Mobile apps are commonly used to upload data due to the fast development of the mobile Internet. If logs can be directly uploaded from mobile apps to Log Service instead of being transferred by app servers, you can focus on your business logic development.

Background information

When you write logs to Log Service in normal mode, you must use the AccessKey pair of your Alibaba Cloud account for authentication and anti-tamper protection. If a mobile app accesses Log Service in this mode, you must save your AccessKey pair on a mobile client. This increases the risk of data leaks if the AccessKey pair is exposed. If your AccessKey pair is exposed, you must upgrade the mobile app and change the AccessKey pair. This process is complicated and costly. To upload logs from mobile clients to Log Service, you can also use app servers to transfer the logs. However, if the number of mobile apps is large, the app servers must meet high performance requirements to carry all data from mobile clients.

To prevent the preceding issues, Log Service provides a more secure and convenient solution to collect logs from mobile apps based on Resource Access Management (RAM). You can use RAM to directly transfer data. In this mode, you do not need to save your AccessKey pair on a mobile client. This prevents your AccessKey pair from being exposed. A temporary token is used to increase data security. The temporary token has a lifecycle. You can configure more complex access permission policies for the temporary token. For example, you can reject access requests from specified CIDR blocks. This solution can minimize costs. You do not need to prepare a large number of app servers because the mobile apps are directly connected to Alibaba Cloud. Only the control flow is sent to your app servers.

You can create a RAM role of Log Service and configure a mobile app as a RAM user to assume this role. This way, you can build a data transfer service for the mobile app based on Log Service within 30 minutes. The direct data transfer service allows mobile apps to directly access Log Service, and only the control flow is sent to app servers.

Benefits

A data transfer service that is built for mobile apps based on Log Service by using RAM has the following benefits:
  • Higher access security: Flexible and temporary permission assignment and authentication are supported.
  • Lower cost: Fewer servers are required. Mobile apps are directly connected to Alibaba Cloud and only the control flow is sent to app servers.
  • Higher concurrency: A large number of users can use the service at the same time. Higher upload bandwidth and download bandwidth are provided by Log Service.
  • Auto scaling: Log Service provides unlimited storage space.
The following figure shows the architecture. [Figure: Architecture]
The following list describes the nodes of the architecture.
  • Android or iOS mobile app: the app on the mobile phones of users. Logs are generated by the app.
  • SLS: Log Service. Log Service stores the log data that is uploaded from the app.
  • RAM/STS: RAM. This service allows you to manage user identities and resource access permissions. You can use RAM to generate temporary upload credentials.
  • App server: the backend service that is developed for the Android or iOS app. The app server manages the tokens that the app uses to upload and download logs, and manages the metadata that users upload to the app.

Configuration process

  1. The app applies for a temporary access credential from the app server.

    To prevent data leaks, the Android or iOS app does not store the AccessKey ID or AccessKey secret. Instead, the app applies for a temporary upload credential (a token) from the app server. The token is valid only for a specific period, which the app server specifies. For example, if a token is set to be valid for 30 minutes, the Android or iOS app can use this token to access Log Service within those 30 minutes; once the token expires, the app must apply for a new token.

  2. The app server checks the validity of the request and then returns a token to the app.
  3. After the mobile app receives the token, the mobile app can access Log Service.

This topic describes how to use an app server to apply for a token from RAM, and how to obtain the token for an Android or iOS app.

Procedure

  1. Authorize a RAM role to manage Log Service resources.

    Create a RAM role and configure a mobile app as a RAM user to assume the role. For more information, see Assign a RAM role to an Alibaba Cloud account.

    After you configure the mobile app, you can obtain the following information:
    • The AccessKey ID and AccessKey secret of the RAM user
    • The resource path of the role
  2. Set up an app server.

    This topic provides sample programs in multiple languages. The download URLs are listed at the end of this topic.

    Each downloaded language pack contains the configuration file config.json. The following script shows the config.json file:
    {
        "AccessKeyID" : "",
        "AccessKeySecret" : "",
        "RoleArn" : "",
        "TokenExpireTime" : "900",
        "PolicyFile": "policy/write_policy.txt"
    }
    Note
    1. AccessKeyID: the AccessKey ID.
    2. AccessKeySecret: the AccessKey secret.
    3. RoleArn: the Alibaba Cloud Resource Name (ARN) of the role.
    4. TokenExpireTime: the validity period of the token that is obtained by the Android or iOS app. Valid values: 900 to 1800. Unit: seconds.
    5. PolicyFile: the file that lists the permissions of the token. You can use the default value.
    The policy directory of each language pack contains the following two policy files, which define the most common permissions:
    • write_policy.txt: grants a token the write permissions on the projects of an Alibaba Cloud account.
    • readonly_policy.txt: grants a token the read permissions on the projects of an Alibaba Cloud account.

    You can customize your policy file based on your business requirements.

    Response format:
    //Sample success response
    {
        "StatusCode":200,
        "AccessKeyId":"STS.3p***dgagdasdg",
        "AccessKeySecret":"rpnwO9***tGdrddgsR2YrTtI",
        "SecurityToken":"CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVtbzI=",
        "Expiration":"2017-11-12T07:49:09Z"
    }
    
    //Sample error response
    {
        "StatusCode":500,
        "ErrorCode":"InvalidAccessKeyId.NotFound",
        "ErrorMessage":"Specified access key is not found."
    }
    
    The following list describes the success response parameters. Together, the five parameters constitute a token.
    • StatusCode: the result of the token request. The app server returns 200 if the token is retrieved.
    • AccessKeyId: the AccessKey ID that the Android or iOS app uses when it initializes LogClient.
    • AccessKeySecret: the AccessKey secret that the Android or iOS app uses when it initializes LogClient.
    • SecurityToken: the token that the Android or iOS app uses to access Log Service.
    • Expiration: the expiration time of the token. The Android SDK automatically checks the validity of the token and obtains a new token as needed.
    The following list describes the error response parameters.
    • StatusCode: the result of the token request. The app server returns 500 if the token fails to be obtained.
    • ErrorCode: the error cause.
    • ErrorMessage: the error description.

    You can perform the following operations to run the sample code:

    For Java V1.7 or later: after you download and decompress the package, create a Java project, copy the dependencies, code, and configuration into the project, and run the main function. By default, the program listens on port 7080 and waits for HTTP requests. The sample programs in the other languages are run in the same way.

  3. Construct an HTTP request on a mobile client to obtain a token from the app server.
    The following script shows the formats of an HTTP request and response:
    Request URL: GET https://localhost:7080/
    
    Response:
    {
    "StatusCode":"200",
    "AccessKeyId":"STS.XXXXXXXXXXXXXXX",
    "AccessKeySecret":"",
    "SecurityToken":"",
    "Expiration":"2017-11-20T08:23:15Z"
    }
    Note: All examples in this topic demonstrate how to deploy a server. When you deploy your own server, customize it based on these examples.
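The token flow of steps 2 and 3, as an added Node.js example that is not part of the Alibaba Cloud sample packages: the app server validates config.json, calls STS AssumeRole with the role ARN, the policy file contents and the configured lifetime, and returns the success or error format shown above; the mobile client decides when a cached token must be renewed. The assumeRole function is a hypothetical injected stand-in for the STS SDK call, and the SAMPLE_CONFIG values are constructed placeholders.

```javascript
// Added example, not the Alibaba Cloud sample code: app-server token issuance
// (step 2) plus the client-side expiry check (step 3), runnable offline.
const MIN_EXPIRE = 900, MAX_EXPIRE = 1800; // TokenExpireTime bounds, in seconds

// Constructed sample config.json; the AccessKey values and account ID are placeholders.
const SAMPLE_CONFIG = { AccessKeyID: "AK-ID-PLACEHOLDER", AccessKeySecret: "AK-SECRET-PLACEHOLDER",
  RoleArn: "acs:ram::123456789012345678:role/mobile-log-upload", TokenExpireTime: "900",
  PolicyFile: "policy/write_policy.txt" };

// Reject a bad config.json before any STS call, so a token with an
// unintended lifetime or an empty RoleArn is never issued.
function validateConfig(cfg) {
  const errors = [];
  for (const key of ["AccessKeyID", "AccessKeySecret", "RoleArn", "PolicyFile"]) {
    if (!cfg[key]) errors.push(key + " is empty");
  }
  const ttl = Number(cfg.TokenExpireTime);
  if (!Number.isInteger(ttl) || ttl < MIN_EXPIRE || ttl > MAX_EXPIRE) {
    errors.push("TokenExpireTime must be " + MIN_EXPIRE + "-" + MAX_EXPIRE + " seconds");
  }
  return errors;
}

// Build the response the app server returns to the mobile app. assumeRole is a
// hypothetical injected function that performs STS AssumeRole and either returns
// {AccessKeyId, AccessKeySecret, SecurityToken, Expiration} or throws an Error
// carrying a .code such as "InvalidAccessKeyId.NotFound".
function issueToken(cfg, policyText, assumeRole) {
  const errors = validateConfig(cfg);
  if (errors.length > 0) {
    return { StatusCode: 500, ErrorCode: "InvalidConfig", ErrorMessage: errors.join("; ") };
  }
  try {
    const cred = assumeRole({
      RoleArn: cfg.RoleArn,
      RoleSessionName: "mobile-app",          // constructed session name
      Policy: policyText,                     // contents of PolicyFile, narrows the role
      DurationSeconds: Number(cfg.TokenExpireTime),
    });
    return { StatusCode: 200, AccessKeyId: cred.AccessKeyId, AccessKeySecret: cred.AccessKeySecret,
             SecurityToken: cred.SecurityToken, Expiration: cred.Expiration };
  } catch (e) {
    return { StatusCode: 500, ErrorCode: e.code || "InternalError", ErrorMessage: e.message };
  }
}

// Client side: renew the cached token marginSec before Expiration so that an upload in flight never carries an expired token.
function tokenNeedsRefresh(token, nowMs, marginSec) {
  if (!token || token.StatusCode !== 200) return true;
  return Date.parse(token.Expiration) - nowMs <= marginSec * 1000;
}
```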

Download the source code

Sample code of the app server: PHP, Java, Ruby, and Node.js.