To ensure correct authorization and eliminate security risks during the upload (playback) process, you can use either upload (playback) credentials or STS, preventing malicious users from uploading (playing) media files.
An upload credential is a credential issued by ApsaraVideo for VOD to authorize users to upload a media file to the bucket allocated by ApsaraVideo for VOD. An upload credential has a validity period. It specifies the objects that are granted access to resources and the maximum number of access times. For more information, see Upload URL and credential.
A playback credential is a credential issued by ApsaraVideo for VOD to authorize a player to obtain the playback URL of a video. A playback credential has a validity period. It specifies the objects that are granted access to resources and the maximum number of access times. For more information, see Use playback credentials.
STS is a cloud service provided for Alibaba Cloud accounts or RAM users to manage short-term access permissions of third-party users. You can use STS to issue an access credential with a custom validity period and limited access permissions to third-party users. With the short-term access credential issued by STS, third-party users can directly call the ApsaraVideo for VOD API, or log on to the ApsaraVideo for VOD console to operate the authorized resources. For more information, see STS authorization.
We recommend that you use upload (playback) credentials for authorization in ApsaraVideo for VOD. The following table describes the advantages of upload (playback) credentials over STS.
|Comparison item||Upload (playback) credential||STS|
|Ease of use||An upload (playback) credential is easy to use. You only need to prepare the AccessKey for an account and grant the necessary permissions to access ApsaraVideo for VOD.||You need to configure roles and authorization policies. The configuration is complicated.|
|Security||An upload (playback) credential is issued for a single video, and can only be used once.||STS grants permissions at the API level in ApsaraVideo for VOD. This means that a user with STS authorization can upload videos infinitely or play all the videos belonging to the specified account.|
|Flexibility||Compared with STS, upload credentials (playback credentials) allow you to configure more parameters. For example, you can specify the message callback URL during upload or specify the domain name during playback.||You need to wait for a new iterative version of the client SDK, and then deploy a new version of your application or website.|
|Access capacity||By default, using credentials allows for a larger number of access times. Credentials support auto scaling to process personalized authorization requests from any number of users.||As a centralized service, STS manages authorization for all products and has strict throttling requirements. This makes STS unsuitable for highly concurrent access.|