This topic describes how to use the temporary STS token of a RAM role to authorize a mobile app to access Alibaba Cloud resources.

Prerequisites

An Alibaba Cloud account is created. If not, create one before proceeding on the account registration page.

Background information

An enterprise has developed a mobile app and purchased the OSS service. The mobile app runs on mobile devices. These mobile devices are not controlled by the enterprise. The enterprise must grant the necessary permissions to the mobile app. Then, the mobile app can upload data to and download data from OSS.

The requirements of the enterprise are as follows:

  • Direct data transmission: The mobile app no longer transfers data through the application server of the enterprise. It directly uploads data to or downloads data from OSS.
  • Security control: AccessKey pairs are not saved on mobile devices. Mobile devices are controlled by app users and cannot provide trusted operating environments.
  • Risk control: Security risks are minimized. During direct access to OSS, each app client is authorized according to the principle of least privilege and the access duration is under strict control.

Solution

Before a mobile app can directly upload data to or download data from OSS, the mobile app must apply for an access credential from the application server. The application server, acting as a RAM user, calls the AssumeRole STS API operation to assume a RAM role and obtain a temporary STS token. The temporary STS token is sent to the mobile app. Then, the mobile app can use the temporary STS token to access OSS.

Authorize a mobile app to access Alibaba Cloud resources
  1. The mobile app applies for an access credential from the application server.
  2. The enterprise uses its Alibaba Cloud account to create a RAM role and grant the necessary permissions to the role. For more information, see Create a RAM role and grant the necessary permissions.
  3. The enterprise uses its Alibaba Cloud account to create a RAM user for the application server and allows the application server to assume the RAM role. For more information, see Create a RAM user and allow the user to assume a RAM role.
  4. The application server calls the AssumeRole STS API operation to obtain a temporary STS token of the RAM role. For more information, see Obtain the temporary STS token of the RAM role.
  5. The application server further restricts the permissions of the temporary STS token for finer-grained permission control on each mobile app. For more information, see Restrict the permissions of the temporary STS token.
  6. The mobile app uses the temporary STS token to directly upload data to or download data from OSS. For more information, see Use the temporary STS token to access OSS.

Create a RAM role and grant the necessary permissions

The ID of the Alibaba Cloud account used by the enterprise in the following procedure is 123456789012****.

  1. The enterprise uses its Alibaba Cloud account to create a RAM role named oss-readonly.
    Note When the RAM role is created, the Current Alibaba Cloud Account is selected as the trusted account. This ensures that only RAM users under the account can assume this role.

    For more information, see Create a RAM role for a trusted Alibaba Cloud account.

    After creating a RAM role, the enterprise can view the role information on the basic information page.

    • In this example, the Alibaba Cloud Resource Name (ARN) of the RAM role is acs:ram::123456789012****:role/oss-readonly.
    • The policy attached to the RAM role is illustrated as follows.
      Note The following policy indicates that only RAM users under the current Alibaba Cloud account of the enterprise can assume the RAM role:
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "RAM": [
                "acs:ram::123456789012****:root"
              ]
            }
          }
        ],
        "Version": "1"
      }
  2. The enterprise uses its Alibaba Cloud account to attach the AliyunOSSReadOnlyAccess policy (OSS read-only permission) to the RAM role oss-readonly.

    For more information, see Grant permissions to a RAM role.

Create a RAM user and allow the user to assume a RAM role

  1. The enterprise uses its Alibaba Cloud account to create a RAM user named appserver.

    For more information, see Create a RAM user.

  2. The enterprise uses its Alibaba Cloud account to attach the AliyunSTSAssumeRoleAccess policy to the RAM user. Then, the RAM user can assume a RAM role.

    For more information, see Grant permissions to a RAM user.

Obtain the temporary STS token of the RAM role

  1. The application server uses the AccessKey pair of the RAM user to call the AssumeRole STS API operation.
    Note The AccessKey pair of the RAM user must be configured on the application server before it calls the operation.

    The following example describes how to use Alibaba Cloud CLI to call the AssumeRole operation:

    $ aliyuncli sts AssumeRole --RoleArn acs:ram::123456789012****:role/oss-readonly --RoleSessionName client-001
    {
        "AssumedRoleUser": {
            "AssumedRoleId": "391578752573****:client-001",
            "Arn": "acs:ram::123456789012****:role/oss-readonly/client-001"
        },
        "Credentials": {
            "AccessKeySecret": "93ci2umK1QKNEja6WGqi1Ba7Q2Fv9PwxZqtVF2Vy****",
            "SecurityToken": "********",
            "Expiration": "2016-01-13T15:02:37Z",
            "AccessKeyId": "STS.F13GjskXTjk38dBY6YxJt****"
        },
        "RequestId": "E1779AAB-E7AF-47D6-A9A4-53128708B6CE"
    }
    Note In this example, the returned temporary STS token has all permissions of the RAM role oss-readonly because the Policy parameter is unspecified. The permissions of the temporary STS token can be restricted. For more information, see Restrict the permissions of the temporary STS token.
  2. The STS service sends the temporary STS token to the application server. The temporary STS token contains the following elements: AccessKeyId, AccessKeySecret, and SecurityToken.
    Note The temporary STS token (SecurityToken) is valid only for a short period of time. If the mobile app requires a longer validity period, the application server can issue a new temporary STS token (for example, every 1,800 seconds).

Restrict the permissions of the temporary STS token

In practice, the Policy parameter must be configured to restrict the permissions of the temporary STS token to what the specific user or device needs, so that the token cannot be used for unauthorized access. The following example shows how this parameter is configured.

In the following example, the returned temporary STS token can only read (oss:GetObject) objects that match sample-bucket/2015/01/01/*.jpg.

$ aliyuncli sts AssumeRole --RoleArn acs:ram::123456789012****:role/oss-readonly --RoleSessionName client-002 --Policy "{\"Version\":\"1\", \"Statement\": [{\"Effect\":\"Allow\", \"Action\":\"oss:GetObject\", \"Resource\":\"acs:oss:*:*:sample-bucket/2015/01/01/*.jpg\"}]}"
{
    "AssumedRoleUser": {
        "AssumedRoleId": "391578752573****:client-002",
        "Arn": "acs:ram::123456789012****:role/oss-readonly/client-002"
    },
    "Credentials": {
        "AccessKeySecret": "28Co5Vyx2XhtTqj3RJgdud4ntyzrSNdUvNygAj7x****",
        "SecurityToken": "********",
        "Expiration": "2016-01-13T15:03:39Z",
        "AccessKeyId": "STS.FJ6EMcS1JLZgAcBJSTDG1****"
    },
    "RequestId": "98835D9B-86E5-4BB5-A6DF-9D3156ABA567"
}
Note The default and maximum validity period of the temporary STS token is 3,600 seconds. The enterprise can specify the DurationSeconds parameter to limit the validity period of the temporary STS token.
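The application-server half of the two sections above, issuing a token narrowed by the Policy parameter and re-issuing it before the validity period runs out, as an added Python example; this is not Alibaba Cloud's own code. The STS call is injected as a callable (here a constructed stand-in that returns credentials shaped like the CLI output above) so the logic runs offline; the 300-second refresh margin, the RoleSessionName character set and the input checks in build_scoped_policy are assumptions, and the ARN, durations and object pattern are taken from the page's examples.

```python
"""Application-server side of the flow: issue a least-privilege, short-lived STS
token per mobile client. Added example, not Alibaba Cloud's own code."""
import json
import re
from datetime import datetime, timedelta, timezone

# Values taken from the page's examples (account ID masked as on the page).
ROLE_ARN = "acs:ram::123456789012****:role/oss-readonly"
MAX_DURATION_SECONDS = 3600         # page: default and maximum validity period
ISSUE_DURATION_SECONDS = 1800       # page: re-issue e.g. every 1,800 seconds
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # Expiration format in the page's output
# Assumption (not on the page): re-issue this long before expiry so a client is
# never handed a token that lapses mid-transfer.
REFRESH_MARGIN_SECONDS = 300
# Assumption: session names limited to the character set the page's examples use.
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9._@-]{2,64}$")


def parse_time(text):
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc)


def build_scoped_policy(bucket, object_pattern, actions=("oss:GetObject",)):
    """Policy parameter narrowing the token to one object pattern, as in the
    page's example (Allow oss:GetObject on acs:oss:*:*:sample-bucket/2015/01/01/*.jpg).
    Each client gets its own pattern, so a token copied off one device is
    useless for another client's objects."""
    if not bucket or "*" in bucket:
        raise ValueError("bucket must be a concrete bucket name")
    if not object_pattern or object_pattern.startswith("/") or ".." in object_pattern:
        raise ValueError("object pattern must be a relative path inside the bucket")
    if any(not a.startswith("oss:") or a.endswith("*") for a in actions):
        raise ValueError("client policies may list only explicit oss: actions")
    statement = {
        "Effect": "Allow",
        "Action": list(actions) if len(actions) > 1 else actions[0],
        "Resource": f"acs:oss:*:*:{bucket}/{object_pattern}",
    }
    return json.dumps({"Version": "1", "Statement": [statement]}, separators=(",", ":"))


class FakeClock:
    """Controllable clock so expiry handling can be exercised without waiting."""

    def __init__(self, start):
        self.t = parse_time(start)

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += timedelta(seconds=seconds)


class StsTokenIssuer:
    """Caches one token per client and re-issues it shortly before it expires."""

    def __init__(self, assume_role, now=None):
        # assume_role: callable taking the AssumeRole parameter dict and returning
        # the Credentials dict (AccessKeyId, AccessKeySecret, SecurityToken,
        # Expiration). In production it wraps the STS call made with the RAM
        # user's AccessKey pair; it is injected here so the example runs offline.
        self._assume_role = assume_role
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._cache = {}

    def needs_refresh(self, credentials):
        remaining = parse_time(credentials["Expiration"]) - self._now()
        return remaining <= timedelta(seconds=REFRESH_MARGIN_SECONDS)

    def get_token(self, client_id, bucket, object_pattern, duration=ISSUE_DURATION_SECONDS):
        if not SESSION_NAME_RE.match(client_id):
            raise ValueError("client_id is not usable as RoleSessionName")
        if not 0 < duration <= MAX_DURATION_SECONDS:
            raise ValueError("DurationSeconds exceeds the role's maximum")
        cached = self._cache.get(client_id)
        if cached is not None and not self.needs_refresh(cached):
            return cached
        params = {
            "RoleArn": ROLE_ARN,
            "RoleSessionName": client_id,  # shows up in the AssumedRoleUser ARN for auditing
            "Policy": build_scoped_policy(bucket, object_pattern),
            "DurationSeconds": duration,
        }
        credentials = self._assume_role(params)
        self._cache[client_id] = credentials
        return credentials


def fake_assume_role(clock):
    """Constructed stand-in for STS returning credentials shaped like the page's output."""
    issued = {"n": 0}

    def assume_role(params):
        issued["n"] += 1
        expires = clock.now() + timedelta(seconds=params["DurationSeconds"])
        return {
            "AccessKeyId": f"STS.constructed{issued['n']}",
            "AccessKeySecret": "constructed-secret",
            "SecurityToken": "constructed-token",
            "Expiration": expires.strftime(TIME_FORMAT),
        }

    return assume_role
```

To drive it, create a FakeClock("2016-01-13T15:00:00Z"), construct StsTokenIssuer(fake_assume_role(clock), now=clock.now) and call get_token("client-002", "sample-bucket", "2015/01/01/*.jpg"); repeated calls return the cached credentials until fewer than 300 seconds remain, after which a fresh token is issued. The token STS returns carries only the intersection of the role's AliyunOSSReadOnlyAccess policy and the Policy parameter: the parameter can narrow the role's permissions but never widen them. Using the client ID as RoleSessionName also means the AssumedRoleUser ARN in the response identifies which client a given token was issued to.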

Use the temporary STS token to access OSS

  1. The application server sends the temporary STS token to the mobile app.
  2. The mobile app uses the temporary STS token to access OSS.

    The following example describes how to use Alibaba Cloud CLI and the temporary STS token to access an OSS object:

    The syntax used to configure the temporary STS token: aliyuncli oss Config --host <host> --accessid <AccessKeyId> --accesskey <AccessKeySecret> --sts_token <SecurityToken>
    $ aliyuncli oss Config --host oss.aliyuncs.com --accessid STS.FJ6EMcS1JLZgAcBJSTDG1**** --accesskey 28Co5Vyx2XhtTqj3RJgdud4ntyzrSNdUvNygAj7x**** --sts_token CAESnQMIARKAASJgnzMzlXVyJn4KI+FsysaIpTGm8ns8Y74HVEj0pOevO8ZWXrnnkz4a4rBEPBAdFkh3197GUsprujsiU78FkszxhnQPKkQKcyvPihoXqKvuukrQ/Uoudk31KAJEz5o2EjlNUREcxWjRDRSISMzkxNTc4NzUyNTczOTcyODU0KgpjbGllbnQtMDAxMKmZxIHBKjoGUnNhTUQ1Qn8KATEaegoFQWxsb3cSJwoMQWN0aW9uRXF1YWxzEgZBY3Rpb24aDwoNb3NzOkdldE9iamVjdBJICg5SZXNvdXJjZUVxdWFscxIIUmVzb3VyY2UaLAoqYWNzOm9zczoqOio6c2FtcGxlLWJ1Y2tldC8yMDE1LzAxLzAxLyouanBnSgU0MzI3NFIFMjY4NDJaD0Fzc3VtZWRSb2xlVXNlcmAAahIzOTE1Nzg3NTI1NzM5NzI4NTRyCWVjcy1hZG1pbnjgxt7Cj/bo****
    Access OSS:
    $ aliyuncli oss Get oss://sample-bucket/2015/01/01/grass.jpg grass.jpg