Create a sub-account
Log in to the RAM console with the cloud (root) account at https://ram.console.aliyun.com and create a sub-account (RAM user) with programmatic access. Record its AccessKey ID and AccessKey Secret.
Attach the AliyunSTSAssumeRoleAccess system policy to this user. It grants sts:AssumeRole, which is the only permission the sub-account itself needs: the OSS permissions come from the role it will assume, so the long-lived AccessKey never carries any OSS rights of its own.
Create a policy
Go to https://ram.console.aliyun.com/policies and create a policy. The console offers many system policies, but they all carry fairly broad permissions; what we want is a custom policy that only allows uploading objects to a single OSS bucket.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:PutObject"
      ],
      "Resource": [
        "acs:oss:*:*:ram-test",
        "acs:oss:*:*:ram-test/*"
      ]
    }
  ]
}
oss:PutObject is the upload permission. Each Resource entry follows the pattern acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}; the first entry names the bucket ram-test itself and the second matches every object under it. Comments are not allowed in the policy JSON, so paste it into the console exactly as above.
RAM Policy overview: https://help.aliyun.com/document_detail/100680.htm
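Before attaching a custom policy it is worth checking mechanically that it stays as narrow as intended. The following is an added example, not code from the original post or from Alibaba Cloud: a small PHP function that walks the Statement array and flags wildcard actions, resources that are not scoped to a single bucket, and statements without a Condition block. The two policy strings are the post's own policy and a constructed over-broad variant of the kind a system policy would grant.

```php
<?php
// Added example (not from the original post): lint a RAM policy before attaching it.
// Only the policy shape used in the post (Version/Statement/Effect/Action/Resource) is handled.

function policyFindings(string $policyJson): array
{
    $policy = json_decode($policyJson, true);
    if (!is_array($policy) || !isset($policy['Statement']) || !is_array($policy['Statement'])) {
        return ['policy is not valid JSON with a Statement array'];
    }
    $findings = [];
    foreach ($policy['Statement'] as $i => $stmt) {
        if (($stmt['Effect'] ?? '') !== 'Allow') {
            continue; // Deny statements only remove access, so they cannot over-grant
        }
        foreach ((array) ($stmt['Action'] ?? []) as $action) {
            if ($action === '*' || substr($action, -1) === '*') {
                $findings[] = "statement $i: wildcard action '$action'";
            }
        }
        foreach ((array) ($stmt['Resource'] ?? []) as $res) {
            // acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}
            $parts = explode(':', $res, 5);
            if ($res === '*' || count($parts) < 5) {
                $findings[] = "statement $i: resource '$res' is not bucket-scoped";
                continue;
            }
            $bucket = explode('/', $parts[4], 2)[0];
            if ($bucket === '*' || $bucket === '') {
                $findings[] = "statement $i: resource '$res' matches every bucket";
            }
        }
        if (!isset($stmt['Condition'])) {
            // Not an error, but worth knowing: nothing (source IP, TLS, time) further narrows this grant.
            $findings[] = "statement $i: no Condition block";
        }
    }
    return $findings;
}

// The policy from the post: one action, scoped to the bucket ram-test.
$postPolicy = '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:PutObject"],'
    . '"Resource":["acs:oss:*:*:ram-test","acs:oss:*:*:ram-test/*"]}]}';
// A constructed over-broad variant: every OSS action on every bucket.
$broadPolicy = '{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:*"],"Resource":["acs:oss:*:*:*"]}]}';

print_r(policyFindings($postPolicy));  // only "statement 0: no Condition block"
print_r(policyFindings($broadPolicy)); // wildcard action, every-bucket resource, no Condition block
```

The "no Condition block" finding is informational: the post's policy is already bucket-scoped, and whether a source-IP or TLS condition is worth adding depends on where the uploads come from.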
Create a role
Go to https://ram.console.aliyun.com/roles and create a RAM role. Select "Alibaba Cloud account" as the trusted entity type, click Next, fill in the role name and a note, choose the current cloud account as the trusted account, and click Finish. Then click "Grant permission", choose "Custom policy" on the add-permission page, and attach the policy created above.
Choosing the current account as the trusted entity produces a trust policy whose principal is the whole account (acs:ram::<account-id>:root), so any RAM user in the account that holds sts:AssumeRole can assume this role. If only the upload service should be able to assume it, edit the role's trust policy and replace that principal with the sub-account itself, acs:ram::<account-id>:user/<user-name>.
When done, record the role's ARN; this is the identifier of the role to be assumed. Mine is acs:ram::1873038809073736:role/ramoss.
Install the SDK
Pick one of the two packages below to install:
composer require alibabacloud/sdk    (this package contains the API of every product)
composer require alibabacloud/sts    (this package contains only the STS API)
Create an aliyun config file (config/aliyun.php in a Laravel project). The keys are read from .env so they never end up in source control:
<?php
return [
    'access_key_id' => env('ALI_ACCESS_KEY_ID'), // AccessKey ID of the sub-account created in step one
    'access_secret' => env('ALI_ACCESS_SECRET'), // its AccessKey Secret
    'region_id'     => env('ALI_REGION_ID', 'cn-shenzhen'),
];
Obtain temporary credentials
use AlibabaCloud\Client\AlibabaCloud;
use AlibabaCloud\Client\Exception\ClientException;
use AlibabaCloud\Client\Exception\ServerException;

// Sign with the sub-account's long-lived key; the only thing it can do is call sts:AssumeRole.
AlibabaCloud::accessKeyClient(config('aliyun.access_key_id'), config('aliyun.access_secret'))
    ->regionId(config('aliyun.region_id'))
    ->asDefaultClient();
// Set the parameters and send the request.
try {
    $result = AlibabaCloud::rpc()
        ->product('Sts')
        ->scheme('https') // https | http; keep https, the response carries a secret
        ->version('2015-04-01')
        ->action('AssumeRole')
        ->method('POST')
        ->host('sts.aliyuncs.com')
        ->options([
            'query' => [
                // A Policy parameter can also be added here to narrow the permissions further
                // (it can only restrict the role's policy, never extend it); see https://help.aliyun.com/document_detail/28763.htm
                'RegionId' => config('aliyun.region_id'),
                'RoleArn' => "acs:ram::1873038809073736:role/ramoss", // the role ARN recorded above
                'RoleSessionName' => "upload", // distinguishes tokens; it appears in the assumed-role ARN, so it can carry a user id for per-user access auditing
            ],
        ])
        ->request();
    return $result->toArray();
} catch (ClientException $e) {
    return $e->getErrorMessage();
} catch (ServerException $e) {
    return $e->getErrorMessage();
}
Use the temporary credentials obtained this way to upload files to OSS; see the best-practice guide: https://help.aliyun.com/document_detail/112718.html. The response below contains the temporary AccessKeySecret and SecurityToken: hand them only to the client that will perform the upload, do not write them to logs, and expect them to stop working at the Expiration time. The call returns:
{
  "RequestId": "23B396C3-50FF-4036-B2F2-61DE8D31B60E",
  "AssumedRoleUser": {
    "Arn": "acs:ram::1873038809073736:role/ramoss/upload",
    "AssumedRoleId": "325808457925295064:upload"
  },
  "Credentials": {
    "SecurityToken": "CAIS6wF1q6Ft5B2yfSjIr5bjJN75tZwW8aHYZhCEs009eOt8uL/SiDz2IHpJdHFgBe0Zv/4ynmFV7vgelq9uU5tCTECcxX6kG3EQo22beIPkl5Gfz95t0e+IewW6Dxr8w7WhAYHQR8/cffGAck3NkjQJr5LxaTSlWS7OU/TL8+kFCO4aRQ6ldzFLKc5LLw950q8gOGDWKOymP2yB4AOSLjIx6lUn0TgvufzumpLHtUGAtjCglL9J/baWC4O/csxhMK14V9qIx+FsfsLDqnUKtkgSpPsr0/0epG2W44nDX0M/+RyDNPHP4n2XssHc/mlRGoABoyCuIvXt+yVOC0sAzLQyT7HIubO7osqdkT2yc2ZQMHvfuqjCECOo7e44FNFey02xJ97gFJjG9d24V66NLEXmzdqYLj2MeJ4MiRTkUJcqRoDJ6sg80YzmoCQbsOAv3wP2T6pQ+ZLZuDmJUFj5B665N9CfcOLYn8PdLOpTBm+ZkH8=",
    "AccessKeyId": "STS.NUVodMXC7Fc3d65WMhtdPWzyj",          // temporary AccessKeyId
    "AccessKeySecret": "FQaHSnS1k55yMp2rSec9pBTe2NiSdPkDuVSdXieZGMrf", // temporary AccessKeySecret
    "Expiration": "2021-04-15T03:59:36Z"                    // expiry time (UTC)
  }
}
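Putting the pieces together, here is an added example that is not code from the original post or from the Alibaba Cloud SDKs themselves. It combines the policy section, the AssumeRole call and the upload step above: it passes the Policy parameter so the temporary credentials can write only under a per-user prefix of the bucket, requests the shortest session STS allows, checks the Expiration before use, and then uploads through the OSS PHP SDK with the temporary key pair and SecurityToken. It assumes the composer packages alibabacloud/sdk and aliyun/aliyun-oss-php-sdk, credentials in the same ALI_* environment variables the config file reads, the role ARN recorded above, and (as an assumption) that the bucket ram-test lives in cn-shenzhen; the user id and file content are constructed sample input.

```php
<?php
// Added example (not from the original post): AssumeRole with a per-user session policy,
// then upload with the temporary credentials. Assumes:
//   composer require alibabacloud/sdk aliyun/aliyun-oss-php-sdk
//   ALI_ACCESS_KEY_ID / ALI_ACCESS_SECRET / ALI_REGION_ID in the environment
require __DIR__ . '/vendor/autoload.php';

use AlibabaCloud\Client\AlibabaCloud;
use AlibabaCloud\Client\Exception\ClientException;
use AlibabaCloud\Client\Exception\ServerException;
use OSS\Core\OssException;
use OSS\OssClient;

const ROLE_ARN     = 'acs:ram::1873038809073736:role/ramoss';       // from the "Create a role" step
const BUCKET       = 'ram-test';                                      // bucket named in the policy
const OSS_ENDPOINT = 'https://oss-cn-shenzhen.aliyuncs.com';          // assumption: bucket region
const STS_HOST     = 'sts.aliyuncs.com';

// Session policy that narrows the role's policy to one user's prefix. STS intersects it with the
// role policy, so it can only remove permissions, never add any.
function sessionPolicyForUser(string $userId): string
{
    // The user id is interpolated into a Resource ARN: reject anything that could escape the
    // prefix or introduce a wildcard ('*', '?', '/', whitespace).
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $userId)) {
        throw new InvalidArgumentException('invalid user id for session policy');
    }
    return json_encode([
        'Version'   => '1',
        'Statement' => [[
            'Effect'   => 'Allow',
            'Action'   => ['oss:PutObject'],
            'Resource' => ['acs:oss:*:*:' . BUCKET . '/uploads/' . $userId . '/*'],
        ]],
    ]);
}

function assumeUploadRole(string $userId, int $ttlSeconds = 900): array
{
    AlibabaCloud::accessKeyClient(getenv('ALI_ACCESS_KEY_ID'), getenv('ALI_ACCESS_SECRET'))
        ->regionId(getenv('ALI_REGION_ID') ?: 'cn-shenzhen')
        ->asDefaultClient();

    $result = AlibabaCloud::rpc()
        ->product('Sts')
        ->scheme('https')
        ->version('2015-04-01')
        ->action('AssumeRole')
        ->method('POST')
        ->host(STS_HOST)
        ->options(['query' => [
            'RoleArn'         => ROLE_ARN,
            'RoleSessionName' => 'upload-' . $userId,   // shows up in AssumedRoleUser.Arn and audit logs
            'Policy'          => sessionPolicyForUser($userId),
            'DurationSeconds' => $ttlSeconds,            // 900 is the minimum STS accepts
        ]])
        ->request();

    return $result->toArray()['Credentials'];
}

function uploadWithTemporaryCredentials(array $creds, string $userId, string $objectKey, string $content): void
{
    // Refuse credentials that are already past Expiration (cached token, clock skew).
    $expires = new DateTimeImmutable($creds['Expiration']);
    if ($expires <= new DateTimeImmutable('now', new DateTimeZone('UTC'))) {
        throw new RuntimeException('temporary credentials expired at ' . $creds['Expiration']);
    }
    // The STS token must be passed alongside the temporary key pair or OSS rejects the request.
    $client = new OssClient($creds['AccessKeyId'], $creds['AccessKeySecret'], OSS_ENDPOINT, false, $creds['SecurityToken']);
    $client->putObject(BUCKET, 'uploads/' . $userId . '/' . $objectKey, $content);
}

try {
    $userId = 'user42';                                   // constructed sample user
    $creds  = assumeUploadRole($userId);
    uploadWithTemporaryCredentials($creds, $userId, 'hello.txt', "constructed sample content\n");
    // Writing outside this user's prefix is denied by the session policy even though the role
    // policy allows PutObject on the whole bucket, e.g.:
    // uploadWithTemporaryCredentials($creds, 'other', 'x.txt', '...');  // OssException: AccessDenied
} catch (ClientException | ServerException $e) {
    fwrite(STDERR, 'STS: ' . $e->getErrorMessage() . PHP_EOL);
} catch (OssException $e) {
    fwrite(STDERR, 'OSS: ' . $e->getMessage() . PHP_EOL);
}
```

In a Laravel app the getenv() calls would be the config('aliyun.*') lookups from the config file above. The point of the session policy is that the same role can serve every user while each token can only write under its own prefix; the role policy remains the outer bound, so a bug in the session policy can never grant more than oss:PutObject on ram-test.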