Security Token Service (STS) is an Alibaba Cloud service that provides short-term access credentials for Alibaba Cloud accounts or RAM users. In addition to upload URLs and credentials, specific upload methods allow you to use STS tokens for access control. This topic describes the principles and usage notes of STS tokens. This topic also describes how to obtain STS tokens.
How it works
You can use STS to issue an STS token to a third-party user. An STS token is an access credential with a custom validity period and limited access permissions. Then, the third-party user can use the short-term STS token to call API operations of ApsaraVideo VOD.
Usage notes
- If a user uploads a media file by using an STS token, the user must construct an upload request that includes the STS token and a temporary AccessKey pair.
- If a user uploads a media file by using an upload URL and an upload credential, the user can directly specify the AccessKey pair of an Alibaba Cloud account or a RAM user in the upload request.
| Upload method | Support for STS tokens | References |
|---|---|---|
| | Supported only by the server upload SDK for Java | For more information about how to obtain STS tokens, see Obtain an STS token. For more information about how to use STS tokens to upload media files, see the topics of different upload methods. |
| | Supported | |
| | N/A | |
| | You can use only STS tokens when you upload media files by using OSS SDKs. | |
| | N/A | |
Obtain an STS token
To skip the signature process, we recommend that you integrate the STS SDK and call the AssumeRole operation to obtain a temporary STS token. Before you integrate the STS SDK, you must create a RAM user and assign a role that has the permissions to access ApsaraVideo VOD to the RAM user.
- Create a RAM user. For more information, see Create a RAM role and grant temporary access permissions to the role by using STS.
- Optional. Attach custom authorization policies to the RAM user. For more information, see Create a custom policy.
- Integrate the STS SDK and call the AssumeRole operation to obtain an STS token. The substeps of this step vary based on the programming language of the server.

Programming language of the server | Operation guide |
---|---|
Java | STS SDK for Java. Note: The following section provides sample code in Java. |
Python | STS SDK for Python |
PHP | STS SDK for PHP |
.NET | STS SDK for .NET |
Node.js | STS SDK for Node.js |
Go | STS SDK for Go |
Sample code in Java
The following sample Java code shows how to obtain an STS token.

- Integrate the STS SDK. Add the dependencies for the STS SDK:

```xml
<dependencies>
    <!-- STS SDK in the earlier version -->
    <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-sts</artifactId>
        <version>3.1.1</version>
    </dependency>
</dependencies>
```

Add the core library for the STS SDK:

```xml
<dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>aliyun-java-sdk-core</artifactId>
    <version>4.6.1</version>
</dependency>
```
- Call the AssumeRole operation to obtain an STS token.
```java
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

/**
 * @author jack
 * @date 2020/5/25
 */
public class TestStsService {
    public static void main(String[] args) {
        // Only a RAM user can call the AssumeRole operation.
        // AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
        // Create a RAM user in the RAM console and create an AccessKey pair for the RAM user.
        String accessKeyId = "LTAI5tKtf6vKccbinQu****";
        String accessKeySecret = "D47l1yBPgjdqe3JzVASSF9yrje****";
        // Request parameters for the AssumeRole operation include RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // You must obtain the value of RoleArn in the RAM console.
        String roleArn = "acs:ram::174809843091****:role/vodrole";
        // RoleSessionName specifies the session name of the role. You can specify a custom value for this parameter.
        String roleSessionName = "session-name";
        // Specify a policy.
        String policy = "{\n"
                + "  \"Version\": \"1\",\n"
                + "  \"Statement\": [\n"
                + "    {\n"
                + "      \"Action\": \"vod:*\",\n"
                + "      \"Resource\": \"*\",\n"
                + "      \"Effect\": \"Allow\"\n"
                + "    }\n"
                + "  ]\n"
                + "}";
        try {
            AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());
            // Use the temporary credentials to call ApsaraVideo VOD. The createUploadVideo method
            // is not shown on this page; implement it with the VOD SDK for your upload method.
            createUploadVideo(response.getCredentials().getAccessKeyId(),
                    response.getCredentials().getAccessKeySecret(),
                    response.getCredentials().getSecurityToken());
        } catch (ClientException e) {
            System.out.println("Failed to get a token.");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
        }
    }

    static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn,
                                         String roleSessionName, String policy) throws ClientException {
        // Construct a default profile. The regionId parameter is left empty here.
        // Note: If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter is optional.
        // Otherwise, you must set the regionId parameter to the ID of the region in which you use STS,
        // for example, cn-shanghai. For more information, see the STS endpoints in different regions.
        IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
        // Use the profile to construct a client.
        DefaultAcsClient client = new DefaultAcsClient(profile);
        // Create an AssumeRole request and configure the request parameters.
        final AssumeRoleRequest request = new AssumeRoleRequest();
        request.setSysEndpoint("sts.aliyuncs.com");
        request.setSysMethod(MethodType.POST);
        request.setRoleArn(roleArn);
        request.setRoleSessionName(roleSessionName);
        request.setPolicy(policy);
        // Initiate the request and return the response. A ClientException propagates to the caller.
        return client.getAcsResponse(request);
    }
}
```
Parameters

Parameter | Description |
---|---|
RoleArn | The Alibaba Cloud Resource Name (ARN) of the role that you want to assign to the RAM user. After you create a role for a RAM user, you can obtain the ARN of the role from the RAM console: In the left-side navigation pane, choose Roles. On the Roles page, click the name of the role. In the Basic Information section, view or copy the ARN. |
RoleSessionName | The custom name of the role session. Set this parameter based on your business requirements. In most cases, this parameter is set to the identity of the user who calls the operation, for example, the username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing. The value must be 2 to 64 characters in length and can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_). |
Policy | The policy that specifies the permissions that apply when the role is assumed. This parameter further limits the permissions of the role: the STS token is granted only the permissions that are allowed by both the role's own policies and this policy. |
DurationSeconds | The validity period of the temporary access credential. Valid values: 900 to 3600. Unit: seconds. |
accessKeyId and accessKeySecret | The AccessKey ID and AccessKey secret of the RAM user that assumes the role. |
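An added helper, written here in Python (one of the STS SDK languages listed above) and not part of this page or of the STS SDK, that checks the AssumeRole parameters against the limits in this table before the request is sent, builds a Policy scoped to named VOD actions instead of the sample's `vod:*`, and decides when a cached token is close enough to its Expiration to be refreshed. The account ID, role name, session name and action list are constructed placeholder values.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Limits taken from the Parameters table: RoleSessionName charset and length,
# DurationSeconds range, and the RoleArn shape acs:ram::<account-id>:role/<name>.
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9.@_-]{2,64}$")
ROLE_ARN_RE = re.compile(r"^acs:ram::\d+:role/[A-Za-z0-9._-]+$")
MIN_DURATION, MAX_DURATION = 900, 3600
EXPIRATION_FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC timestamp format of Credentials.Expiration

def build_vod_policy(actions, resources=("*",)):
    """Return the Policy JSON for AssumeRole, limited to explicitly named vod: actions
    instead of the sample's broad "vod:*" (least privilege for the temporary token)."""
    for action in actions:
        if not action.startswith("vod:"):
            raise ValueError(f"not an ApsaraVideo VOD action: {action}")
    statement = {"Action": list(actions), "Resource": list(resources), "Effect": "Allow"}
    return json.dumps({"Version": "1", "Statement": [statement]})

def build_assume_role_params(role_arn, session_name, policy, duration_seconds):
    """Validate the AssumeRole request parameters against the documented limits and
    return them as the dict that would be handed to the STS client."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError("RoleArn must look like acs:ram::<account-id>:role/<role-name>")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName: 2-64 letters, digits, '.', '@', '-' or '_'")
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}-{MAX_DURATION}")
    json.loads(policy)  # reject a malformed policy locally instead of at the STS endpoint
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "Policy": policy, "DurationSeconds": duration_seconds}

def needs_refresh(expiration, now=None, skew_seconds=300):
    """True when the token's Expiration (e.g. "2020-05-25T10:00:00Z") is within
    skew_seconds of now, so the server should call AssumeRole again before using it.
    'now' may be None (current UTC time) or a string in the same format, for testing."""
    exp = datetime.strptime(expiration, EXPIRATION_FMT).replace(tzinfo=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, EXPIRATION_FMT).replace(tzinfo=timezone.utc)
    return exp - now <= timedelta(seconds=skew_seconds)

if __name__ == "__main__":
    # Constructed placeholder values; the real RoleArn comes from the RAM console.
    policy = build_vod_policy(["vod:CreateUploadVideo", "vod:RefreshUploadVideo"])
    print(build_assume_role_params("acs:ram::1234567890123456:role/vodrole", "upload-api@app", policy, 900))
```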