How do I configure access credentials for OSS SDK for iOS?

Updated at: 2024-08-19 03:47
Important: This topic contains important information on necessary precautions. We recommend that you read this topic carefully before proceeding.

To use Object Storage Service (OSS) SDK for iOS to initiate a request, you must configure access credentials. Alibaba Cloud services use access credentials to verify identity information and access permissions. You can select different types of access credentials based on your authentication and authorization requirements.

Prerequisites

OSS SDK for iOS is installed. For more information, see Installation.

Select an initialization method

Select a credential provider

OSS supports multiple methods to initialize a credential provider. You can select a suitable method based on the authentication and authorization requirements of your actual scenario.

Each method is described by the same six attributes: initialization method, scenario, whether an AccessKey pair or security token must be supplied by the app, underlying logic, credential validity period, and credential rotation or refresh method.

Method 1: Use an AccessKey pair
  Scenario: Applications are deployed and run in a secure and stable environment that is not vulnerable to external attacks and need to access cloud services for a long period of time without frequent credential rotation.
  AccessKey pair or security token required: Yes
  Underlying logic: AccessKey pair
  Credential validity period: Long-term
  Credential rotation or refresh method: Manual rotation

Method 2: Use a security token
  Scenario: Applications are deployed and run in an untrusted environment, in which case you want to manage the credential validity period and the resources that can be accessed.
  AccessKey pair or security token required: Yes
  Underlying logic: Security token
  Credential validity period: Temporary
  Credential rotation or refresh method: Custom (you refresh the token yourself, or supply a getter that the SDK calls)

Method 3: Use CredentialsURI
  Scenario: Applications require access credentials from external systems.
  AccessKey pair or security token required: No
  Underlying logic: Security token
  Credential validity period: Temporary
  Credential rotation or refresh method: Automatic refresh

Method 1: Use an AccessKey pair

If your application is deployed in a secure and stable environment that is not vulnerable to external attacks and requires long-term access to OSS, you can use an AccessKey pair of your Alibaba Cloud account or a RAM user to initialize a credential provider. The AccessKey pair consists of an AccessKey ID and an AccessKey secret. Take note that this method requires you to manually maintain an AccessKey pair, which poses security risks and increases maintenance complexity. An app bundle installed on end-user devices is not such an environment: any credential compiled into it can be recovered from the binary, so for a shipped iOS app prefer Method 2 or Method 3, and if you do use this method, use a RAM user with the minimum permissions required rather than an Alibaba Cloud account. For more information about how to obtain an AccessKey pair, see CreateAccessKey.


Sample code

// Placeholders only. Long-term keys must not be hardcoded in an app that
// is distributed to users; they are shown here to illustrate the API.
NSString *ak = @"<ALIBABA_CLOUD_ACCESS_KEY_ID>";
NSString *sk = @"<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";

id<OSSCredentialProvider> credentialProvider = [[OSSPlainTextAKSKPairCredentialProvider alloc] initWithPlainTextAccessKey:ak secretKey:sk];

Method 2: Use a security token

If your application needs to access OSS temporarily and manage access control in a fine-grained manner in real time to improve data security and flexibility, you can use temporary access credentials obtained from Security Token Service (STS) to initialize a credential provider. Temporary credentials consist of an AccessKey pair and a security token and expire after the validity period you request. Take note that if you set the credentials on the provider yourself, you must also replace them before they expire, which poses security risks and increases maintenance complexity. For more information about how to obtain a security token, see AssumeRole.

The credentials must be passed to the provider in code; iOS apps have no environment variables to read them from. The following sample code shows the two ways to do this: set a fixed token on the provider (you replace the provider when the token expires), or supply a getter block that the SDK calls to fetch a fresh token from your application server.

Manually update the security token

NSString *ak = @"<ALIBABA_CLOUD_ACCESS_KEY_ID>";
NSString *sk = @"<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";
NSString *token = @"<ALIBABA_CLOUD_SECURITY_TOKEN>";

// The credentials are fixed for the lifetime of this provider. When the
// token expires, create a new provider (and a new OSSClient) with fresh values.
id<OSSCredentialProvider> credentialProvider = [[OSSStsTokenCredentialProvider alloc] initWithAccessKeyId:ak
                                                                                              secretKeyId:sk
                                                                                            securityToken:token];

Automatically update the security token

// The SDK calls this getter when it has no cached token or the cached token
// has expired, so only your application server needs to hold long-term keys.
id<OSSCredentialProvider> credentialProvider = [[OSSFederationCredentialProvider alloc] initWithFederationTokenGetter:^OSSFederationToken * _Nullable{
    // Obtain an AccessKey pair, a security token, and the validity period of these credentials.

    /* In this example, the AccessKey pair, security token, and the validity period of these credentials are obtained from the application server.
    // Create a request to access your application server. localhost over plain
    // HTTP is for this sample only; in production use HTTPS and have the server
    // authenticate the caller before it returns a token.
    NSURL * url = [NSURL URLWithString:@"http://localhost:8080/distribute-token.json"];
    // Use a request to specify the parameters required by your application server. 
    NSURLRequest * request = [NSURLRequest requestWithURL:url];
    OSSTaskCompletionSource * tcs = [OSSTaskCompletionSource taskCompletionSource];
    NSURLSession * session = [NSURLSession sharedSession];
    // Send the request. 
    NSURLSessionTask * sessionTask = [session dataTaskWithRequest:request
                                                completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        if (error) {
            [tcs setError:error];
            return;
        }
        [tcs setResult:data];
    }];
    [sessionTask resume];
    // Wait until the response to the request is returned. 
    [tcs.task waitUntilFinished];
    // Parse the returned results. 
    if (tcs.task.error) {
        NSLog(@"get token error: %@", tcs.task.error);
        return nil;
    } else {
        // The returned data is in the JSON format. Parse the data to obtain the values of the fields of the token. 
        NSDictionary * object = [NSJSONSerialization JSONObjectWithData:tcs.task.result
                                                                options:kNilOptions
                                                                  error:nil];
        NSString *ak = [object objectForKey:@"AccessKeyId"];
        NSString *sk = [object objectForKey:@"AccessKeySecret"];
        NSString *token = [object objectForKey:@"SecurityToken"];
        NSString *expiration = [object objectForKey:@"Expiration"];
     
        OSSFederationToken * federationToken = [OSSFederationToken new];
        federationToken.tAccessKey = ak;
        federationToken.tSecretKey = sk;
        federationToken.tToken = token;
        federationToken.expirationTimeInGMTFormat = expiration;
        NSLog(@"get token: %@", federationToken);
        return federationToken;
    }
    */

    NSString *ak = @"<ALIBABA_CLOUD_ACCESS_KEY_ID>";
    NSString *sk = @"<ALIBABA_CLOUD_ACCESS_KEY_SECRET>";
    NSString *token = @"<ALIBABA_CLOUD_SECURITY_TOKEN>";
    NSString *expiration = @"<EXPIRATION>";

    OSSFederationToken * federationToken = [OSSFederationToken new];
    federationToken.tAccessKey = ak;
    federationToken.tSecretKey = sk;
    federationToken.tToken = token;
    federationToken.expirationTimeInGMTFormat = expiration;

    return federationToken;
}];

Method 3: Use CredentialsURI

If your application needs to obtain Alibaba Cloud credentials from an external system to implement flexible credential management and keyless access, you can use CredentialsURI to initialize a credential provider. Under the hood this method still uses a security token obtained from STS: OSSAuthCredentialProvider requests the token from the URI that you specify when you initialize the OSSClient instance and refreshes it automatically when it expires. No AccessKey pair or security token is stored in the app, which eliminates the risks that arise when you maintain them manually. The endpoint behind the URI holds the credentials that call STS, so it must be protected: serve it over HTTPS, authenticate the calling app or user before issuing a token, and scope each token to the resources that caller needs.

  1. To allow the credential provider to correctly parse and use a security token, the URI must comply with the following response protocol:

    • Response status code: 200

    • Response body structure (Expiration is a UTC timestamp in ISO 8601 format):

      {
        "StatusCode":200,
        "AccessKeyId":"AccessKeyId",
        "AccessKeySecret":"AccessKeySecret",
        "Expiration":"2015-11-03T09:52:59Z",
        "SecurityToken":"SecurityToken"
      }
  2. Configure the URI as the access credential.

    NSString *authServerUrl = @"<authServerUrl>";
    id<OSSCredentialProvider> credentialProvider = [[OSSAuthCredentialProvider alloc] initWithAuthServerUrl:authServerUrl];
  3. If the endpoint returns an encrypted or encoded body, supply a responseDecoder block that converts the raw response into the plaintext JSON shown in step 1:

    NSString *authServerUrl = @"<authServerUrl>";
    id<OSSCredentialProvider> credentialProvider = [[OSSAuthCredentialProvider alloc] initWithAuthServerUrl:authServerUrl responseDecoder:^NSData * _Nullable(NSData * _Nonnull data) {
        NSData *result = nil;
        // Decrypt the data and return the plaintext JSON; return nil on failure
        // so that no half-parsed credentials are used.
        // result = ...
        return result;
    }];
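The server side of this protocol (the application server at the URI, the same role the `/distribute-token.json` endpoint plays in the Method 2 sample) is not shown in this topic. The following is an added example in Python, not code from the OSS SDK or from this page, of such a handler: it assumes a RAM role that only the app server is allowed to assume, narrows each token with a session policy to the calling user's own key prefix, and returns exactly the body documented in step 1. The bucket name, the `users/<user_id>` prefix, the 900-second duration, the region, and the `distribute_token` / `assume_role` names are assumptions. The real STS call in `assume_role_with_sdk` uses the aliyun-python-sdk-sts package and is kept behind an injected callable so the rest of the block runs offline against a constructed sample response.

```python
import json
from datetime import datetime, timezone

# Constructed sample of an STS AssumeRole response body (the shape STS
# returns); the values are placeholders, not real credentials.
SAMPLE_STS_RESULT = {
    "RequestId": "constructed-request-id",
    "Credentials": {
        "AccessKeyId": "STS.constructedAccessKeyId",
        "AccessKeySecret": "constructedAccessKeySecret",
        "SecurityToken": "constructedSecurityToken",
        "Expiration": "2015-11-03T09:52:59Z",
    },
}

REQUIRED_FIELDS = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")
EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # UTC, as in the documented body


def session_policy(bucket, prefix):
    """RAM policy passed as the AssumeRole Policy parameter.

    A session policy can only narrow the role's own permissions, so even a
    leaked token is limited to this bucket and key prefix for its lifetime.
    """
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["oss:PutObject", "oss:GetObject"],
            "Resource": [f"acs:oss:*:*:{bucket}/{prefix}/*"],
        }],
    }


def credentials_response(sts_result):
    """Map an AssumeRole result onto the body the SDK expects from the URI."""
    creds = sts_result.get("Credentials") or {}
    missing = [f for f in REQUIRED_FIELDS if not creds.get(f)]
    if missing:
        raise ValueError(f"STS result is missing {missing}")
    # Reject anything that is not the UTC timestamp format the SDK parses.
    datetime.strptime(creds["Expiration"], EXPIRATION_FORMAT)
    return {
        "StatusCode": 200,
        "AccessKeyId": creds["AccessKeyId"],
        "AccessKeySecret": creds["AccessKeySecret"],
        "Expiration": creds["Expiration"],
        "SecurityToken": creds["SecurityToken"],
    }


def seconds_until_expiry(response_body, now=None):
    """Remaining lifetime of a returned token; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    exp = datetime.strptime(response_body["Expiration"], EXPIRATION_FORMAT)
    return int((exp.replace(tzinfo=timezone.utc) - now).total_seconds())


def assume_role_with_sdk(access_key_id, access_key_secret, role_arn,
                         session_name, policy, duration_seconds=900):
    """Real STS call through aliyun-python-sdk-sts (assumed installed in production)."""
    from aliyunsdkcore.client import AcsClient
    from aliyunsdksts.request.v20150401.AssumeRoleRequest import AssumeRoleRequest
    client = AcsClient(access_key_id, access_key_secret, "cn-hangzhou")  # region assumed
    request = AssumeRoleRequest()
    request.set_RoleArn(role_arn)
    request.set_RoleSessionName(session_name)
    request.set_Policy(json.dumps(policy))
    request.set_DurationSeconds(duration_seconds)
    return json.loads(client.do_action_with_exception(request))


def distribute_token(user_id, bucket, assume_role):
    """Handler body for the token endpoint, after the caller has been authenticated.

    assume_role(session_name, policy) is injected so the handler can be
    exercised offline; in production it wraps assume_role_with_sdk.
    Returns (HTTP status, body dict) in the documented format.
    """
    policy = session_policy(bucket, f"users/{user_id}")
    # The session name ties each STS request, and the OSS access log, to the app user.
    sts_result = assume_role(f"ios-{user_id}", policy)
    return 200, credentials_response(sts_result)


if __name__ == "__main__":
    status, body = distribute_token("alice", "example-bucket",
                                    lambda name, policy: SAMPLE_STS_RESULT)
    print(status, json.dumps(body))
```

Keep the duration short (STS allows as little as 900 seconds) and let the SDK's automatic refresh fetch new tokens; the exposure window of any token copied off a device is then bounded by both the policy and the expiry.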