STS-related interfaces
Last updated: 2025-09-28 10:58:19
STS (Secure Token Service) is a security credential service that can be used to grant access to temporary users. When another user needs short-term access to object storage resources, use the STS service: instead of disclosing the main account's AK/SK, you generate a short-lived access credential and hand it to the user who needs it, avoiding the security risk that a leaked main-account AK/SK would bring.
Initialize the STS service
```cpp
#include <aws/core/Aws.h>
#include <aws/core/auth/AWSCredentials.h>
#include <aws/core/client/ClientConfiguration.h>
#include <aws/sts/STSClient.h>

Aws::String ak = "<your-access-key>";
Aws::String sk = "<your-secret-access-key>";
Aws::String endPoint = "<your-endpoint>";

Aws::SDKOptions options;
Aws::InitAPI(options); // the SDK must be initialised before any client is created

Aws::Auth::AWSCredentials cred(ak, sk);
Aws::Client::ClientConfiguration cfg;
cfg.endpointOverride = endPoint;
cfg.scheme = Aws::Http::Scheme::HTTP; // plain HTTP: the signed request and the returned credentials are not encrypted on the wire
cfg.verifySSL = false;                // certificate verification disabled; use HTTPS with verifySSL = true outside test setups
Aws::STS::STSClient* sts_client = new Aws::STS::STSClient(cred, cfg);
```

Get a temporary token
```cpp
#include <aws/sts/model/AssumeRoleRequest.h>
#include <iostream>

bool GetTemporaryToken(Aws::STS::STSClient* sts_client)
{
    const Aws::String roleArn = "arn:aws:iam:::role/xxxxxx";
    const Aws::String roleSessionName = "<your-session-name>";
    const Aws::String bucket_name = "<your-bucket-name>";
    const Aws::String policy = "{\"Version\":\"2012-10-17\","
        "\"Statement\":"
        "{\"Effect\":\"Allow\","
        "\"Action\":[\"s3:*\"]," // allows every S3 operation; if only uploads are needed, narrow this to PutObject
        "\"Resource\":[\"arn:aws:s3:::" + bucket_name + "\",\"arn:aws:s3:::" + bucket_name + "/*\"]" // allows operations on every object in the default bucket; change this to restrict which objects can be touched
        "}}";
    Aws::STS::Model::AssumeRoleRequest request;
    request.SetPolicy(policy);
    request.SetRoleArn(roleArn);
    request.SetRoleSessionName(roleSessionName);
    std::cout << "policy:" << policy << std::endl;
    Aws::STS::Model::AssumeRoleOutcome outcome = sts_client->AssumeRole(request);
    if (outcome.IsSuccess())
    {
        auto& cred = outcome.GetResult().GetCredentials();
        // The temporary credentials are printed here for demonstration only; hand them to the caller rather than logging them
        std::cout << "ak:" << cred.GetAccessKeyId() << std::endl;
        std::cout << "sk:" << cred.GetSecretAccessKey() << std::endl;
        std::cout << "token:" << cred.GetSessionToken() << std::endl;
        return true;
    }
    else
    {
        auto err = outcome.GetError();
        std::cout << "Error: AssumeRole: " <<
            err.GetExceptionName() << ", " << err.GetMessage() << std::endl;
        return false;
    }
}
```

Request parameters
| Parameter | Type | Description | Required |
|---|---|---|---|
| RoleArn | String | ARN of the role; it can be viewed in the console after the role is created | Yes |
| Policy | String | The role's policy, which must be in JSON format | Yes |
| RoleSessionName | String | Name of the role session | Yes |
| DurationSeconds | Integer | Validity period of the session; defaults to 3600 s | No |
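The `s3:*` policy above grants the temporary user every operation on the whole bucket. As an added example (not code from this page or from the SDK; plain C++ with no SDK dependency), the following builds a least-privilege session policy scoped to one action set and one key prefix, and checks a requested DurationSeconds before the call. The output string is what you would pass to `request.SetPolicy`, and the checked value to `request.SetDurationSeconds`; the 900 s floor and 12 h ceiling are AWS STS limits and are assumed to hold for the service you target, and `roleMaxSeconds` is assumed to be looked up by the caller from the role's configuration.

```cpp
#include <string>
#include <vector>

// Characters that must never appear in a bucket name or key prefix that is
// spliced into a policy: quotes and backslashes would break the JSON, and
// wildcards would silently widen the Resource ARN.
bool isSafeArnComponent(const std::string& s) {
    for (char c : s) {
        if (c == '"' || c == '\\' || c == '*' || c == '?') return false;
    }
    return true;
}

// Build a scoped-down session policy for AssumeRole. Unlike "s3:*" on the
// whole bucket, it grants only the listed actions on objects under one
// prefix, so leaked temporary credentials cannot touch anything else.
// Returns an empty string if the inputs are unsafe or no action is given.
std::string buildSessionPolicy(const std::string& bucket,
                               const std::string& prefix,
                               const std::vector<std::string>& actions) {
    if (!isSafeArnComponent(bucket) || !isSafeArnComponent(prefix) || actions.empty()) {
        return "";
    }
    std::string actionList;
    for (size_t i = 0; i < actions.size(); ++i) {
        if (i > 0) actionList += ",";
        actionList += "\"" + actions[i] + "\"";
    }
    // Statement is written as an array, the form every IAM-style evaluator accepts.
    return "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
           "\"Action\":[" + actionList + "],"
           "\"Resource\":[\"arn:aws:s3:::" + bucket + "/" + prefix + "*\"]}]}";
}

// AWS STS accepts DurationSeconds from 900 s up to the role's configured
// maximum session duration, which itself cannot exceed 12 hours (43200 s).
// roleMaxSeconds is assumed to be obtained by the caller from the role.
bool durationSecondsIsValid(int requested, int roleMaxSeconds) {
    if (roleMaxSeconds < 900 || roleMaxSeconds > 43200) return false;
    return requested >= 900 && requested <= roleMaxSeconds;
}
```

With `{"s3:PutObject"}` and the prefix `uploads/`, the resulting credentials can only upload under that prefix; a request outside the allowed DurationSeconds range is rejected by the service, so checking it locally turns a confusing remote error into an early one.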