ApsaraVideo VOD: Obtain an STS token

Last Updated: Dec 20, 2023

Before you upload media files from a client to Object Storage Service (OSS) buckets allocated by ApsaraVideo VOD, you must obtain a temporary Security Token Service (STS) token. This topic describes how to obtain an STS token. This prepares you for the initialization of an upload instance when you use the client upload SDK to upload files.

Background information

Client upload SDKs support the following authorization methods:

  • Use an upload URL and credential.

  • Use an STS token.

STS is a common authentication method used by Alibaba Cloud. A client SDK for uploading media files by using STS tokens encapsulates all the upload logic. You only need to focus on the configurations for obtaining the STS token, updating the STS token when it expires, and setting the callback for upload completion. For more information about whether to upload media files by using upload URLs and credentials or STS tokens, see Comparison between credentials and STS. For more information about how to upload media files by using upload URLs and credentials, see Obtain upload URLs and credentials.

Upload process

The following figure shows the complete process of uploading a media file by using an STS token.

[Figure: Process of uploading a media file by using an STS token]

  1. A user deploys an authorization service on an application server, such as the ApsaraVideo VOD server operation SDK, to obtain temporary STS tokens.
  2. A client sends a request to the application server to request an STS token.
  3. The application server sends a request to STS to request the STS token.
  4. STS returns the STS token.
  5. The application server returns the STS token to the client.
  6. The client uses the STS token to initialize an upload instance.
  7. The client constructs upload parameters to send an upload request.
  8. OSS returns the upload result.
    Note: You can also set callbacks in advance to receive notifications about upload events.

Obtain an STS token

We recommend that you integrate the STS SDK and call AssumeRole to obtain the STS token. This frees you from complex signature calculations. Before you integrate the STS SDK, you must create a RAM user and assign a role that has the permissions to access ApsaraVideo VOD to the RAM user.

  1. Create a RAM user. For more information, see Use STS to upload videos.

  2. Optional. Attach custom authorization policies to the RAM user. For more information, see Create a custom policy.

  3. Integrate the STS SDK and call the AssumeRole operation to obtain an STS token. The substeps of this step vary based on the programming language of the server.

    | Programming language of the server | References |
    | --- | --- |
    | Java | STS SDK for Java. Note: The following section provides sample code in Java. |
    | Python | STS SDK for Python |
    | PHP | STS SDK for PHP |
    | .NET | STS SDK for .NET |
    | Node.js | STS SDK for Node.js |
    | Go | STS SDK for Go |

Sample code in Java

Sample Java code on how to obtain an STS token

Note: The following sample code describes how to obtain an STS token by using the STS SDK V3.1.1. For more information about how to integrate other versions of the STS SDK, see STS SDK overview.

  1. Integrate the STS SDK.

    Add dependencies for the STS SDK.

    <dependencies>
      <!--  STS SDK in the earlier version  -->
      <dependency>
        <groupId>com.aliyun</groupId>
        <artifactId>aliyun-java-sdk-sts</artifactId>
        <version>3.1.1</version>
      </dependency>
    </dependencies>

    Add the core library for the STS SDK.

    <dependency>
      <groupId>com.aliyun</groupId>
      <artifactId>aliyun-java-sdk-core</artifactId>
      <version>4.6.1</version>
    </dependency>
  2. Call the AssumeRole operation to obtain an STS token.


    
    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.exceptions.ClientException;
    import com.aliyuncs.http.MethodType;
    import com.aliyuncs.profile.DefaultProfile;
    import com.aliyuncs.profile.IClientProfile;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
    import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
    
    
    /**
     * @author jack
     * @date 2020/5/25
     */
    public class TestStsService {
    
        public static void main(String[] args) {
            // Only a RAM user can call the AssumeRole operation.
            // AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
            // Create a RAM user in the RAM console and create an AccessKey pair for the RAM user.
            // Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are configured. 
            String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
            String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
            // Request parameters for the AssumeRole operation include RoleArn, RoleSessionName, Policy, and DurationSeconds.
            // You must obtain the value of RoleArn in the RAM console.
            String roleArn = "acs:ram::174809843091****:role/vodrole";
            // RoleSessionName specifies the session name of the role. You can specify a custom value for this parameter.
            String roleSessionName = "session-name";// Specify a session name.
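            // Specify a policy. vod:* allows every ApsaraVideo VOD operation. Narrow the Action value
            // (for example, to only the CreateUploadVideo operation) when the client needs less.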
            String policy = "{\n" +
                    "  \"Version\": \"1\",\n" +
                    "  \"Statement\": [\n" +
                    "    {\n" +
                    "      \"Action\": \"vod:*\",\n" +
                    "      \"Resource\": \"*\",\n" +
                    "      \"Effect\": \"Allow\"\n" +
                    "    }\n" +
                    "  ]\n" +
                    "}";
            try {
                AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
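                // The values are printed for demonstration only. Do not write the temporary
                // AccessKey secret or security token to logs on a production server.
                System.out.println("Expiration: " + response.getCredentials().getExpiration());
                System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
                System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
                System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
                System.out.println("RequestId: " + response.getRequestId());
    
                // Pass the temporary credentials to your upload logic here. The createUploadVideo
                // method is not defined in this sample, so the call is commented out.
                // createUploadVideo(response.getCredentials().getAccessKeyId(), response.getCredentials().getAccessKeySecret(), response.getCredentials().getSecurityToken());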
            } catch (ClientException e) {
                System.out.println("Failed to get a token.");
                System.out.println("Error code: " + e.getErrCode());
                System.out.println("Error message: " + e.getErrMsg());
            }
        }
    
        static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
            try {
                // Construct a default profile. Leave the parameters empty. The regionId parameter is not required.
                /*
                Note: If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter is optional. Otherwise, you must set the regionId parameter to the ID of the region in which you use STS. Example: cn-shanghai.
                For more information about the STS endpoints in different regions, see Endpoints. 
                 */
                IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
                // Use the profile to construct a client.
                DefaultAcsClient client = new DefaultAcsClient(profile);
                // Create an AssumeRole request and configure the request parameters.
                final AssumeRoleRequest request = new AssumeRoleRequest();
                request.setSysEndpoint("sts.aliyuncs.com");
                request.setSysMethod(MethodType.POST);
                request.setRoleArn(roleArn);
                request.setRoleSessionName(roleSessionName);
                request.setPolicy(policy);
                // Initiate the request and obtain the response.
                final AssumeRoleResponse response = client.getAcsResponse(request);
                return response;
            } catch (ClientException e) {
                throw e;
            }
        }
    }

    | Parameter | Description |
    | --- | --- |
    | RoleArn | The Alibaba Cloud Resource Name (ARN) of the role that you want to assign to the RAM user. After you create a role for a RAM user, you can obtain the ARN of the role from the RAM console: In the left-side navigation pane, choose Identities > Roles. On the Roles page, click the name of the role. In the Basic Information section, copy the ARN. |
    | RoleSessionName | The name of the role session. Set this parameter based on your business requirements. In most cases, you can set this parameter to the identity of the API caller. For example, you can specify a username. In ActionTrail logs, you can use the value of the RoleSessionName parameter to distinguish the users who assume the same RAM role to perform operations. This way, you can perform user-specific auditing. The value must be 2 to 64 characters in length, and can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_). |
    | Policy | An additional policy applied when the role is assumed. Note: The Policy parameter controls the permissions of the temporary access credentials after the user assumes a role. The final permissions of the temporary access credentials are the intersection of the permissions of the role and the permissions specified by the Policy parameter. Note: The Policy parameter is passed in to improve flexibility. For example, you can set this parameter to specify that only the CreateUploadVideo operation can be called. |
    | DurationSeconds | The validity period of the temporary access credentials. Valid values: 900 to 3600. Unit: seconds. |
    | accessKeyId and accessKeySecret | The AccessKey ID and AccessKey secret of the RAM user that assumes the role. |
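The parameter constraints above can be enforced on the application server before AssumeRole is called. The following is an added example, not part of the original documentation or the STS SDK: the class and method names are hypothetical, and the `vod:CreateUploadVideo` action name is assumed from the `vod:` prefix and the operation name used on this page. The returned values are meant for the RoleSessionName, DurationSeconds, and Policy request parameters.

```java
import java.util.regex.Pattern;
/** Added example: checks AssumeRole inputs and builds a narrowly scoped session policy. */
public class StsRequestGuard {
    // RoleSessionName rule from the parameter table: 2 to 64 of letters, digits, '.', '@', '-', '_'.
    private static final Pattern SESSION_NAME = Pattern.compile("^[A-Za-z0-9.@_-]{2,64}$");

    /** Derives an auditable session name from the caller's identity, or rejects it. */
    static String sessionNameFor(String userId) {
        String name = "upload-" + userId;
        if (!SESSION_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("user id is not usable as RoleSessionName");
        }
        return name;
    }

    /** Clamps a requested lifetime into the documented 900 to 3600 second range. */
    static long durationSeconds(long requested) {
        return Math.max(900L, Math.min(3600L, requested));
    }

    /** Session policy that allows only the named VOD operations instead of vod:*. */
    static String scopedPolicy(String... operations) {
        if (operations.length == 0) {
            throw new IllegalArgumentException("at least one operation is required");
        }
        StringBuilder actions = new StringBuilder();
        for (String op : operations) {
            if (!op.matches("[A-Za-z]+")) { // keeps quotes and wildcards out of the JSON
                throw new IllegalArgumentException("unexpected operation name: " + op);
            }
            if (actions.length() > 0) actions.append(',');
            actions.append("\"vod:").append(op).append('"');
        }
        return "{\"Version\":\"1\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":["
                + actions + "],\"Resource\":\"*\"}]}";
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration.
        System.out.println(sessionNameFor("alice@example.com"));
        System.out.println(durationSeconds(60));
        System.out.println(scopedPolicy("CreateUploadVideo"));
        try {
            sessionNameFor("bob/../admin"); // '/' is outside the allowed character set
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the effective permissions are the intersection of the role's permissions and the session policy, a policy built this way can only narrow what the role already grants.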

Use STS tokens to upload media files

Each media file requires an STS token. Therefore, you must obtain the STS token from the application server and specify the STS token for the upload instance in the onUploadStarted callback. The specific settings vary by client.

| Client | References |
| --- | --- |
| Web | Use the upload SDK for JavaScript |
| Android | Upload a file by using the upload SDK for Android |
| iOS | Upload a file by using the upload SDK for iOS |
| WeChat mini program | Upload SDK for WeChat mini programs |