1. STS 的接入流程，请参考官方文档
2.工具类
import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.http.ProtocolType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse.Credentials;
import java.util.Objects;
import java.util.regex.Pattern;
/**
* @describe: OSS临时访问凭证授权
* @author:houkai
* @Date: 2018/3/7 14:54
* @version 1.0
*/
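/**
 * Issues temporary OSS access credentials through Alibaba Cloud STS.
 *
 * <p>Each public method assumes a RAM role and narrows the returned credentials with an inline
 * policy scoped to a single bucket, so the short-lived token can be handed to a client without
 * exposing the long-lived AccessKey pair.
 *
 * @author houkai
 * @version 1.0
 * @since 2018/3/7 14:54
 */
public final class STSUtil {
    /** Only the "cn-hangzhou" region is usable for STS at the moment; do not substitute another region. */
    private static final String REGION_CN_HANGZHOU = "cn-hangzhou";
    /** Current STS API version. */
    private static final String STS_API_VERSION = "2015-04-01";
    /** STS requests must be sent over HTTPS. */
    private static final ProtocolType PROTOCOL_TYPE = ProtocolType.HTTPS;
    /** Aliyun Resource Name (ARN) of the role to assume. */
    private static final String ROLE_ARN = "****";
    /** Caller-defined session name; distinguishes tokens and appears in per-user access audits. */
    private static final String ROLE_SESSION_NAME = "*****";
    /**
     * Shape of a valid OSS bucket name: 3-63 characters of lowercase letters, digits and hyphens,
     * starting and ending with a letter or digit. Checked before the name is spliced into the JSON
     * policy text so a malformed name cannot break the policy or widen the Resource ARN.
     */
    private static final Pattern BUCKET_NAME = Pattern.compile("[a-z0-9][a-z0-9-]{1,61}[a-z0-9]");

    private STSUtil() {
        // Static utility class; not meant to be instantiated.
    }

    /**
     * Demo entry point. Replace the placeholder values before running.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        String bucketName = "*****";
        String accessKeyId = "*****";
        String accessKeySecret = "*****";
        Long expirationTime = 900L;
        Credentials credentials = createSTSForPutObject(bucketName, ROLE_ARN, accessKeyId, accessKeySecret, expirationTime);
        // Demo only: the Credentials object carries the temporary secret and security token,
        // so do not print or log it like this outside of a local experiment.
        System.out.println(credentials);
    }

    /**
     * Creates temporary credentials that may only upload objects into the given bucket.
     *
     * @param bucketName target OSS bucket
     * @param roleArn ARN of the role to assume
     * @param accessKeyId long-lived AccessKey id used to call STS
     * @param accessKeySecret long-lived AccessKey secret used to call STS
     * @param expirationTime token lifetime in seconds
     * @return the temporary credentials returned by STS
     * @throws IllegalArgumentException if {@code bucketName} is not a valid OSS bucket name
     * @throws IllegalStateException if the STS call fails
     */
    public static Credentials createSTSForPutObject(String bucketName, String roleArn, String accessKeyId, String accessKeySecret, Long expirationTime) {
        String policy = getPutObjectPolicy(bucketName);
        return createSTS(policy, roleArn, accessKeyId, accessKeySecret, expirationTime);
    }

    /**
     * Creates temporary credentials that may only read and list objects in the given bucket.
     *
     * @param bucketName target OSS bucket
     * @param roleArn ARN of the role to assume
     * @param accessKeyId long-lived AccessKey id used to call STS
     * @param accessKeySecret long-lived AccessKey secret used to call STS
     * @param expirationTime token lifetime in seconds
     * @return the temporary credentials returned by STS
     * @throws IllegalArgumentException if {@code bucketName} is not a valid OSS bucket name
     * @throws IllegalStateException if the STS call fails
     */
    public static Credentials createSTSForReadOnly(String bucketName, String roleArn, String accessKeyId, String accessKeySecret, Long expirationTime) {
        String policy = getOSSReadOnlyAccessPolicy(bucketName);
        return createSTS(policy, roleArn, accessKeyId, accessKeySecret, expirationTime);
    }

    /**
     * Calls STS AssumeRole with the given inline policy and returns the resulting credentials.
     *
     * @param policy inline policy (JSON) that further restricts the role's permissions
     * @param roleArn ARN of the role to assume
     * @param accessKeyId long-lived AccessKey id used to call STS
     * @param accessKeySecret long-lived AccessKey secret used to call STS
     * @param expirationTime token lifetime in seconds
     * @return the temporary credentials returned by STS
     * @throws IllegalStateException if the SDK reports a client or server error
     */
    private static Credentials createSTS(String policy, String roleArn, String accessKeyId, String accessKeySecret, Long expirationTime) {
        Objects.requireNonNull(policy, "policy");
        Objects.requireNonNull(roleArn, "roleArn");
        Objects.requireNonNull(accessKeyId, "accessKeyId");
        Objects.requireNonNull(accessKeySecret, "accessKeySecret");
        Objects.requireNonNull(expirationTime, "expirationTime");
        IClientProfile profile = DefaultProfile.getProfile(REGION_CN_HANGZHOU, accessKeyId, accessKeySecret);
        DefaultAcsClient client = new DefaultAcsClient(profile);
        AssumeRoleRequest request = new AssumeRoleRequest();
        request.setDurationSeconds(expirationTime);
        request.setVersion(STS_API_VERSION);
        request.setMethod(MethodType.POST);
        request.setProtocol(PROTOCOL_TYPE);
        request.setRoleArn(roleArn);
        request.setRoleSessionName(ROLE_SESSION_NAME);
        request.setPolicy(policy);
        try {
            // AssumeRole: exchange the long-lived key pair for a role-scoped security token.
            AssumeRoleResponse response = client.getAcsResponse(request);
            return response.getCredentials();
        } catch (ClientException e) {
            // getAcsResponse throws a checked exception; wrap it so callers need not declare it.
            // The message deliberately names only the role, never the key material.
            throw new IllegalStateException("STS AssumeRole failed for role " + roleArn, e);
        }
    }

    /**
     * Rejects bucket names that do not match the OSS naming rules.
     *
     * @param bucketName candidate bucket name
     * @return the same name when it is valid
     * @throws IllegalArgumentException if the name is null or malformed
     */
    private static String requireValidBucketName(String bucketName) {
        if (bucketName == null || !BUCKET_NAME.matcher(bucketName).matches()) {
            throw new IllegalArgumentException("invalid OSS bucket name: " + bucketName);
        }
        return bucketName;
    }

    /**
     * Builds an inline policy allowing only {@code oss:PutObject} on objects of one bucket.
     *
     * @param bucketName target OSS bucket
     * @return the policy JSON
     * @throws IllegalArgumentException if {@code bucketName} is not a valid OSS bucket name
     */
    private static String getPutObjectPolicy(String bucketName) {
        return String.format(
                "{\n" +
                " \"Version\": \"1\", \n" +
                " \"Statement\": [\n" +
                " {\n" +
                " \"Action\": [\n" +
                " \"oss:PutObject\" \n" +
                " ], \n" +
                " \"Resource\": [\n" +
                " \"acs:oss:*:*:%s/*\"\n" +
                " ], \n" +
                " \"Effect\": \"Allow\"\n" +
                " }\n" +
                " ]\n" +
                "}", requireValidBucketName(bucketName));
    }

    /**
     * Builds an inline policy allowing only {@code oss:Get*} and {@code oss:List*} on objects of
     * one bucket.
     *
     * @param bucketName target OSS bucket
     * @return the policy JSON
     * @throws IllegalArgumentException if {@code bucketName} is not a valid OSS bucket name
     */
    private static String getOSSReadOnlyAccessPolicy(String bucketName) {
        return String.format("{\n" +
                " \"Statement\": [\n" +
                " {\n" +
                " \"Action\": [\n" +
                " \"oss:Get*\",\n" +
                " \"oss:List*\"\n" +
                " ],\n" +
                " \"Effect\": \"Allow\",\n" +
                " \"Resource\": [\n" +
                " \"acs:oss:*:*:%s/*\"\n" +
                " ]\n" +
                " }\n" +
                " ],\n" +
                " \"Version\": \"1\"\n" +
                "}", requireValidBucketName(bucketName));
    }
}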
代码需要的maven依赖
<!-- sts -->
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-sts</artifactId>
<version>2.1.6</version>
</dependency>
<dependency>
<groupId>com.aliyun</groupId>
<artifactId>aliyun-java-sdk-dysmsapi</artifactId>
<version>1.1.0</version>
</dependency>