
Temporary access authorization

Last Updated: Sep 13, 2019

Security Token Service (STS) is responsible for the temporary access authorization of Alibaba Cloud accounts (primary accounts) and RAM users (sub-accounts).

Comparison Between RAM and STS

The critical issue that both RAM and STS resolve is how to securely grant access without leaking the AccessKey (AK) of the primary account. If the AK of the primary account is leaked, there is a great risk that others can operate on all the resources of the primary account and steal important information. Using RAM and STS greatly improves management security and flexibility.

RAM provides a permanent access control mechanism. It divides the primary account into many sub-accounts, each granted different permissions. Even if information about one sub-account is leaked, the remaining sub-accounts are still secure. For better maintenance, the RAM sub-accounts are available permanently.

Instead of offering permanent access permissions like RAM, STS grants temporary access by providing a temporary AK and SecurityToken (Token). As a result, access through STS is often more tightly controlled and time-limited, with less impact even if the information is leaked.

Cross-account authorization

STS also applies to cross-account authorization. For details, see Cross-account resource access and authorization.

Temporary access authorization

For the prerequisites for using STS, including creating roles, AK and Token, see Getting started and AssumeRole.

Use STS in MQ

Note: STS is supported only by Java SDK 1.7.8.Final or above.

To use STS when sending or receiving messages via the API, fill out the properties below with your AK and Token.

    import java.util.Properties;
    import com.aliyun.openservices.ons.api.PropertyKeyConst;

    Properties properties = new Properties();
    // ......
    // The AccessKeyId of STS
    properties.put(PropertyKeyConst.AccessKey, "XXX");
    // The AccessKeySecret of STS
    properties.put(PropertyKeyConst.SecretKey, "XXX");
    // The SecurityToken of STS
    properties.put(PropertyKeyConst.SecurityToken, "XXX");
    // ......
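
One way to obtain the temporary AK and Token from AssumeRole and fill in the properties above, as an added example (not code from the original page or from the MQ SDK). The role ARN placeholder, region, environment variable names, session name and refresh margin are assumptions; the caller adds the remaining MQ settings before creating a producer or consumer.

```java
import com.aliyun.openservices.ons.api.PropertyKeyConst;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
import java.time.Duration;
import java.time.Instant;
import java.util.Properties;

public class StsMqProperties {
    // Assumed placeholder: replace with the ARN of the RAM role created for MQ access.
    private static final String ROLE_ARN = "acs:ram::<account-id>:role/<role-name>";
    // Assumed safety margin: treat credentials as stale this long before they expire.
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    private Instant expiresAt = Instant.EPOCH;
    private Properties current;

    /** Returns MQ credential properties, calling AssumeRole again when the token is near expiry. */
    public synchronized Properties get() throws ClientException {
        if (current == null || Instant.now().isAfter(expiresAt.minus(REFRESH_MARGIN))) {
            refresh();
        }
        return (Properties) current.clone();
    }

    private void refresh() throws ClientException {
        // The RAM user's long-term AK comes from the environment (assumed variable names),
        // never the primary account's AK and never a hardcoded literal.
        DefaultProfile profile = DefaultProfile.getProfile("cn-hangzhou", // assumed region
                System.getenv("RAM_USER_ACCESS_KEY_ID"),
                System.getenv("RAM_USER_ACCESS_KEY_SECRET"));
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setRoleArn(ROLE_ARN);
        request.setRoleSessionName("mq-client"); // assumed session name
        request.setDurationSeconds(900L);        // 15 minutes, the shortest lifetime STS accepts
        AssumeRoleResponse.Credentials c =
                new DefaultAcsClient(profile).getAcsResponse(request).getCredentials();

        Properties p = new Properties();
        p.put(PropertyKeyConst.AccessKey, c.getAccessKeyId());
        p.put(PropertyKeyConst.SecretKey, c.getAccessKeySecret());
        p.put(PropertyKeyConst.SecurityToken, c.getSecurityToken());
        current = p;
        expiresAt = Instant.parse(c.getExpiration()); // STS returns an ISO 8601 UTC timestamp
    }
}
```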