Object Storage Service: Configure access credentials (iOS SDK)

Last Updated: Nov 29, 2025

To send requests using the OSS SDK for iOS, you must configure access credentials. Alibaba Cloud services use access credentials to verify your identity and access permissions. You can provide credentials in various ways based on your authentication and authorization requirements.

Prerequisites

Before you configure access credentials, you must install the OSS SDK for iOS. For more information, see Installation.

Initialize the credential provider

Select a credential provider

OSS supports multiple methods for initializing a credential provider. You can select a method based on the authentication and authorization requirements of your scenario.

| Initialization method | Scenario | AccessKey pair or STS token required beforehand | Underlying credential | Credential validity period | Credential rotation or refresh method |
| --- | --- | --- | --- | --- | --- |
| Method 1: Use an AccessKey pair | For applications that run in a secure environment and need long-term access to cloud services without frequent credential rotation. | Yes | Access key | Long-term | Manual rotation |
| Method 2: Use an STS token | For applications that run in an untrusted environment where you want to control the validity period and permissions of credentials. | Yes | STS token | Temporary | Custom |
| Method 3: Use CredentialsURI | For applications that need to obtain access credentials from an external system. | No | STS token | Temporary | Auto-refresh |

Method 1: Use an AccessKey pair

If your application requires long-term access to OSS, is deployed in a secure and stable environment, and cannot support frequent credential rotation, you can use an AccessKey pair from your Alibaba Cloud account or a Resource Access Management (RAM) user to initialize the credential provider. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. However, this method requires you to manually maintain an AccessKey pair, which increases security risks and maintenance complexity. For more information about how to obtain an AccessKey pair, see CreateAccessKey.

Warning

Sample code

NSString *ak = @"<ALIBABA_CLOUD_ACCESS_KEY_ID>";
NSString *sk = @"<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";

id<OSSCredentialProvider> credentialProvider = [[OSSPlainTextAKSKPairCredentialProvider alloc] initWithPlainTextAccessKey:ak secretKey:sk];

Method 2: Use an STS token

If your application requires temporary access to OSS and you want to implement fine-grained access control and adjust permissions in real time for improved security and flexibility, you can use temporary identity credentials from Security Token Service (STS) to initialize the credential provider. These credentials include an AccessKey ID, an AccessKey secret, and an STS token. However, this method requires you to manually maintain an STS token, which increases security risks and maintenance complexity. For more information about how to obtain an STS token, see AssumeRole.

You can specify an AccessKey pair and an STS token in your code to reference the credentials. The following examples show how to update the STS token.

Manually update the STS token

NSString *ak = @"<ALIBABA_CLOUD_ACCESS_KEY_ID>";
NSString *sk = @"<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";
NSString *token = @"<ALIBABA_CLOUD_SECURITY_TOKEN>";

id<OSSCredentialProvider> credentialProvider = [[OSSStsTokenCredentialProvider alloc] initWithAccessKeyId:ak
                                                                                              secretKeyId:sk
                                                                                            securityToken:token];

Automatically update the STS token

id<OSSCredentialProvider> credentialProvider = [[OSSFederationCredentialProvider alloc] initWithFederationTokenGetter:^OSSFederationToken * _Nullable{
    // Obtain the AccessKey ID, AccessKey secret, STS token, and expiration time.

    /* The following example shows how to obtain the AccessKey ID, AccessKey secret, STS token, and expiration time from an application server:
    // Construct a request to access your application server.
    NSURL * url = [NSURL URLWithString:@"http://localhost:8080/distribute-token.json"];
    // Use the request to set the parameters required by your server.
    NSURLRequest * request = [NSURLRequest requestWithURL:url];
    OSSTaskCompletionSource * tcs = [OSSTaskCompletionSource taskCompletionSource];
    NSURLSession * session = [NSURLSession sharedSession];
    // Send the request.
    NSURLSessionTask * sessionTask = [session dataTaskWithRequest:request
                                                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        if (error) {
            [tcs setError:error];
            return;
        }
        [tcs setResult:data];
    }];
    [sessionTask resume];
    // Block the thread and wait for the response.
    [tcs.task waitUntilFinished];
    // Parse the result.
    if (tcs.task.error) {
        NSLog(@"get token error: %@", tcs.task.error);
        return nil;
    } else {
        // The returned data is in JSON format. Parse the data to obtain the fields of the token.
        NSDictionary * object = [NSJSONSerialization JSONObjectWithData:tcs.task.result
                                                                options:kNilOptions
                                                                  error:nil];
        NSString *ak = [object objectForKey:@"AccessKeyId"];
        NSString *sk = [object objectForKey:@"AccessKeySecret"];
        NSString *token = [object objectForKey:@"SecurityToken"];
        NSString *expiration = [object objectForKey:@"Expiration"];
     
        OSSFederationToken * federationToken = [OSSFederationToken new];
        federationToken.tAccessKey = ak;
        federationToken.tSecretKey = sk;
        federationToken.tToken = token;
        federationToken.expirationTimeInGMTFormat = expiration;
        NSLog(@"get token: %@", federationToken);
        return federationToken;
    }
    */

    NSString *ak = @"<ALIBABA_CLOUD_ACCESS_KEY_ID>";
    NSString *sk = @"<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";
    NSString *token = @"<ALIBABA_CLOUD_SECURITY_TOKEN>";
    NSString *expiration = @"<EXPIRATION>";

    OSSFederationToken * federationToken = [OSSFederationToken new];
    federationToken.tAccessKey = ak;
    federationToken.tSecretKey = sk;
    federationToken.tToken = token;
    federationToken.expirationTimeInGMTFormat = expiration;

    return federationToken;
}];
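
The commented-out application-server sample above builds the token from whatever the server returns. The following added example (not part of the original page or the SDK) validates the reply before an OSSFederationToken is created. `TokenFromServerReply` is a hypothetical helper name, and the HTTPS requirement, the 60-second expiry margin, and the header import path are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <AliyunOSSiOS/OSSService.h> // assumed SDK header; use the import from your installation

// Hypothetical helper, not an SDK API: returns a token only when the reply
// passes every check, otherwise nil so the getter reports failure.
static OSSFederationToken * _Nullable TokenFromServerReply(NSData * _Nullable data,
                                                           NSURLResponse * _Nullable response) {
    // Credentials must arrive over TLS with HTTP status 200.
    if (![response isKindOfClass:[NSHTTPURLResponse class]]) {
        return nil;
    }
    NSHTTPURLResponse *http = (NSHTTPURLResponse *)response;
    if (![[http.URL.scheme lowercaseString] isEqualToString:@"https"] ||
        http.statusCode != 200 || data.length == 0) {
        return nil;
    }
    // Surface JSON errors instead of passing error:nil.
    NSError *jsonError = nil;
    id object = [NSJSONSerialization JSONObjectWithData:data options:kNilOptions error:&jsonError];
    if (object == nil || ![object isKindOfClass:[NSDictionary class]]) {
        NSLog(@"token reply rejected: %@", jsonError);
        return nil;
    }
    NSDictionary *fields = (NSDictionary *)object;
    // Every credential field must be a non-empty string (guards against NSNull).
    for (NSString *key in @[@"AccessKeyId", @"AccessKeySecret", @"SecurityToken", @"Expiration"]) {
        id value = fields[key];
        if (![value isKindOfClass:[NSString class]] || [(NSString *)value length] == 0) {
            NSLog(@"token reply rejected: bad field %@", key);
            return nil;
        }
    }
    // Expiration uses the form shown on this page, e.g. 2015-11-03T09:52:59Z.
    NSDate *expires = [[NSISO8601DateFormatter new] dateFromString:fields[@"Expiration"]];
    if (expires == nil || [expires timeIntervalSinceNow] < 60.0) { // 60 s margin is an assumption
        NSLog(@"token reply rejected: expired or unparsable Expiration");
        return nil;
    }
    OSSFederationToken *token = [OSSFederationToken new];
    token.tAccessKey = fields[@"AccessKeyId"];
    token.tSecretKey = fields[@"AccessKeySecret"];
    token.tToken = fields[@"SecurityToken"];
    token.expirationTimeInGMTFormat = fields[@"Expiration"];
    return token; // never log the token itself
}
```

To use it, capture both `data` and `response` in the completion handler and return `TokenFromServerReply(data, response)` from the federation token getter. A plain-HTTP development endpoint fails the scheme check by design.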

Method 3: Use CredentialsURI

If your application needs to obtain and automatically refresh Alibaba Cloud credentials from an external system or a custom configuration for flexible credential management and keyless access, you can use CredentialsURI to initialize the credential provider. This method uses an STS token as the underlying credential. The Credentials tool obtains the STS token from the URI that you provide to initialize the client. This method does not require you to provide an AccessKey pair or an STS token, which eliminates the risks of manual maintenance.

  1. To allow the Credentials tool to correctly parse and use the STS token, the URI must return a response that follows this protocol:

    • Response status code: 200

    • Response body structure:

      {
        "StatusCode":200,
        "AccessKeyId":"AccessKeyId",
        "AccessKeySecret":"AccessKeySecret",
        "Expiration":"2015-11-03T09:52:59Z",
        "SecurityToken":"SecurityToken"
      }                    
  2. Configure the URI credential as the access credential.

    NSString *authServerUrl = @"<authServerUrl>";
    id<OSSCredentialProvider> credentialProvider = [[OSSAuthCredentialProvider alloc] initWithAuthServerUrl:authServerUrl];
  3. If the data is encrypted, use the following method to decrypt it.

    NSString *authServerUrl = @"<authServerUrl>";
    id<OSSCredentialProvider> credentialProvider = [[OSSAuthCredentialProvider alloc] initWithAuthServerUrl:authServerUrl responseDecoder:^NSData * _Nullable(NSData * _Nonnull data) {
        NSData *result = nil;
        // Decrypt the data.
        // result = ...
        return result;
    }];