On this page

Show all

Help Center/ Object Storage Service/ Best Practices/ Uploading Data to OBS/ Uploading Data from Mobile Apps to OBS/ Using a Temporary Security Credential to Upload Data to OBS

Using a Temporary Security Credential to Upload Data to OBS

Updated on 2024-10-17 GMT+08:00

View PDF

Solution Architecture

Upload data from your apps to OBS or download your data from OBS. Figure 1 describes the process.

OBS allows you to use a temporary security credential (temporary AK/SK pair and security token) for access. In addition, you can configure permissions for the credential to specify what actions are allowed during the access with the credential used. To learn more, see What Are Temporary Access Keys?

Mobile apps can use temporary security credentials with specific permissions configured to directly upload data to OBS. This process does not expose users' permanent access keys, reducing security risks in the case of account leakage.

Figure 1 Process of using temporary security credentials to directly upload data to OBS

Role Analysis

App client: End user's mobile app. It requests a temporary security credential from the server, and uploads data to or downloads data from OBS.
App server: A backend provided by developers of Android or iOS apps. It manages user accounts and authorization.
OBS: Huawei Cloud's object storage service. It processes requests from mobile apps.
IAM: Huawei Cloud's Identity and Access Management. It generates temporary security credentials.

Workflow

An app client requests a temporary security credential from the app server.
The app server requests the temporary security credential from IAM.
IAM returns the credential to the app server.
The app server sends the credential to the app client.
The app client uses the security credential to upload data to and download data from OBS.

Prerequisites

You have created a bucket and set its access control to private read/write or public read and private write.

For details, see Creating a Bucket and Creating a Custom Bucket Policy.

Resource and Cost Planning

The table below describes the resources that you need in this practice.

**Table 1** Resource description
Resource	Description
App client	End user's mobile app. It requests a temporary security credential from the server, and uploads data to or downloads data from OBS.
App server	A backend provided by developers of Android or iOS apps. It manages user accounts and authorization.
OBS	Huawei Cloud's object storage service that processes requests from mobile apps.
IAM	Huawei Cloud's identity and access management service that generates temporary security credentials.

Procedure

Obtain the OBS SDK and IAM SDK.

To obtain the OBS SDK, visit SDK Developer Guide.

To obtain the IAM SDK, visit IAM SDK.

Simulate the app server to request a temporary security credential from IAM.

The process is as follows:

Obtain the user's IAM token.
For details, see Obtaining a User Token Through Password Authentication or SDKs.
Use a token to obtain a temporary security credential (temporary AK/SK pair and security token). You need to use the Policy field to specify what actions are allowed by the security credential.
For details, see Obtaining Temporary Access Keys and SecurityToken Through a Token or SDKs.

Example: Obtain a temporary security credential whose validity period is 900 seconds. This credential allows you to upload data to only the APPClient/APP-1/ directory of bucket hi-company.

       
        
          
          {
    "auth":{
        "identity":{
            "policy":{
                "Version":"1.1",
                "Statement":[
                    {
                        "Action":[
                            "obs:object:PutObject"
                        ],
                        "Resource":[
                            "obs:*:*:object:hi-company/APPClient/APP-1/*"
                        ],
                        "Effect":"Allow"
                    }
                ]
            },
            "token":{
                "duration-seconds":900,
                "id":"MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALMEXXXXX..."
            },
            "methods":[
                "token"
            ]
        }
    }
}

         

       
      

Initialize the ObsClient.

Initialization examples:

Android

         
            String endPoint = "https://your-endpoint";
// Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables ACCESS_KEY_ID and SECRET_ACCESS_KEY_ID.
// Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
String ak = System.getenv("ACCESS_KEY_ID");
String sk = System.getenv("SECRET_ACCESS_KEY_ID");
String token = System.getenv("Security_Token");

// Create an ObsConfiguration instance.
ObsConfiguration config = new ObsConfiguration();
config.setEndPoint(endPoint);
config.setSocketTimeout(30000);
config.setConnectionTimeout(10000);

// Create an ObsClient instance.
ObsClient obsClient = new ObsClient(ak, sk,token,config); 

// Use the instance to access OBS.

// Close ObsClient.
obsClient.close();

NOTE:

endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).

iOS

         
          
            
            NSString *endPoint = @"your-endpoint";
// Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
// Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
NSString *SK = getenv("AccessKeyID");
NSString *AK = getenv("SecretAccessKey");
// Initialize identity authentication.
OBSStaticCredentialProvider *credentailProvider = [[OBSStaticCredentialProvider alloc] initWithAccessKey:AK secretKey:SK];
securityTokencredentailProvider.securityToken = @"*** Provide your Security Token ***";
// Initialize service configuration.
OBSServiceConfiguration *conf = [[OBSServiceConfiguration alloc] initWithURLString:endPoint credentialProvider:credentialProvider];
// Perform initialization.
clientOBSClient *client  = [[OBSClient alloc] initWithConfiguration:conf];

           

         
        

NOTE:

endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).

web js

         
          
            
            // AMD is not imported. Use the constructor to create an ObsClient instance.
var obsClient = new ObsClient({
       // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
       // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
       access_key_id: process.env.AccessKeyID,
       secret_access_key: process.env.SecretAccessKey,
       security_token: process.env.SecurityToken,
       server : 'https://your-endpoint'
});
// Use the instance to access OBS.

// AMD is imported. Use the injected constructor to create an ObsClient instance.
var obsClient;
define(['ObsClient'], function(ObsClient){
    obsClient = new ObsClient({
       // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK and store them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables for identity authentication. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
       // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
        access_key_id: process.env.AccessKeyID,
        secret_access_key: process.env.SecretAccessKey,
        security_token: process.env.SecurityToken,
        server : 'https://your-endpoint'
    });    
    // Use the instance to access OBS.
});

           

         
        

NOTE:

endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).

Parent Topic: Uploading Data from Mobile Apps to OBS

Previous topic: Overview

Next topic: Using a Presigned URL to Upload Data to OBS

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot