Obtaining Temporary Access Keys (AK and SK)
Accessing OBS Through Temporary Authentication
Create a pair of temporary access keys (AK and SK) and a security token to access OBS:
You can obtain temporary access keys and a security token from IAM and then use them to access OBS. In this way, you can issue a third-party application or a sub-user credentials that are valid only for a limited period, instead of handing out an IAM user's permanent keys.
You can obtain the temporary access keys and security token by calling the IAM API Obtaining a Temporary Access Key and Security Token Through a Token.
This API uses the user's token or an agency token to obtain temporary access keys and a security token. The authorization complies with the least privilege principle. To access OBS through temporary authentication, you must use the temporary AK, SK, and security token together: sign the request with the temporary AK/SK and carry the security token in the x-obs-security-token request header. The temporary AK/SK cannot be used without its matching security token.
Temporary access keys have the following advantages over permanent access keys of IAM users:
- Temporary access keys are valid for 15 minutes to 24 hours, so you do not need to expose the permanent access keys of IAM users, which limits the damage a leaked credential can do.
- When obtaining temporary access keys, you can pass policy parameters to further restrict the permissions granted with them, so an IAM user keeps effective control over what it delegates to other users.
For details, see User Signature Authentication.
Permissions of the Temporary Access Keys
When an IAM user calls the IAM API Obtaining a Temporary Access Key and Security Token Through a Token, the user can specify policy parameters to add a temporary policy for the temporary access keys to further restrict the permissions granted to other users. The format and content of a temporary policy are consistent with the IAM policy.
If policy parameters are not specified, no temporary policies are used. The temporary access keys inherit the IAM user's permissions.
If policy parameters are specified, a temporary policy is enabled. Then the temporary access keys confine the granted permissions according to the temporary policy and the IAM user permissions. As shown in the following figure, circle 1 indicates the original permissions of an IAM user, and circle 2 indicates the temporary permissions specified by a temporary policy. The overlapped part 3 is the scope of permissions enabled by the temporary access keys.
Temporary access keys comply with the least privilege principle. Configure the temporary policy within the original permission scope of the IAM user: any permission in the temporary policy that the IAM user does not itself hold is silently dropped, which is the usual reason a permission "enabled" by a temporary policy does not take effect. As illustrated by the figure, the finally effective permissions are the intersection of the IAM user's permissions and the temporary policy.
When a temporary policy is evaluated, Deny statements are checked first and take precedence over any Allow. A permission that the policy does not explicitly allow is denied by default.
Therefore, you only need to list the permissions you want to allow; there is no need to enumerate explicit denials for everything else. An explicit Deny is still useful to carve an exception out of a broad Allow.
Application Scenarios
Temporary access keys are used to authorize third parties to access OBS temporarily. For example, some companies have their own user management systems, which manage device app users and local enterprise users. These users do not have IAM user permissions, so an IAM user can issue temporary access keys to them when they need to access OBS.
Typical application scenario:
A company has a large number of device apps that need to access OBS. Different apps represent different end users who require different access permissions. In this case, temporary access keys can be used to access OBS.
- If the customer's server holds the permanent access keys of an IAM user, the server can send requests to IAM to generate different temporary access keys for different apps.
When an IAM user calls the IAM API Obtaining a Temporary Access Key and Security Token Through a Token, the user can specify policy parameters to add a temporary policy for the temporary access keys. An example is provided as follows:
{
  "auth": {
    "identity": {
      "methods": [ ... ... ],
      "policy": { ... ... }
    }
  }
}
The temporary policy has the same syntax and format as an IAM user policy. For details, see Permissions and Supported Actions.
- IAM generates temporary access keys with different permissions and validity periods based on the passed policy parameters and returns the access keys to the customer server.
- Then the customer server distributes the temporary access keys to device apps that require such permissions.
- A device app uses the temporary access keys to access OBS through OBS SDKs or APIs. Temporary access keys are valid only for a short period and can no longer be used once the validity period ends. If the device app needs to keep using OBS, it should request new temporary access keys from the customer server before the current ones expire.
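The Python below is an added example (not Huawei Cloud SDK code) of the three steps the customer server and the device app perform in this scenario: building the IAM request body with a temporary policy and a duration-seconds value checked against the 15-minute to 24-hour range, signing an OBS request with the temporary AK/SK so that the x-obs-security-token header is part of the signed data, and deciding when to ask for new keys before expiry. The OBS header-signature layout used here (HMAC-SHA1 over the method, Content-MD5, Content-Type, Date, the sorted x-obs-* headers and the resource) is an assumption that should be verified against the User Signature Authentication page; no network call is made and all credentials are placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from typing import Optional

# Validity bounds stated on this page: 15 minutes to 24 hours, in seconds.
MIN_DURATION_SECONDS = 15 * 60
MAX_DURATION_SECONDS = 24 * 60 * 60


def duration_is_valid(duration_seconds: int) -> bool:
    """True when duration-seconds lies within the range IAM accepts for temporary keys."""
    return MIN_DURATION_SECONDS <= duration_seconds <= MAX_DURATION_SECONDS


def build_securitytoken_request(user_token: str, duration_seconds: int,
                                temp_policy: Optional[dict] = None) -> dict:
    """Build the JSON body of the IAM 'Obtaining a Temporary Access Key and Security
    Token Through a Token' call, in the shape of the sample requests on this page.
    The policy object is optional: without it the keys inherit the user's permissions."""
    if not duration_is_valid(duration_seconds):
        raise ValueError(f"duration-seconds must be between {MIN_DURATION_SECONDS} "
                         f"and {MAX_DURATION_SECONDS}")
    identity = {
        "methods": ["token"],
        "token": {"id": user_token, "duration-seconds": duration_seconds},
    }
    if temp_policy is not None:
        identity["policy"] = temp_policy
    return {"auth": {"identity": identity}}


def obs_string_to_sign(method: str, bucket: str, object_key: str, headers: dict,
                       content_md5: str = "", content_type: str = "") -> str:
    """StringToSign of the OBS header signature (assumed layout, see lead-in).
    Every x-obs-* header, including x-obs-security-token, is signed, sorted by
    lowercase name, so the token cannot be swapped without invalidating the signature."""
    canonical_headers = "".join(
        f"{name}:{value.strip()}\n"
        for name, value in sorted((k.lower(), v) for k, v in headers.items()
                                  if k.lower().startswith("x-obs-"))
    )
    canonical_resource = f"/{bucket}/{object_key}"
    return (f"{method}\n{content_md5}\n{content_type}\n{headers['Date']}\n"
            f"{canonical_headers}{canonical_resource}")


def sign_obs_request(ak: str, sk: str, security_token: str, method: str,
                     bucket: str, object_key: str, date_header: str) -> dict:
    """Headers for an OBS request made with temporary credentials: the security token
    travels in x-obs-security-token and the temporary SK signs the request."""
    headers = {"Date": date_header, "x-obs-security-token": security_token}
    string_to_sign = obs_string_to_sign(method, bucket, object_key, headers)
    digest = hmac.new(sk.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha1).digest()
    headers["Authorization"] = f"OBS {ak}:{base64.b64encode(digest).decode('ascii')}"
    return headers


def needs_refresh(expires_at: datetime, now: datetime,
                  margin: timedelta = timedelta(minutes=2)) -> bool:
    """A device app should ask the customer server for new keys before expiry, not after."""
    return now + margin >= expires_at


if __name__ == "__main__":
    # Constructed placeholders: the token id and the AK/SK/security token are not real.
    body = build_securitytoken_request("MIIDkgYJ...placeholder", 900, {
        "Version": "1.1",
        "Statement": [{"Action": ["obs:object:*"],
                       "Resource": ["obs:*:*:object:hi-company/APPClient/APP-1/*"],
                       "Effect": "Allow"}],
    })
    print(json.dumps(body, indent=2))
    now = datetime.now(timezone.utc)
    print(sign_obs_request("TEMP_AK", "TEMP_SK", "TEMP_SECURITY_TOKEN", "GET",
                           "hi-company", "APPClient/APP-1/photo.jpg",
                           format_datetime(now, usegmt=True)))
    print("refresh now?", needs_refresh(now + timedelta(seconds=900), now))
```

The customer server is the only party that ever sees the IAM user's token or permanent keys; the device app receives just the short-lived AK, SK and security token, and the refresh margin keeps it from racing the expiry time.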
Application Cases
In this part, you will learn how to use temporary access keys (with different permissions) to access OBS.
You have an IAM user APPServer that can access the APPClient folder in an OBS bucket. Now you want to apply for two pairs of temporary access keys and assign them to two device apps, APP-1 and APP-2, so that APP-1 can access only files in the APPClient/APP-1 folder while APP-2 can access only files in the APPClient/APP-2 folder. The detailed procedure is as follows:
- Create a bucket and name it hi-company. In this bucket, create the APPClient folder. The folder name must match the Resource path used in the policies below exactly, because object keys are case-sensitive. For details about how to create a folder, see Creating a Folder.
- Create an IAM user APPServer. For details about how to create an IAM user, see Creating an IAM User in the IAM User Guide.
- Set an IAM user policy for the APPServer user. For details, see Introduction to IAM Policy. The policy content is as follows:
{
  "role": {
    "display_name": "policy's name",
    "type": "AX",
    "description": "describe its permissions",
    "description_cn": "",
    "policy": {
      "Version": "1.1",
      "Statement": [
        {
          "Action": [ "obs:object:*" ],
          "Resource": [ "obs:*:*:object:hi-company/APPClient/*" ],
          "Effect": "Allow"
        }
      ]
    }
  }
}
Before configuring an IAM policy, you need to understand what permissions are required. An IAM user only has the permissions defined by the policy. In this example, user APPServer only has full permissions on objects in the APPClient folder.
- The IAM user (APPServer) obtains two pairs of temporary access keys and security tokens for device apps APP-1 and APP-2. To grant different permissions to the temporary access keys, you need to configure temporary policies by adding the policy parameters in the request body. For details, see Obtaining a Temporary Access Key and Security Token Through a Token.
The following are sample requests for obtaining a pair of temporary access keys for each app. In each request, the temporary policy is the policy object under auth.identity; the only difference between the two requests is the Resource prefix.
A sample request for obtaining a pair of temporary access keys for the device app APP-1:
{
  "auth": {
    "identity": {
      "policy": {
        "Version": "1.1",
        "Statement": [
          {
            "Action": [ "obs:object:*" ],
            "Resource": [ "obs:*:*:object:hi-company/APPClient/APP-1/*" ],
            "Effect": "Allow"
          }
        ]
      },
      "token": {
        "duration-seconds": 900,
        "id": "MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALMEXXXXX..."
      },
      "methods": [ "token" ]
    }
  }
}
A sample request for obtaining a pair of temporary access keys for the device app APP-2:
{
  "auth": {
    "identity": {
      "policy": {
        "Version": "1.1",
        "Statement": [
          {
            "Action": [ "obs:object:*" ],
            "Resource": [ "obs:*:*:object:hi-company/APPClient/APP-2/*" ],
            "Effect": "Allow"
          }
        ]
      },
      "token": {
        "duration-seconds": 900,
        "id": "MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALMEXXXXX..."
      },
      "methods": [ "token" ]
    }
  }
}
- After APP-1 and APP-2 have the temporary access keys, they can access OBS through OBS SDKs or APIs. APP-1 can access only files in the APPClient/APP-1 folder, and APP-2 can access only files in the APPClient/APP-2 folder, even though the IAM user APPServer that requested the keys can access both.
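The following Python script is an added example, not code from this page or from Huawei Cloud. It models how the effective permissions of a temporary AK/SK are computed from the APPServer policy and the temporary policies in this application case: deny-first evaluation, implicit deny, and the intersection with the IAM user's own permissions described under Permissions of the Temporary Access Keys. It also goes one step beyond the page by showing a temporary policy that reaches outside APPServer's scope (the permission is dropped) and one that uses an explicit Deny to make APP-1 read-only. The action names obs:object:GetObject and obs:object:DeleteObject, the object resource URNs, and the simplified wildcard matching are assumptions for illustration; this is not the IAM policy engine and ignores conditions and other policy features.

```python
import re
from typing import Optional

# Constructed example data: the APPServer policy from this page and temporary
# policies in the same Resource URN form. Request resources are written in the
# same form as the policies (a simplification for this matcher).
APPSERVER_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["obs:object:*"],
         "Resource": ["obs:*:*:object:hi-company/APPClient/*"],
         "Effect": "Allow"},
    ],
}


def app_policy(app_name: str) -> dict:
    """Temporary policy confining one device app to its own folder (as on this page)."""
    return {
        "Version": "1.1",
        "Statement": [
            {"Action": ["obs:object:*"],
             "Resource": [f"obs:*:*:object:hi-company/APPClient/{app_name}/*"],
             "Effect": "Allow"},
        ],
    }


# Circle 2 larger than circle 1: asks for the whole bucket, which APPServer does not hold.
OVERBROAD_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["obs:object:*"],
         "Resource": ["obs:*:*:object:hi-company/*"],
         "Effect": "Allow"},
    ],
}

# Broad Allow with an explicit Deny carved out: APP-1 may read but never delete.
APP1_READ_ONLY_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["obs:object:*"],
         "Resource": ["obs:*:*:object:hi-company/APPClient/APP-1/*"],
         "Effect": "Allow"},
        {"Action": ["obs:object:DeleteObject"],  # assumed action name
         "Resource": ["obs:*:*:object:hi-company/APPClient/APP-1/*"],
         "Effect": "Deny"},
    ],
}


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match an Action/Resource pattern in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    return (any(_wildcard_match(a, action) for a in stmt.get("Action", []))
            and any(_wildcard_match(r, resource) for r in stmt.get("Resource", ["*"])))


def evaluate(policy: dict, action: str, resource: str) -> bool:
    """Deny-first evaluation: a matching Deny wins, then a matching Allow, else implicit deny."""
    applicable = [s for s in policy.get("Statement", []) if _statement_applies(s, action, resource)]
    if any(s.get("Effect") == "Deny" for s in applicable):
        return False
    return any(s.get("Effect") == "Allow" for s in applicable)


def temporary_key_allows(user_policy: dict, temp_policy: Optional[dict],
                         action: str, resource: str) -> bool:
    """Effective permission of a temporary AK/SK: the IAM user's permissions when no
    temporary policy was passed, otherwise the intersection of user and temporary policy."""
    if temp_policy is None:
        return evaluate(user_policy, action, resource)
    return evaluate(user_policy, action, resource) and evaluate(temp_policy, action, resource)


if __name__ == "__main__":
    app1_obj = "obs:*:*:object:hi-company/APPClient/APP-1/photo.jpg"
    app2_obj = "obs:*:*:object:hi-company/APPClient/APP-2/photo.jpg"
    other_obj = "obs:*:*:object:hi-company/finance/report.csv"
    cases = [
        ("APP-1 keys, APP-1 object", app_policy("APP-1"), "obs:object:GetObject", app1_obj),
        ("APP-1 keys, APP-2 object", app_policy("APP-1"), "obs:object:GetObject", app2_obj),
        ("no temp policy, APP-2 object", None, "obs:object:GetObject", app2_obj),
        ("overbroad policy, other folder", OVERBROAD_POLICY, "obs:object:GetObject", other_obj),
        ("read-only APP-1, GetObject", APP1_READ_ONLY_POLICY, "obs:object:GetObject", app1_obj),
        ("read-only APP-1, DeleteObject", APP1_READ_ONLY_POLICY, "obs:object:DeleteObject", app1_obj),
    ]
    for label, policy, action, resource in cases:
        print(f"{label:32s} -> {temporary_key_allows(APPSERVER_POLICY, policy, action, resource)}")
```

The overbroad case is the one the Permissions section warns about: the temporary policy on its own would allow the finance object, but the temporary keys never get more than APPServer itself holds, so the request is denied and nothing in the temporary policy explains why.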