Security Token Service (STS) can be used to grant temporary access permissions to prevent security risks caused by leaks of RAM user passwords. This topic describes how to create RAM users and RAM roles, and how to use STS to grant temporary access permissions.


Resource Access Management (RAM) is activated.

Background information

Permissions granted to RAM users can be used indefinitely, which may lead to security risks. For security purposes, we recommend that you generate STS temporary AccessKey pairs with custom validity periods, and attach complex policies to grant only the minimum permissions to RAM users.

Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users. On the Users page, click Create User.
    User management
  3. On the Create User page, specify Logon Name and Display Name.
    Enter vod in the Logon Name field.
  4. In the Access Mode section, select OpenAPI Access and click OK.
    Create a user
    After you click OK, the SMS Verification window appears. After you enter the verification code, the AccessKey pair of the RAM user is automatically generated. Generate the AccessKey pair.
  5. Click Copy in the Actions column to copy user information, such as the logon name, logon password, and AccessKey pair (AccessKey ID and AccessKey Secret) to the clipboard.
    Note We recommend that you store your user information in a secure location for future use.
  6. Go back to the Users page. The RAM user that you created appears in the user list. After the RAM user is created, the RAM user does not have any permissions. Click Add Permissions in the Actions column to grant permissions to the RAM user that you created.
    Add permissions
  7. In the Select Policy section, enter AliyunSTSAssumeRoleAccess in the policy name field and select the policy that appears in the table below the field. Then, click OK.
    Select a policy

Create a RAM role

  1. Log on to the RAM console.
    Create a RAM role
  2. In the left-side navigation pane, choose Identities > Roles. On the Roles page, click Create Role.
  3. On the Create Role page, select Alibaba Cloud Account and click Next.
    Create a RAM role-1
  4. Enter a name for the RAM role and select Current Alibaba Cloud Account. Then, click OK.
    Create a RAM role-2
    After the RAM role is created, the following message appears.RAM roles created
  5. Go back to the Roles page. Find the role that you created, and click Add Permissions in the Actions column to grant permissions to the role that you created.
    Add permissions
  6. In the Select Policy section, enter AliyunVODFullAccess in the policy name field and select the policy that appears in the table below the field. Then, click OK.
    Grant permissions
    Note To reduce security risks, we recommend that you grant only minimum required permissions to RAM users.
    After permissions are granted, a record is generated. Permissions granted

Use STS to authorize access

You must download and install the STS SDK for the corresponding programming language or call the AssumeRole operation. The following example shows the configurations of roles and policies for Java.

For how to call API operations, see What is STS?.

  • Sample code for Java

    After a RAM user and a RAM role are created, you can use STS to grant access permissions.

    The following example describes how to grant access permissions to a RAM user. The example includes the descriptions for parameters and the relevant sample code:

    • RoleArn: the ID of the role to be assumed. To obtain the value of RoleArn, go to the Roles page in the RAM console. Click the name of the RAM role and check the value of ARN in the Basic Information section.
    • RoleSessionName: the session name of the role. Customize the value of this parameter based on your business requirements. In most cases, RoleSessionName is set to the identity of the user who calls the operation, for example, the username of the RAM user. In ActionTrail logs, you can use RoleSessionName to distinguish between users who assume the same RAM role to perform operations. This allows you to audit access requests based on RAM users. The RoleSessionName value must be 2 to 64 characters in length and can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_).
    • Policy: the permission limits added when the user assumes a role.
      • The Policy parameter is passed in to limit the permissions of the temporary access credentials after the user assumes a role. The final permissions obtained by the temporary access credentials are an intersection of the permissions of the role and the permissions specified by the Policy parameter.
      • The Policy parameter is passed in to improve flexibility. For example, you can set this parameter to specify that only the CreateUploadVideo operation can be called.
    • DurationSeconds: the validity period of the temporary access credentials. Unit: seconds. Valid values: 900 to 3600.
    • AccessKeyId and AccessKeySecret: the RAM user who assumes the role and its AccessKey pair.
    package pop;
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
    import com.aliyuncs.vod.model.v20170321.CreateUploadVideoRequest;
    import com.aliyuncs.vod.model.v20170321.CreateUploadVideoResponse;
     * @author jack
     * @date 2020/5/25
    public class TestStsService {
        public static void main(String[] args) {
            // Only RAM users can call the AssumeRole operation.
            // AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
            // Create a RAM user in the RAM console and create an AccessKey pair for the user.
            String accessKeyId = "<access-key-id>";
            String accessKeySecret = "<access-key-secret>";
            // Request parameters for the AssumeRole operation include: RoleArn, RoleSessionName, Policy, and DurationSeconds
            // You must obtain the value of RoleArn in the RAM console.
            String roleArn = "<role-arn>";
            // RoleSessionName: the session name of the role. You can customize this parameter.
            String roleSessionName = "session-name";// Specify a session name.
            // Specify a policy.
            String policy = "{\n" +
                    "  \"Version\": \"1\",\n" +
                    "  \"Statement\": [\n" +
                    "    {\n" +
                    "      \"Action\": \"vod:*\",\n" +
                    "      \"Resource\": \"*\",\n" +
                    "      \"Effect\": \"Allow\"\n" +
                    "    }\n" +
                    "  ]\n" +
            try {
                AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
                System.out.println("Expiration: " + response.getCredentials().getExpiration());
                System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
                System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
                System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
                System.out.println("RequestId: " + response.getRequestId());
                createUploadVideo(response.getCredentials().getAccessKeyId(), response.getCredentials().getAccessKeySecret(), response.getCredentials().getSecurityToken());
            } catch (ClientException e) {
                System.out.println("Failed to get a token.");
                System.out.println("Error code: " + e.getErrCode());
                System.out.println("Error message: " + e.getErrMsg());
        static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
            try {
                // Construct a default profile. Leave the regionId parameter empty.
                Note: If you set SysEndpoint to, regionId is optional. Otherwise, you must set regionId to the service region in use. Example: cn-shanghai.
                For the list of STS endpoints in different regions, see Endpoints. 
                IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
                // Use the profile to construct a client.
                DefaultAcsClient client = new DefaultAcsClient(profile);
                // Create an AssumeRole request and set the request parameters.
                final AssumeRoleRequest request = new AssumeRoleRequest();
                // Initiate the request and obtain the response.
                final AssumeRoleResponse response = client.getAcsResponse(request);
                return response;
            } catch (ClientException e) {
                throw e;
        static void createUploadVideo(String accessKeyId, String accessKeySecret, String token) {
            // Specify the region of ApsaraVideo VOD. For example, if the service region is Shanghai, set regionId to cn-shanghai.
            String regionId = "cn-shanghai";
            IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
            DefaultAcsClient client = new DefaultAcsClient(profile);
            CreateUploadVideoRequest request = new CreateUploadVideoRequest();
            try {
                CreateUploadVideoResponse response = client.getAcsResponse(request);
                System.out.println("CreateUploadVideoRequest, " + request.getUrl());
                System.out.println("CreateUploadVideoRequest, requestId:" + response.getRequestId());
                System.out.println("UploadAddress, " + response.getUploadAddress());
                System.out.println("UploadAuth, " + response.getUploadAuth());
                System.out.println("VideoId, " + response.getVideoId());
            } catch (ClientException e) {
                System.out.println("action, error:" + e);
  • STS SDK for PHP
  • STS SDK for Python
  • STS SDK for .NET
  • STS SDK for Node.js

A response is returned after the request is initiated. For more information, see Responses.