Object Storage Service: How to configure access credentials for OSS SDK for Android

Last Updated: Aug 12, 2024

To use Object Storage Service (OSS) SDK for Android to initiate a request, you must configure access credentials. Alibaba Cloud services use access credentials to verify identity information and access permissions. You can select different types of access credentials based on your authentication and authorization requirements.

Prerequisites

OSS SDK for Android is installed. For more information, see Installation.

Select an initialization method

Select a credential provider

OSS supports multiple methods to initialize a credential provider. You can select a suitable method based on the authentication and authorization requirements of your actual scenario.

| Initialization method | Scenario | AccessKey pair or security token required | Underlying logic | Credential validity period | Credential rotation or refresh method |
| --- | --- | --- | --- | --- | --- |
| Method 1: Use an AccessKey pair | Applications are deployed and run in a secure and stable environment that is not vulnerable to external attacks and need to access cloud services for a long period of time without frequent credential rotation. | Yes | AccessKey pair | Long-term | Manual rotation |
| Method 2: Use a security token | Applications are deployed and run in an untrusted environment, in which case you want to manage the credential validity period and the resources that can be accessed. | Yes | Security token | Temporary | Custom |
| Method 3: Use CredentialsURI | Applications require access credentials from external systems. | No | Security token | Temporary | Automatic refresh |

Method 1: Use an AccessKey pair

If your application is deployed in a secure and stable environment that is not vulnerable to external attacks and requires long-term access to OSS, you can use an AccessKey pair of your Alibaba Cloud account or a RAM user to initialize a credential provider. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. Take note that this method requires you to manually maintain an AccessKey pair. This poses security risks and increases maintenance complexity. For more information about how to obtain an AccessKey pair, see CreateAccessKey.

Warning

This method has security risks and is not recommended for mobile devices. An Alibaba Cloud account has full access to all resources of the account. Leaks of the Alibaba Cloud account AccessKey pair pose critical threats to the system. Therefore, we recommend that you use the AccessKey pair of a RAM user that is granted the minimum required permissions to initialize a credential provider.

Sample code

String ak = "<ALIBABA_CLOUD_ACCESS_KEY_ID>";
String sk = "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";

OSSCredentialProvider credentialProvider = new OSSPlainTextAKSKCredentialProvider(ak, sk);

Method 2: Use a security token

If your application needs to access OSS temporarily and manage access control in a fine-grained manner in real time to improve data security and flexibility, you can use temporary access credentials, which consist of an AccessKey pair and a security token, obtained from Security Token Service (STS) to initialize a credential provider. Take note that this method requires you to manually maintain a security token. This poses security risks and increases maintenance complexity. For more information about how to obtain a security token, see AssumeRole.

You can pass the access credentials by specifying the AccessKey pair and security token environment variables. The following sample code shows how to pass the access credentials and how to update the security token, either manually or automatically.

Manually update the security token

String ak = "<ALIBABA_CLOUD_ACCESS_KEY_ID>";
String sk = "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";
String token = "<ALIBABA_CLOUD_SECURITY_TOKEN>";

OSSCredentialProvider credentialProvider = new OSSStsTokenCredentialProvider(ak, sk, token);

Automatically update the security token

OSSCredentialProvider credentialProvider = new OSSFederationCredentialProvider() {
    @Override
    public OSSFederationToken getFederationToken() {

        /* Obtain an AccessKey pair, a security token, and the validity period of these credentials. 
         * In this example, the AccessKey pair, security token, and the validity period of these credentials are obtained from the application server.
         * URL stsUrl = new URL("<server_url>");
         * HttpURLConnection conn = (HttpURLConnection) stsUrl.openConnection();
         * InputStream input = conn.getInputStream();
         * String jsonText = IOUtils.readStreamAsString(input, OSSConstants.DEFAULT_CHARSET_NAME);
         * JSONObject jsonObjs = new JSONObject(jsonText);
         * String ak = jsonObjs.getString("AccessKeyId");
         * String sk = jsonObjs.getString("AccessKeySecret");
         * String token = jsonObjs.getString("SecurityToken");
         * String expiration = jsonObjs.getString("Expiration");
         */
        String ak = "<ALIBABA_CLOUD_ACCESS_KEY_ID>";
        String sk = "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";
        String token = "<ALIBABA_CLOUD_SECURITY_TOKEN>";
        String expiration = "<ALIBABA_CLOUD_EXPIRATION>";

        // Create an OSSFederationToken by using the ak, sk, token, and expiration parameters.
        OSSFederationToken federationToken = new OSSFederationToken(ak, sk, token, expiration);
        return federationToken;
    }
};

Method 3: Use CredentialsURI

If your application needs to obtain an Alibaba Cloud credential from an external system to implement flexible credential management and keyless access, you can use CredentialsURI to initialize a credential provider. The underlying logic of this method is to use a security token obtained from STS to configure access credentials. The Credentials tool obtains the security token by using the URI that you specify to initialize an OSSClient instance on the client. This method eliminates the risks that may arise when you manually maintain an AccessKey pair or a security token.

  1. To allow the Credentials tool to correctly parse and use a security token, the URI must comply with the following response protocol:

    • Response status code: 200

    • Response body structure:

      {
        "StatusCode":200,
        "AccessKeyId":"AccessKeyId",
        "AccessKeySecret":"AccessKeySecret",
        "Expiration":"2015-11-03T09:52:59Z",
        "SecurityToken":"SecurityToken"
      }

  2. Configure the URI as the access credential.

    String authServerUrl = "<remote_url>";
    OSSAuthCredentialsProvider credentialProvider = new OSSAuthCredentialsProvider(authServerUrl);
    /* If data is encrypted, you can decrypt the data by running the following sample code:
     * credentialProvider.setDecoder(new OSSAuthCredentialsProvider.AuthDecoder() {
     *     @Override
     *     public String decode(String data) {
     *         String result = null;
     *         // Decrypt the data.
     *         // result = ...
     *         return result;
     *     }
     * });
     */
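
The response protocol above carries the same fields that the Method 2 automatic-update sample reads from the application server. As an added example (not from the original page or the OSS SDK), the hypothetical `CredentialResponseCheck` class below validates such a body before its values are passed to `OSSFederationToken`; it assumes `org.json` (bundled with Android), and the HTTPS requirement, the one-minute margin, and the sample URL are assumptions of this example.

```java
import org.json.JSONException;
import org.json.JSONObject;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Locale;
import java.util.TimeZone;

/** Hypothetical helper for this example; not a class of the OSS SDK. */
public final class CredentialResponseCheck {
    private static final String[] REQUIRED =
            {"AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration"};
    // Assumption: reject tokens with less than one minute of validity left.
    private static final long MIN_REMAINING_MS = 60_000L;

    /** Returns the expiration (epoch ms) of a usable response, or throws. */
    public static long validate(String url, String body, long nowMs)
            throws JSONException, ParseException {
        // Assumption: the endpoint must be HTTPS because the body carries secrets.
        if (!url.toLowerCase(Locale.ROOT).startsWith("https://"))
            throw new IllegalArgumentException("credential URL must use HTTPS");
        JSONObject json = new JSONObject(body);
        if (json.optInt("StatusCode", -1) != 200)
            throw new IllegalStateException("StatusCode is not 200");
        for (String key : REQUIRED)
            if (json.optString(key, "").trim().isEmpty()) throw new IllegalStateException("missing or empty field: " + key);
        // Strict parse of the UTC timestamp format shown in the response protocol.
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'", Locale.US);
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        fmt.setLenient(false);
        long expiresAt = fmt.parse(json.getString("Expiration")).getTime();
        if (expiresAt - nowMs < MIN_REMAINING_MS)
            throw new IllegalStateException("token is expired or about to expire");
        return expiresAt;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: field names and timestamp format from the page.
        String ok = "{\"StatusCode\":200,\"AccessKeyId\":\"AccessKeyId\","
                + "\"AccessKeySecret\":\"AccessKeySecret\","
                + "\"Expiration\":\"2015-11-03T09:52:59Z\",\"SecurityToken\":\"SecurityToken\"}";
        long now = 1446540000000L; // constructed clock: 2015-11-03T08:40:00Z
        System.out.println("expires at " + validate("https://sts.example.invalid/token", ok, now));
        String noToken = ok.replace("\"SecurityToken\":\"SecurityToken\"", "\"SecurityToken\":\"\"");
        try {
            validate("https://sts.example.invalid/token", noToken, now);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```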