STS即Secure Token Service 是一种安全凭证服务，可以使用STS来完成对于临时用户的访问授权。对于跨用户短期访问对象存储资源时，可以使用STS服务。这样就不需要透露主账号AK/SK，只需要生成一个短期访问凭证给需要的用户使用即可，避免主账号AK/SK泄露带来的安全风险。

初始化STS服务

var config = {
    accessKeyId: "<your-access-key>",
    secretAccessKey: "<your-secret-access-key>",
    endpoint: "<your-endpoint>",
    region: "ctyun",// region固定填ctyun
};
var stsClient = new AWS.STS(config);

获取临时token

var params = {
    Policy: `{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::<your-bucket>","arn:aws:s3:::<your-bucket>/*"]}}`,
    RoleArn: "arn:aws:iam:::role/<your-role>",
    RoleSessionName: "<your-role-session-name>",
    DurationSeconds: 900, // 过期时间
}
stsClient.assumeRole(params, function (err, data) {
    if (err) {
        console.log("Error", err);
    } else {
        console.log("Success", data);
    }
});

请求参数

Policy设置例子

• 允许所有的操作

{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::<your-bucket-name>","arn:aws:s3:::<your-bucket-name>/*"]}}

• 限制只能上传和下载

{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:PutObject","s3:GetObject"],"Resource":["arn:aws:s3:::<your-bucket-name>","arn:aws:s3:::<your-bucket-name>/*"]}}

• 使用分片上传

{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["s3:PutObject","s3:AbortMultipartUpload","s3:ListBucketMultipartUploads","s3:ListMultipartUploadParts"],"Resource":["arn:aws:s3:::<your-bucket-name>","arn:aws:s3:::<your-bucket-name>/*"]}}

• 其他常见操作权限：

  • 上传权限：s3:PutObject

  • 下载权限：s3:GetObject

  • 删除权限：s3:DeleteObject

  • 获取列表权限：s3:ListBucket

更多权限可参考：桶策略。

使用临时token

let S3Demo = {
    credentials: {
        accessKeyId: "<your-access-key>",
        secretAccessKey: "<your-secret-access-key>",
        sessionToken: "<your-session-token>",
    },
    s3Client: null,
​
    // 初始化s3Client
    init: function () {
        let config = {
            credentials: this.credentials,
            endpoint: "<your-endpoint>",
        };
        this.s3Client = new AWS.S3(config);
    },
}