/usr001/*"
          ]
        }
      ]
    }

    This policy allows the user to upload only to objects under the usr001/ prefix of the ram-test-app bucket, so the upload to ram-test-app/test.txt was rejected. If the app user is usr002, the policy is changed to allow only the usr002/ prefix. By passing a different policy for each app user, we isolate the storage space of different app users.

  3. Retry the test and specify the upload destination as ram-test-app/usr001/test.txt.

    [admin@NGIS-CWWF344M01C /home/admin/oss_test]
    $./osscmd put test.txt oss://ram-test-app/usr001/test.txt --host=oss-cn-hangzhou.aliyuncs.com -i STS.rtfx13DYMUbcNlIJlS4U -k 2fsaM8E2maB2dngj7S2KwpsKTyK4ajo7TxFr0zIM --sts_token=<SecurityToken omitted>
    100%
    Object URL is: http://ram-test-app.oss-cn-hangzhou.aliyuncs.com/usr001%2Ftest.txt
    Object abstract path is: oss://ram-test-app/usr001/test.txt
    ETag is "946A0A1AC8245696B9C6A6F35942690B"
    0.071(s) elapsed

    As you can see, the upload was successful.
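To make the intersection rule and the per-user prefix restriction concrete, here is an added Python example (not part of this page, of sts.py or of osscmd). It builds the session policy for a given app user and evaluates the RamTestAppWrite role policy together with that session policy against the requests made in the tests above; the wildcard matcher, the app user id format and the full OSS resource ARNs are assumptions.

```python
import re

# Role policy attached to RamTestAppWrite, copied from this page.
ROLE_POLICY_WRITE = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:DeleteObject", "oss:ListParts", "oss:AbortMultipartUpload", "oss:PutObject"],
        "Resource": ["acs:oss:*:*:ram-test-app", "acs:oss:*:*:ram-test-app/*"],
    }],
}

# Assumed format for app user ids: anything that could break out of the
# per-user prefix ('/', '*', '..') is rejected before it reaches the policy.
USER_ID_RE = re.compile(r"[a-z0-9_-]{1,64}")

def build_session_policy(user_id, bucket="ram-test-app"):
    """Policy passed with AssumeRole: confine the app user to <bucket>/<user_id>/."""
    if not USER_ID_RE.fullmatch(user_id):
        raise ValueError("invalid app user id: %r" % user_id)
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:PutObject"],
            "Resource": ["acs:oss:*:*:%s/%s/*" % (bucket, user_id)],
        }],
    }

def _matches(pattern, value):
    """Policy wildcard match (assumed): '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def policy_allows(policy, action, resource):
    """Allow only if a matching Allow statement exists and no matching Deny does."""
    allowed = False
    for st in policy["Statement"]:
        if not (any(_matches(a, action) for a in _as_list(st["Action"]))
                and any(_matches(r, resource) for r in _as_list(st["Resource"]))):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def sts_allows(role_policy, session_policy, action, resource):
    """Effective STS permission: the intersection of role policy and passed-in policy."""
    return (policy_allows(role_policy, action, resource)
            and policy_allows(session_policy, action, resource))
```

With the usr001 session policy, a PutObject to ram-test-app/usr001/test.txt is allowed, while PutObject to ram-test-app/test.txt, any GetObject, and even DeleteObject (allowed by the role but not by the session policy) are refused.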

Conclusion

This section describes how to grant users temporary access to OSS using STS. In typical mobile development scenarios, STS can be used to grant each App user a temporary authorization to access OSS. The temporary authorization carries an expiration time, which greatly reduces the damage a leaked credential can do. When obtaining the temporary authorization, we can pass a different policy for each app user to restrict their permissions, for example, to restrict the object paths they can access. This isolates the storage space of different app users.
