Mobile apps are commonly used to upload data due to the fast development of the mobile Internet. If logs can be uploaded from mobile apps to Log Service instead of being transferred by app servers, you can focus on the development of your business logic.

Background information

When you write logs to Log Service in normal mode, you must use the AccessKey pair of your Alibaba Cloud account for authentication and anti-tamper protection. If a mobile app accesses Log Service in this mode, you must save your AccessKey pair on a mobile client. This increases the risk of data leaks if the AccessKey pair is exposed. If your AccessKey pair is exposed, you must upgrade the mobile app and change the AccessKey pair. This process is complex and costly. To upload logs from mobile clients to Log Service, you can also use app servers to transfer the logs. If the number of mobile apps is large, the app servers must meet high performance requirements to carry all data from mobile clients.

To prevent the preceding issues, Log Service provides a more secure and convenient solution to collect logs from mobile apps based on Resource Access Management (RAM). You can use RAM to directly transfer data. In this mode, you do not need to save your AccessKey pair on a mobile client. This prevents your AccessKey pair from being exposed. You can use a temporary token to increase data security. The temporary token has a lifecycle. You can configure access permission policies for the temporary token. For example, you can reject access requests from specified CIDR blocks.

You can create a RAM role of Log Service and configure a mobile app as a RAM user to assume this role. This way, you can build a data transfer service for the mobile app based on Log Service within 30 minutes. The direct data transfer service allows mobile apps to directly access Log Service, and only the control flow is sent to app servers.

Benefits

A data transfer service that is built for mobile apps based on Log Service by using RAM has the following benefits:
  • Higher access security: Flexible and temporary permission assignment and authentication are supported.
  • Lower cost: Fewer servers are required. Mobile apps are directly connected to Alibaba Cloud and only the control flow is sent to app servers.
  • Higher concurrency: A large number of users can use the service at the same time. Higher upload bandwidth and download bandwidth are provided by Log Service.
  • Auto scaling: Log Service provides unlimited storage space.
The following figure shows the architecture.Architecture
The following table describes the nodes of the architecture.
Node Description
Android or iOS mobile app The app on the mobile phones of users. Logs are generated by the app.
SLS Log Service. Log Service stores log data that is uploaded from the app.
RAM/STS RAM. This service allows you to manage user identities and resource access permissions. You can use RAM to generate temporary upload credentials.
App server The backend service that is developed for the Android or iOS app. The app server manages tokens that are used by the app to upload and download logs. The app server also manages the metadata that is uploaded by users to the app.

Configuration process

  1. An Android or iOS app requests a temporary access credential from your app server.
    To prevent data leaks, the Android or iOS app does not store the AccessKey ID or AccessKey secret. The Android or iOS app must request a temporary upload credential (a token) from your app server. The token is valid only for a specific period of time. For example, if the validity period of a token is set to 30 minutes, the Android or iOS app can use this token to access Log Service within 30 minutes. The validity period of a token can be specified by the app server. However, the app must request a new token after 30 minutes.
    Notice Each time the Android or iOS app obtains a token from the app server, the app server caches the token based on the validity period. We recommend that the app server sends the cached token as a response to each client request. After the cached token expires, the app server requests a new token.
  2. The app server verifies the preceding request and returns a token to the Android or iOS app.
  3. After the mobile app obtains the token, the mobile app can access Log Service.

This topic describes how to use an app server to request a token from RAM, and how to obtain the token for an Android or iOS app.

Procedure

  1. Authorize a RAM user to manage Log Service.

    Create a RAM role and configure a mobile app as a RAM user to assume this role. For more information, see Create a RAM role whose trusted entity is an Alibaba Cloud account and authorize the RAM role to access Log Service.

    After you configure the mobile app, you can obtain the following information:
    • The AccessKey ID and AccessKey secret of the RAM user
    • The Alibaba Cloud Resource Name (ARN) of the RAM role.
  2. Set up an app server.

    This topic provides sample programs in multiple languages. The download URLs are listed at the end of this topic.

    Each language pack that you download contains the configuration file config.json. The following script shows the config.json file: 
    {
    "AccessKeyID" : "",
    "AccessKeySecret" : "",
    "RoleArn" : "",
    "TokenExpireTime" : "900",
    "PolicyFile": "policy/write_policy.txt"
}
    1. AccessKeyID: the AccessKey ID of your Alibaba Cloud account. For more information, see AccessKey pair.
    2. AccessKeySecret: the AccessKey secret of your Alibaba Cloud account.
    3. RoleArn: the ARN of the RAM role.
    4. TokenExpireTime: the validity period of the token that is obtained by the Android or iOS app. Valid values: 900 to 1800. Unit: seconds.
    5. PolicyFile: the file that lists the permissions of the token. You can use the default value.
    This topic provides the following two token files that define the permissions in the policy directory:
    • write_policy.txt: grants a token the write permissions on the projects of an Alibaba Cloud account.
    • readonly_policy.txt: grants a token the read permissions on the projects of an Alibaba Cloud account.

    You can configure your policy file based on your business requirements.

    Response format: 
    //Sample success response
{
    "StatusCode":200,
    "AccessKeyId":"STS.3p***dgagdasdg",
    "AccessKeySecret":"rpnwO9***tGdrddgsR2YrTtI",
   "SecurityToken":"CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVtbzI=",
   "Expiration":"2017-11-12T07:49:09Z",
}

//Sample error response
{
    "StatusCode":500,
    "ErrorCode":"InvalidAccessKeyId.NotFound",
    "ErrorMessage":"Specified access key is not found."
}
    The following table describes the success response parameters. The five variables in the table constitute a token.
    Parameter Description
    StatusCode The result returned when the app obtains the token. The app returns 200 if the token is obtained.
    AccessKeyId The AccessKey ID that the Android or iOS app obtains when the app initializes LogClient.
    AccessKeySecret The AccessKey secret that the Android or iOS app obtains when the app initializes LogClient.
    SecurityToken The token that the Android or iOS app uses to access Log Service.
    Expiration The expiration time of the token. The Android SDK automatically checks the validity of the token and then obtains a new token as needed.
    The following table describes the error response parameters.
    Parameter Description
    StatusCode The result returned when the app obtains the token. The app returns 500 if the token fails to be obtained.
    ErrorCode The error cause.
    ErrorMessage The error description.

    You can perform the following operations to run the sample code:

    For Java V1.7 or later, create a Java project after you download and decompress the package. Copy the dependency, code, and configuration to the project, and then run the main function. By default, the program listens on port 7080 and waits for the HTTP request. You can perform these operations in other languages by using this method.

  3. Construct an HTTP request on a mobile client to obtain a token from the app server.
    The following script shows the formats of an HTTP request and response: 
    Request URL: GET https://localhost:7080/

Response:
{
"StatusCode":"200",
"AccessKeyId":"STS.XXXXXXXXXXXXXXX",
"AccessKeySecret":"",
"SecurityToken":"",
"Expiration":"2017-11-20T08:23:15Z"
}
    Note All examples in this topic are used to demonstrate how to deploy a server. When you deploy a server, you can configure the parameters based on these examples.

Download the source code

Sample code of the app server: PHP, Java, Ruby, and Node.js.