This topic describes how to obtain a Security Token Service (STS) token. This prepares you for the initialization of an upload instance when you use a client upload SDK to upload files.
Background information
- Use an upload URL and credential.
- Use an STS token.
STS provides a universal service for authenticating the access to Alibaba Cloud services. A client SDK for uploading media files by using STS tokens encapsulates all the upload logic. You need to only focus on the configurations for obtaining the STS token, updating the STS token when it expires, and setting the callback for upload completion. For more information about whether to upload media files by using upload URLs and credentials or STS tokens, see Comparison between credentials and STS. For more information about how to upload media files by using upload URLs and credentials, see Obtain upload URLs and credentials.
Process
For more information about how to upload media files by using STS tokens, see Upload processes.
Obtain an STS token
To skip the signature process, we recommend that you integrate STS SDK and call the AssumeRole operation to obtain an STS token. Before you integrate STS SDK, you must create a RAM user and assign a role that has the permissions to access ApsaraVideo VOD to the user.
Sample code in Java
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
/**
* @author jack
* @date 2020/5/25
*/
public class TestStsService {
public static void main(String[] args) {
// Only RAM users can call the AssumeRole operation.
// AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
// Create a RAM user in the Resource Access Management (RAM) console and create an AccessKey pair for the RAM user.
String accessKeyId = "LTAI5tKtf6vKccbinQu****";
String accessKeySecret = "D47l1yBPgjdqe3JzVASSF9yrje****";
// Request parameters for the AssumeRole operation include RoleArn, RoleSessionName, Policy, and DurationSeconds.
// RoleArn: You can obtain the value of this parameter in the RAM console.
String roleArn = "acs:ram::1748098430911242:role/vodrole";
// RoleSessionName: the session name of the role. You can set this parameter based on your needs.
String roleSessionName = "session-name";// Specify a session name.
// Specify a policy.
String policy = "{\n" +
" \"Version\": \"1\",\n" +
" \"Statement\": [\n" +
" {\n" +
" \"Action\": \"vod:*\",\n" +
" \"Resource\": \"*\",\n" +
" \"Effect\": \"Allow\"\n" +
" }\n" +
" ]\n" +
"}";
try {
AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
System.out.println("Expiration: " + response.getCredentials().getExpiration());
System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
System.out.println("RequestId: " + response.getRequestId());
createUploadVideo(response.getCredentials().getAccessKeyId(), response.getCredentials().getAccessKeySecret(), response.getCredentials().getSecurityToken());
} catch (ClientException e) {
System.out.println("Failed to get a token.");
System.out.println("Error code: " + e.getErrCode());
System.out.println("Error message: " + e.getErrMsg());
}
}
static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
try {
// Construct a default profile. Leave the parameters empty. The regionId parameter is not required.
/*
Note: If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter is optional. Otherwise, you must set the regionId parameter to the region in which you use STS. Example: cn-shanghai.
For more information about the STS endpoints in different regions, see Endpoints.
*/
IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
// Use the profile to construct a client.
DefaultAcsClient client = new DefaultAcsClient(profile);
// Create an AssumeRole request and set the request parameters.
final AssumeRoleRequest request = new AssumeRoleRequest();
request.setSysEndpoint("sts.aliyuncs.com");
request.setSysMethod(MethodType.POST);
request.setRoleArn(roleArn);
request.setRoleSessionName(roleSessionName);
request.setPolicy(policy);
// Initiate the request and obtain the response.
final AssumeRoleResponse response = client.getAcsResponse(request);
return response;
} catch (ClientException e) {
throw e;
}
}
Parameters
Parameter | Description |
---|---|
RoleArn | The Alibaba Cloud Resource Name (ARN) of the role to be assumed. After you create a role for the RAM user, you can perform the following steps to view the ARN of the role: Log on to the RAM console and choose Identities > Roles. Click the required role and view the ARN in the Basic Information section. |
RoleSessionName | The custom name of the role session. Set this parameter based on your business requirements. In most cases, this parameter is set to the identity of the user who calls the operation, for example, the username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing. The value must be 2 to 64 characters in length and can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_). |
Policy | The policy that specifies the permissions added when a role is assumed.
Note
|
DurationSeconds | The validity period of the temporary access credential. Valid values: 900 to 3600. Unit: seconds. |
accessKeyId and accessKeySecret | The AccessKey ID and AccessKey secret of the RAM user that assumes the role. |
Use STS tokens to upload media files
Each media file requires an STS token. Therefore, you must obtain the STS token from the AppServer and specify the STS token for the upload instance in the onUploadStarted callback. The specific settings vary based on different clients.
Client | User guide |
---|---|
Web | Upload SDK for JavaScript |
Android | Upload a file |
iOS | Upload a file |
WeChat mini program | Upload SDK for WeChat mini programs |