Logon-free access to the DMS console - Data Management - Alibaba Cloud Documentation Center

You can embed a logon-free URL to the Data Management (DMS) console in your R&D platform or tool platform. This way, you can access the DMS console and use its features without logging on to the DMS console with an Alibaba Cloud account or as a Resource Access Management (RAM) user. This topic describes how to create a logon-free URL to the DMS console.

Procedure

Create a RAM role that is used to access DMS and grant permissions to the role. Then, create a RAM user and grant the AliyunSTSAssumeRoleAccess permission to the user. For more information, see Preparations.
Obtain the temporary identity credentials for the role that you assume, including an AccessKey ID, AccessKey secret, and security token. These credentials are used to obtain a SigninToken. For more information, see Step 1: Obtain the temporary identity credentials for the role that you assume.
Obtain a SigninToken that is used to create a logon-free URL. For more information, see Step 2: Obtain a SigninToken.
Create a logon-free URL. For more information, see Step 3: Create a logon-free URL to the DMS console.

The following example shows the sample Java code:

 /*
  Create a RAM user and grant permissions to the user.
 */
  String accountId = "Alibaba Cloud account";
 // The role used to access DMS. You can grant the AliyunDMSReadOnlyAccess and AliyunDMSFullAccess permissions to this role as needed.
  String ramRole = "The RAM role that you have created";
 // The AccessKey ID and AccessKey secret for the RAM user and the AliyunSTSAssumeRoleAccess permission are required.
  String accessKeyId = "";
  String accessKeySecret = "";
 /*
  Step 1: Call the AssumeRole operation to obtain the temporary AccessKey ID, AccessKey secret, and security token.
 */
  AssumeRoleResponse.Credentials credentials = assumeRole(accountId, accessKeyId, accessKeySecret, ramRole);
  System.out.println("Expiration: " + credentials.getExpiration());
  System.out.println("Access Key Id: " + credentials.getAccessKeyId());
  System.out.println("Access Key Secret: " + credentials.getAccessKeySecret());
  System.out.println("Security Token: " + credentials.getSecurityToken());

  /*
  Step 2: Obtain a SigninToken.
  */
  String signInToken = getSignInToken(credentials.getAccessKeyId(),
  credentials.getAccessKeySecret(),
  credentials.getSecurityToken());
  System.out.println("Your SigninToken is: " + signInToken);

 /*
  Step 3: Create a logon-free URL. The URL to the homepage of the DMS console is used in this example.
 */
  String pageUrl = getDmsLoginUrl("https://dms.aliyun.com", signInToken);
  System.out.println("Your PageUrl is : " + pageUrl);

Preparations

Note If you have met all the following conditions, perform the steps 1, 2, and 3 below.

Create a RAM role that is used to access DMS. For more information, see Create a RAM role for a trusted Alibaba Cloud account.
Grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.
Create a RAM user. For more information, see Create a RAM user.
Grant the AliyunSTSAssumeRoleAccess permission to the RAM user. For more information, see Grant permissions to the RAM user.

Step 1: Obtain the temporary identity credentials for the role that you assume

Call the AssumeRole operation as a RAM user or RAM role to obtain the temporary identity credentials for the role that you assume. For more information about the AssumeRole operation, see AssumeRole.

The following example shows the sample Java code:

    /**
     * Call the AssumeRole operation to obtain temporary identity credentials for the user
     *
     * @param accountId
     * @param accessKeyId
     * @param accessKeySecret
     * @param ramRole
     * @return
     * @throws ClientException
     */
    private static AssumeRoleResponse.Credentials assumeRole(String accountId, String accessKeyId,
                                                             String accessKeySecret, String ramRole)
        throws ClientException {
        String defaultRegion = "cn-hangzhou";
        IClientProfile profile = DefaultProfile.getProfile(defaultRegion, accessKeyId, accessKeySecret);
        DefaultAcsClient client = new DefaultAcsClient(profile);
        AssumeRoleRequest request = new AssumeRoleRequest();
        // An Alibaba Cloud Resource Name (ARN) is the globally unique resource identifier of a RAM role.
        request.setRoleArn(getRoleArn(accountId, ramRole));
        // The user-defined parameter. You can audit access of users who use different security tokens based on the value of this parameter. The value format is ^[a-zA-Z0-9\.@\-_]+$.
        request.setRoleSessionName("session-name");
        // The specified validity period. Unit: seconds. Valid values: 900 to 3600. Default value: 3600.
        request.setDurationSeconds(3600L);
        AssumeRoleResponse response = client.getAcsResponse(request);
        return response.getCredentials();

    }

Step 2: Obtain a SigninToken

Call the GetSigninToken operation to obtain a SigninToken .

The following example shows the sample Java code:

  /**
     * Use a security token to obtain a SigninToken.
     *
     * @param accesskeyId
     * @param accessKeySecret
     * @param securityToken
     * @return
     * @throws IOException
     * @throws URISyntaxException
     */
    private static String getSignInToken(String accesskeyId, String accessKeySecret, String securityToken)
        throws IOException, URISyntaxException {
        URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN);

        builder.setParameter("Action", "GetSigninToken")
            .setParameter("AccessKeyId", accesskeyId)
            .setParameter("AccessKeySecret", accessKeySecret)
            .setParameter("SecurityToken", securityToken)
            .setParameter("TicketType", "normal");

        HttpGet request = new HttpGet(builder.build());
        CloseableHttpClient httpclient = HttpClients.createDefault();

        try (CloseableHttpResponse response = httpclient.execute(request)) {
            if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
                String context = EntityUtils.toString(response.getEntity());
                JSONObject jsonObject = JSON.parseObject(context);
                return jsonObject.getString("SigninToken");
            } else {
                System.out.println(response.getStatusLine());
            }
        }
        return null;
    }

Step 3: Create a logon-free URL to the DMS console

Note The obtained SigninToken can only be used once to create a logon-free URL. If you need to use SigninToken again, you must obtain a new SigninToken.

The following example shows the sample Java code:

Sample request:

    private static String getDmsLoginUrl(String pageUrl, String signInToken) throws URISyntaxException {
        URIBuilder builder = new URIBuilder(SIGN_IN_DOMAIN);
        builder.setParameter("Action", "Login");
        // Specify the logon URL on the self-managed website that is configured to return HTTP status code 302 to redirect to another page.
        builder.setParameter("LoginUrl", "https://signin.aliyun.com/login.htm");
        // The DMS page to be actually accessed.
        builder.setParameter("Destination", pageUrl);
        builder.setParameter("SigninToken", signInToken);
        HttpGet request = new HttpGet(builder.build());
        return request.getURI().toString();
    }

Sample response:

Expiration: 2020-11-30T06:16:20Z
Access Key Id: STS.NT7L6Jp5Y8W9LNvGQku2x****
Access Key Secret: 4nU8F6rv8MCDR8tygMDnXvN9yCNBCVrxnqArj1n1****
Security Token: CAIS/gF1q6Ft5B2yfSjIr5e****+nep4j5XSTmjHo1E+eb1Ujo7xijz2IH9IeXhpB****/43nWlU7PkYlrloRoReREvCKM1565kSqFn6O11Qf****+5qsoasPETOITyZtZagToeUZdfZfejXGDKgvyRvwLz****/Vli+S/OggoJmadJlNWvRL0AxZrFsKxBltdUROF****+pKWSKuGfLC1dysQcO4gEWq4bHm5zAs0OH1QOhlrVP+N+qfqLJNZc8YM1NNP6ux/Fze6b71ypd1gNH7q8ejtYfpmua74jBXgUAuU3faraOrYd1SwZ9Z7knH****/n6ifBjpvw9Hlk0R9OcVhqAAXpZx****+STGa8vctRwyTWdMM5LByes3cr1D46jaj0****/lTMkoXCwjMlCs7sc+DA9xjJCcl57eKC7A3ThnJAWQyyeKZfIGgeHN7yUS5ND8r7TBn6bMUqwvfVX****/cbkzBX6iV6jrataHZPZdtQYHH6GgvQ5XZUZJjoD****
Your SigninToken is: 06ec409b9d8c48f6ac5dcd18a0513ee1dhUkhcRn5CMsDqffC4wxsuFt9xjYtYePmYTHEWSMVKLFyXXnSq3IUbon1v46wCmKPwrAejDvw2i8rilolPSuxpKRDxz****
Your PageUrl is : http://signin.aliyun.com/federation?Action=Login&LoginUrl=https%3A%2F%2Fsignin.aliyun.com%2Flogin.htm&Destination=https%3A%2F%2Fdms.aliyun.com&SigninToken=06ec409b9d8c48f6ac5dcd18a0513ee1dhUkhcRn5CMsDqffC4wxsuFt9xjYtYePmYTHEWSMVKLFyXXnSq3IUbon1v46wCmKPwrAejDvw2i8rilolPSuxpKRDxzD****

The following example shows the format of a logon-free URL (PageUrl):

http://signin.aliyun.com/federation?Action=Login
                            &LoginUrl=<Logon URL on the self-managed website that is configured to return HTTP status code 302 to redirect to another page>
                            &Destination=<The DMS page to be actually accessed>
                            &SigninToken=<Obtained SigninToken>

Note The DMS page specified by Destination is related to the TicketType parameter.

If the TicketType parameter is set to normal, the corresponding DMS domain name is http://dms.aliyun.com.
If the TicketType parameter is set to mini, it generally applies to a BID virtual network operator. The following domain names are used:
- http://dms-jst4service.aliyun.com
- http://dms-Itwo4service.aliyun.com

What to do next

Use the created logon-free URL (PageUrl) to access the DMS console.