
Object Storage Service: Set up direct data transfer for mobile apps

Last Updated: Jan 23, 2024

This topic describes how to set up a direct data transfer service for a mobile app in less than 30 minutes by using the Security Token Service (STS) policy. Direct data transfer allows you to use a mobile app to connect to Object Storage Service (OSS). This way, you can upload and download data, and send only the control flow to the application server.


Background information

In the mobile Internet era, large volumes of data are uploaded by using mobile apps. OSS helps handle your data storage concerns so that you can focus on app development.

OSS-based direct data transfer for mobile apps provides the following benefits:

  • Data security: OSS allows mobile apps to upload and download data based on flexible authorization and authentication methods. This helps ensure the security of data.

  • Cost-effectiveness: A small number of app servers are required. This helps reduce costs. The mobile app is connected to OSS for data upload and download, and only the control flow is sent to the app server.

  • High concurrency: OSS supports concurrent access requests that are sent from a large number of users.

  • Elastic scalability: OSS provides scalable storage space.

  • Data processing: OSS supports image processing (IMG) and audio and video transcoding to allow users to process data in a flexible manner.


The following figure shows the development process of the direct data transfer service for mobile apps.


Role description:

  • Android or iOS app: an app on a mobile device that applies for an STS token from the app server and uses the STS token.

  • OSS: processes data requests from the mobile app.

  • Resource Access Management (RAM)/STS: generates a temporary upload token.

  • App server: a backend service developed for the Android or iOS app. The app server manages the tokens that the app uses to upload and download data, and the metadata of the data that the app uploads.


  1. The mobile app applies for a token as the temporary upload credential from the app server.

    AccessKey pairs cannot be stored in Android and iOS apps due to security concerns. The mobile app must apply for a token from the app server. The token is valid for a specific period of time. If the app server developer sets the validity period of the token to 30 minutes, the Android or iOS app can use the token to upload data to or download data from OSS within 30 minutes after the token is issued. After 30 minutes, the app must request a new token to upload or download data.

  2. The app server checks the validity of the request and then returns a token to the app.

  3. The Android or iOS app uses this token to upload data to or download data from OSS.

The following section describes how the app server generates a token and how to use the Android or iOS app to obtain a token.


Step 1: Activate STS and configure an application server

Quick deployment

You can use Resource Orchestration Service (ROS) to activate STS, configure an Elastic Compute Service (ECS) instance, and deploy application server source code on the ECS instance. To use ROS to activate STS and configure an application server, perform the following steps:

  1. Go to the Create Stack wizard in the ROS console.

  2. In the Select Template step of the Create Stack wizard in the ROS console, enter a stack name and the name of an OSS bucket that you want to create. Specify the zone, instance type, system disk category, and password for the ECS instance that you want to purchase, and then click Create.

    On the Stack Information tab of the page that appears, the status of the stack is Creating.

  3. After the status of the stack becomes Created, click the Outputs tab to view the resources, such as the ECS instance and OSS bucket, that are deployed with a few clicks.

Manual deployment

  1. Log on to the OSS console.

  2. In the left-side navigation pane, click Overview.

  3. In the Common Features section, choose Security Token (Authorization for RAM Users) > Go to RAM Console.


  4. On the STS Quick Configuration page, click Start. Follow the on-screen instructions to complete the authorization.

    After the authorization is complete, save the AccessKey ID, AccessKey secret, and RoleArn parameters of the RAM user.

  5. Download and decompress the application server code package.






  6. Modify the configuration file named config.json.

    The following sample code provides an example of how to modify the configuration file:

    {
        "AccessKeyID" : "",
        "AccessKeySecret" : "",
        "RoleArn" : "",
        "TokenExpireTime" : "900",
        "PolicyFile": "policy/bucket_write_policy.txt"
    }

    The following list describes the parameters in the preceding code.

    • AccessKeyID: The obtained AccessKey ID.

    • AccessKeySecret: The obtained AccessKey secret.

    • RoleArn: The obtained RoleArn.

    • TokenExpireTime: The validity period of the token obtained by using the Android or iOS app. The default value 900 is the minimum value. Unit: seconds.

    • PolicyFile: The file that lists the permissions of the token. The default value can be retained.

    In the policy directory, the following token files are most commonly used:

    • bucket_read_policy.txt: specifies that the token has the permissions to read data from a specific bucket and objects whose names contain a specific prefix in the current account.

    • bucket_write_policy.txt: specifies that the token has the permissions to write data to a specific bucket and objects whose names contain a specific prefix in the current account.

    To use the token file, replace $BUCKET_NAME and $OBJECT_PREFIX with specific values.

    For more information, see the examples and implementation of policies in Overview.

    • Follow the principle of least privilege (PoLP) based on your business requirements. If you specify all resources (resource:*) or all actions (action:*), security risks such as data leaks may arise because of excess permissions.

    • The sample code is only for reference. The online system must implement permission isolation for different users or devices. This way, tokens that are used to grant different permissions are generated.

  7. Run the sample code.


    1. Run the following command to generate a token:

      php sts.php

    2. Deploy the app to the specified application server address.



    Java dependency 1.7 is required.

    1. Run the following command to start the service:

      java -jar app-token-server.jar (port)

      If you do not specify a port, the program starts listening on port 7080. You can specify a different listening port, but you cannot specify a port that is already in use.

    2. Call the AssumeRole operation to obtain the response.

      The response contains the following information:

      // A successful sample response. 
          // The HTTP status code that is returned when the app obtains the token. If the token is obtained, the app returns the HTTP status code 200. 
          // The AccessKey ID that can be used by the Android or iOS app to initialize an OSSClient instance. 
          // The AccessKey secret that can be used by the Android or iOS app to initialize an OSSClient instance. 
          // The token that can be used by the Android or iOS app to initialize an OSSClient instance. 
          // The expiration time of the token. OSS SDK for Android checks whether the token is valid. If the token becomes invalid, a new token is automatically obtained. 
      // A failed sample response. 
          // The HTTP status code that is returned when the app obtains the token. If the token fails to be obtained, the HTTP status code 500 is returned. 
          // The cause of the error. 
          // The error message. 
          "ErrorMessage":"Specified access key is not found."

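Step 6 asks you to replace $BUCKET_NAME and $OBJECT_PREFIX in the policy file and to isolate permissions per user or device. The following Python code is an added example, not the code in the application server package: it fills a policy template with a per-user prefix and checks the result for the wildcard grants that step 6 warns about. The template text, the `uploads/<user_id>/` layout, and the function names are assumptions made for illustration.

```python
import json
import re
from string import Template

# Constructed template in the style of policy/bucket_write_policy.txt; the
# file shipped in the code package may list different actions.
WRITE_POLICY_TEMPLATE = """{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["oss:PutObject"],
    "Resource": ["acs:oss:*:*:$BUCKET_NAME/$OBJECT_PREFIX*"]
  }]
}"""

SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")  # excludes '*', '/', '.', '$'


def render_user_policy(template, bucket, user_id):
    """Fill the template so the token can only write under uploads/<user_id>/."""
    if not SAFE_ID.fullmatch(user_id):
        raise ValueError("user id would alter the policy scope")
    prefix = f"uploads/{user_id}/"  # hypothetical per-user layout
    text = Template(template).substitute(BUCKET_NAME=bucket, OBJECT_PREFIX=prefix)
    return json.loads(text)


def lint_policy(policy, bucket):
    """Return least-privilege findings; an empty list means the policy is scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            if action.endswith("*"):
                findings.append(f"wildcard action: {action}")
        for res in resources:
            path = res.rsplit(":", 1)[-1]  # "<bucket>/<key pattern>"
            name, _, key = path.partition("/")
            if name != bucket:
                findings.append(f"resource outside bucket: {res}")
            elif key.rstrip("*") == "":
                findings.append(f"resource covers whole bucket: {res}")
    return findings
```

The bucket name is taken from server-side configuration; only the user ID comes from the authenticated request, which is why it is the value that is validated before substitution.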
Step 2: Download and install a mobile app

  1. Download the mobile app source code package.



    You can use the mobile app on devices that run Android or iOS to upload images to OSS. Simple upload and resumable upload are supported. If the network quality is poor, we recommend that you use resumable upload. You can also use IMG to resize an image to obtain a thumbnail and add watermarks to the image.

  2. Open the mobile app and configure the app parameters.

    • App server: the app server address specified in Step 1.

    • Destination bucket: the bucket to which data is uploaded from a mobile app.

    • Region: the region in which the destination bucket is located.

    • OSS object name: The name must contain the prefix specified in the policy configuration file of the app server.

  3. Click Settings.

Step 3: Configure direct data transfer for the mobile app

  1. Open the mobile app.

  2. Click Select Image. Select the image that you want to upload and specify the object name.

  3. After the object is uploaded, check the upload result in the OSS console.

Core code parsing

The following code provides examples of how to use OSS SDK for Android and OSS SDK for iOS to initialize an OSSClient instance:


// OSS SDK for Android
// We recommend that you use OSSAuthCredentialsProvider. The token is automatically updated after it expires.
String stsServer = "App server address, such as";
OSSCredentialProvider credentialProvider = new OSSAuthCredentialsProvider(stsServer);
// Specify the following parameters:
ClientConfiguration conf = new ClientConfiguration();
conf.setConnectionTimeout(15 * 1000); // The connection timeout period. The value is passed in milliseconds. Default value: 15 seconds.
conf.setSocketTimeout(15 * 1000); // The socket timeout period. The value is passed in milliseconds. Default value: 15 seconds.
conf.setMaxConcurrentRequest(5); // The maximum number of concurrent requests. Default value: 5.
conf.setMaxErrorRetry(2); // The maximum number of retries. Default value: 2.
// endpoint is the endpoint of the region in which the destination bucket is located.
OSS oss = new OSSClient(getApplicationContext(), endpoint, credentialProvider, conf);


// OSS SDK for iOS
OSSClient * client;
// We recommend that you use OSSAuthCredentialProvider. The token is automatically updated after it expires.
id<OSSCredentialProvider> credential = [[OSSAuthCredentialProvider alloc] initWithAuthServerUrl:@"App server address, such as"];
// endPoint is the endpoint of the region in which the destination bucket is located.
client = [[OSSClient alloc] initWithEndpoint:endPoint credentialProvider:credential];