DocsICP FilingConsole
官方文档
首页

Create a RAM role for STS authorization

更新时间:
复制 MD 格式
产品详情
我的收藏

When accessing Intelligent Media Services (IMS) from mobile or web applications, you can use Security Token Service (STS) for temporary authorization. This approach helps prevent security risks from leaked AccessKey pairs. This topic describes how to use STS for authorization.

Background

An AccessKey pair for a RAM user provides long-term access, which poses a security risk if leaked. We recommend that you use Security Token Service (STS) to grant temporary access. With STS, you can create temporary identity credentials with a custom expiration time and a specific policy that limits permissions. This approach lets you follow the principle of least privilege and enhances service access security.

Step 1: Create a RAM user and grant AssumeRole API access

  1. Log on to the RAM console by using your Alibaba Cloud account or as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. On the Create User page, in the User Account Information section, configure the user's basic information.

    • Logon Name: Enter a logon name. The name can contain letters, digits, periods (.), hyphens (-), and underscores (_). The name can be up to 64 characters long.

    • Display Name: Enter a display name. The name can be up to 128 characters long.

    • Tag: Click edit, and then enter a tag key and tag value. Attach tags to the RAM user for easier management.

    Note

    Click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the parameters.

  6. Click OK and complete the phone verification. The system automatically generates an AccessKey pair for the RAM user.

    001

  7. In the Actions column, click Copy to save the logon name, password, and AccessKey information of the user.

    Important

    Make sure to save the logon password and AccessKey information (AccessKey ID and AccessKey Secret). Otherwise, you will not be able to retrieve them later.

  8. Return to the user list. In the Actions column of the created RAM user, click Add Permissions.

  9. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select an authorization scope.

      For Authorization Scope, select Alibaba Cloud Account. Intelligent Media Services (IMS) does not support granting permissions to a specific resource group. For more information about resource groups, see Differences and relationships among Resource Directory, resource groups, and tags.

    2. Specify the principal.

      The principal is the RAM user that receives the permissions.

    3. Select a policy.

      Under System Policies, enter AliyunSTS in the search box and select the AliyunSTSAssumeRoleAccess policy.

    4. Click OK to complete the authorization.

Step 2: Create a RAM role and grant IMS permissions

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, set Principal Type to Cloud Account, specify the details of the Alibaba Cloud account, and then click OK.

    • Current Account: When you want to allow all RAM users and RAM roles under the current Alibaba Cloud account to assume the RAM role that is being created, you can select Current Account.

    • Other Account: If you want to allow all RAM users and RAM roles from another Alibaba Cloud account to assume the RAM role that you are creating, you can select Other Account and then enter the ID of the other Alibaba Cloud account (main account). This option is mainly for scenarios that involve accessing resources across Alibaba Cloud accounts. For more information, see Access resources across Alibaba Cloud accounts.You can find your Alibaba Cloud account (main account) ID on the Security Settings page.

  5. (Optional) To restrict the role to specific RAM users or RAM roles, click Switch to Policy Editor to modify the trust policy.

    The editor supports two modes: Visual Editor and JSON Editor. You can choose either one. The following example indicates that the created RAM role can only be assumed by the RAM user Alice under the current Alibaba Cloud account (AccountID=100******0719).

    • Visual Editor

      In the Principal section, add the RAM user.

      Click the Edit link next to Cloud Account and enter the ID of the trusted account.

      In the Add Principal dialog box, select Current Account for Cloud Account and RAM User for Identity Type. Enter the target username, such as Alice, in the User Name field, and then click OK.

    • JSON Editor

      In the RAM field of the Principal object, enter the full ARN of the RAM user.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "RAM": "acs:ram::100******0719:user/Alice"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  6. On the Grant Permission panel, grant permissions to the RAM role.

    1. Select an authorization scope.

      For Authorization Scope, select Alibaba Cloud Account. IMS does not support granting permissions to a specific resource group. For more information about resource groups, see Differences and relationships among Resource Directory, resource groups, and tags.

    2. Specify the principal.

      The principal is the RAM role to which permissions are granted. By default, the current RAM role is specified. You can also specify a different RAM role.

    3. Select permission policies.

      • Use system policies

        In the search box under System Policy, enter AliyunICE and select a policy based on your needs.

        Policy

        Description

        API operation

        AliyunICEFullAccess

        Permissions to manage and operate all IMS resources

        This policy grants permissions on all operations of IMS.

        AliyunICEReadOnlyAccess

        Read-only permissions on all IMS resources

        This policy grants permissions on all read-only operations of IMS, such as Get, Describe, Search, and List operations.

      • Use custom policies

        Under Custom Policy, select a policy based on your needs. If no custom policy is available, you can create one. For more information, see Create a custom permission policy and Custom policy examples.

      Note

      • You can add up to five policies at a time. To add more, repeat the operation.

      • To control risks, we recommend that you follow the principle of least privilege.

      • If you need to use the IMS server-side SDK for iOS or Android, you must also grant OSS permissions because files need to be uploaded to OSS. You can grant the AliyunOSSFullAccess permission or customize an OSS permission policy based on your needs.

    4. Click OK to complete the authorization.

Step 3: Call AssumeRole to obtain temporary credentials

  1. Download and integrate an STS SDK. For download links, see STS SDK overview.

  2. Call the AssumeRole API to obtain temporary identity credentials for the role.

    This topic provides a Java code sample. For sample code in other languages, see SDK sample code.

    Java

    import com.aliyun.tea.*;

public class Sample {

    /**
     * <b>description</b> :
     * <p>Use a credential to initialize the client.</p>
     * @return Client
     * 
     * @throws Exception
     */
    public static com.aliyun.sts20150401.Client createClient() throws Exception {
        // We recommend that you use a credential-free method to run your project code. For more information about how to configure credentials, see https://help.aliyun.com/document_detail/378657.html.
        com.aliyun.credentials.Client credential = new com.aliyun.credentials.Client();
        com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
                .setCredential(credential);
        // For more information about endpoints, see https://api.aliyun.com/product/Sts.
        config.endpoint = "sts.us-west-1.aliyuncs.com";
        return new com.aliyun.sts20150401.Client(config);
    }

    public static void main(String[] args_) throws Exception {

        com.aliyun.sts20150401.Client client = Sample.createClient();
        // The request parameters for the AssumeRole API include RoleArn, RoleSessionName, Policy, and DurationSeconds.
        // You can obtain the RoleArn parameter from the RAM console.
        com.aliyun.sts20150401.models.AssumeRoleRequest assumeRoleRequest = new com.aliyun.sts20150401.models.AssumeRoleRequest()
                .setDurationSeconds(3600L)
                // Customize your policy.
                .setPolicy("{\n" +
                        "  \"Version\": \"1\",\n" +
                        "  \"Statement\": [\n" +
                        "    {\n" +
                        "      \"Action\": \"ice:*\",\n" +
                        "      \"Resource\": \"*\",\n" +
                        "      \"Effect\": \"Allow\"\n" +
                        "    }\n" +
                        "  ]\n" +
                        "}")
                .setRoleArn("<role-arn>")
                // RoleSessionName is a custom name for the session, used to identify the user for auditing purposes.
                .setRoleSessionName("session-name");// Specify a custom name.
        com.aliyun.teautil.models.RuntimeOptions runtime = new com.aliyun.teautil.models.RuntimeOptions();
        try {
            com.aliyun.sts20150401.models.AssumeRoleResponse resp = client.assumeRoleWithOptions(assumeRoleRequest, runtime);
            com.aliyun.teaconsole.Client.log(com.aliyun.teautil.Common.toJSONString(resp));
        } catch (TeaException error) {
            // This is for printing and demonstration purposes only. Handle exceptions with caution. Do not ignore exceptions in your project.
            // Error message
            System.out.println(error.getMessage());
            // Diagnostic address
            System.out.println(error.getData().get("Recommend"));
            com.aliyun.teautil.Common.assertAsString(error.message);
        } catch (Exception _error) {
            TeaException error = new TeaException(_error.getMessage(), _error);
            // This is for printing and demonstration purposes only. Handle exceptions with caution. Do not ignore exceptions in your project.
            // Error message
            System.out.println(error.getMessage());
            // Diagnostic address
            System.out.println(error.getData().get("Recommend"));
            com.aliyun.teautil.Common.assertAsString(error.message);
        }
    }
}

Next steps

After you obtain the AccessKey information, you can install the server-side SDK and call API operations to implement your business features. For more information, see Call API operations.

References

AssumeRole - Obtain temporary identity credentials for a role

Previous:Create and authorize a RAM userNext:Media asset management