STS tokens - ApsaraVideo VOD - Alibaba Cloud Documentation Center

Security Token Service (STS) is an Alibaba Cloud service that provides short-term access credentials for Alibaba Cloud accounts or RAM users. In addition to upload URLs and credentials, specific upload methods allow you to use STS tokens for access control. This topic describes the principles and usage notes of STS tokens. This topic also describes how to obtain STS tokens.

How it works

You can use STS to issue an STS token to a third-party user. An STS token is an access credential with a custom validity period and limited access permissions. Then, the third-party user can use the short-term STS token to call API operations of ApsaraVideo VOD.

Usage notes

Note

You can select STS tokens or upload URLs and credentials based on the benefits of the two access methods. For more information about the comparison between the two methods, see Comparison between credentials and STS. For more information about upload URLs and credentials, see Upload URLs and credentials.

Take note of the following differences when you determine whether to use STS tokens or upload URLs and credentials:

If a user uploads a media file by using an STS token, the user must construct an upload request that includes the STS token and a temporary AccessKey pair.
If a user uploads a media file by using an upload URL and an upload credential, the user can directly specify the AccessKey pair of an Alibaba Cloud account or a RAM user in the upload request.

The following table describes the support for STS tokens by different upload methods.

Upload method	Support for STS tokens	References
Upload from servers	Supported only by the server upload SDK for Java	For more information about how to obtain STS tokens, see Obtain an STS token. For more information about how to use STS tokens to upload media files, see the topics of different upload methods.
Upload from clients	Supported
UploadMediaByURL	N/A
Upload media files by using OSS SDKs	You can use only STS tokens when you upload media files by using OSS SDKs.
Upload OSS objects	N/A

Obtain an STS token

We recommend that you integrate the STS SDK and call AssumeRole to obtain the STS token. This frees you from complex signature calculations. Before you integrate the STS SDK, you must create a RAM user and assign a role that has the permissions to access ApsaraVideo VOD to the RAM user.

Create a RAM user. For more information, see Use STS to upload videos.
Optional. Attach custom authorization policies to the RAM user. For more information, see Create a custom policy.

Integrate the STS SDK and call the AssumeRole operation to obtain an STS token. The substeps of this step vary based on the programming language of the server.

Programming language of the server	References
Java	STS SDK for Java Note The following section provides sample code in Java.
Python	STS SDK for Python
PHP	STS SDK for PHP
.NET	STS SDK for .NET
Node.js	STS SDK for Node.js
Go	STS SDK for Go

Sample code in Java

Sample Java code on how to obtain an STS token

Note

The following sample code describes how to obtain an STS token by using the STS SDK V3.1.1. For more information about how to integrate other versions of the STS SDK, see STS SDK overview.

Integrate the STS SDK.

Add dependencies for the STS SDK.

<dependencies>
  <!--  STS SDK in the earlier version  -->
  <dependency>
    <groupId>com.aliyun</groupId>
    <artifactId>aliyun-java-sdk-sts</artifactId>
    <version>3.1.1</version>
  </dependency>
</dependencies>

Add the core library for the STS SDK.

<dependency>
  <groupId>com.aliyun</groupId>
  <artifactId>aliyun-java-sdk-core</artifactId>
  <version>4.6.1</version>
</dependency>

Call the AssumeRole operation to obtain an STS token.

Show code


import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;


/**
 * @author jack
 * @date 2020/5/25
 */
public class TestStsService {

    public static void main(String[] args) {
        // Only a RAM user can call the AssumeRole operation.
        // AccessKey pairs of Alibaba Cloud accounts cannot be used to initiate AssumeRole requests.
        // Create a RAM user in the RAM console and create an AccessKey pair for the RAM user.
        // Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are configured. 
        String accessKeyId = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
        String accessKeySecret = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");
        // Request parameters for the AssumeRole operation include RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // You must obtain the value of RoleArn in the RAM console.
        String roleArn = "acs:ram::174809843091****:role/vodrole";
        // RoleSessionName specifies the session name of the role. You can specify a custom value for this parameter.
        String roleSessionName = "session-name";// Specify a session name.
        // Specify a policy.
        String policy = "{\n" +
                "  \"Version\": \"1\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Action\": \"vod:*\",\n" +
                "      \"Resource\": \"*\",\n" +
                "      \"Effect\": \"Allow\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        try {
            AssumeRoleResponse response = assumeRole(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());

            createUploadVideo(response.getCredentials().getAccessKeyId(), response.getCredentials().getAccessKeySecret(), response.getCredentials().getSecurityToken());
        } catch (ClientException e) {
            System.out.println("Failed to get a token.");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
        }
    }

    static AssumeRoleResponse assumeRole(String accessKeyId, String accessKeySecret, String roleArn, String roleSessionName, String policy) throws ClientException {
        try {
            // Construct a default profile. Leave the parameters empty. The regionId parameter is not required.
            /*
            Note: If you set SysEndpoint to sts.aliyuncs.com, the regionId parameter is optional. Otherwise, you must set the regionId parameter to the ID of the region in which you use STS. Example: cn-shanghai.
            For more information about the STS endpoints in different regions, see Endpoints. 
             */
            IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
            // Use the profile to construct a client.
            DefaultAcsClient client = new DefaultAcsClient(profile);
            // Create an AssumeRole request and configure the request parameters.
            final AssumeRoleRequest request = new AssumeRoleRequest();
            request.setSysEndpoint("sts.aliyuncs.com");
            request.setSysMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy);
            // Initiate the request and obtain the response.
            final AssumeRoleResponse response = client.getAcsResponse(request);
            return response;
        } catch (ClientException e) {
            throw e;
        }
    }

Parameter	Description
RoleArn	The Alibaba Cloud Resource Name (ARN) of the role that you want to assign to the RAM user. After you create a role for a RAM user, you can obtain the ARN of the role from the RAM console: In the left-side navigation pane, choose Identities > Roles. On the Roles page, click the name of the role. In the Basic Information section, copy the ARN.
RoleSessionName	The name of the role session. Set this parameter based on your business requirements. In most cases, you can set this parameter to the identity of the API caller. For example, you can specify a username. In ActionTrail logs, you can distinguish the users who assume the same RAM role to perform operations based on the value of the RoleSessionName parameter. This way, you can perform user-specific auditing. The value must be 2 to 64 characters in length, and can contain letters, digits, periods (.), at signs (@), hyphens (-), and underscores (_).
Policy	The permissions added when a role is assumed. Note The Policy parameter is used to control the permissions of the temporary access credentials after the user assumes a role. The final permissions obtained by the temporary access credentials are an intersection of the permissions of the role and the permissions specified by the Policy parameter. The Policy parameter is passed in to improve flexibility. For example, you can set this parameter to specify that only the CreateUploadVideo operation can be called.
DurationSeconds	The validity period of the temporary access credentials. Valid values: 900 to 3600. Unit: seconds.
accessKeyId and accessKeySecret	The AccessKey ID and AccessKey secret of the RAM user that assumes the role.