All Products
Search
Document Center

ApsaraVideo VOD:Obtain an STS token

Last Updated:Jun 15, 2026

STS tokens let you grant temporary access to ApsaraVideo VOD without exposing a RAM user’s AccessKey pair. To obtain an STS token, create a RAM user and a RAM role, grant the required permissions to both, and then call the AssumeRole operation with the RAM user’s AccessKey pair to assume the RAM role.

Step 1: Create a RAM user

Create a RAM user, and note the following:

  1. Set the Logon Name parameter to vod. This topic uses vod as the logon name in all subsequent examples.

  2. Set the Access Mode parameter to Using permanent AccessKey to access.

  3. Keep the obtained AccessKey pair secure.

Step 2: Grant the RAM user permissions to call the AssumeRole operation of STS

  1. In the RAM console, go to the Users page. Find the RAM user named vod and click Add Permissions in the Actions column.

  2. In the Grant Permission panel, grant permissions to the RAM user.

    Note

    Attach the AliyunSTSAssumeRoleAccess policy to the vod user. This policy allows the user to call the STS AssumeRole operation. To find the policy, select System Policy and enter AliyunSTSAssumeRoleAccess in the search box.

    截屏2025-06-03 09

    • Select the Resource Scope:

      • Account level: The permission applies to the current Alibaba Cloud account.

      • Resource group level: The permission applies to a specific resource group. If you grant resource group–level permissions to a RAM user, the user must switch the resource scope to that resource group in the top navigation bar after logging on to the console. Only then can the user access and manage resources in that group.

        Note
        1. The system automatically flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. These policies often grant full control over all cloud resources or full management of Resource Access Management (RAM). Grant them with caution.

        2. For an example of resource group authorization, see Use a resource group to restrict a RAM user to managing only specific ECS instances.

    • Select the principal:

      The principal is the RAM user that receives the permissions. If you start from the Users page, the system selects the current RAM user automatically. If you start from the Grant Permission page, select one or more RAM users manually.

    • Select the Permission Policy:

      • System policy: Search and select directly. Search tips: Use the search box to locate policies quickly. You can search by product name (such as ECS or OSS), permission level (such as ReadOnly or FullAccess), or the full policy name.

      • Custom policy: First create a custom policy. For more information, see Create a custom policy.

    • Click Confirm Grant Permission.

  3. Review the authorization result and click Close.

Step 3: Create a RAM role

Note

In Step 5 below, set the Role Name parameter to vodrole. This topic uses vodrole as the role name in all subsequent examples.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, set Principal Type to Cloud Account, specify the details of the Alibaba Cloud account, and then click OK.

    • Current Account: When you want to allow all RAM users and RAM roles under the current Alibaba Cloud account to assume the RAM role that is being created, you can select Current Account.

    • Other Account: If you want to allow all RAM users and RAM roles from another Alibaba Cloud account to assume the RAM role that you are creating, you can select Other Account and then enter the ID of the other Alibaba Cloud account (main account). This option is mainly for scenarios that involve accessing resources across Alibaba Cloud accounts. For more information, see Access resources across Alibaba Cloud accounts.You can find your Alibaba Cloud account (main account) ID on the Security Settings page.

  5. (Optional) To restrict the role to specific RAM users or RAM roles, click Switch to Policy Editor to modify the trust policy.

    The editor supports two modes: Visual Editor and JSON Editor. You can choose either one. The following example indicates that the created RAM role can only be assumed by the RAM user Alice under the current Alibaba Cloud account (AccountID=100******0719).

    • Visual Editor

      In the Principal section, add the RAM user.

      Click the Edit link next to Cloud Account and enter the ID of the trusted account.

      In the Add Principal dialog box, select Current Account for Cloud Account and RAM User for Identity Type. Enter the target username, such as Alice, in the User Name field, and then click OK.

    • JSON Editor

      In the RAM field of the Principal object, enter the full ARN of the RAM user.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "RAM": "acs:ram::100******0719:user/Alice"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  6. In the Create Role dialog box, enter a Role Name, and then click OK.

Step 4: Grant the RAM role permissions to manage ApsaraVideo VOD

  1. In the RAM console, go to the Roles page. Find the RAM role named vodrole and click Grant Permission in the Actions column.

  2. In the Grant Permission panel, grant permissions to the RAM role.

    Note
    • To reduce risk, apply the principle of least privilege.

    • If the vodrole role needs to access and manage ApsaraVideo VOD resources, attach the system policy AliyunVODFullAccess to the role. This policy grants full access to all ApsaraVideo VOD resources. To find the policy, select System Policy and enter AliyunVODFullAccess in the search box. For more information about ApsaraVideo VOD system policies and their permissions, see System policies.

    授权

    • Select the Resource Scope:

      • Account level: The permission applies to the current Alibaba Cloud account.

      • Resource group level: The permission applies to a specific resource group. If you grant resource group–level permissions to a RAM user, the user must switch the resource scope to that resource group in the top navigation bar after logging on to the console. Only then can the user access and manage resources in that group.

        Note
        1. The system automatically flags high-risk system policies such as AdministratorAccess and AliyunRAMFullAccess. These policies often grant full control over all cloud resources or full management of Resource Access Management (RAM). Grant them with caution.

        2. For an example of resource group authorization, see Use a resource group to restrict a RAM user to managing only specific ECS instances.

    • Select the principal:

      The principal is the RAM user that receives the permissions. If you start from the Users page, the system selects the current RAM user automatically. If you start from the Grant Permission page, select one or more RAM users manually.

    • Select the Permission Policy:

      • System policy: Search and select directly. Search tips: Use the search box to locate policies quickly. You can search by product name (such as ECS or OSS), permission level (such as ReadOnly or FullAccess), or the full policy name.

      • Custom policy: First create a custom policy. For more information, see Create a custom policy.

    • Click Confirm Grant Permission.

    After authorization completes, a success record appears. 授权成功

  3. Review the authorization result and click Close.

Step 5: Assume the RAM role and obtain an STS token

Call the STS AssumeRole – Obtain temporary credentials to assume a role operation as the RAM user. The returned STS token can be used to call ApsaraVideo VOD API operations or distributed to clients for tasks such as direct uploads. The following Java SDK example demonstrates the process. For other languages, see STS SDK overview.

SDK V1.0

In Maven, add the following dependency information:

<dependency>
   <groupId>com.aliyun</groupId>
   <artifactId>aliyun-java-sdk-sts</artifactId>
   <version>3.1.2</version>
</dependency>
<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aliyun-java-sdk-core</artifactId>
  <version>4.7.3</version>
</dependency>
<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aliyun-java-sdk-vod</artifactId>
  <version>2.16.32</version>
</dependency>
package pop;

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

public class TestStsService {

    public static void main(String[] args) {
        // Get the AccessKey pair (AccessKey ID and AccessKey secret) for the RAM user created in Step 1 from environment variables.
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Configure request parameters for the AssumeRole operation: RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // Get the RoleArn value from the RAM console based on Step 3.
        String roleArn = "<role-arn>";
        // Set a custom value for RoleSessionName. RoleSessionName specifies the name of the role session.
        String roleSessionName = "session-name";
        // Customize the policy.
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"vod:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());

        } catch (ClientException e) {
            System.out.println("Failed to get a token.");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
        }
    }

    static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
        try {
            // Build a default profile. Leave the regionId parameter empty.
            /*
            Note: If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter is optional. Otherwise, you must set regionId to the service region. Example: cn-shanghai.
            For more information, see the endpoint for each STS region.
             */
            IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
            // Build a client using the profile.
            DefaultAcsClient client = new DefaultAcsClient(profile);
            // Create an AssumeRoleRequest and configure the request parameters.
            final AssumeRoleRequest request = new AssumeRoleRequest();
            request.setSysEndpoint("sts.aliyuncs.com");
            request.setSysMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy);
            // Send the request and get the response.
            final AssumeRoleResponse response = client.getAcsResponse(request);
            return response;
        } catch (ClientException e) {
            throw e;
        }
    }
}

SDK V2.0

In Maven, add the following dependency information:

<dependency>
   <groupId>com.aliyun</groupId>
   <artifactId>sts20150401</artifactId>
   <version>1.1.7</version>
</dependency>
<dependency>
   <groupId>com.aliyun</groupId>
   <artifactId>vod20170321</artifactId>
   <version>3.6.4</version>
</dependency>
import com.aliyun.sts20150401.Client;
import com.aliyun.sts20150401.models.AssumeRoleRequest;
import com.aliyun.sts20150401.models.AssumeRoleResponse;
import com.aliyun.sts20150401.models.AssumeRoleResponseBody;
import com.aliyun.teaopenapi.models.Config;
import com.aliyun.teautil.models.RuntimeOptions;

public class TestStsService {
    public static void main(String[] args) {
        // Get the AccessKey pair (AccessKey ID and AccessKey secret) for the RAM user created in Step 1 from environment variables.
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Configure request parameters for the AssumeRole operation: RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // Get the RoleArn value from the RAM console based on Step 3.
        String roleArn = "<role-arn>";
        // Set a custom value for RoleSessionName.
        String roleSessionName = "session-name";
        // Customize the policy.
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"vod:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            AssumeRoleResponse assumeRoleResponse = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws Exception {
        Config config = new Config()
                // Get the AccessKey ID from the environment variable.
                .setAccessKeyId(accessKeyId)
                // Get the AccessKey secret from the environment variable.
                .setAccessKeySecret(accessKeySecret);
        config.endpoint = "sts.cn-hangzhou.aliyuncs.com";
        Client client = new Client(config);
        AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
                .setRoleArn(roleArn)
                .setRoleSessionName(roleSessionName)
                .setPolicy(policy);
        RuntimeOptions runtime = new RuntimeOptions();
        return client.assumeRoleWithOptions(assumeRoleRequest, runtime);
    }
}