PHP & Laravel: temporary authorization to access OSS through Alibaba Cloud STS


Create a RAM user

Log in to the RAM console with the Alibaba Cloud account (https://ram.console.aliyun.com), create a RAM user (sub-account) with programmatic access, and record its AccessKey ID and AccessKey Secret. This long-lived key stays on the server and is only used to call STS; clients are handed nothing but the temporary credentials STS returns.
Then grant the user the AliyunSTSAssumeRoleAccess system policy, which is what allows it to call STS AssumeRole.

Create a policy

Open https://ram.console.aliyun.com/policies and create a policy. There are many system policies to pick from, but they carry broad permissions; what we need is a custom policy that only allows uploading to (and accessing) the one OSS bucket. The policy below grants nothing but oss:PutObject on the ram-test bucket; if the token must also read objects back, add oss:GetObject explicitly rather than widening the action to oss:*.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:PutObject"
            ],
            "Resource": [
                "acs:oss:*:*:ram-test",
                "acs:oss:*:*:ram-test/*"
            ]
        }
    ]
}

oss:PutObject is the upload permission. Resource ARNs have the form acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}; the first entry names the bucket itself and the second its objects. JSON does not allow comments, so the document must be pasted into the console without any.

RAM Policy overview: https://help.aliyun.com/document_detail/100680.htm
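The difference between a system policy and the custom one above is easy to check mechanically. The following is an added example, not code from the post: a small PHP 8 linter that rejects a RAM policy document granting wildcard actions or touching resources outside the one bucket. The full-access sample is constructed to mirror the shape of a system policy (all OSS actions on every resource); the second sample is the post's own policy with the inline comments removed.

```php
<?php
// Added example (not the post's own code): a linter for RAM policy documents.
// It rejects policies that grant wildcard actions or touch resources outside one
// bucket, so a role meant for uploads to "ram-test" cannot silently be given more.
// Requires PHP 8.0+ (str_starts_with, str_contains). Run with: php policy_lint.php

declare(strict_types=1);

/**
 * Return a list of problems found in $policyJson for a role that should only
 * touch $bucket. An empty array means the policy is scoped as intended.
 */
function policyProblems(string $policyJson, string $bucket): array
{
    $policy = json_decode($policyJson, true, 512, JSON_THROW_ON_ERROR);
    $problems = [];

    foreach ($policy['Statement'] ?? [] as $i => $stmt) {
        // Deny statements only take permissions away; they cannot widen the scope.
        if (($stmt['Effect'] ?? '') !== 'Allow') {
            continue;
        }
        // RAM allows Action and Resource to be a single string or an array.
        $actions   = (array) ($stmt['Action'] ?? []);
        $resources = (array) ($stmt['Resource'] ?? []);

        foreach ($actions as $action) {
            if (str_contains($action, '*')) {
                $problems[] = "Statement $i: wildcard action '$action'";
            } elseif (!str_starts_with($action, 'oss:')) {
                $problems[] = "Statement $i: non-OSS action '$action'";
            }
        }
        foreach ($resources as $resource) {
            // ARN layout from the post: acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}
            $parts = explode(':', $resource, 5);
            if (count($parts) !== 5 || $parts[0] !== 'acs' || $parts[1] !== 'oss') {
                $problems[] = "Statement $i: resource '$resource' is not an OSS ARN";
                continue;
            }
            $target = $parts[4]; // "{bucket_name}" or "{bucket_name}/{object_name}"
            if ($target !== $bucket && !str_starts_with($target, $bucket . '/')) {
                $problems[] = "Statement $i: resource '$resource' is outside bucket '$bucket'";
            }
        }
    }
    return $problems;
}

// Constructed sample 1: the shape of a full-access system policy (every OSS action on every resource).
$fullAccess = '{"Version":"1","Statement":[{"Effect":"Allow","Action":"oss:*","Resource":"*"}]}';

// Sample 2: the custom upload-only policy from the post, without the inline comments
// (JSON does not allow // comments; the RAM console rejects them).
$uploadOnly = <<<'JSON'
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:PutObject"],
            "Resource": ["acs:oss:*:*:ram-test", "acs:oss:*:*:ram-test/*"]
        }
    ]
}
JSON;

foreach (['full-access policy' => $fullAccess, 'custom upload policy' => $uploadOnly] as $name => $json) {
    $problems = policyProblems($json, 'ram-test');
    echo $name, ': ', $problems ? implode('; ', $problems) : 'OK, scoped to ram-test', PHP_EOL;
}
```

The full-access sample is reported twice (wildcard action, resource that is not an OSS ARN); the post's policy passes because both of its resources resolve to the ram-test bucket or a path under it. The same function can run in CI against the policy file you attach to the role, so a later "quick fix" that adds oss:* does not slip through.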

Create a role

Create a RAM role at https://ram.console.aliyun.com/roles: choose Alibaba Cloud account as the trusted entity type, click Next, fill in the role name and description, select the current account as the trusted account, and click Finish. Then click Grant permission for the role, choose Custom policy on the Add permissions page, and attach the policy created in the previous step.
When done, record the role's ARN, which identifies the role to be assumed. Mine is acs:ram::1873038809073736:role/ramoss.

Install the SDK

Install one of the following packages:

composer require alibabacloud/sdk   # the full SDK, covers every product
composer require alibabacloud/sts   # only the STS (temporary authorization) client

Create an aliyun config file (config/aliyun.php in Laravel, read below via config('aliyun.…')):

<?php

return [
    // AccessKey ID and secret of the RAM user created in the first step, loaded from .env
    'access_key_id' => env('ALI_ACCESS_KEY_ID'),
    'access_secret' => env('ALI_ACCESS_SECRET'),
    'region_id' => env('ALI_REGION_ID', 'cn-shenzhen'),
];

Obtain temporary credentials

<?php

use AlibabaCloud\Client\AlibabaCloud;
use AlibabaCloud\Client\Exception\ClientException;
use AlibabaCloud\Client\Exception\ServerException;

// Configure the default client with the RAM user's long-lived key from config/aliyun.php.
AlibabaCloud::accessKeyClient(config('aliyun.access_key_id'), config('aliyun.access_secret'))
    ->regionId(config('aliyun.region_id'))
    ->asDefaultClient();

// Set the parameters and send the AssumeRole request.
try {
    $result = AlibabaCloud::rpc()
        ->product('Sts')
        ->scheme('https') // https | http; keep https so the returned secret never travels in clear
        ->version('2015-04-01')
        ->action('AssumeRole')
        ->method('POST')
        ->host('sts.aliyuncs.com')
        ->options([
            'query' => [
                // A Policy parameter can be added here to narrow the permissions further,
                // see https://help.aliyun.com/document_detail/28763.htm
                'RegionId' => config('aliyun.region_id'),
                'RoleArn' => 'acs:ram::1873038809073736:role/ramoss', // the role ARN recorded above
                // Distinguishes tokens from one another and appears in the audit trail,
                // so use a per-user value for user-level access auditing.
                'RoleSessionName' => 'upload',
            ],
        ])
        ->request();
    return $result->toArray();
} catch (ClientException $e) {
    return $e->getErrorMessage();
} catch (ServerException $e) {
    return $e->getErrorMessage();
}

A successful call returns a response like the one below. Pass the temporary AccessKeyId, AccessKeySecret and SecurityToken to the OSS SDK to upload files; for details see the best practice: https://help.aliyun.com/document_detail/112718.html

{
    "RequestId": "23B396C3-50FF-4036-B2F2-61DE8D31B60E",
    "AssumedRoleUser": {
        "Arn": "acs:ram::1873038809073736:role/ramoss/upload",
        "AssumedRoleId": "325808457925295064:upload"
    },
    "Credentials": {
        "SecurityToken": "CAIS6wF1q6Ft5B2yfSjIr5bjJN75tZwW8aHYZhCEs009eOt8uL/SiDz2IHpJdHFgBe0Zv/4ynmFV7vgelq9uU5tCTECcxX6kG3EQo22beIPkl5Gfz95t0e+IewW6Dxr8w7WhAYHQR8/cffGAck3NkjQJr5LxaTSlWS7OU/TL8+kFCO4aRQ6ldzFLKc5LLw950q8gOGDWKOymP2yB4AOSLjIx6lUn0TgvufzumpLHtUGAtjCglL9J/baWC4O/csxhMK14V9qIx+FsfsLDqnUKtkgSpPsr0/0epG2W44nDX0M/+RyDNPHP4n2XssHc/mlRGoABoyCuIvXt+yVOC0sAzLQyT7HIubO7osqdkT2yc2ZQMHvfuqjCECOo7e44FNFey02xJ97gFJjG9d24V66NLEXmzdqYLj2MeJ4MiRTkUJcqRoDJ6sg80YzmoCQbsOAv3wP2T6pQ+ZLZuDmJUFj5B665N9CfcOLYn8PdLOpTBm+ZkH8=",
        "AccessKeyId": "STS.NUVodMXC7Fc3d65WMhtdPWzyj",
        "AccessKeySecret": "FQaHSnS1k55yMp2rSec9pBTe2NiSdPkDuVSdXieZGMrf",
        "Expiration": "2021-04-15T03:59:36Z"
    }
}

AccessKeyId and AccessKeySecret are the temporary key pair, SecurityToken must accompany every request signed with them, and Expiration is the moment all three stop working. The RoleSessionName chosen above reappears in AssumedRoleUser.Arn, which is what makes per-user auditing possible. The credentials shown here expired at the time given; never publish live STS credentials.
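Two things the AssumeRole call above leaves to the caller are how narrow the token should be and when to stop handing out a cached one. The following is an added example, not code from the post: it builds the optional Policy parameter so that each user's token can only write under its own prefix, refuses user ids that could widen the ARN pattern, and treats credentials as expired a little before the Expiration field says they are. The role ARN and bucket are the post's; the uploads/<userId>/ layout, the 15-minute lifetime and the sample credential values are assumptions for illustration.

```php
<?php
// Added example (not the post's own code): narrow the STS token per user and
// refresh it before it expires. ROLE_ARN and BUCKET come from the post; the
// uploads/<userId>/ layout and the 900 s lifetime are assumptions for illustration.
// Runs offline: php sts_session.php

declare(strict_types=1);

const BUCKET   = 'ram-test';
const ROLE_ARN = 'acs:ram::1873038809073736:role/ramoss';

/**
 * Session policy for the "Policy" query parameter of AssumeRole. STS grants the
 * intersection of the role's policy and this document, so the token can only write
 * under uploads/<userId>/ although the role itself may write anywhere in the bucket.
 */
function buildSessionPolicy(string $userId): string
{
    // $userId is interpolated into an ARN pattern. Anything that could widen the
    // match ('*', '?') or leave the prefix ('/', '..') must be rejected, otherwise a
    // user-controlled id turns a per-user token into a bucket-wide one.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $userId)) {
        throw new InvalidArgumentException("unsafe user id for policy resource: $userId");
    }
    $policy = [
        'Version'   => '1',
        'Statement' => [[
            'Effect'   => 'Allow',
            'Action'   => ['oss:PutObject'],
            'Resource' => ['acs:oss:*:*:' . BUCKET . '/uploads/' . $userId . '/*'],
        ]],
    ];
    return json_encode($policy, JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

/**
 * Query parameters for the AssumeRole request shown in the post, with the session
 * policy and an explicit lifetime. DurationSeconds must be at least 900 and at most
 * the role's maximum session duration; upload tokens should be as short as practical.
 */
function assumeRoleQuery(string $userId, int $durationSeconds = 900): array
{
    if ($durationSeconds < 900) {
        throw new InvalidArgumentException('DurationSeconds must be >= 900');
    }
    return [
        'RoleArn'         => ROLE_ARN,
        'RoleSessionName' => 'upload-' . $userId, // ends up in AssumedRoleUser.Arn, i.e. in the audit trail
        'DurationSeconds' => $durationSeconds,
        'Policy'          => buildSessionPolicy($userId),
    ];
}

/**
 * Decide whether cached STS credentials can still be handed out. The last
 * $marginSeconds before Expiration count as expired, so a client never receives a
 * token that dies in the middle of an upload.
 */
function credentialsUsable(array $credentials, DateTimeImmutable $now, int $marginSeconds = 60): bool
{
    $expires = new DateTimeImmutable($credentials['Expiration']);
    return $expires->getTimestamp() - $now->getTimestamp() > $marginSeconds;
}

// Constructed sample in the shape of the "Credentials" object returned by AssumeRole;
// the values are placeholders, not real keys.
$credentials = [
    'AccessKeyId'     => 'STS.example',
    'AccessKeySecret' => 'example-secret',
    'SecurityToken'   => 'example-token',
    'Expiration'      => '2021-04-15T03:59:36Z',
];

print_r(assumeRoleQuery('user42'));
// Ten minutes before expiry: still usable.
var_dump(credentialsUsable($credentials, new DateTimeImmutable('2021-04-15T03:50:00Z')));
// Thirty-six seconds before expiry: inside the safety margin, request a fresh token instead.
var_dump(credentialsUsable($credentials, new DateTimeImmutable('2021-04-15T03:59:00Z')));

try {
    buildSessionPolicy('user42/../*'); // would escape the per-user prefix and must be rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Splice assumeRoleQuery() into the 'query' array of the request shown earlier; the SDK URL-encodes the Policy JSON for you. The three Credentials fields are then passed together to the OSS SDK client (the OSS PHP SDK's OssClient takes the SecurityToken alongside the key pair), and the server should cache them per user and call credentialsUsable() before reusing them, so AssumeRole is invoked once per lifetime rather than once per upload.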