Security Token Service (STS) is an Alibaba Cloud service that provides short-term access credentials for Alibaba Cloud accounts or RAM users. In addition to upload URLs and credentials, specific upload methods allow you to use STS tokens for access control. This topic describes the principles and usage notes of STS tokens. This topic also describes how to obtain STS tokens.

How it works

You can use STS to issue an STS token to a third-party user. An STS token is an access credential with a custom validity period and limited access permissions. Then, the third-party user can use the short-term STS token to call API operations of ApsaraVideo VOD.

Usage notes

Note You can select STS tokens or upload URLs and credentials based on the benefits of the two access methods. For more information about the comparison between the two methods, see Comparison between credentials and STS. For more information about upload URLs and credentials, see Upload URLs and credentials.
Take note of the following differences when you determine whether to use STS tokens or upload URLs and credentials:
  • If a user uploads a media file by using an STS token, the user must construct an upload request that includes the STS token and a temporary AccessKey pair.
  • If a user uploads a media file by using an upload URL and an upload credential, the user can directly specify the AccessKey pair of an Alibaba Cloud account or a RAM user in the upload request.
The following table describes the support for STS tokens by different upload methods.
Upload method Support for STS tokens References

Upload from servers

 Supported only by the server upload SDK for Java

For more information about how to obtain STS tokens, see Obtain an STS token.

For more information about how to use STS tokens to upload media files, see the topics of different upload methods.

Upload from clients

 Supported

UploadMediaByURL

 N/A

Upload media files by using OSS SDKs

 You can use only STS tokens when you upload media files by using OSS SDKs.

Upload OSS objects

 N/A

Obtain an STS token

To skip the signature process, we recommend that you integrate the STS SDK and call the AssumeRole operation to obtain a temporary STS token. Before you integrate the STS SDK, you must create a RAM user and assign a role that has the permissions to access ApsaraVideo VOD to the RAM user.

  1. Create a RAM user. For more information, see Create a RAM role and grant temporary access permissions to the role by using STS.
  2. Optional. Attach custom authorization policies to the RAM user. For more information, see Create a custom policy.
  3. Integrate STS SDK and call the AssumeRole operation to obtain an STS token. The substeps of this step vary based on the programming language of the server.
    Programming language of the serverOperation guide
    JavaSTS SDK for Java
    Note The following section provides sample code in Java.
    PythonSTS SDK for Python
    PHPSTS SDK for PHP
    .NETSTS SDK for .NET
    Node.jsSTS SDK for Node.js
    GoSTS SDK for Go

Sample code in Java

Sample Java code on how to obtain an STS token

Note The following sample code describes how to obtain an STS token by using the STS SDK V3.1.1. For more information about how to integrate other versions of STS SDK, see STS SDK overview.
  1. Integrate the STS SDK.
    Add dependencies for the STS SDK. 
    <dependencies>
  <!--  STS SDK in the earlier version  -->
  <dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>aliyun-java-sdk-sts</artifactId>
    <version>3.1.1</version>
  </dependency>
</dependencies>
    Add the core library for the STS SDK. 
    <dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aliyun-java-sdk-core</artifactId>
  <version>4.6.1</version>
</dependency>
  2. Call the AssumeRole operation to obtain an STS token. 
    
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;


/**
 * @author jack
 * @date 2020/5/25
 */
public class TestStsService {

    public static void main(String[] args) {
        // Only a RAM user can call the AssumeRole operation.
        // AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
        // Create a RAM user in the RAM console and create an AccessKey pair for the RAM user.
        String accessKeyId = "LTAI5tKtf6vKccbinQu****";
        String accessKeySecret = "D47l1yBPgjdqe3JzVASSF9yrje****";
        // Request parameters for the AssumeRole operation include RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // You must obtain the value of RoleArn in the RAM console.
        String roleArn = "acs:ram::174809843091****:role/vodrole";
        // RoleSessionName specifies the session name of the role. You can specify a custom value for this parameter.
        String roleSessionName = "session-name";// Specify a session name.
        // Specify a policy.
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"vod:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());

            createUploadVideo(response.getCredentials().getAccessKeyId(), response.getCredentials().getAccessKeySecret(), response.getCredentials().getSecurityToken());
        } catch (ClientException e) {
            System.out.println("Failed to get a token.");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
        }
    }

    static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
        try {
            // Construct a default profile. Leave the parameters empty. The regionId parameter is not required.
            /*
            Note: If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter is optional. Otherwise, you must set the regionId parameter to the ID of the region in which you use STS. Example: cn-shanghai.
            For more information, see the STS endpoints in different regions. 
             */
            IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
            // Use the profile to construct a client.
            DefaultAcsClient client = new DefaultAcsClient(profile);
            // Create an AssumeRole request and configure the request parameters.
            final AssumeRoleRequest request = new AssumeRoleRequest();
            request.setSysEndpoint("sts.aliyuncs.com");
            request.setSysMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy);
            // Initiate the request and obtain the response.
            final AssumeRoleResponse response = client.getAcsResponse(request);
            return response;
        } catch (ClientException e) {
            throw e;
        }
    }

Parameters

ParameterDescription
RoleArnThe Alibaba Cloud Resource Name (ARN) of the role that you want to assign to the RAM user. After you create a role for a RAM user, you can obtain the ARN of the role from the RAM console: In the left-side navigation pane, choose Identities > Roles. On the Roles page, click the name of the role. In the Basic Information section, view or copy the ARN.
RoleSessionNameThe custom name of the role session. Set this parameter based on your business requirements. In most cases, this parameter is set to the identity of the user who calls the operation, for example, the username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing. The value must be 2 to 64 characters in length and can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_).
PolicyThe policy that specifies the permissions added when a role is assumed.
Note
  • The policy is used to control the permissions of the temporary access credential after the user assumes a role. The final permissions obtained by the temporary access credentials are an intersection of the permissions of the role and the permissions specified by the policy.
  • The Policy parameter is passed in to improve flexibility. For example, you can set this parameter to specify that only the CreateUploadVideo operation can be called.
DurationSecondsThe validity period of the temporary access credential. Valid values: 900 to 3600. Unit: seconds.
accessKeyId and accessKeySecretThe AccessKey ID and AccessKey secret of the RAM user that assumes the role.