ApsaraVideo VOD:Obtain an STS token

Last Updated:Jun 03, 2025

Security Token Service (STS) tokens can effectively prevent security risks caused by AccessKey pair leakages of Resource Access Management (RAM) users. To obtain a token from STS, you must create a RAM user and a RAM role, grant them the required permissions, and then use the AccessKey pair of the RAM user as a credential to call the AssumeRole operation to assume the RAM role. This topic describes how to obtain an STS token.

Step 1: Create a RAM user

Create a RAM user. For more information, see Create a RAM user. Take note of the following configurations:

  1. Recommended. Set the Logon Name parameter to vod. The logon name vod is used as an example in subsequent descriptions in this topic.

  2. Set the Access Mode parameter to Using permanent AccessKey to access.

  3. Keep the obtained AccessKey pair confidential.

Step 2: Grant the RAM user the permissions to call the AssumeRole operation of STS

  1. On the Users page in the RAM console, find the RAM user whose logon name is vod and click Add Permissions in the Actions column.

  2. In the Grant Permission panel, grant the required permissions to the RAM user.

    Note

    To grant the required permissions, attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This policy allows the RAM user vod to call the AssumeRole operation of STS. To search for the policy, you can select System Policy from the drop-down list and enter AliyunSTSAssumeRoleAccess in the search box.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

  3. Click Close.

Step 3: Create a RAM role

Note

In Substep 6, we recommend that you set the Role Name parameter to vodrole. The role name vodrole is used as an example in subsequent descriptions in this topic.

  1. Log on to the RAM console as a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, set the Principal Type parameter to Cloud Account, specify an Alibaba Cloud account, and then click OK.

    • Current Account: If you want a RAM user or RAM role that belongs to your Alibaba Cloud account to assume the RAM role, select Current Account.

    • Other Account: If you want a RAM user or RAM role that belongs to a different Alibaba Cloud account to assume the RAM role, select Other Account and enter the ID of the Alibaba Cloud account. This option is provided to grant permissions on resources that belong to different Alibaba Cloud accounts. For more information, see Use a RAM role to grant permissions across Alibaba Cloud accounts. You can view the ID of your Alibaba Cloud account on the Security Settings page.

  5. Optional. If you want the RAM role to be assumed only by a specific RAM user or RAM role that belongs to the trusted Alibaba Cloud account, click Switch to Policy Editor and modify the trust policy of the RAM role in the editor.

    The editor supports the Visual editor and JSON modes. In the following example, only the RAM user Alice within the Alibaba Cloud account whose ID is 100******0719 can assume the RAM role.

    • Visual editor

      Specify a RAM user for the Principal element.

    • JSON

      Specify a RAM user for the RAM field of the Principal parameter.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "RAM": "acs:ram::100******0719:user/Alice"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

  6. In the Create Role dialog box, configure the Role Name parameter and click OK.
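The following Python code is an added example (not from the original page or the Alibaba Cloud SDK) that builds a trust policy of the same shape as the JSON above for named RAM users and flags trust policies whose principal is not pinned to a specific RAM user or RAM role, which is the difference between Substep 4's Current Account choice and the narrower trust policy of Substep 5. The account ID and user names are constructed placeholders.

```python
# Constructed placeholder account ID and user names (the page masks its own
# account ID as 100******0719); substitute your real values.
ACCOUNT_ID = "123456789012345678"
TRUSTED_USERS = ["Alice"]


def user_arn(account_id: str, user_name: str) -> str:
    """RAM user ARN in the form the Principal.RAM field expects."""
    return f"acs:ram::{account_id}:user/{user_name}"


def build_trust_policy(account_id: str, user_names: list) -> dict:
    """Trust policy that lets only the named RAM users call sts:AssumeRole,
    in the same shape as the JSON example in Step 3 (paste json.dumps of it
    into the console's JSON editor)."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"RAM": [user_arn(account_id, u) for u in user_names]},
            "Action": "sts:AssumeRole",
        }],
    }


def unpinned_principals(policy: dict) -> list:
    """Return Allow principals that are not a specific RAM user or RAM role.

    A wildcard, or an ARN whose resource part is not user/... or role/...
    (for example a whole-account principal), lets more identities assume the
    role than the page's intent of "only the RAM user Alice".
    """
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("RAM", [])
        if isinstance(principals, str):
            principals = [principals]
        for arn in principals:
            resource = arn.rsplit(":", 1)[-1]
            if "*" in arn or not resource.startswith(("user/", "role/")):
                found.append(arn)
    return found
```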

Step 4: Grant the RAM role the permissions to manage ApsaraVideo VOD

  1. On the Roles page in the RAM console, find the created RAM role vodrole and click Grant Permission in the Actions column.

  2. In the Grant Permission panel, grant the required permissions to the RAM role.

    Note
    • To improve security, we recommend that you grant the minimum required permissions to the RAM role.

• If you want the RAM role vodrole to access and manage ApsaraVideo VOD resources, we recommend that you attach the system policy AliyunVODFullAccess to the RAM role. This policy allows the RAM role vodrole to manage all ApsaraVideo VOD resources. To search for the system policy, you can select System Policy from the drop-down list and enter AliyunVODFullAccess in the search box. For more information about the definitions and permissions of ApsaraVideo VOD system policies, see System policies.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

The principal is the RAM role to which you want to grant permissions. The current RAM role vodrole is automatically selected.

    3. Configure the Policy parameter.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies. You can select multiple policies at a time.

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

        Note

        The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. We recommend that you do not grant unnecessary permissions by attaching high-risk policies.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

    4. Click Grant permissions.

After the authorization is complete, a record that indicates a successful authorization is generated.

  3. Click Close.

Step 5: Assume the RAM role and obtain an STS token

Use the RAM user to call the AssumeRole operation of STS to obtain an STS token of the RAM role. This operation obtains a temporary identity credential to assume the role. You can directly use the STS token to access ApsaraVideo VOD API operations or distribute the STS token to clients to perform operations, such as a direct client upload. In this example, the SDK for Java is used. For more examples of other programming languages, see STS SDK overview.

SDK V1.0

In Maven, add the following dependency information:

<dependency>
   <groupId>com.aliyun</groupId>
   <artifactId>aliyun-java-sdk-sts</artifactId>
   <version>3.1.2</version>
</dependency>
<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aliyun-java-sdk-core</artifactId>
  <version>4.7.3</version>
</dependency>
<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aliyun-java-sdk-vod</artifactId>
  <version>2.16.32</version>
</dependency>

Sample code:

package pop;

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

public class TestStsService {

    public static void main(String[] args) {
        // Obtain the AccessKey pair (AccessKey ID and AccessKey secret) that is generated in Step 1 from the environment variables.
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Configure request parameters of the AssumeRole operation, including RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // Obtain the value of RoleArn from the RAM console based on Step 3.
        String roleArn = "<role-arn>";
        // Specify a custom value for RoleSessionName. RoleSessionName specifies the name of the role session.
        String roleSessionName = "session-name";
        // Specify a custom value for Policy.
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"vod:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());

        } catch (ClientException e) {
            System.out.println("Failed to get a token.");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
        }
    }

    static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
        try {
            // Construct a default profile. Leave the regionId parameter empty.
            /*
            Note: If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter is optional. Otherwise, you must set the regionId parameter to the service region. Example: cn-shanghai.
            For more information, refer to the endpoint of each STS region.
             */
            IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
            // Use the profile to construct a client.
            DefaultAcsClient client = new DefaultAcsClient(profile);
            // Create an AssumeRole request and configure the request parameters.
            final AssumeRoleRequest request = new AssumeRoleRequest();
            request.setSysEndpoint("sts.aliyuncs.com");
            request.setSysMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy);
            // Initiate the request and obtain the response.
            final AssumeRoleResponse response = client.getAcsResponse(request);
            return response;
        } catch (ClientException e) {
            throw e;
        }
    }
}

SDK V2.0

In Maven, add the following dependency information:

<dependency>
   <groupId>com.aliyun</groupId>
   <artifactId>sts20150401</artifactId>
   <version>1.1.7</version>
</dependency>
<dependency>
   <groupId>com.aliyun</groupId>
   <artifactId>vod20170321</artifactId>
   <version>3.6.4</version>
</dependency>

Sample code:

import com.aliyun.sts20150401.Client;
import com.aliyun.sts20150401.models.AssumeRoleRequest;
import com.aliyun.sts20150401.models.AssumeRoleResponse;
import com.aliyun.sts20150401.models.AssumeRoleResponseBody;
import com.aliyun.teaopenapi.models.Config;
import com.aliyun.teautil.models.RuntimeOptions;

public class TestStsService {
    public static void main(String[] args) {
        // Obtain the AccessKey pair (AccessKey ID and AccessKey secret) that is generated in Step 1 from the environment variables.
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Configure request parameters of the AssumeRole operation, including RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // Obtain the value of RoleArn from the RAM console based on Step 3.
        String roleArn = "<role-arn>";
        // Specify a custom value for RoleSessionName.
        String roleSessionName = "session-name";
        // Specify a custom value for Policy.
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"vod:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            AssumeRoleResponse assumeRoleResponse = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            // In SDK V2.0, the credentials and the request ID are in the response body.
            AssumeRoleResponseBody body = assumeRoleResponse.getBody();
            System.out.println("Expiration: " + body.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + body.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + body.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + body.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + body.getRequestId());
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws Exception {
        Config config = new Config()
                // Obtain the AccessKey ID from the environment variable.
                .setAccessKeyId(accessKeyId)
                // Obtain the AccessKey secret from the environment variable.
                .setAccessKeySecret(accessKeySecret);
        config.endpoint = "sts.cn-hangzhou.aliyuncs.com";
        Client client = new Client(config);
        AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
                .setRoleArn(roleArn)
                .setRoleSessionName(roleSessionName)
                .setPolicy(policy);
        RuntimeOptions runtime = new RuntimeOptions();
        return client.assumeRoleWithOptions(assumeRoleRequest, runtime);
    }
}
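As an added example that is not part of the page's Java samples, the following Python code shows two checks worth doing around the AssumeRole call above: narrowing the session Policy to the actions a client actually needs instead of vod:*, and refusing to distribute credentials that are about to expire. The VOD action names are assumed, and the sample Credentials object and timestamps are constructed.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Assumed VOD action names for a client direct upload; they are not listed on
# the page, so confirm them against the ApsaraVideo VOD RAM action reference.
UPLOAD_ACTIONS = ["vod:CreateUploadVideo", "vod:RefreshUploadVideo"]

# Constructed sample of the Credentials object an AssumeRole call returns
# (the same fields the page's Java samples print); the values are fake.
SAMPLE_CREDENTIALS = {
    "AccessKeyId": "STS.EXAMPLEKEYID",
    "AccessKeySecret": "EXAMPLESECRET",
    "SecurityToken": "EXAMPLETOKEN",
    "Expiration": "2025-06-03T10:00:00Z",
}


def session_policy(actions: list) -> str:
    """Session policy string for the AssumeRole Policy parameter. The token
    gets the intersection of the role's permissions and this policy, so
    listing only the actions a client needs narrows what a leaked token
    could do compared with the page's "vod:*" example."""
    doc = {"Version": "1",
           "Statement": [{"Action": actions, "Resource": "*", "Effect": "Allow"}]}
    return json.dumps(doc)


def _parse_utc(stamp: str) -> datetime:
    """Parse the ISO 8601 UTC timestamp format STS uses (2025-06-03T10:00:00Z)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def remaining_seconds(credentials: dict, now: Optional[str] = None) -> int:
    """Seconds until Expiration, measured from `now` (ISO UTC) or the clock."""
    current = _parse_utc(now) if now else datetime.now(timezone.utc)
    return int((_parse_utc(credentials["Expiration"]) - current).total_seconds())


def credentials_for_client(credentials: dict, now: Optional[str] = None,
                           min_seconds: int = 300) -> Optional[dict]:
    """Credentials to distribute to a client, or None when fewer than
    min_seconds remain; in that case call AssumeRole again on the server
    instead of handing out a token that is about to expire."""
    left = remaining_seconds(credentials, now)
    if left < min_seconds:
        return None
    return dict(credentials, ExpiresIn=left)
```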