Use Security Token Service (STS) temporary access credentials to call mPaaS OpenAPI operations securely, without embedding long-term AccessKey pairs in your code.
Prerequisites
Before you begin, make sure you have:
A RAM user with an AccessKey pair. Log on to the RAM console to create a RAM user and note the AccessKey ID and AccessKey secret.
The AliyunSTSAssumeRoleAccess policy attached to the RAM user. Use your Alibaba Cloud account or a RAM user with RAM administrative permissions to attach the AliyunSTSAssumeRoleAccess policy to the RAM user. This policy allows the user to call the STS AssumeRole operation.
Note: The AliyunSTSAssumeRoleAccess policy only grants access to the STS AssumeRole operation. It does not grant the permissions that the role itself carries, nor does it authorize any mPaaS API calls.
Configure environment variables
Set the MPAAS_AK_ENV and MPAAS_SK_ENV environment variables before running your application. These variables store the AccessKey ID and AccessKey secret of the RAM user that assumes the RAM role.
Linux and macOS:
export MPAAS_AK_ENV=<ACCESS_KEY_ID>
export MPAAS_SK_ENV=<ACCESS_KEY_SECRET>
Note: Replace <ACCESS_KEY_ID> with your AccessKey ID and <ACCESS_KEY_SECRET> with your AccessKey secret.
Windows:
Create the MPAAS_AK_ENV and MPAAS_SK_ENV environment variables and set their values to your AccessKey ID and AccessKey secret. Restart Windows for the changes to take effect.
Create a RAM role
Use an Alibaba Cloud account or a RAM user with RAM administrative permissions to create the RAM role. The role defines the permissions that take effect when it is assumed.
Log on to the RAM console.
In the left navigation pane, choose Identity > Roles.
On the Roles page, click Create Role.
On the Create Role page, set Principal Type to Cloud Account and Principal Name to Current Account, then click OK.
In the Create Role panel, enter a role name and click OK.
Click Copy next to the ARN and save the role ARN. You will need it in the code sample.
Grant mPaaS permissions to the RAM role
After the role is created, attach one or more access policies to it. Use an Alibaba Cloud account or a RAM user with RAM administrative permissions to do this. For full mPaaS access, attach the MpaasFullAccess policy. The role carries these permissions whenever it is assumed.
Assume the RAM role and call mPaaS OpenAPI
Do not use the AccessKey pair of an Alibaba Cloud account to call STS API operations. STS rejects such requests with an error. Use the AccessKey pair of the RAM user you created in the prerequisites.
The RAM user calls STS AssumeRole to get temporary access credentials. The credentials contain three values:
AccessKeyId: a temporary identifier, similar in function to a username.
AccessKeySecret: a temporary secret used to sign requests, similar in function to a password.
SecurityToken: an additional token required for all requests made with temporary credentials. Unlike permanent AccessKey pairs, temporary credentials always require all three values.
The credentials also include an expiration time. Use an STS SDK to get them. For STS SDKs in other languages, see STS SDK overview.
The endpoint variable in the sample code specifies the STS service endpoint. Choose an endpoint in or near the region where your server runs to reduce latency. For available STS endpoints, see STS endpoints.

import com.alibaba.fastjson.JSON;
import com.aliyun.mpaas20201028.Client;
import com.aliyun.mpaas20201028.models.QueryMcubeVhostRequest;
import com.aliyun.mpaas20201028.models.QueryMcubeVhostResponse;
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.auth.sts.AssumeRoleRequest;
import com.aliyuncs.auth.sts.AssumeRoleResponse;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;

public class StsServiceSample {
    /** The App ID from the mPaaS console. */
    private static final String APP_ID = "ALIPUB40DXXXXXXX";
    /** The workspace ID from the mPaaS console. */
    private static final String WORKSPACE_ID = "default";
    /** The tenant ID from the mPaaS console. */
    private static final String TENANT_ID = "XVXXXXXF";

    public static void main(String[] args) {
        // STS endpoint, for example, sts.cn-hangzhou.aliyuncs.com.
        // You can access the STS service over the public network or a VPC.
        String endpoint = "sts.cn-hangzhou.aliyuncs.com";
        // Read the RAM user AccessKey ID and secret from the environment variables
        // configured earlier (MPAAS_AK_ENV and MPAAS_SK_ENV).
        String accessKeyId = System.getenv("MPAAS_AK_ENV");
        String accessKeySecret = System.getenv("MPAAS_SK_ENV");
        // Read the RAM role ARN (saved when the role was created) from an environment variable.
        String roleArn = System.getenv("RAM_ROLE_ARN");
        // A custom session name to distinguish different tokens.
        String roleSessionName = "yourRoleSessionName";
        // Set to null to grant all permissions of the role to the temporary credentials.
        String policy = null;
        // Validity period of the temporary credentials in seconds.
        // Minimum: 900. Maximum: the role's maximum session duration (3,600–43,200 seconds). Default: 3,600.
        Long durationSeconds = 3600L;
        try {
            String regionId = "";
            // Add an endpoint (Java SDK 3.12.0 and later).
            DefaultProfile.addEndpoint(regionId, "Sts", endpoint);
            // Add an endpoint (Java SDK earlier than 3.12.0).
            // DefaultProfile.addEndpoint("", regionId, "Sts", endpoint);
            IClientProfile profile = DefaultProfile.getProfile(regionId, accessKeyId, accessKeySecret);
            DefaultAcsClient client = new DefaultAcsClient(profile);

            final AssumeRoleRequest request = new AssumeRoleRequest();
            // Required for Java SDK 3.12.0 and later.
            request.setMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy);
            request.setDurationSeconds(durationSeconds);
            final AssumeRoleResponse response = client.getAcsResponse(request);
            AssumeRoleResponse.Credentials credentials = response.getCredentials();
            System.out.println("Expiration: " + credentials.getExpiration());
            System.out.println("Access Key Id: " + credentials.getAccessKeyId());
            System.out.println("RequestId: " + response.getRequestId());
            // The AccessKeySecret and SecurityToken are secrets: pass them to the mPaaS
            // client below, but do not print or log them.

            // Build the mPaaS client with the temporary credentials. All three values are required.
            com.aliyun.teaopenapi.models.Config stsConfig = new com.aliyun.teaopenapi.models.Config()
                    .setAccessKeyId(credentials.getAccessKeyId())
                    .setAccessKeySecret(credentials.getAccessKeySecret())
                    .setSecurityToken(credentials.getSecurityToken())
                    .setEndpoint("mpaas.cn-hangzhou.aliyuncs.com");
            Client mpaasClient = new Client(stsConfig);

            QueryMcubeVhostRequest queryMcubeVhostRequest = new QueryMcubeVhostRequest();
            queryMcubeVhostRequest.setAppId(APP_ID);
            queryMcubeVhostRequest.setWorkspaceId(WORKSPACE_ID);
            queryMcubeVhostRequest.setTenantId(TENANT_ID);
            QueryMcubeVhostResponse queryMcubeVhostResponse = mpaasClient.queryMcubeVhost(queryMcubeVhostRequest);
            System.out.println(queryMcubeVhostResponse.getBody().getResultCode());
            System.out.println(JSON.toJSONString(queryMcubeVhostResponse.getBody().getQueryVhostResult()));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}
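The sample above calls AssumeRole once per run, but a long-running service must respect the expiration time the credentials carry and must never keep using a token past it. The following helper is an added example, not code from the mPaaS documentation or SDK: it caches one AssumeRole result and calls STS again only when the cached credentials are within a refresh margin of their expiration. It reuses the MPAAS_AK_ENV, MPAAS_SK_ENV and RAM_ROLE_ARN environment variables from this page; the class name StsCredentialCache, the five-minute refresh margin and the ISO 8601 parsing of the expiration string are assumptions.

```java
import java.time.Duration;
import java.time.Instant;

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.auth.sts.AssumeRoleRequest;
import com.aliyuncs.auth.sts.AssumeRoleResponse;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;

/**
 * Hypothetical helper (not part of the mPaaS SDK): assumes the RAM role once, caches the
 * temporary credentials, and calls AssumeRole again only when they are about to expire.
 */
public final class StsCredentialCache {

    /** Assumption: refresh this long before expiration so in-flight requests never carry a dead token. */
    private static final Duration REFRESH_MARGIN = Duration.ofMinutes(5);

    /** Immutable snapshot of one AssumeRole result; all three values must always be used together. */
    public static final class TemporaryCredentials {
        public final String accessKeyId;
        public final String accessKeySecret;
        public final String securityToken;
        public final Instant expiration;

        TemporaryCredentials(String accessKeyId, String accessKeySecret, String securityToken, Instant expiration) {
            this.accessKeyId = accessKeyId;
            this.accessKeySecret = accessKeySecret;
            this.securityToken = securityToken;
            this.expiration = expiration;
        }

        /** True once fewer than REFRESH_MARGIN remains before expiration, or it has already passed. */
        public boolean needsRefresh(Instant now) {
            return !now.plus(REFRESH_MARGIN).isBefore(expiration);
        }
    }

    private final DefaultAcsClient stsClient;
    private final String roleArn;
    private final String roleSessionName;
    private final Long durationSeconds;
    private TemporaryCredentials cached;

    public StsCredentialCache(String stsEndpoint, String roleArn, String roleSessionName,
                              long durationSeconds) throws ClientException {
        String regionId = "";
        // Java SDK 3.12.0 and later; older SDKs use the four-argument addEndpoint form.
        DefaultProfile.addEndpoint(regionId, "Sts", stsEndpoint);
        // The RAM user's AccessKey pair comes from the environment variables configured on this page.
        IClientProfile profile = DefaultProfile.getProfile(regionId,
                System.getenv("MPAAS_AK_ENV"), System.getenv("MPAAS_SK_ENV"));
        this.stsClient = new DefaultAcsClient(profile);
        this.roleArn = roleArn;
        this.roleSessionName = roleSessionName;
        this.durationSeconds = durationSeconds;
    }

    /** Returns valid credentials, calling AssumeRole only when the cached ones are missing or stale. */
    public synchronized TemporaryCredentials get() throws ClientException {
        if (cached == null || cached.needsRefresh(Instant.now())) {
            cached = assumeRole();
        }
        return cached;
    }

    private TemporaryCredentials assumeRole() throws ClientException {
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setMethod(MethodType.POST);
        request.setRoleArn(roleArn);
        request.setRoleSessionName(roleSessionName);
        request.setDurationSeconds(durationSeconds);
        AssumeRoleResponse response = stsClient.getAcsResponse(request);
        AssumeRoleResponse.Credentials c = response.getCredentials();
        // Assumption: STS reports the expiration as an ISO 8601 UTC timestamp, e.g. 2015-04-09T11:52:19Z.
        return new TemporaryCredentials(c.getAccessKeyId(), c.getAccessKeySecret(),
                c.getSecurityToken(), Instant.parse(c.getExpiration()));
    }

    public static void main(String[] args) throws Exception {
        StsCredentialCache cache = new StsCredentialCache("sts.cn-hangzhou.aliyuncs.com",
                System.getenv("RAM_ROLE_ARN"), "yourRoleSessionName", 3600L);
        TemporaryCredentials creds = cache.get();
        // Build the mPaaS client as in the sample above; it is now ready for calls such as queryMcubeVhost.
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                .setAccessKeyId(creds.accessKeyId)
                .setAccessKeySecret(creds.accessKeySecret)
                .setSecurityToken(creds.securityToken)
                .setEndpoint("mpaas.cn-hangzhou.aliyuncs.com");
        com.aliyun.mpaas20201028.Client mpaasClient = new com.aliyun.mpaas20201028.Client(config);
        // Only the key ID and expiry are printed; the secret and token are never logged.
        System.out.println("Using temporary key " + creds.accessKeyId + " until " + creds.expiration);
        // A second get() inside the margin reuses the cached credentials; no new STS call is made.
        System.out.println("Reused cached credentials: " + (cache.get() == creds));
    }
}
```

Because get() is synchronized, concurrent request threads share one cached credential set and at most one of them triggers the AssumeRole refresh. Keep durationSeconds as short as the workload allows: the refresh margin bounds how long a leaked token stays usable, but only the STS validity period actually revokes it.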