ApsaraVideo VOD provides two client authorization solutions: the credential method and the Security Token Service (STS) method. These solutions ensure security during uploads and playback and prevent data breaches. This topic compares the two solutions to help you select the one that best suits your business needs.
Credential method: This is a dedicated authorization solution from ApsaraVideo VOD. It integrates server-side authorization logic and generates one-time temporary credentials for uploads or playback using a simple API. This method is deeply integrated with the software development kit (SDK), is out-of-the-box, and reduces client development effort. It includes upload credentials and playback credentials.
STS method: The Security Token Service (STS) is a general-purpose temporary authorization solution from Alibaba Cloud. STS issues temporary identities with custom validity periods and permissions. These identities can be used to access ApsaraVideo VOD and other Alibaba Cloud services. This method is suitable for complex business scenarios and fine-grained permission management. For more information, see Obtain an STS token.
Solution comparison
Credential-based authorization is recommended for uploads and playback in ApsaraVideo VOD because it offers the following advantages over STS-based authorization:
| Comparison item | Core mechanism | Implementation flow | Security | Flexibility | Ease of use |
| --- | --- | --- | --- | --- | --- |
| Credential method | A VOD server-side API, such as CreateUploadVideo, generates a one-time temporary credential. This credential contains encapsulated temporary authorization information. | | By default, this method provides one-time authorization for a single object. The permission granularity is at the single-video level. | Supports parameter settings, such as webhook addresses and playback domain names. | Simple to configure. You only need to grant VOD permissions to an account's AccessKey. |
| STS method | Call an STS API to obtain a temporary credential with a validity period. | | The permission granularity is coarse. For VOD, permissions are granted at the API level. This allows unlimited uploads or playback of all videos under the account. | You must wait for SDK updates. New features may be delayed. | Complex to configure. The configuration of roles and authorization policies is tedious. |
Solution selection
Scenario 1: Simple VOD upload or playback requirements
For VOD projects that require fast integration without concern for underlying details, use the credential method.
Reason: This method is out-of-the-box and deeply integrated with the official SDK. It is lightweight on the server-side and does not require you to manage complex access policies.
Scenario 2: Requirements to simplify server-side logic
For projects with limited investment in server-side development that aim to simplify server-side logic, use the credential method.
Reason: The ApsaraVideo VOD server-side encapsulates most of the security logic. Developers only need to call an API to generate credentials.
FAQ
How do I configure a more secure STS authorization policy?
Security Token Service (STS) is a highly secure basic service from Alibaba Cloud. Its security depends on the strictness of the authorization policy (Policy). You must follow the principle of least privilege. You can use fine-grained configurations to provide enhanced security. For more information, see Obtain an STS Token.
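The following is an added example, not code from Alibaba Cloud's documentation: a small Python check that flags Allow statements in an STS policy that grant more than an upload client needs. The policy layout follows RAM policy JSON, the `vod:` action names are built from API names (CreateUploadVideo and RefreshUploadVideo appear on this page), and the allow-list, sample policies and function name are assumptions to adapt.

```python
import json

# Assumed allow-list for an upload-only client. Compared in lower case so
# that differently cased action names are not missed.
UPLOAD_ACTIONS = {"vod:createuploadvideo", "vod:refreshuploadvideo"}

def _as_list(value):
    """RAM policies accept a single string or a list for Statement/Action."""
    return value if isinstance(value, list) else [value]

def lint_sts_policy(policy, allowed):
    """Return least-privilege findings for a policy (hypothetical helper)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            name = action.lower()
            if "*" in name:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif name not in allowed:
                findings.append(f"statement {i}: {action!r} is not needed")
    return findings

# Constructed sample policies (not taken from the page).
BROAD = json.loads(
    '{"Version": "1", "Statement": [{"Effect": "Allow",'
    ' "Action": "vod:*", "Resource": "*"}]}'
)
SCOPED = json.loads(
    '{"Version": "1", "Statement": [{"Effect": "Allow",'
    ' "Action": ["vod:CreateUploadVideo", "vod:RefreshUploadVideo"],'
    ' "Resource": "*"}]}'
)
MIXED = json.loads(
    '{"Version": "1", "Statement": [{"Effect": "Allow",'
    ' "Action": ["vod:CreateUploadVideo", "vod:DeleteVideo"],'
    ' "Resource": "*"}]}'
)

if __name__ == "__main__":
    for label, doc in (("broad", BROAD), ("scoped", SCOPED), ("mixed", MIXED)):
        print(label, lint_sts_policy(doc, UPLOAD_ACTIONS) or "ok")
```
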
What is the validity period of a credential?
An upload credential is valid for 3000 seconds by default. After it expires, call RefreshUploadVideo to obtain a new one.
The validity period of a playback credential can be customized using the AuthInfoTimeout parameter of GetVideoPlayAuth. The default value is 100 seconds. Set a shorter validity period to improve security.