Help Center/ Object Storage Service/ Best Practices/ Uploading Data to OBS/ Uploading Data from Mobile Apps to OBS/ Using Temporary Security Credentials to Upload Data to OBS and Setting an Upload Callback
Updated on 2025-08-21 GMT+08:00
View PDF
Share

Using Temporary Security Credentials to Upload Data to OBS and Setting an Upload Callback

Scenarios

OBS lets you access resources with temporary security credentials (a temporary AK/SK pair and a security token). You can also configure permissions for the credentials to define which actions are allowed during the access. For details about temporary security credentials, see What Are Temporary Security Credentials?

Mobile app clients can use temporary security credentials with specific permissions configured to directly upload data to OBS and set upload callbacks, as shown in Figure 1. This process does not expose users' permanent AKs/SKs, reducing security risks in the event of account leakage.

Solution Architecture

Figure 1 Process of using temporary security credentials to directly upload data to OBS and setting an upload callback

Role Analysis

  • App client: The end user's mobile app. It requests temporary security credentials from the server, and uploads data to or downloads data from OBS.
  • App server: The backend provided by developers of Android or iOS apps. It manages user accounts and access control, and handles callback requests.
  • OBS: Huawei Cloud's Object Storage Service. It processes data requests from mobile apps.
  • IAM: Huawei Cloud's Identity and Access Management. It generates temporary security credentials.

Workflow

  1. An app client requests temporary security credentials from the app server.
  2. The app server requests temporary security credentials from IAM.
  3. IAM returns the credentials to the app server.
  4. The app server sends the credentials to the app client.
  5. The app client uses the security credentials to upload data to OBS and set callback parameters.
  6. After the upload is complete, OBS sends a callback request to the callback server.
  7. OBS returns the result to the app client.

Prerequisites

You have created a bucket and set its access control to private read/write or public read and private write.

For details, see Creating a Bucket and Creating a Custom Bucket Policy.

Resource Planning

The table below describes the resources that you need in this practice.

Table 1 Resource description

Resource

Description

App client

The end user's mobile app. It requests temporary security credentials from the server, and uploads data to or downloads data from OBS.

App server

The backend provided by developers of Android or iOS apps. It manages user accounts and access control, and handles callback requests.

OBS

Huawei Cloud's Object Storage Service. It processes data requests from mobile apps.

IAM

Huawei Cloud's Identity and Access Management. It generates temporary security credentials.

Procedure

  1. Obtain the OBS SDK and IAM SDK.

    To obtain the OBS SDK, visit SDK Developer Guide.

    To obtain the IAM SDK, visit IAM SDK.

  2. Simulate the app server to request temporary security credentials from IAM and return the credentials.

    The process is as follows:

    1. Obtain the IAM user token.

      If you are using an API, see Obtaining a User Token Through Password Authentication; if you are using an SDK, see SDKs.

    2. Use the token to obtain temporary security credentials (a temporary AK/SK pair and a security token). You need to use the Policy field to specify which actions are allowed by the security credentials.

      If you are using an API, see Obtaining Temporary Access Keys and Security Tokens of an IAM User; if you are using an SDK, see SDKs.

    Example: Obtain the temporary security credentials with a validity period of 900 seconds. The credentials only allow data upload to the APPClient/APP-1/ directory of bucket hi-company.

     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
    		 
    {
    "auth":{
        "identity":{
            "policy":{
                "Version":"1.1",
                "Statement":[
                    {
                        "Action":[
                            "obs:object:PutObject"
                        ],
                        "Resource":[
                            "obs:*:*:object:hi-company/APPClient/APP-1/*"
                        ],
                        "Effect":"Allow"
                    }
                ]
            },
            "token":{
                "duration-seconds":900,
                "id":"MIIDkgYJKoZIhvcNAQcCoIIDgzCCA38CAQExDTALMEXXXXX..."
            },
            "methods":[
                "token"
            ]
        }
    }
}

  3. Initialize the ObsClient.

    Initialization examples:

    • Android 
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
      		 
      String endPoint = "https://your-endpoint";
// Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK before storing them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables. Before running the code in this example, configure environment variables ACCESS_KEY_ID and SECRET_ACCESS_KEY_ID.
// Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
String ak = System.getenv("ACCESS_KEY_ID");
String sk = System.getenv("SECRET_ACCESS_KEY_ID");
String token = System.getenv("Security_Token");

// Create an ObsConfiguration instance.
ObsConfiguration config = new ObsConfiguration();
config.setEndPoint(endPoint);
config.setSocketTimeout(30000);
config.setConnectionTimeout(10000);

// Create an ObsClient instance.
ObsClient obsClient = new ObsClient(ak, sk,token,config); 

// Use the instance to access OBS.

// Close ObsClient.
obsClient.close();
      • endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
      • ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).
    • iOS 
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
      		 
      NSString *endPoint = @"your-endpoint";
// Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK before storing them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
// Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
NSString *SK = getenv("AccessKeyID");
NSString *AK = getenv("SecretAccessKey");
// Initialize identity authentication.
OBSStaticCredentialProvider *credentailProvider = [[OBSStaticCredentialProvider alloc] initWithAccessKey:AK secretKey:SK];
securityTokencredentailProvider.securityToken = @"*** Provide your Security Token ***";
// Initialize service configuration.
OBSServiceConfiguration *conf = [[OBSServiceConfiguration alloc] initWithURLString:endPoint credentialProvider:credentialProvider];
// Perform initialization.
clientOBSClient *client  = [[OBSClient alloc] initWithConfiguration:conf];
      • endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
      • ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).
    • Web JavaScript 
       1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
      		 
      // AMD is not imported. Use the constructor to create an ObsClient instance.
var obsClient = new ObsClient({
       // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK before storing them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
       // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
       access_key_id: process.env.AccessKeyID,
       secret_access_key: process.env.SecretAccessKey,
       security_token: process.env.SecurityToken,
       server : 'https://your-endpoint'
});
// Use the instance to access OBS.

// AMD is imported. Use the injected constructor to create an ObsClient instance.
var obsClient;
define(['ObsClient'], function(ObsClient){
    obsClient = new ObsClient({
        // Hard-coded or plaintext AK and SK are risky. For security purposes, encrypt your AK and SK before storing them in the configuration file or environment variables. In this example, the AK and SK are stored in environment variables. Before running the code in this example, configure environment variables AccessKeyID and SecretAccessKey.
       // Obtain an AK and SK pair on the management console. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-ca/ca_01_0003.html.
        access_key_id: process.env.AccessKeyID,
        secret_access_key: process.env.SecretAccessKey,
        security_token: process.env.SecurityToken,
        server : 'https://your-endpoint'
    });    
    // Use the instance to access OBS.
});
      • endPoint indicates an endpoint, which can be queried from Regions and Endpoints.
      • ak and sk indicate the temporary AK and SK, and token indicates the security token. For details about how to obtain them, see Access Keys (AK/SK).

Parent Topic: Uploading Data from Mobile Apps to OBS