
Use STS Token as user credentials

Last Updated: Mar 21, 2018

Using your Alibaba Cloud AccessKey directly in your applications carries a security risk: anyone who obtains the AccessKey ID and AccessKey Secret holds the full, long-lived permissions of your account. To improve account security, you can instead access Alibaba Cloud services with a Security Token Service (STS) token issued for a RAM subaccount or role.

Using the STS token as an access credential has the following advantages:

  • An STS token is temporary, so it limits the damage from a compromised AccessKey ID and AccessKey Secret. This matters most on mobile devices, where embedded credentials are easy to extract.

  • An STS token supports flexible, fine-grained permission control. The permissions of the token are those of the RAM role it is issued for, so you can restrict access to products such as SLB and ECS down to individual actions and resources.

This document shows how to configure an STS token in the C# SDK to access Alibaba Cloud services. For more information about STS tokens, see RAM and STS.

Note: Make sure that the product you are calling supports STS.

Two methods are available to set up the STS token:

Use STS token directly

If you specify the token directly, you must obtain a new token and rebuild the credentials before the current one expires; the SDK does not refresh it for you.

    using System;
    using Aliyun.Acs.Core;
    using Aliyun.Acs.Core.Auth;
    using Aliyun.Acs.Core.Profile;
    using Aliyun.Acs.Core.Exceptions;
    using Aliyun.Acs.Ecs.Model.V20140526;

    class SimpleSTSTokenSample
    {
        static void Main(string[] args)
        {
            // Temporary credentials returned by the STS AssumeRole API
            BasicSessionCredentials credentials = new BasicSessionCredentials(
                "<your-access-key-id>",
                "<your-access-key-secret>",
                "<your-session-token>");

            // Create a client instance
            IClientProfile profile = DefaultProfile.GetProfile("<your-region-id>");
            DefaultAcsClient client = new DefaultAcsClient(profile, credentials);

            try
            {
                // Create a request and set parameters
                DescribeInstancesRequest request = new DescribeInstancesRequest();
                request.PageSize = 10;

                // Initiate the request and print the handling result
                DescribeInstancesResponse response = client.GetAcsResponse(request);
                Console.WriteLine("TotalCount: {0}", response.TotalCount);
            }
            catch (ServerException e)
            {
                // The service rejected the request (for example, an expired token)
                Console.WriteLine(e.ErrorCode);
                Console.WriteLine(e.ErrorMessage);
            }
            catch (ClientException e)
            {
                // The request could not be sent or the response could not be parsed
                Console.WriteLine(e.ErrorCode);
                Console.WriteLine(e.ErrorMessage);
            }
        }
    }

where:

  • region-id is the ID of the region that you are using. See Regions and zones to obtain the region ID.

  • sts-access-key-id, sts-access-key-secret, and sts-session-token (the <your-access-key-id>, <your-access-key-secret>, and <your-session-token> placeholders in the code) are the temporary credentials returned by the AssumeRole API.
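The following is an added example, not code from this page or from the Alibaba Cloud SDK, showing what "update the token periodically" means in practice when you manage the token yourself. It is plain C# with no SDK dependency: the StsToken type, the RefreshingStsCredentials class and the fakeAssumeRole delegate are all hypothetical names constructed for the example. In real use the fetcher would call the STS AssumeRole API, and each new token triple would be passed to BasicSessionCredentials to build a fresh DefaultAcsClient. The key point is that the token is replaced before it expires, with a safety margin, rather than after a request fails with an expiry error.

```csharp
using System;

// Constructed stand-in for the credential triple that AssumeRole returns.
sealed class StsToken
{
    public string AccessKeyId { get; }
    public string AccessKeySecret { get; }
    public string SecurityToken { get; }
    public DateTime Expiration { get; }   // UTC

    public StsToken(string id, string secret, string token, DateTime expiration)
    {
        AccessKeyId = id;
        AccessKeySecret = secret;
        SecurityToken = token;
        Expiration = expiration;
    }
}

// Caches an STS token and re-fetches it shortly before it expires.
// The fetcher is whatever calls AssumeRole (a hypothetical delegate here).
// A token is replaced once less than refreshMargin of its lifetime remains,
// so callers never hold a credential that is about to expire mid-request.
sealed class RefreshingStsCredentials
{
    private readonly Func<StsToken> _fetcher;
    private readonly TimeSpan _refreshMargin;
    private readonly object _lock = new object();
    private StsToken _current;

    public int RefreshCount { get; private set; }

    public RefreshingStsCredentials(Func<StsToken> fetcher, TimeSpan refreshMargin)
    {
        _fetcher = fetcher;
        _refreshMargin = refreshMargin;
    }

    // nowUtc is passed in explicitly so the refresh logic can be exercised
    // deterministically; production code would use DateTime.UtcNow.
    public StsToken GetToken(DateTime nowUtc)
    {
        lock (_lock)
        {
            if (_current == null || nowUtc + _refreshMargin >= _current.Expiration)
            {
                _current = _fetcher();
                RefreshCount++;
                // Defensive check: never hand out a token that is already unusable.
                if (_current.Expiration <= nowUtc)
                    throw new InvalidOperationException("AssumeRole returned an expired token");
            }
            return _current;
        }
    }
}

static class Program
{
    static void Main()
    {
        int issued = 0;
        DateTime clock = new DateTime(2018, 3, 21, 0, 0, 0, DateTimeKind.Utc);

        // Constructed fake AssumeRole: each call issues a token valid for one
        // hour from the current simulated clock. Values are placeholders.
        Func<StsToken> fakeAssumeRole = () =>
        {
            issued++;
            return new StsToken("STS.fakeId" + issued, "fakeSecret",
                                "fakeToken" + issued, clock.AddHours(1));
        };

        var creds = new RefreshingStsCredentials(fakeAssumeRole, TimeSpan.FromMinutes(5));

        StsToken first = creds.GetToken(clock);                // first fetch
        StsToken same = creds.GetToken(clock.AddMinutes(30));  // plenty of life left: cached
        clock = clock.AddMinutes(56);                          // 4 minutes left, inside the margin
        StsToken renewed = creds.GetToken(clock);              // second fetch

        Console.WriteLine("first={0} same={1} renewed={2} refreshes={3}",
            first.SecurityToken, same.SecurityToken, renewed.SecurityToken, creds.RefreshCount);
    }
}
```

Choosing the margin is the practical decision: it must exceed the longest request you expect to make with the token, and it must be far smaller than the token lifetime, or the provider will call AssumeRole on nearly every request. The STSAssumeRoleSessionCredentialsProvider described in the next section applies the same refresh-before-expiry policy inside the SDK so that application code does not have to.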

Use SDK to manage STS tokens

You can create an STSAssumeRoleSessionCredentialsProvider object to let the Alibaba Cloud C# SDK obtain STS tokens for a RAM role and refresh them automatically before they expire. The long-lived AccessKey is used only to call AssumeRole; requests to the service are signed with the temporary credentials.

    using System;
    using Aliyun.Acs.Core;
    using Aliyun.Acs.Core.Auth;
    using Aliyun.Acs.Core.Profile;
    using Aliyun.Acs.Core.Exceptions;
    using Aliyun.Acs.Ecs.Model.V20140526;

    class UseRoleArnSample
    {
        static void Main(string[] args)
        {
            IClientProfile profile = DefaultProfile.GetProfile("<your-region-id>");

            // Long-lived credentials used only to call AssumeRole
            BasicCredentials basicCredentials = new BasicCredentials(
                "<your-access-key-id>",
                "<your-access-key-secret>");

            // The provider assumes the role and keeps the STS token refreshed
            STSAssumeRoleSessionCredentialsProvider provider = new STSAssumeRoleSessionCredentialsProvider(
                basicCredentials,
                "<your-role-arn>",
                profile);

            // Create a client instance
            DefaultAcsClient client = new DefaultAcsClient(profile, provider);

            try
            {
                // Create a request and set parameters
                DescribeInstancesRequest request = new DescribeInstancesRequest();
                request.PageSize = 10;

                // Initiate the request and print the handling result
                DescribeInstancesResponse response = client.GetAcsResponse(request);
                Console.WriteLine("TotalCount: {0}", response.TotalCount);
            }
            catch (ServerException e)
            {
                // The service rejected the request (for example, the role is not assumable)
                Console.WriteLine(e.ErrorCode);
                Console.WriteLine(e.ErrorMessage);
            }
            catch (ClientException e)
            {
                // The request could not be sent or the response could not be parsed
                Console.WriteLine(e.ErrorCode);
                Console.WriteLine(e.ErrorMessage);
            }
        }
    }

where:

  • role-arn is the resource descriptor of the RAM role to assume. You can obtain it on the Role Details page in the RAM console.

  • role-session-name is the name of the temporary role session. When you call the AssumeRole API to create a temporary identity, the value you set for the role-session-name parameter identifies that session, and you can use the same value in later API calls. It also appears in the audit records of the calls made with the token, so choose a name that identifies the calling application.
