Help Center> Object Storage Service> Best Practices> Uploading Data from Mobile Apps to OBS> Using a Temporary Security Credential to Upload Data to OBS
Updated on 2024-03-25 GMT+08:00

Using a Temporary Security Credential to Upload Data to OBS

Solution Architecture

Upload data from your apps to OBS or download your data from OBS. Figure 1 describes the process.

OBS allows you to use a temporary security credential (temporary AK/SK pair and security token) for access. In addition, you can configure permissions for the credential to specify what actions are allowed during the access with the credential used. To learn more, see What Are Temporary Access Keys?

Mobile apps can use temporary security credentials with specific permissions configured to directly upload data to OBS. This process does not expose users' permanent access keys, reducing security risks in the case of account leakage.

Figure 1 Process of using temporary security credentials to directly upload data to OBS

Role Analysis

  • App client: End user's mobile app. It requests a temporary security credential from the server, and uploads data to or downloads data from OBS.
  • App server: A backend provided by developers of Android or iOS apps. It manages user accounts and authorization.
  • OBS: Huawei Cloud's object storage service. It processes requests from mobile apps.
  • IAM: Huawei Cloud's Identity and Access Management. It generates temporary security credentials.

Workflow

  1. An app client requests a temporary security credential from the app server.
  2. The app server requests the temporary security credential from IAM.
  3. IAM returns the credential to the app server.
  4. The app server sends the credential to the app client.
  5. The app client uses the security credential to upload data to and download data from OBS.

Prerequisites

You have created a bucket and set its access control to private read/write or public read and private write.

For details, see Creating a Bucket and Creating a Custom Bucket Policy.

Resource and Cost Planning

The table below describes the resources that you need in this practice.

Table 1 Resource description

Resource

Description

App client

End user's mobile app. It requests a temporary security credential from the server, and uploads data to or downloads data from OBS.

App server

A backend provided by developers of Android or iOS apps. It manages user accounts and authorization.

OBS

Huawei Cloud's object storage service that processes requests from mobile apps.

IAM

Huawei Cloud's identity and access management service that generates temporary security credentials.

Procedure

  1. Obtain the OBS SDK and IAM SDK.

    To obtain the OBS SDK, visit SDK Developer Guide.

    To obtain the IAM SDK, visit IAM SDK.

  2. Simulate the app server to request a temporary security credential from IAM.

    The process is as follows:

    1. Obtain the user's IAM token.

      For details, see Obtaining a User Token Through Password Authentication or SDKs.

    2. Use a token to obtain a temporary security credential (temporary AK/SK pair and security token). You need to use the Policy field to specify what actions are allowed by the security credential.

      For details, see Obtaining Temporary Access Keys and SecurityToken Through a Token or SDKs.

    Example: Obtain a temporary security credential whose validity period is 900 seconds. This credential allows you to upload data to only the APPClient/APP-1/ directory of bucket hi-company.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    {
        "auth":{
            "identity":{
                "policy":{
                    "Version":"1.1",
                    "Statement":[
                        {
                            "Action":[
                                "obs:object:PutObject"
                            ],
                            "Resource":[
                                "obs:*:*:object:hi-company/APPClient/APP-1/*"
                            ],
                            "Effect":"Allow"
                        }
                    ]
                },
                "token":{
                    "duration-seconds":900,
                    "id":"MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALMEXXXXX..."
                },
                "methods":[
                    "token"
                ]
            }
        }
    }
    

  3. Initialize the ObsClient.

    Initialization examples:

    • Android
       1
       2
       3
       4
       5
       6
       7
       8
       9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      String endPoint = "https://your-endpoint";
      // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables ACCESS_KEY_ID and SECRET_ACCESS_KEY_ID.
      // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
      String ak = System.getenv("ACCESS_KEY_ID");
      String sk = System.getenv("SECRET_ACCESS_KEY_ID");
      String token = System.getenv("Security_Token");
      
      // Create an ObsConfiguration instance.
      ObsConfiguration config = new ObsConfiguration();
      config.setEndPoint(endPoint);
      config.setSocketTimeout(30000);
      config.setConnectionTimeout(10000);
      
      // Create an ObsClient instance.
      ObsClient obsClient = new ObsClient(ak, sk,token,config); 
      
      // Use the instance to access OBS.
      
      // Close ObsClient.
      obsClient.close();
      
      • endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
      • ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).
    • iOS
       1
       2
       3
       4
       5
       6
       7
       8
       9
      10
      11
      12
      NSString *endPoint = @"your-endpoint";
      // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
      // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
      NSString *SK = getenv("AccessKeyID");
      NSString *AK = getenv("SecretAccessKey");
      // Initialize identity authentication.
      OBSStaticCredentialProvider *credentailProvider = [[OBSStaticCredentialProvider alloc] initWithAccessKey:AK secretKey:SK];
      securityTokencredentailProvider.securityToken = @"*** Provide your Security Token ***";
      // Initialize service configuration.
      OBSServiceConfiguration *conf = [[OBSServiceConfiguration alloc] initWithURLString:endPoint credentialProvider:credentialProvider];
      // Perform initialization.
      clientOBSClient *client  = [[OBSClient alloc] initWithConfiguration:conf];
      
      • endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
      • ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).
    • web js
       1
       2
       3
       4
       5
       6
       7
       8
       9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      22
      23
      24
      // AMD is not imported. Use the constructor to create an ObsClient instance.
      var obsClient = new ObsClient({
             // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
             // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
             access_key_id: process.env.AccessKeyID,
             secret_access_key: process.env.SecretAccessKey,
             security_token: process.env.SecurityToken,
             server : 'https://your-endpoint'
      });
      // Use the instance to access OBS.
      
      // AMD is imported. Use the injected constructor to create an ObsClient instance.
      var obsClient;
      define(['ObsClient'], function(ObsClient){
          obsClient = new ObsClient({
             // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
              // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
              access_key_id: process.env.AccessKeyID,
              secret_access_key: process.env.SecretAccessKey,
              security_token: process.env.SecurityToken,
              server : 'https://your-endpoint'
          });    
          // Use the instance to access OBS.
      });
      
      • endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
      • ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).