Cloud OSS: obtaining temporary access credentials with STS

Alibaba Cloud OSS (Object Storage Service) provides network-based data access services. With OSS you can store and retrieve data files of all kinds, including text, pictures, audio and video, over the network at any time.

In a previous post I wrote about the Alibaba Cloud OSS upload technique. When the project is an external (public-facing) one, however, the security key for the cloud storage has to be designed as well, so this post is a supplement on the cloud storage key.

1. Backend data code:

The back-end mainly sets the STS access endpoint, generates the access keys, identifies the access role, and gives each role session a custom name so that different tokens can be distinguished. This protects the data and prevents useless information from being stored and occupying storage resources. Roles and keys must be strictly controlled.

Example using the Java SDK:

```java
package com.aliyun.sts.sample;

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.http.MethodType;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.profile.IClientProfile;
import com.aliyuncs.sts.model.v20150401.AssumeRoleRequest;
import com.aliyuncs.sts.model.v20150401.AssumeRoleResponse;

public class StsServiceSample {
    public static void main(String[] args) {
        // STS access address (endpoint) of your region.
        String endpoint = "<sts-endpoint>";
        // Fill in the AccessKey ID and AccessKey Secret generated in step 1.
        String accessKeyId = "<yourAccessKeyId>";
        String accessKeySecret = "<yourAccessKeySecret>";
        // Fill in the role ARN obtained in step 3.
        String roleArn = "<yourRoleArn>";
        // Custom role session name, used to distinguish different tokens, for example SessionTest.
        String roleSessionName = "<yourRoleSessionName>";
        // The following Policy restricts the temporary access credentials to uploading files into the target bucket examplebucket.
        // The permission the temporary credentials actually get is the intersection of the role permissions set in step 4 and this Policy.
        // With the Resource below, only uploads into examplebucket are allowed; to allow uploads only into the exampledir
        // directory of that bucket, narrow the Resource to "acs:oss:*:*:examplebucket/exampledir/*".
        String policy = "{\n" +
                "    \"Version\": \"1\", \n" +
                "    \"Statement\": [\n" +
                "        {\n" +
                "            \"Action\": [\n" +
                "                \"oss:PutObject\"\n" +
                "            ], \n" +
                "            \"Resource\": [\n" +
                "                \"acs:oss:*:*:examplebucket/*\" \n" +
                "            ], \n" +
                "            \"Effect\": \"Allow\"\n" +
                "        }\n" +
                "    ]\n" +
                "}";
        try {
            // Add the STS endpoint.
            DefaultProfile.addEndpoint("", "", "Sts", endpoint);
            // Construct a default profile.
            IClientProfile profile = DefaultProfile.getProfile("", accessKeyId, accessKeySecret);
            // Construct the client.
            DefaultAcsClient client = new DefaultAcsClient(profile);
            final AssumeRoleRequest request = new AssumeRoleRequest();
            request.setSysMethod(MethodType.POST);
            request.setRoleArn(roleArn);
            request.setRoleSessionName(roleSessionName);
            request.setPolicy(policy); // If the policy is empty, the caller gets all permissions of the role.
            request.setDurationSeconds(3600L); // Validity period of the temporary access credentials: 3600 seconds.
            final AssumeRoleResponse response = client.getAcsResponse(request);
            System.out.println("Expiration: " + response.getCredentials().getExpiration());
            System.out.println("Access Key Id: " + response.getCredentials().getAccessKeyId());
            System.out.println("Access Key Secret: " + response.getCredentials().getAccessKeySecret());
            System.out.println("Security Token: " + response.getCredentials().getSecurityToken());
            System.out.println("RequestId: " + response.getRequestId());
        } catch (ClientException e) {
            System.out.println("Failed: ");
            System.out.println("Error code: " + e.getErrCode());
            System.out.println("Error message: " + e.getErrMsg());
            System.out.println("RequestId: " + e.getRequestId());
        }
    }
}
```

2. Front-end key data interaction

The front-end mainly receives the temporary key through a data interface. Both the upload channel and the temporary key are time-limited, so you need to agree with the back-end on how validity is controlled and how the front-end requests the interface data: a fixed per-request method or a global request method, depending on the company's project needs. I use a relatively primitive and simple method: request the key on every upload, so that I do not need to track the key's validity and can always get the latest key.

```javascript
// First import the OSS base library
import OSS from 'ali-oss';

// Create an OSS client and set its request information (similar to request headers)
const client = new OSS({
  // Region where the bucket is located. For East China 1 (Hangzhou) the region is 'oss-cn-hangzhou'.
  region: 'oss-cn-hangzhou',
  // Temporary access key (AccessKey ID and AccessKey Secret) obtained from the STS service.
  accessKeyId: '',
  accessKeySecret: '',
  // Security token obtained from the STS service; its validity period is set by the back-end.
  stsToken: '',
  // Bucket name, which is generally the upload address given by your company.
  bucket: '',
});
```

The interface data can be requested with axios or fetch, depending on your project's technical architecture. After receiving the response, set the accessKeyId, accessKeySecret and stsToken of the OSS client from it.
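As an added example (not code from the original post or from the ali-oss or STS SDKs), the following plain JavaScript builds the least-privilege upload policy described in the back-end section for a bucket and directory prefix, checks that a policy grants nothing beyond uploads into that bucket, and decides whether a cached STS credential is close enough to its expiration to need a refresh, which is the alternative to requesting a new key on every upload. The function names, the 300-second skew and the sample timestamps are assumptions made for this example.

```javascript
// Added example: least-privilege STS upload policy plus credential refresh check.
// Pure functions, no network calls; values below are constructed for illustration.

// Build the Policy document passed to AssumeRole: only oss:PutObject on the given
// bucket/prefix. An empty prefix allows uploads anywhere in the bucket.
function buildUploadPolicy(bucket, prefix = '') {
  if (!/^[a-z0-9-]{3,63}$/.test(bucket)) throw new Error('invalid bucket name');
  const dir = prefix.replace(/^\/+|\/+$/g, ''); // strip leading/trailing slashes
  const resource = dir ? `acs:oss:*:*:${bucket}/${dir}/*` : `acs:oss:*:*:${bucket}/*`;
  return JSON.stringify({
    Version: '1',
    Statement: [{ Action: ['oss:PutObject'], Resource: [resource], Effect: 'Allow' }],
  });
}

// True only if every Allow statement grants just oss:PutObject, scoped to objects
// inside the expected bucket. Catches wildcard actions or resources before the
// policy is handed to the browser.
function policyIsLeastPrivilege(policyJson, bucket) {
  const policy = JSON.parse(policyJson);
  return policy.Statement.every((s) => {
    if (s.Effect !== 'Allow') return true;
    const actions = [].concat(s.Action);
    const resources = [].concat(s.Resource);
    const onlyPut = actions.every((a) => a === 'oss:PutObject');
    const scoped = resources.every((r) => r.startsWith(`acs:oss:*:*:${bucket}/`));
    return onlyPut && scoped;
  });
}

// Decide whether a cached credential must be refreshed. `expiration` is the
// ISO-8601 string STS returns (e.g. "2023-03-05T03:51:58Z"); refresh `skewSeconds`
// early so an upload never starts with a credential that expires mid-transfer.
function credentialNeedsRefresh(expiration, now = new Date(), skewSeconds = 300) {
  const exp = Date.parse(expiration);
  if (Number.isNaN(exp)) return true; // unparsable expiration: treat as expired
  return exp - now.getTime() <= skewSeconds * 1000;
}
```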

3. After configuring OSS, the OSS client object looks like this:

4. After uploading to OSS

The upload returns the file address in the specified folder of the Alibaba Cloud bucket: the Alibaba Cloud domain name plus the custom file name and file type given at upload time. The address can be referenced inside the code or opened directly in the browser address bar.

5. Advantages of companies choosing Alibaba Cloud storage

The storage space of OSS is flat inside: there is no concept such as a file system directory, and all objects belong directly to their corresponding storage spaces. If you want to use OSS like local folders and disks, you can configure a cloud storage gateway. Through the NFS, SMB (CIFS) and iSCSI protocols provided by the cloud storage gateway, OSS storage resources are mapped to local folders or disks on a per-bucket basis. You can then access OSS resources through ordinary file read and write operations, connect applications based on POSIX and block access protocols seamlessly, and reduce application migration and learning costs.

Network Security Growth Roadmap

This direction is relatively easy to get started in: master some basic techniques and pick up various ready-made tools. However, if you want to grow from a script kiddie into an expert, the further you go in this direction, the more you need to learn and master. The following is the route to take when learning network security:

# Cyber Security Learning Methods

The technical classification and learning route are introduced above. Here are some learning methods:

## Video learning

Whether you go to Bilibili or YouTube, there are many videos related to network security that you can learn from. Of course, if you still don't know which set to choose, I have also compiled a set of video tutorials matching the growth roadmap above. The full version of the videos has been uploaded to the CSDN official website; if you need it, you can click this link to get it for free: Network security heavy benefits: entry & advanced full set of 282G learning resource packs shared for free!

Tags: Java Cyber Security programming language

Posted by GamingWarrior on Sun, 05 Mar 2023 03:51:58 +1030