Mobile Platform as a Service: Call OpenAPI using STS

Last Updated: Feb 02, 2026

Configure environment variables

Configure the MPAAS_AK_ENV and MPAAS_SK_ENV environment variables to hold your AccessKey ID and AccessKey secret.

  • For Linux and macOS, run the following commands:

    export MPAAS_AK_ENV=<ACCESS_KEY_ID>
    export MPAAS_SK_ENV=<ACCESS_KEY_SECRET>

    Note

    Replace <ACCESS_KEY_ID> with your AccessKey ID and <ACCESS_KEY_SECRET> with your AccessKey secret.

  • Windows configuration:

    1. Create the MPAAS_AK_ENV and MPAAS_SK_ENV environment variables. Set their values to your AccessKey ID and AccessKey secret.

    2. Restart Windows.

Prerequisites

  1. Log on to the RAM console to create a RAM user. Obtain the user's AccessKey pair (AccessKey ID and AccessKey secret).

  2. Grant the RAM user the permission to call the AssumeRole operation.

    After you create a RAM user, use your Alibaba Cloud account or a RAM user that has Resource Access Management (RAM) administrative permissions to grant the new RAM user the AliyunSTSAssumeRoleAccess permission. This permission allows the RAM user to call the Security Token Service (STS) to assume a role.

    Note

    The AliyunSTSAssumeRoleAccess permission only allows the RAM user to call the `AssumeRole` API operation of STS. This permission is separate from the permissions that are required to obtain temporary access credentials and make mPaaS requests using those credentials.

Create a RAM role

Use an Alibaba Cloud account or a RAM user with RAM administrative permissions to create a RAM role. The RAM role defines the access permissions that are granted when the role is assumed.

  1. Log on to the RAM console.

  2. In the navigation pane on the left, choose Identity > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, set Principal Type to Cloud Account and Principal Name to Current Account, and then click OK.

  5. In the Create Role panel, enter a role name and click OK.

  6. Click Copy next to the ARN and save the ARN of the role.

Grant mPaaS permissions to the RAM role

After you create the RAM role, use an Alibaba Cloud account or a RAM user with RAM administrative permissions to attach one or more access policies to the role. These policies define the access permissions that are granted when the role is assumed, such as the MpaasFullAccess permission.

Use a RAM user to assume a RAM role and obtain temporary access credentials

Important

You cannot use the AccessKey pair of an Alibaba Cloud account to call STS API operations to obtain temporary access credentials. An error is returned if you use the AccessKey pair of an Alibaba Cloud account. The following example shows how to use the AccessKey pair of a RAM user.

  • After the required permissions are granted to the role, the RAM user must assume the role to obtain temporary access credentials. These credentials include a security token (SecurityToken), a temporary AccessKey pair (AccessKeyId and AccessKeySecret), and an expiration time (Expiration). Use an STS SDK to obtain the temporary access credentials. For more information about STS SDKs for other languages, see STS SDK overview.

  • In the sample code, endpoint specifies the endpoint of the STS service. To obtain faster STS responses, select an endpoint that is in or near the region where your server is located. For more information about STS endpoints, see Endpoints.

    import com.alibaba.fastjson.JSON;
    import com.aliyun.mpaas20201028.models.QueryMcubeVhostRequest;
    import com.aliyun.mpaas20201028.models.QueryMcubeVhostResponse;
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import com.aliyuncs.auth.sts.AssumeRoleRequest;
    import com.aliyuncs.auth.sts.AssumeRoleResponse;
    import com.aliyun.mpaas20201028.Client;
    
    public class StsServiceSample {
    
    
        /**
         * The App ID from the mPaaS console.
         */
        private static final String APP_ID = "ALIPUB40DXXXXXXX";
    
        /**
         * The workspace ID from the mPaaS console.
         */
        private static final String WORKSPACE_ID = "default";
    
        /**
         * The tenant ID from the mPaaS console.
         */
        private static final String TENANT_ID = "XVXXXXXF";
    
        public static void main(String[] args) {
            // The STS endpoint, for example, sts.cn-hangzhou.aliyuncs.com. You can access the STS service over the public network or a VPC.       
            String endpoint = "sts.cn-hangzhou.aliyuncs.com";
            // Obtain the AccessKey pair (AccessKey ID and AccessKey secret) of the RAM user that you created in the Prerequisites section from the MPAAS_AK_ENV and MPAAS_SK_ENV environment variables.
            String accessKeyId = System.getenv("MPAAS_AK_ENV");
            String accessKeySecret = System.getenv("MPAAS_SK_ENV");
            // Obtain the ARN of the RAM role that you saved in the last step of "Create a RAM role" from the RAM_ROLE_ARN environment variable.
            String roleArn = System.getenv("RAM_ROLE_ARN");
            // A custom role session name to distinguish different tokens.        
            String roleSessionName = "yourRoleSessionName";
            // The temporary access credential will have all the permissions of the role.      
            String policy = null;
            // The validity period of the temporary access credential in seconds. The minimum value is 900. The maximum value is the maximum session duration of the current role. The maximum session duration for the role can be from 3,600 seconds to 43,200 seconds. The default value is 3,600 seconds.
            Long durationSeconds = 3600L;
            try {
                // The region where the STS request is initiated.
                String regionId = "";
                // Add an endpoint. This applies to Java SDK 3.12.0 and later.
                DefaultProfile.addEndpoint("", "", "Sts", endpoint);
                // Add an endpoint. This applies to Java SDK versions earlier than 3.12.0.
                // DefaultProfile.addEndpoint("",regionId, "Sts", endpoint);
                // Construct a default profile.
                IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
                // Construct a client.
                DefaultAcsClient client = new DefaultAcsClient(profile);
    
    
                final AssumeRoleRequest request = new AssumeRoleRequest();
                // This applies to Java SDK 3.12.0 and later.
                request.setSysMethod(MethodType.POST);
                // This applies to Java SDK versions earlier than 3.12.0.
                // request.setMethod(MethodType.POST);
                request.setRoleArn(roleArn);
                request.setRoleSessionName(roleSessionName);
                // If the policy is empty, the user gets all the permissions of the role.
                request.setPolicy(policy);
                request.setDurationSeconds(durationSeconds);
                final AssumeRoleResponse response = client.getAcsResponse(request);
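                // Print the obtained STS information. For demonstration only: the AccessKey secret and security token
                // are live credentials until Expiration, so do not write them to logs or consoles in a real deployment.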
                System.out.println("Expiration: " + response.getCredentials().getExpiration());
                System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
                System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
                System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
                System.out.println("RequestId: " + response.getRequestId());
    
                com.aliyun.teaopenapi.models.Config stsConfig = new com.aliyun.teaopenapi.models.Config()
                        .setAccessKeyId(response.getCredentials().getAccessKeyId())
                        .setAccessKeySecret(response.getCredentials().getAccessKeySecret())
                        .setSecurityToken(response.getCredentials().getSecurityToken())
                        // The mPaaS service invocation address.
                        .setEndpoint("mpaas.cn-hangzhou.aliyuncs.com");
    
                Client stsclient = new Client(stsConfig);
                QueryMcubeVhostRequest queryMcubeVhostRequest = new QueryMcubeVhostRequest();
                queryMcubeVhostRequest.setAppId(APP_ID);
                queryMcubeVhostRequest.setWorkspaceId(WORKSPACE_ID);
                queryMcubeVhostRequest.setTenantId(TENANT_ID);
                try {
                    QueryMcubeVhostResponse queryMcubeVhostResponse = stsclient.queryMcubeVhost(queryMcubeVhostRequest);
                    System.out.println(queryMcubeVhostResponse.getBody().getResultCode());
                    System.out.println(JSON.toJSONString(queryMcubeVhostResponse.getBody().getQueryVhostResult()));
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
    
    
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }
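
The sample above calls AssumeRole every time it runs. The following added example (not part of the original sample or of any Alibaba Cloud SDK) shows one way to reuse the temporary credentials and re-assume the role only shortly before Expiration, while keeping the secret and token out of log output. The class names and the `Supplier` wrapper around the AssumeRole call are hypothetical, and the values in `main` are constructed stand-ins for an STS response.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Added example: reuse STS credentials and re-assume the role shortly before Expiration.
public class StsCredentialCache {

    // Holder for the fields AssumeRole returns; toString() omits the secret and the token.
    static final class TempCredentials {
        final String accessKeyId, accessKeySecret, securityToken;
        final Instant expiration;
        TempCredentials(String id, String secret, String token, String expirationUtc) {
            accessKeyId = id;
            accessKeySecret = secret;
            securityToken = token;
            // STS returns Expiration as an ISO 8601 UTC timestamp such as 2026-02-02T08:00:00Z.
            expiration = Instant.parse(expirationUtc);
        }
        @Override public String toString() {
            return "TempCredentials{id=" + accessKeyId + ", expires=" + expiration + "}";
        }
    }

    private final Supplier<TempCredentials> assumeRole; // hypothetical wrapper around AssumeRole
    private final Duration margin;                      // refresh this long before expiry
    private final Clock clock;
    private TempCredentials current;

    StsCredentialCache(Supplier<TempCredentials> assumeRole, Duration margin, Clock clock) {
        this.assumeRole = assumeRole;
        this.margin = margin;
        this.clock = clock;
    }

    // Returns cached credentials; calls AssumeRole again only when they are about to expire.
    synchronized TempCredentials get() {
        if (current == null || !current.expiration.isAfter(clock.instant().plus(margin))) {
            current = assumeRole.get();
        }
        return current;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the STS call: each "session" lasts 3600 seconds.
        Supplier<TempCredentials> fake = () -> new TempCredentials("STS.constructed", "secret",
                "token", Instant.now().plusSeconds(3600).toString());
        StsCredentialCache cache = new StsCredentialCache(fake, Duration.ofMinutes(5), Clock.systemUTC());
        System.out.println(cache.get() + " reused=" + (cache.get() == cache.get()));
    }
}
```

In real use, the supplier would build a `TempCredentials` from `response.getCredentials()` in the sample above, and each mPaaS `Config` would be created from `cache.get()`.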