You can use Alibaba Cloud Security Token Service (STS) to authorize temporary access to OSS.

STS is a web service that issues temporary access tokens to cloud computing users. With STS you can grant a third-party application or a RAM user that you manage an access credential with a validity period and permissions that you choose. For more information about STS, see What is STS?

STS has the following benefits:

  • You only need to generate an access token and send that token to the third-party application, rather than exposing your long-term key (AccessKey) to it. You can customize the access permissions and the validity period of the token.
  • The access token automatically expires at the end of its validity period.

For more information about the process of accessing OSS with STS, see Access OSS with a temporary access credential provided by STS in OSS Developer Guide.

To use STS to access OSS, you must set :sts_token on the OSS client, as shown in the following sample code:

require 'aliyun/sts'
require 'aliyun/oss'

# The STS client authenticates with the long-term AccessKey pair of a RAM user
# that is allowed to assume the target role.
sts = Aliyun::STS::Client.new(
  access_key_id: '<The AccessKey ID of the RAM user>',
  access_key_secret: '<The AccessKey secret of the RAM user>')

# Assume the role to obtain a temporary credential: an AccessKey ID, an
# AccessKey secret, and a security token.
token = sts.assume_role('<role-arn>', '<session-name>')

# The OSS client uses the temporary credential; the security token is
# passed through :sts_token.
client = Aliyun::OSS::Client.new(
  endpoint: '<endpoint>',
  access_key_id: token.access_key_id,
  access_key_secret: token.access_key_secret,
  sts_token: token.security_token)

bucket = client.get_bucket('my-bucket')

You can pass a custom STS policy when you apply for a temporary token from STS. The permissions of the temporary token are limited by both the role's own permissions and this policy, so the token can do only what both allow. The following code provides an example of how to specify an STS policy that applies for read-only permission on my-bucket and sets the validity period of the temporary token to 15 minutes:

require 'aliyun/sts'
require 'aliyun/oss'

sts = Aliyun::STS::Client.new(
  access_key_id: '<The AccessKey ID of the RAM user>',
  access_key_secret: '<The AccessKey secret of the RAM user>')

# Restrict the temporary token to read actions (oss:Get*) on objects in
# my-bucket, regardless of what else the role itself is allowed to do.
policy = Aliyun::STS::Policy.new
policy.allow(['oss:Get*'], ['acs:oss:*:*:my-bucket/*'])

# The last argument is the validity period in seconds: 15 minutes here.
token = sts.assume_role('<role-arn>', '<session-name>', policy, 15 * 60)

client = Aliyun::OSS::Client.new(
  endpoint: '<endpoint>',
  access_key_id: token.access_key_id,
  access_key_secret: token.access_key_secret,
  sts_token: token.security_token)

bucket = client.get_bucket('my-bucket')

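The following is an added example, not part of the SDK documentation, that needs no network access and no aliyun gem. It builds the same read-only policy document that policy.allow above produces, checks that a policy stays within "reads on one bucket" before it is handed to assume_role, and shows a refresh check against the expiration timestamp that STS returns with every temporary credential. The function names and the 60-second refresh margin are assumptions chosen for this example.

```ruby
require 'json'
require 'time'

# Policy document equivalent to policy.allow(['oss:Get*'], ['acs:oss:*:*:<bucket>/*'])
# in the sample above: an STS session policy that only allows reads on one bucket.
def read_only_bucket_policy(bucket)
  {
    'Version' => '1',
    'Statement' => [{
      'Effect' => 'Allow',
      'Action' => ['oss:Get*'],
      'Resource' => ["acs:oss:*:*:#{bucket}/*"]
    }]
  }
end

# Review a session policy before handing it to assume_role: every Allow statement
# must stay on read actions and on the named bucket. Returns a list of findings;
# an empty list means the policy is as narrow as the sample intends.
def least_privilege_findings(policy, bucket)
  findings = []
  policy.fetch('Statement').each do |st|
    next unless st['Effect'] == 'Allow'
    Array(st['Action']).each do |action|
      findings << "write-capable action: #{action}" unless action.start_with?('oss:Get', 'oss:List')
    end
    Array(st['Resource']).each do |res|
      findings << "resource outside #{bucket}: #{res}" unless res.start_with?("acs:oss:*:*:#{bucket}")
    end
  end
  findings
end

# STS tokens expire on their own; a long-running caller should refresh a token
# shortly before its expiration rather than after a request fails.
# `expiration` is the ISO 8601 Expiration string from the STS response.
# The 60-second margin is an assumed value for this example.
def token_needs_refresh?(expiration, now: Time.now, margin_seconds: 60)
  Time.iso8601(expiration) - now <= margin_seconds
end

if $PROGRAM_NAME == __FILE__
  policy = read_only_bucket_policy('my-bucket')
  puts JSON.pretty_generate(policy)
  p least_privilege_findings(policy, 'my-bucket') # []
  # Constructed over-broad policy: full OSS access on every bucket.
  wide = { 'Statement' => [{ 'Effect' => 'Allow', 'Action' => ['oss:*'], 'Resource' => ['acs:oss:*:*:*'] }] }
  p least_privilege_findings(wide, 'my-bucket')
end
```
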
For more information about how to use STS to authorize temporary access and how to set parameters, visit Alibaba Cloud OSS SDK for Ruby.