CodeSample Assistant 2022-02-16
Enterprise A has developed a mobile app and purchased the OSS service. The mobile app needs to upload data to and download data from OSS directly, but it runs on end users' own devices, which A does not control, so A's long-term AccessKey must not be embedded in the app. The approach below is to create a RAM role, have a server-side component that A does control call STS AssumeRole, and hand the resulting short-lived credentials to the app.
Create a RAM role named oss-readonly and select the current cloud account as the trusted cloud account, so that only RAM users under cloud account A are allowed to assume the role. After the role is created, its basic information (the role ARN and the trust policy) can be viewed in the role details:
acs:ram::11223344:role/oss-readonly
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::11223344:root"
        ]
      }
    }
  ],
  "Version": "1"
}
Attach the AliyunSTSAssumeRoleAccess system policy (permission to call the STS AssumeRole API) to the RAM user whose AccessKey the app server holds. That RAM user can then assume the role; the RoleSessionName identifies the client the token is issued for and appears in the returned ARN, which makes it useful for auditing:
$ aliyuncli sts AssumeRole --RoleArn acs:ram::11223344:role/oss-readonly --RoleSessionName client-001
{
  "AssumedRoleUser": {
    "AssumedRoleId": "<your-assumedRole-id>",
    "Arn": "acs:ram::11223344:role/oss-readonly/client-001"
  },
  "Credentials": {
    "AccessKeySecret": "<your-access-key-secret>",
    "SecurityToken": "<your-security-token>",
    "Expiration": "2016-01-13T15:02:37Z",
    "AccessKeyId": "<your-access-key-id>"
  },
  "RequestId": "E1779AAB-E7AF-47D6-A9A4-53128708B6CE"
}
Configure the OSS command line with the temporary AccessKeyId, AccessKeySecret and SecurityToken from the response (all three are required; the token is rejected without its SecurityToken) and access the bucket. The first line shows the option syntax, the second a filled-in example:
$ aliyuncli oss Config --host <host> --accessid <access-key-id> --accesskey <access-key-secret> --sts_token <sts-token>
$ aliyuncli oss Config --host oss.aliyuncs.com --accessid <your-access-key-id> --accesskey <your-access-key-secret> --sts_token <your-sts-token>
$ aliyuncli oss Get oss://sample-bucket/2015/01/01/grass.jpg grass.jpg
By default, the STS token obtained this way carries all the permissions of the role oss-readonly. If you need to restrict the STS token further (for example, to allow access only to sample-bucket/2015/01/01/*.jpg), pass a Policy parameter as shown below. The effective permissions of the token are the intersection of the role's permission policy and this session policy: the Policy parameter can only narrow what the role already allows, never extend it.
$ aliyuncli sts AssumeRole --RoleArn acs:ram::11223344:role/oss-readonly --RoleSessionName client-002 --Policy "{\"Version\":\"1\", \"Statement\": [{\"Effect\":\"Allow\", \"Action\":\"oss:GetObject\", \"Resource\":\"acs:oss:*:*:sample-bucket/2015/01/01/*.jpg\"}]}"
{
  "AssumedRoleUser": {
    "AssumedRoleId": "<your-assumedRole-id>",
    "Arn": "acs:ram::11223344:role/oss-readonly/client-002"
  },
  "Credentials": {
    "AccessKeySecret": "<your-access-key-secret>",
    "SecurityToken": "<your-security-token>",
    "Expiration": "2016-01-13T15:03:39Z",
    "AccessKeyId": "<your-access-key-id>"
  },
  "RequestId": "98835D9B-86E5-4BB5-A6DF-9D3156ABA567"
}
The STS tokens above expire after 3600 seconds by default. You can also shorten the lifetime with the DurationSeconds parameter, up to the role's maximum session duration (3600 seconds here). Since the token is handed to a device you do not control, choose the shortest lifetime the app can work with: once a token leaks from the device, it cannot be revoked and remains valid until it expires, so the session policy and the lifetime together bound the damage.
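The two controls above, the session policy passed as the Policy parameter and the DurationSeconds bound, are what the token-vending server would apply before calling AssumeRole. The following is an added example, not code from the original page or from Alibaba Cloud: a minimal evaluator for RAM-style policy documents that shows why a session policy can only narrow the role's permissions (an action must be allowed by both documents, and an explicit Deny in either wins), plus a helper that builds the AssumeRole parameters for one client and rejects an out-of-range lifetime. The content of the oss-readonly role's permission policy (read and list only), the Condition-free matching rules, and the 900-second lower bound are assumptions made for the example.

```python
"""Added example: evaluate the intersection of a role policy and an
AssumeRole session policy, and build per-client AssumeRole parameters.
Not taken from the original page; the role policy below is assumed."""
import fnmatch
import json


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # RAM policies use '*' as the wildcard; fnmatch has the same semantics
    # for this simplified evaluator (Condition elements are not supported).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' or 'NoMatch' for one policy document."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


def effective_allow(role_policy, session_policy, action, resource):
    """Credentials from AssumeRole --Policy may perform an action only if
    BOTH the role's own policy and the session policy allow it."""
    return (evaluate(role_policy, action, resource) == "Allow"
            and evaluate(session_policy, action, resource) == "Allow")


# Assumed permission policy attached to the oss-readonly role (read/list only).
ROLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:Get*", "oss:List*"], "Resource": "acs:oss:*:*:*"}
    ],
}


def session_policy_for(bucket, prefix):
    """Session policy that scopes one client's token to JPEGs under a prefix,
    the same shape as the --Policy value used on the page."""
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "oss:GetObject",
                "Resource": f"acs:oss:*:*:{bucket}/{prefix}*.jpg",
            }
        ],
    }


MIN_DURATION = 900    # assumed STS lower bound for DurationSeconds
MAX_DURATION = 3600   # the role's maximum session duration on the page


def assume_role_params(role_arn, session_name, bucket, prefix, duration=MAX_DURATION):
    """Parameters a token-vending server would pass to `aliyuncli sts AssumeRole`.
    Rejects lifetimes outside the allowed range instead of letting STS clamp them."""
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(
            f"DurationSeconds must be between {MIN_DURATION} and {MAX_DURATION}, got {duration}")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "Policy": json.dumps(session_policy_for(bucket, prefix), separators=(",", ":")),
        "DurationSeconds": duration,
    }


if __name__ == "__main__":
    session = session_policy_for("sample-bucket", "2015/01/01/")
    jpg = "acs:oss:cn-hangzhou:11223344:sample-bucket/2015/01/01/grass.jpg"
    print("GetObject grass.jpg:", effective_allow(ROLE_POLICY, session, "oss:GetObject", jpg))
    params = assume_role_params("acs:ram::11223344:role/oss-readonly", "client-002",
                                "sample-bucket", "2015/01/01/", duration=1800)
    print(json.dumps(params, indent=2))
```

The escalation case is the one worth testing: a session policy that names oss:PutObject still yields a token that cannot write, because the role itself never granted it. A token-vending server should derive the prefix in the session policy from the authenticated app user (for example the user's own directory in the bucket), not from a value the client sends unchecked, otherwise the client chooses its own scope.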