Security Token Service (STS) can be used to grant temporary access permissions to prevent security risks caused by leaks of RAM user passwords. This topic describes how to create RAM users and RAM roles, and how to use STS to grant temporary access permissions.
Prerequisites
An Alibaba Cloud account is created and real-name verification is complete. To create an Alibaba Cloud account, visit the Alibaba Cloud official website. For more information about how to create an Alibaba Cloud account, see Create an Alibaba Cloud account.
Background information
Permissions granted to RAM users through long-lived AccessKey pairs remain valid until the AccessKey pair is disabled or deleted, which may lead to security risks if the pair leaks. For security purposes, we recommend that you generate STS temporary AccessKey pairs with custom validity periods, and attach fine-grained policies that grant only the minimum permissions required.
Procedure
- Create a RAM user that will assume a RAM role. For more information, see Create a RAM user.
- Attach the AliyunSTSAssumeRoleAccess policy, which allows users to call the AssumeRole operation of STS, to the RAM user. For more information, see Authorize the RAM user to call AssumeRole.
- Create a RAM role. For more information, see Create a RAM role.
- Attach the AliyunVODFullAccess policy to the RAM role. For more information, see Authorize the RAM role to manage ApsaraVideo VOD resources.
- Specify the RAM user to assume the RAM role, obtain an STS token, and use the token to access ApsaraVideo VOD resources. For more information, see Access ApsaraVideo VOD by using STS.
Create a RAM user
- We recommend that you set Logon Name to vod in Step 4. In this topic, vod is used as an example.
- We recommend that you set Access Mode to OpenAPI Access in Step 5.
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose Identities > Users.
- On the Users page, click Create User.
- In the User Account Information section of the Create User page, configure the following parameters:
- Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
- Display Name: The display name can be up to 128 characters in length.
- Optional: Tag: Click the add icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
Note You can click Add User to create multiple RAM users at a time.
- In the Access Mode section, select an access mode and configure the required parameters.
To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.
- Console Access
If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:
- Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
- Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
- Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Enable an MFA device for a RAM user.
- OpenAPI Access
If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.
- Click OK.
Authorize the RAM user to call AssumeRole
- Log on to the RAM console and choose Identities > Users. On the page that appears, find the RAM user that you created (vod) and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user.
Note Attach the AliyunSTSAssumeRoleAccess policy to the vod user. This allows the user to call the AssumeRole operation. You can enter AliyunSTSAssumeRoleAccess in the search box to search for the system policy.
- Click OK.
- Click Complete.
Create a RAM role
- Log on to the RAM console by using your Alibaba Cloud account.
- In the left-side navigation pane, choose Identities > Roles.
- On the Roles page, click Create Role.
- In the Create Role panel, select Alibaba Cloud Account for the Select Trusted Entity parameter and click Next.
- Configure the parameters for the RAM role, such as RAM Role Name. In this topic, the role is named vodrole.
- Click OK.
- Click Close.
Authorize the RAM role to manage ApsaraVideo VOD resources
- Log on to the RAM console and choose Identities > Roles. On the page that appears, find the RAM role that you created (vodrole) and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM role.
Note
- To improve security, we recommend that you grant only the minimum required permissions to RAM roles.
- If you want vodrole to access and manage all ApsaraVideo VOD resources, attach the AliyunVODFullAccess policy to the vodrole role. You can enter AliyunVODFullAccess in the search box to search for the system policy. This policy allows vodrole to perform all operations on all ApsaraVideo VOD resources. If the program only needs a subset of operations, such as creating uploads, attach a custom policy instead, or narrow the permissions of each STS token by using the Policy parameter of the AssumeRole operation. The permissions of an STS token are the intersection of the policies attached to the role and the Policy parameter. For more information about definitions and permissions of system policies in ApsaraVideo VOD, see Overview.
After permissions are granted, a record is generated.
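The note above attaches AliyunVODFullAccess to vodrole, which is the full set of ApsaraVideo VOD permissions. The second place to narrow a token is the Policy parameter of AssumeRole: STS issues credentials whose permissions are the intersection of the role's attached policies and the session policy, so a session policy can remove permissions but never add any. The following Python script is an added example, not code from this page or from Alibaba Cloud. It models that intersection with a deliberately small evaluator (Allow and Deny statements, wildcard Action matching, Resource "*") over constructed policies named ROLE_POLICY, UPLOAD_ONLY_POLICY, ESCAPE_ATTEMPT_POLICY and DENY_DELETE_POLICY; the evaluator illustrates the rule and is not the RAM policy engine, and the action names other than vod:CreateUploadVideo (which the Java sample on this page calls) are used here only as illustrative action names.

```python
"""Least-privilege session policies for STS AssumeRole, modelled offline.

Added example, not code from the original page or from Alibaba Cloud. The
evaluator is a small model of RAM policy logic used to show why the Policy
parameter of AssumeRole narrows, but never widens, the role's permissions.
"""
import fnmatch

# Constructed: what the page attaches to vodrole (AliyunVODFullAccess-like).
ROLE_POLICY = {"Version": "1", "Statement": [
    {"Action": "vod:*", "Resource": "*", "Effect": "Allow"}]}

# Constructed: session policy passed as the Policy parameter of AssumeRole,
# limiting the token to the two upload operations an uploader needs.
UPLOAD_ONLY_POLICY = {"Version": "1", "Statement": [
    {"Action": ["vod:CreateUploadVideo", "vod:RefreshUploadVideo"],
     "Resource": "*", "Effect": "Allow"}]}

# Constructed: an over-broad session policy that tries to reach beyond the role.
ESCAPE_ATTEMPT_POLICY = {"Version": "1", "Statement": [
    {"Action": ["vod:*", "oss:*"], "Resource": "*", "Effect": "Allow"}]}

# Constructed: keep the role's scope but explicitly deny destructive actions.
DENY_DELETE_POLICY = {"Version": "1", "Statement": [
    {"Action": "vod:*", "Resource": "*", "Effect": "Allow"},
    {"Action": "vod:Delete*", "Resource": "*", "Effect": "Deny"}]}


def _as_list(value):
    """RAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource="*"):
    """Evaluate one policy: an explicit Deny wins, then any matching Allow,
    otherwise the request is denied by default."""
    allowed = False
    for statement in policy["Statement"]:
        actions = _as_list(statement["Action"])
        resources = _as_list(statement.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def session_allows(role_policy, session_policy, action, resource="*"):
    """Effective permission of an STS token: the role's policies AND the
    session policy must both allow the action."""
    return (policy_allows(role_policy, action, resource)
            and policy_allows(session_policy, action, resource))


if __name__ == "__main__":
    checks = [
        ("upload-only token creates upload", UPLOAD_ONLY_POLICY, "vod:CreateUploadVideo"),
        ("upload-only token deletes video", UPLOAD_ONLY_POLICY, "vod:DeleteVideo"),
        ("escape attempt reaches OSS", ESCAPE_ATTEMPT_POLICY, "oss:PutObject"),
        ("deny-delete token reads info", DENY_DELETE_POLICY, "vod:GetVideoInfo"),
        ("deny-delete token deletes video", DENY_DELETE_POLICY, "vod:DeleteVideo"),
    ]
    for label, session, action in checks:
        print(f"{label:40s} -> {session_allows(ROLE_POLICY, session, action)}")
```

The session policy is what the Java sample on this page passes to request.setPolicy; replacing its "vod:*" with the two upload actions in UPLOAD_ONLY_POLICY gives an upload service a token that cannot delete or modify existing videos even though vodrole itself can.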
Access ApsaraVideo VOD by using STS
Use the RAM user to call the AssumeRole operation to obtain an STS token. Then, you can use the STS token to call API operations in ApsaraVideo VOD.
To avoid implementing the request signature yourself, we recommend that you integrate the STS SDK and call the AssumeRole operation to obtain a temporary STS token.
The following sample code provides an example on how to obtain an STS token in Java. For more information about sample code in other languages, see STS SDK overview.
Sample code in Java
package pop;

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
import com.aliyuncs.vod.model.v20170321.CreateUploadVideoRequest;
import com.aliyuncs.vod.model.v20170321.CreateUploadVideoResponse;

/**
 * Assumes a RAM role with the AccessKey pair of a RAM user, then uses the
 * temporary STS credentials to call CreateUploadVideo in ApsaraVideo VOD.
 */
public class TestStsService {
    public static void main(String[] args) {
        // Only a RAM user can call the AssumeRole operation.
        // AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
        // Create a RAM user in the RAM console and create an AccessKey pair for the RAM user.
        // Read the long-lived AccessKey pair from the environment instead of hard-coding it in source.
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Request parameters for the AssumeRole operation include RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // You must obtain the value of RoleArn in the RAM console. Format: acs:ram::<account-id>:role/<role-name>.
        String roleArn = "<role-arn>";
        // RoleSessionName identifies this session in audit records. Use a value that identifies the caller,
        // for example an end-user ID or host name, rather than a fixed string.
        String roleSessionName = "session-name";
        // Session policy. The permissions of the token are the intersection of this policy and the
        // policies attached to the role. vod:* on all resources is the widest scope the role allows;
        // narrow it to the actions the program actually needs, for example vod:CreateUploadVideo.
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"vod:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            AssumeRoleResponse.Credentials credentials = response.getCredentials();
            System.out.println("Expiration: " + credentials.getExpiration());
            System.out.println("RequestId: " + response.getRequestId());
            // Do not log the temporary AccessKey secret or the security token. They are credentials;
            // pass them directly to the VOD client and discard them when the session expires.
            createUploadVideo(credentials.getAccessKeyId(), credentials.getAccessKeySecret(),
                    credentials.getSecurityToken());
        } catch (ClientException e) {
            System.out.println("Failed to get a token.");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
        }
    }

    static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn,
                                         String roleSessionName, String policy) throws ClientException {
        // Construct a default profile. If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter
        // is optional and can be left empty. Otherwise, you must set regionId to the region in which you
        // use STS, for example cn-shanghai. For more information, see the STS endpoints in different regions.
        IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
        // Use the profile to construct a client.
        DefaultAcsClient client = new DefaultAcsClient(profile);
        // Create an AssumeRole request and configure the request parameters.
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setSysEndpoint("sts.aliyuncs.com");
        request.setSysMethod(MethodType.POST);
        request.setRoleArn(roleArn);
        request.setRoleSessionName(roleSessionName);
        request.setPolicy(policy);
        // Validity period of the token in seconds. The default is 3600; keep it as short as the workload
        // allows so that a leaked token is useful to an attacker for as little time as possible.
        request.setDurationSeconds(3600L);
        // Initiate the request and return the response. ClientException propagates to the caller.
        return client.getAcsResponse(request);
    }

    static void createUploadVideo(String accessKeyId, String accessKeySecret, String token) {
        // Specify the region of ApsaraVideo VOD. For example, if the service region is Shanghai, set regionId to cn-shanghai.
        String regionId = "cn-shanghai";
        // Build the VOD client from the temporary AccessKey pair, not from the RAM user's long-lived pair.
        IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
        DefaultAcsClient client = new DefaultAcsClient(profile);
        CreateUploadVideoRequest request = new CreateUploadVideoRequest();
        // The security token must accompany every request that is signed with STS credentials.
        request.setSecurityToken(token);
        request.setTitle("t5");
        request.setFileName("D:\\TestVideo\\t4.mp4");
        request.setFileSize(10240L);
        try {
            CreateUploadVideoResponse response = client.getAcsResponse(request);
            System.out.println("CreateUploadVideoRequest, " + request.getUrl());
            System.out.println("CreateUploadVideoRequest, requestId:" + response.getRequestId());
            System.out.println("UploadAddress, " + response.getUploadAddress());
            System.out.println("UploadAuth, " + response.getUploadAuth());
            System.out.println("VideoId, " + response.getVideoId());
        } catch (ClientException e) {
            System.out.println("action, error:" + e);
            e.printStackTrace();
        }
    }
}
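The Java sample above obtains one token and uses it once. A service that keeps uploading has to reuse the token across calls and replace it before Expiration, otherwise VOD requests start failing as soon as the session expires. The following Python class is an added example, not code from this page or from the Alibaba Cloud SDK: it caches the Credentials returned by AssumeRole (AccessKeyId, AccessKeySecret, SecurityToken and the ISO 8601 UTC Expiration that STS returns) and refreshes them a configurable margin before Expiration. The AssumeRole call is injected as a callable so that the demo runs offline against a constructed fake STS and a fake clock; in production the callable wraps the SDK request shown on this page. The names StsCredentials, StsCredentialCache, make_fake_sts and simulate are this example's own.

```python
"""Expiry-aware cache for STS temporary credentials.

Added example, not code from the original page or from the Alibaba Cloud SDK.
The AssumeRole call is an injected callable returning the Credentials dict of
an AssumeRole response, so the module runs offline; the fake STS and fake
clock below are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # e.g. 2020-05-25T13:00:00Z, as returned by STS


@dataclass(frozen=True)
class StsCredentials:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # timezone-aware UTC

    @classmethod
    def from_response(cls, creds):
        """Build from the Credentials part of an AssumeRole response."""
        expiration = datetime.strptime(creds["Expiration"], EXPIRATION_FORMAT)
        return cls(creds["AccessKeyId"], creds["AccessKeySecret"],
                   creds["SecurityToken"], expiration.replace(tzinfo=timezone.utc))


class StsCredentialCache:
    """Reuse one STS token until it nears Expiration, then call AssumeRole again.

    assume_role: callable returning the Credentials dict (an SDK wrapper in production).
    margin: refresh this long before Expiration so requests in flight never carry an expired token.
    now: clock returning an aware UTC datetime; injectable for testing.
    """

    def __init__(self, assume_role, margin=timedelta(minutes=5), now=None):
        self._assume_role = assume_role
        self._margin = margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._current = None
        self.refresh_count = 0

    def get(self):
        """Return valid credentials, refreshing if none are cached or expiry is within the margin."""
        if self._current is None or self._now() + self._margin >= self._current.expiration:
            self._current = StsCredentials.from_response(self._assume_role())
            self.refresh_count += 1
        return self._current


def make_fake_sts(clock):
    """Constructed stand-in for AssumeRole: issues numbered one-hour tokens."""
    counter = {"n": 0}

    def assume_role():
        counter["n"] += 1
        expiration = clock() + timedelta(hours=1)
        return {"AccessKeyId": f"STS.fake{counter['n']}",
                "AccessKeySecret": "fake-secret",
                "SecurityToken": "fake-token",
                "Expiration": expiration.strftime(EXPIRATION_FORMAT)}

    return assume_role


def simulate():
    """Drive the cache with a fake clock; return (refreshes, reused_at_30min, rotated_at_56min)."""
    state = {"now": datetime(2020, 5, 25, 12, 0, tzinfo=timezone.utc)}
    clock = lambda: state["now"]
    cache = StsCredentialCache(make_fake_sts(clock), now=clock)
    first = cache.get().access_key_id           # first call: AssumeRole, token valid until 13:00
    state["now"] += timedelta(minutes=30)
    reused = cache.get().access_key_id == first  # 12:30: well before expiry, token reused
    state["now"] += timedelta(minutes=26)
    rotated = cache.get().access_key_id != first  # 12:56: inside the 5-minute margin, refreshed early
    return cache.refresh_count, reused, rotated


if __name__ == "__main__":
    print(simulate())
```

Keep the cached secret and token in memory only; they replace the RAM user's long-lived AccessKey pair in the VOD client, and the long-lived pair is needed solely by the injected AssumeRole callable.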