Security Token Service (STS) enables more strict permission management than Resource Access Management (RAM). Using STS to implement resource access control involves a complicated authorization process.You can use STS to grant RAM users temporary permissions to access resources.

RAM users and the permissions granted to RAM users have long-term validity. You need to manually delete a RAM user or revoke permissions from RAM users. After the account information of a RAM user has been leaked, if you fail to timely delete this user or revoke related permissions, your Alibaba Cloud resources and important information may be compromised. Therefore, we recommend that you use STS to manage key permissions or permissions that do not require long-term validity.

Figure 1. Process for granting temporary permissions to RAM users.


Step 1: Create a role

A role is a virtual entity that represents a virtual user with a group of permissions.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. Click Create RAM Role, select Alibaba Cloud Account, and then click Next.
  4. Specify the RAM Role Name and Note parameters.
  5. Under Select Trusted Alibaba Cloud Account, select Current Alibaba Cloud Account or Other Alibaba Cloud Account.
    Note If you select Other Alibaba Cloud Account, enter the account ID.
  6. Click OK.

Step 2: Create an authorization policy

An authorization policy defines the resource permissions that are to be granted to roles.

  1. In the RAM console, click Permissions > Policies .
  2. On the page that appears, click Create Policy.
  3. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  4. Under Configuration Mode, select Script.

    Authorization policy example: Read-only permission of IoT resources.

    
    {
    "Version": "1",
    "Statement": [
    {
    "Action": [
    "rds:DescribeDBInstances",
    "rds:DescribeDatabases",
    "rds:DescribeAccounts",
    "rds:DescribeDBInstanceNetInfo"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action": "ram:ListRoles",
    "Effect": "Allow",
    "Resource": "*"
    },
    {
    "Action":[
    "mns:ListTopic"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action": [
    "dhs:ListProject",
    "dhs:ListTopic",
    "dhs:GetTopic"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action": [
    "ots:ListInstance",
    "ots:ListTable",
    "ots:DescribeTable"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action":[
    "log:ListShards",
    "log:ListLogStores",
    "log:ListProject"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Effect": "Allow",
    "Action": [
    "iot:Query*",
    "iot:List*",
    "iot:Get*",
    "iot:BatchGet*" 
    ],
    "Resource": "*"
    }
    ]
    }

    Authorization policy example:Read-write permission of IoT resources.

    
    {
    "Version": "1",
    "Statement": [
    {
    "Action": [
    "rds:DescribeDBInstances",
    "rds:DescribeDatabases",
    "rds:DescribeAccounts",
    "rds:DescribeDBInstanceNetInfo"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action": "ram:ListRoles",
    "Effect": "Allow",
    "Resource": "*"
    },
    {
    "Action":[
    "mns:ListTopic"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action": [
    "dhs:ListProject",
    "dhs:ListTopic",
    "dhs:GetTopic"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action": [
    "ots:ListInstance",
    "ots:ListTable",
    "ots:DescribeTable"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Action":[
    "log:ListShards",
    "log:ListLogStores",
    "log:ListProject"
    ],
    "Resource": "*",
    "Effect": "Allow"
    },
    {
    "Effect": "Allow",
    "Action": "iot:*",
    "Resource": "*"
    }
    ]
    }

After an authorization policy has been created, you can grant the permissions defined in this policy to roles.

Step 3: Authorize a role

A role can only have resource access permissions after it has been authorized.

  1. In the RAM console, click Grants under Permissions.
  2. Click Grant Permission.
  3. Enter the RAM role name under Principal, and click the target RAM role.

  4. Click OK.

Next, you need to grant a RAM user the permission to play this role.

Step 4: Grant a RAM user the permission to play the role

After authorization is complete, the role obtains the permissions that are defined in the authorization policy. However, the role is only a virtual user. You need a RAM user to play the role in order to perform the operations allowed by the permissions. If all RAM users are allowed to play the role, this causes security risks. You should only grant the permission to play this role to specified RAM users.

To grant a RAM user the permission to play this role, you need to create a custom authorization policy where the Resource parameter of this policy is set to the ID of the role. You then authorize the RAM user with this authorization policy.

  1. In the RAM console, click Permissions > Policies .
  2. On the page that appears, click Create Policy.
  3. On the Create Custom Policy page, specify the Policy Name and Note parameters.
  4. Under Configuration Mode, select Script.
    Note In the policy content, set the Resource parameter to the Arn of the role. On the RAM Roles page, find the specified role, click the role name to go to the details page to view the Arn of the role .

    Role authorization policy example:

    
    {
    "Version": "1",
    "Statement": [
    {
    "Effect": "Allow",
    "Action": "iot:QueryProduct",
    "Resource": "Role Arn"
    }
    ]
    }
  5. After the policy has been created, go to the home page of the RAM console.
  6. Click Users in the left-side navigation pane to enter RAM user management page.
  7. Select the RAM user you want to authorize and click Add Permissions.
  8. In the dialog box that appears, select the policy that you have just created, and then click OK.

After authorization is complete, the RAM user obtains the permission to play this role. You can then use STS to obtain the temporary identity credentials for accessing the resources.

Step 5: The RAM user obtains temporary identity credentials

Authorized RAM users can call the STS API operations or use the STS SDKs to obtain the temporary identity credentials for role play. The temporary credentials include an AccessKeyId, AccessKeySecret, and SecurityToken. For more information about the STS API and STS SDKs, see API Reference (STS)and SDK Reference (STS).

You need to specify the following parameters when using an STS API or SDK to obtain temporary identity credentials:

  • RoleArn: The Arn of the role that the RAM user is to play.
  • RoleSessionName: The name of the temporary credentials. This is a custom parameter.
  • Policy: The authorization policy. This parameter adds a restriction to the permissions of the role. You can use this parameter to restrict the permissions of the token. If you do not specify this parameter, a token possessing all permissions of the specified role is created.
  • DurationSeconds: The validity period of the temporary credentials. This parameter is measured in seconds. The default value is 3,600 and the value ranges from 900 to 3,600.
  • id and secret: The AccessKeyId and AccessKeySecret of the RAM user.

Examples of obtaining temporary identity credentials

API example: The RAM user calls the STS AssumeRole operation to obtain the temporary identity credentials for role play.

https://sts.aliyuncs.com?Action=AssumeRole
&RoleArn=acs:ram::1234567890123456:role/iotstsrole
&RoleSessionName=iotreadonlyrole
&DurationSeconds=3600
&Policy=<url_encoded_policy>
&<Common request parameters>

SDK example: The RAM user obtains the temporary identity credentials through the Python CLI interface for STS.

$python ./sts.py AssumeRole RoleArn=acs:ram::1234567890123456:role/iotstsrole RoleSessionName=iotreadonlyrole Policy='{"Version":"1","Statement":[{"Effect":"Allow","Action":"iot:*","Resource":"*"}]}' DurationSeconds=3600 --id=id --secret=secret

After the request has been received, the temporary identity credentials that are required to play the role are returned. The credentials include an AccessKeyId, AccessKeySecret, and SecurityToken.

Step 6: The RAM user accesses the resources

After obtaining the temporary identity credentials, the RAM user can pass in the credentials in the SDK requests to play the specified role.

Java SDK example: The RAM user passes in the AccessKeyId, AccessKeySecret, and SecurityToken parameters that are contained in the temporary identity credentials in the request and creates the IAcsClient object.

IClientProfile profile = DefaultProfile.getProfile("cn-hangzhou", AccessKeyId,AccessSecret);
RpcAcsRequest request.putQueryParameter("SecurityToken", Token);
IAcsClient client = new DefaultAcsClient(profile);
AcsResponse response = client.getAcsResponse(request);