非常想搞明白STS token在端上是如何使用的。因?yàn)镺SS跟STS聯(lián)系比較緊密，所以把這兩個(gè)家伙一起研究了一下。里面有一些環(huán)節(jié)我現(xiàn)在也沒搞太明白，只是記錄一下，以后搞明白了再完善。

配置賬號(hào)及角色

去RAM里面設(shè)置好子賬號(hào)和角色，子賬號(hào)需要AliyunSTSAssumeRoleAccess權(quán)限，角色需要AliyunOSSFullAccess權(quán)限。子賬號(hào)需要有扮演OSS存取這個(gè)角色的能力，成功扮演該角色之后，就具有操作OSS資源的能力了。關(guān)于用戶和角色關(guān)系，RAM和STS介紹里面有比較詳細(xì)的描述。

這里有一個(gè)坑是角色一定要選擇用戶角色。之前錯(cuò)誤選擇了服務(wù)角色，導(dǎo)致AssumeRole一直提示無權(quán)限。

screenshot.png

獲取STS token

• 安裝好Python SDK。Python測(cè)試起來比較方便。

pip install oss2

• 運(yùn)行腳本，獲取STS token。

#!/usr/bin/env python
#coding=utf-8

from aliyunsdkcore import client
from aliyunsdksts.request.v20150401 import AssumeRoleRequest

clt = client.AcsClient('access key id', 'access key secret', 'cn-shanghai')

# 構(gòu)造"AssumeRole"請(qǐng)求
request = AssumeRoleRequest.AssumeRoleRequest()

# 指定角色
request.set_RoleArn('acs:ram::1532770894211314:role/henshaoread2')

# 設(shè)置會(huì)話名稱，審計(jì)服務(wù)使用此名稱區(qū)分調(diào)用者
request.set_RoleSessionName('henshao')

#request.set_method('HMAC-SHA1')

# 發(fā)起請(qǐng)求，并得到response
response = clt.do_action_with_exception(request)

實(shí)際發(fā)出來的請(qǐng)求如下所示。STS API和簽名規(guī)則可以參考STS文檔。

/?RoleSessionName=henshao
&Format=json
&Timestamp=2017-04-28T08%3A16%3A06Z
&RoleArn=acs%3Aram%3A%3A1532770894211314%3Arole%2Fhenshaoread2
&RegionId=cn-shanghai
&SignatureVersion=1.0
&AccessKeyId=LTAIAVqsmhvxNjGN
&SignatureMethod=HMAC-SHA1
&Version=2015-04-01
&Signature=9geUPq00G2g1tInX3XSvk77HZhY%3D
&Action=AssumeRole
&SignatureNonce=cc636798-de57-4c11-beb5-567124635220

• 返回的STS token如下所示，里面包含了AK id、AK secret）和security token。

screenshot.png

另外一種獲取STS token的方式是使用aliyuncli工具，也是非常方便的。

$ aliyuncli sts AssumeRole --AccessKeyId xxx --AccessKeySecret xxx --RoleArn xxx --RoleSessionName xxx
{
    "AssumedRoleUser": {
        "AssumedRoleId": "389053493353396514:henshao", 
        "Arn": "acs:ram::1532770894211314:role/henshaoread2/henshao"
    }, 
    "Credentials": {
        "AccessKeySecret": "4s7GoYW7bbFLqe3XGbiMdjveaHEvU1bNBNxdXPtkgLK2", 
        "SecurityToken": "CAIS8gF1q6Ft5B2yfSjIrIXFet3ArJFY1vamUB/3jHcbdLtt16jJ2jz2IHBFfHRrBeEdtfk0n2FW6/8elq5zRpleRUXDNQG7TybIslHPWZHInuDox55m4cTXNAr+Ihr/29CoEIedZdjBe/CrRknZnytou9XTfimjWFrXWv/gy+QQDLItUxK/cCBNCfpPOwJms7V6D3bKMuu3OROY6Qi5TmgQ41cn0zwgsfTunpfFs0GH0GeXkLFF+97DRbG/dNRpMZtFVNO44fd7bKKp0lQLu0kSqfwq3fcfpGyc74/AWgVLhxWLNfHU+9p1IQZ1PLigomnpBFFI/xqAAazzStWsfFdf3btxxYkakt15g06RJeGi/uKqElMfEGIRJ+vjHtLzFqyjtJJV7gLWgkSeinqglonDuRjcfy/oTPcpQ4u3SCcOh1X/e13jVbc1SuaIGnWOCbDFqtxH68+BcTSMl7rZCd/JfDIKIpWmtWBcL1HFkpRTG3Hd04BmB0PY", 
        "Expiration": "2017-11-02T06:01:53Z", 
        "AccessKeyId": "STS.MFp1gtANya4MR9FhwNx4A8mb8"
    }, 
    "RequestId": "14AA9E4A-EEF0-403A-9367-3255E836F382"
}

OSS客戶端使用STS token獲取文件

拿到STS token，客戶端上就可以操作OSS資源了。

id<OSSCredentialProvider> credential = [[OSSStsTokenCredentialProvider alloc] initWithAccessKeyId:@"STS.DSVjYCefVuXKNP9CTyCfy83Uf" secretKeyId:@"7raTtc4LK3ZtHrw8wWse7sbWAJypWdox3cpp5nYwxdDk" securityToken:@"CAIS8gF1q6Ft5B2yfSjIpZDjIeP3iLl3wpqgTHaIp1QsT+lV1/b+hDz2IHBFfHRrBeEdtfk0n2FW6/8elq5zRpleRUXDNSGpOWeEslHPWZHInuDox55m4cTXNAr+Ihr/29CoEIedZdjBe/CrRknZnytou9XTfimjWFrXWv/gy+QQDLItUxK/cCBNCfpPOwJms7V6D3bKMuu3OROY6Qi5TmgQ41cn0zwgsfTunpfFs0GH0GeXkLFF+97DRbG/dNRpMZtFVNO44fd7bKKp0lQLu0kSqfwq3fcfpGyc74/AWgVLhxWLNfHU+9p1IQZ1PLigomnpBFFI/xqAAU0Ia5eMa0XreO/Uh0K6RXJmk9q8dEKrhhMuDEtCK/EUyb+v/8WSfeYez3z2wl9V5Pi7iUSFRciQKHnGyIVAVmBCGWvAZOad83dI8tft8Ks16/mER/wpysTKOcr+rrdn+JnPJDSFDKD5JBJSr0KXR1bbMU+9b0Nrej0P8kVwbhYd"];

OSSClient *client = [[OSSClient alloc] initWithEndpoint:@"oss-cn-shanghai.aliyuncs.com" credentialProvider:credential];

OSSGetObjectRequest * request = [OSSGetObjectRequest new];

request.bucketName = @"wla-test2";
request.objectKey = @"DragonMedium.png";

request.downloadProgress = ^(int64_t bytesWritten, int64_t totalBytesWritten, int64_t totalBytesExpectedToWrite) {
    NSLog(@"%lld, %lld, %lld", bytesWritten, totalBytesWritten, totalBytesExpectedToWrite);
};

OSSTask * getTask = [client getObject:request];
[getTask continueWithBlock:^id(OSSTask *task) {
    if (!task.error) {
        NSLog(@"download object success!");
        OSSGetObjectResult * getResult = task.result;
        NSLog(@"download result: %@", getResult.downloadedData);

        UIImage *image = [[UIImage alloc] initWithData: getResult.downloadedData];
        image = nil;
    } else {
        NSLog(@"download object failed, error: %@" ,task.error);
    }
    return nil;
}];

成功獲取到DragonMedium.png這張圖片。

screenshot.png

稍微分析了一下OSS SDK里面的細(xì)節(jié)。在header里面有兩個(gè)重要的字段，Authorization = "OSS " + AK.Id + ":" + sign，x-oss-security-token則是security token。

(lldb) po requestMessage.headerParams
{
    Authorization = "OSS STS.DSVjYCefVuXKNP9CTyCfy83Uf:spZmloXZZJZFBCE8st9fvRxKLag=";
    "User-Agent" = "aliyun-sdk-ios/2.6.0/iOS/10.3/en_US";
    "x-oss-security-token" = "CAIS8gF1q6Ft5B2yfSjIpZDjIeP3iLl3wpqgTHaIp1QsT+lV1/b+hDz2IHBFfHRrBeEdtfk0n2FW6/8elq5zRpleRUXDNSGpOWeEslHPWZHInuDox55m4cTXNAr+Ihr/29CoEIedZdjBe/CrRknZnytou9XTfimjWFrXWv/gy+QQDLItUxK/cCBNCfpPOwJms7V6D3bKMuu3OROY6Qi5TmgQ41cn0zwgsfTunpfFs0GH0GeXkLFF+97DRbG/dNRpMZtFVNO44fd7bKKp0lQLu0kSqfwq3fcfpGyc74/AWgVLhxWLNfHU+9p1IQZ1PLigomnpBFFI/xqAAU0Ia5eMa0XreO/Uh0K6RXJmk9q8dEKrhhMuDEtCK/EUyb+v/8WSfeYez3z2wl9V5Pi7iUSFRciQKHnGyIVAVmBCGWvAZOad83dI8tft8Ks16/mER/wpysTKOcr+rrdn+JnPJDSFDKD5JBJSr0KXR1bbMU+9b0Nrej0P8kVwbhYd";
}

參考資料

1. OSS訪問控制
2. OSS訪問控制-iOS端
3. OAuth2.0協(xié)議原理與實(shí)現(xiàn)：TOKEN生成算法
4. 小米帳戶 OAuth 2.0 文檔
5. 百度云訪問控制

最后非常感謝 @周卓 大神的鼎力支持??