This topic describes how to set up a direct data transfer service for a mobile app in less than 30 minutes by using the Security Token Service (STS) policy. Direct data transfer allows you to use a mobile app to connect to Object Storage Service (OSS). This way, you can upload and download data, and send only the control flow to the application server

Prerequisites

Background information

In the mobile Internet era, large volumes of data are uploaded by using mobile apps. Direct data transfer allows developers to ignore data storage issues related to OSS and focus on app development

OSS-based direct data transfer for mobile apps provides the following benefits:
  • Data security: OSS allows mobile apps to upload and download data based on flexible authorization and authentication methods, This helps ensure the security of data.
  • Cost-effectiveness: A smaller number of app servers are required. This helps reduce costs. The mobile app is directly connected to OSS for data uploads and downloads, while only the control flow is sent to the app server.
  • High concurrency: OSS supports concurrent access requests that are sent from a large number of users.
  • Elastic scalability: OSS provides storage space that can be scaled.
  • Data processing: OSS provides Image Processing (IMG) and audio and video transcoding to allow users to process data in a flexible manner.

Process

The following figure shows the development process of the direct data transfer service for mobile apps.Time series chart
Role description:
  • Android or iOS app: an app on a mobile device that applies for an STS credential from the app server and uses the STS credential.
  • OSS: processes data requests from the mobile app.
  • Resource Access Management (RAM)/STS: generates a temporary upload credential, which is a token.
  • App server: a backend service developed for the Android or iOS app. The app server is used to manage the tokens used for data uploads and downloads by using the app and the metadata of the app-uploaded data.

Procedure:

  1. The mobile app applies for a temporary upload credential from the app server.
    The mobile app applies for a temporary upload credential from the app server. The app must apply for a token from the app server. The token is valid for a specified period of time. If the app server developer sets the validity period of the token to 30 minutes, the Android or iOS app can use this token to upload data to or download data from OSS in 30 minutes after the token is issued. After 30 minutes, the app must request a new token to upload or download data.
  2. The app server checks the validity of the request and then returns a token to the app.
  3. The Android or iOS app uses this token to upload data to or download data from OSS.

The following section describes how the app server generates a token and how to use the Android or iOS app to obtain a token.

Step 1: Activate STS

  1. Log on to the OSS console.
  2. In the left-side navigation pane, click Overview.
  3. In the Common Features section, choose Security Token (Authorization for RAM User) > RAM Console.
    sts
  4. Click Start, and complete authorization.
    After the authorization is complete, save the AccessKey ID, AccessKey secret, and RoleArn parameters of the RAM user.

Step 2: Configure the app server

  1. Download and extract the application server code.
  2. Modify the configuration file named config.json.
    The following code provides an example on how to modify the configuration file:
    {
    "AccessKeyID" : "",
    "AccessKeySecret" : "",
    "RoleArn" : "",
    "TokenExpireTime" : "900",
    "PolicyFile": "policy/bucket_write_policy.txt"
    }

    The following table describes the parameters that are used in the preceding statements.

    Parameter Description
    AccessKeyID Specifies the obtained AccessKey ID.
    AccessKeySecret Specifies the obtained AccessKey secret.
    RoleArn Specifies the obtained RoleArn.
    TokenExpireTime Specifies the validity period of the token obtained by using the Android or iOS app. The default value 900 seconds is the minimum value
    PolicyFile Specifies the file that lists the permissions of the token. The default value can be retained.

    The following token files are most commonly used in the policy directory:

    • bucket_read_policy.txt: specifies to use the token to grant permissions to read data from the specified bucket and objects whose names contain the specified prefix for the account.
    • bucket_write_policy.txt: specifies to use the token to grant permissions to write data to the specified bucket and objects whose names contain the specified prefix for the account.

    To use the token file, replace $BUCKET_NAME and $OBJECT_PREFIX with specified values.

    For more information, see examples and implementation of policies in Overview.

    Warning
    • Follow the principle of least privilege (PoLP) based on business requirements. If you specify all resources (resource:*) or all actions (action:*), security risks such as data leaks may arise because of excess permissions.
    • The sample code is only for reference. The online system must implement permission isolation for different users or devices. This way, tokens that are used to grant different permissions are generated.
  3. Run the sample code.
    In the following code, OSS SDK for PHP and OSS SDK for Java are used:
    • PHP
      1. Run the following command to generate a token:
        php sts.php
      2. Deploy the application to the specified application server address.
    • Java (Add Java 1.7 dependencies.)
      1. Run the following command to start the service:
        java -jar app-token-server.jar (port)

        If you do not specify a port, the program starts listening on port 7080 by default. You can specify the port used for listening, but you cannot specify a port that already exists.

      2. Call AssumeRole to obtain the response.
        The response contains the following information:
        // Successful sample response. 
        {
            // The HTTP status code that is returned when the app obtains the token. If the token is obtained, the app returns the HTTP status code 200. 
            "StatusCode":200,
            // The AccessKey ID that can be used by the Android and iOS app to initialize an OSSClient instance. 
            "AccessKeyId":"STS.3p***dgagdasdg",
            // The AccessKey secret that can be used by the iOS app to initialize an OSSClient instance. 
            "AccessKeySecret":"rpnwO9***tGdrddgsR2YrTtI",
            // The token that can be used by the Android and iOS app to initialize an OSSClient instance. 
            "SecurityToken":"CAES+wMIARKAAZhjH0EUOIhJMQBMjRywXq7MQ/cjLYg80Aho1ek0Jm63XMhr9Oc5s˙∂˙∂3qaPer8p1YaX1NTDiCFZWFkvlHf1pQhuxfKBc+mRR9KAbHUefqH+rdjZqjTF7p2m1wJXP8S6k+G2MpHrUe6TYBkJ43GhhTVFMuM3BZajY3VjZWOXBIODRIR1FKZjIiEjMzMzE0MjY0NzM5MTE4NjkxMSoLY2xpZGSSDgSDGAGESGTETqOio6c2RrLWRlbW8vKgoUYWNzOm9zczoqOio6c2RrLWRlbW9KEDExNDg5MzAxMDcyNDY4MThSBTI2ODQyWg9Bc3N1bWVkUm9sZVVzZXJgAGoSMzMzMTQyNjQ3MzkxMTg2OTExcglzZGstZGVt****",
            // The time when the token expires. OSS SDK for Android checks whether the token is valid. If the token becomes invalid, a new token is automatically obtained. 
            "Expiration":"2017-12-12T07:49:09Z"
        }
        // Failed sample response. 
        {
            // The HTTP status code that is returned when the app obtains the token. If the token fails to be obtained, the HTTP status code 500 is returned. 
            "StatusCode":500,
            // The cause of the error. 
            "ErrorCode":"InvalidAccessKeyId.NotFound",
            // Obtain the error message. 
            "ErrorMessage":"Specified access key is not found."
        }

Step 3: Download and install the mobile app

  1. Download the app source code.
    Download link:

    You can use the mobile app on devices that run Android or iOS to upload images to OSS. Simple upload and resumable upload are supported. If the network quality is poor, we recommend that you use resumable upload. You can also use IMG to resize an image to obtain a thumbnail and add watermarks to the image.

  2. Open the mobile app and configure the app parameters.
    • App server: the app server address specified in Step 2: Configure the app server.
    • Destination bucket: the bucket to which the data is uploaded from a mobile app.
    • Region: the region in which the destination bucket is located.
    • OSS object name: The name must contain the prefix specified in the policy configuration file of the app server.
  3. Click Configure.

Step 4: Configure direct data transfer for mobile apps

  1. Open the mobile app.
  2. Click Select Image. Select the image to upload and specify the object name.
  3. After the object is uploaded, check the upload result in the OSS console.

Core code analysis

The following code provides examples on how to use OSS SDK for Android and OSS SDK for iOS to initialize OSSClient instances.

  • For Android apps:
    // We recommend that you use OSSAuthCredentialsProvider. The token is automatically updated after it expires. 
    String stsServer = "App server address such as https://example.com:8080"
    OSSCredentialProvider credentialProvider = new OSSAuthCredentialsProvider(stsServer);
    // Configure the following parameters. 
    ClientConfiguration conf = new ClientConfiguration();
    conf.setConnectionTimeout(15 * 1000); // The connection timeout period in seconds. Default value: 15. 
    conf.setSocketTimeout(15 * 1000); // The socket timeout period in seconds. Default value: 15. 
    conf.setMaxConcurrentRequest(5); // The maximum number of concurrent requests. Default value: 5. 
    conf.setMaxErrorRetry(2); // The maximum number of retry attempts. Default value: 2. 
    OSS oss = new OSSClient(getApplicationContext(), endpoint, credentialProvider, conf);
  • For iOS apps:
    OSSClient * client;
    ...
    // We recommend that you use OSSAuthCredentialProvider. The token is automatically updated after it expires. 
    id<OSSCredentialProvider> credential = [[OSSAuthCredentialProvider alloc] initWithAuthServerUrl:@"App server address such as https://example.com:8080"];
    client = [[OSSClient alloc] initWithEndpoint:endPoint credentialProvider:credential];