Before you upload media files from a client to Object Storage Service (OSS) buckets allocated by ApsaraVideo VOD, you must obtain a temporary Security Token Service (STS) token. This topic describes how to obtain an STS token. This prepares you for the initialization of an upload instance when you use the client upload SDK to upload files.
Background information
Client upload SDKs support the following authorization methods:
Use an upload URL and credential.
Use an STS token.
STS is a common authentication method used by Alibaba Cloud. A client SDK for uploading media files by using STS tokens encapsulates all the upload logic. You need to only focus on the configurations for obtaining the STS token, updating the STS token when it expires, and setting the callback for upload completion. For more information about whether to upload media files by using upload URLs and credentials or STS tokens, see Comparison between credentials and STS. For more information about how to upload media files by using upload URLs and credentials, see Obtain upload URLs and credentials.
Upload process
- A user deploys an authorization service on an application server, such as ApsaraVideo VOD sever operation SDK, to obtain temporary STS tokens.
- A client sends a request to the application server to request an STS token.
- The application server sends a request to STS to request the STS token.
- STS returns the STS token.
- The application server returns the STS token to the client.
- The client uses the STS token to initialize an upload instance.
- The client constructs upload parameters to send an upload request.
- OSS returns the upload result. Note You can also set callbacks in advance to receive notifications about upload events.
Obtain an STS token
We recommend that you integrate the STS SDK and call AssumeRole to obtain the STS token. This frees you from complex signature calculations. Before you integrate the STS SDK, you must create a RAM user and assign a role that has the permissions to access ApsaraVideo VOD to the RAM user.
Create a RAM user. For more information, see Use STS to upload videos.
Optional. Attach custom authorization policies to the RAM user. For more information, see Create a custom policy.
Integrate the STS SDK and call the AssumeRole operation to obtain an STS token. The substeps of this step vary based on the programming language of the server.
Programming language of the server
References
Java
NoteThe following section provides sample code in Java.
Python
PHP
.NET
Node.js
Go
Sample code in Java
Sample Java code on how to obtain an STS token
The following sample code describes how to obtain an STS token by using the STS SDK V3.1.1. For more information about how to integrate other versions of the STS SDK, see STS SDK overview.
Integrate the STS SDK.
Call the AssumeRole operation to obtain an STS token.
Parameter
Description
RoleArn
The Alibaba Cloud Resource Name (ARN) of the role that you want to assign to the RAM user. After you create a role for a RAM user, you can obtain the ARN of the role from the RAM console: In the left-side navigation pane, choose
. On the Roles page, click the name of the role. In the Basic Information section, copy the ARN.RoleSessionName
The name of the role session. Set this parameter based on your business requirements. In most cases, you can set this parameter to the identity of the API caller. For example, you can specify a username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing. The value must be 2 to 64 characters in length, and can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_).
Policy
The permissions added when a role is assumed.
NoteThe Policy parameter is used to control the permissions of the temporary access credentials after the user assumes a role. The final permissions obtained by the temporary access credentials are an intersection of the permissions of the role and the permissions specified by the Policy parameter.
The Policy parameter is passed in to improve flexibility. For example, you can set this parameter to specify that only the CreateUploadVideo operation can be called.
DurationSeconds
The validity period of the temporary access credentials. Valid values: 900 to 3600. Unit: seconds.
accessKeyId and accessKeySecret
The AccessKey ID and AccessKey secret of the RAM user that assumes the role.
Use STS tokens to upload media files
Each media file requires an STS token. Therefore, you must obtain the STS token from the AppServer and specify the STS token for the upload instance in the onUploadStarted callback. The specific settings vary based on different clients.
Client | References |
Web | |
Android | |
iOS | |
WeChat mini program |