Log in to the RAM console with your Alibaba Cloud account: https://ram.console.aliyun.com. Create a RAM user (sub-account) that is allowed programmatic access, and record its AccessKey ID and AccessKey Secret. This is a long-term credential: it stays on the server and is never handed to a client.
Attach the AliyunSTSAssumeRoleAccess permission to this user. Note that this system policy grants sts:AssumeRole on every role in the account (Resource "*"); if the user should only be able to assume the upload role created below, attach a custom policy instead whose Resource is that role's ARN.
Go to https://ram.console.aliyun.com/policies and create a policy. The system policies listed there carry fairly broad permissions; we need a custom policy that only allows uploading objects to OSS. The Resource format is acs:oss:{region}:{bucket_owner}:{bucket_name}/{object_name}; the two entries below cover the bucket ram-test and the objects under it, and oss:PutObject is the upload permission:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:PutObject"
      ],
      "Resource": [
        "acs:oss:*:*:ram-test",
        "acs:oss:*:*:ram-test/*"
      ]
    }
  ]
}
```
RAM Policy overview: https://help.aliyun.com/document_detail/100680.htm
Go to https://ram.console.aliyun.com/roles and create a RAM role: choose "Alibaba Cloud account" as the trusted entity type, click Next, fill in the role name and description, choose the current account as the trusted account, and click Finish. Then click "Grant permission", and on the Add permissions page choose custom policies and add the policy we just created.
When done, record the role's ARN, which is the identifier of the role to be assumed. Mine is acs:ram::1873038809073736:role/ramoss.
Install one of the following packages:

```bash
composer require alibabacloud/sdk   # this package contains every product's API
composer require alibabacloud/sts   # this package only contains the STS (AssumeRole) API
```
Create an aliyun config file (config/aliyun.php in a Laravel project), reading the RAM user's AccessKey ID and Secret from the first step out of the environment rather than committing them:

```php
<?php

return [
    'access_key_id' => env('ALI_ACCESS_KEY_ID'),       // AccessKey ID of the RAM user created in step one
    'access_secret' => env('ALI_ACCESS_SECRET'),       // AccessKey Secret of that RAM user
    'region_id'     => env('ALI_REGION_ID', 'cn-shenzhen'),
];
```
Create the client from that config, then call AssumeRole (config() is the Laravel helper; the three use statements come from the alibabacloud/client package that both SDK packages depend on):

```php
<?php

use AlibabaCloud\Client\AlibabaCloud;
use AlibabaCloud\Client\Exception\ClientException;
use AlibabaCloud\Client\Exception\ServerException;

AlibabaCloud::accessKeyClient(config('aliyun.access_key_id'), config('aliyun.access_secret'))
    ->regionId(config('aliyun.region_id'))
    ->asDefaultClient();

// Set the parameters and send the request.
try {
    $result = AlibabaCloud::rpc()
        ->product('Sts')
        ->scheme('https')        // https | http
        ->version('2015-04-01')
        ->action('AssumeRole')
        ->method('POST')
        ->host('sts.aliyuncs.com')
        ->options([
            'query' => [
                // A Policy parameter can also be added here to narrow the permissions
                // further; see https://help.aliyun.com/document_detail/28763.htm
                'RegionId'        => config('aliyun.region_id'),
                'RoleArn'         => "acs:ram::1873038809073736:role/ramoss", // role ARN
                'RoleSessionName' => "upload", // distinguishes different tokens; use it for per-user access auditing
            ],
        ])
        ->request();
    return $result->toArray();
} catch (ClientException $e) {
    return $e->getErrorMessage();
} catch (ServerException $e) {
    return $e->getErrorMessage();
}
```
Use the temporary credentials in the response to upload files to OSS; see the best practice: https://help.aliyun.com/document_detail/112718.html. Only the AccessKeyId, AccessKeySecret, SecurityToken and Expiration from the Credentials block are returned to the client, which must send all three values with each OSS request and must ask for a new token before Expiration (by default the token is valid for one hour). The response looks like this; AccessKeyId and AccessKeySecret are the temporary pair and Expiration is when they stop working:

```json
{
  "RequestId": "23B396C3-50FF-4036-B2F2-61DE8D31B60E",
  "AssumedRoleUser": {
    "Arn": "acs:ram::1873038809073736:role/ramoss/upload",
    "AssumedRoleId": "325808457925295064:upload"
  },
  "Credentials": {
    "SecurityToken": "CAIS6wF1q6Ft5B2yfSjIr5bjJN75tZwW8aHYZhCEs009eOt8uL/SiDz2IHpJdHFgBe0Zv/4ynmFV7vgelq9uU5tCTECcxX6kG3EQo22beIPkl5Gfz95t0e+IewW6Dxr8w7WhAYHQR8/cffGAck3NkjQJr5LxaTSlWS7OU/TL8+kFCO4aRQ6ldzFLKc5LLw950q8gOGDWKOymP2yB4AOSLjIx6lUn0TgvufzumpLHtUGAtjCglL9J/baWC4O/csxhMK14V9qIx+FsfsLDqnUKtkgSpPsr0/0epG2W44nDX0M/+RyDNPHP4n2XssHc/mlRGoABoyCuIvXt+yVOC0sAzLQyT7HIubO7osqdkT2yc2ZQMHvfuqjCECOo7e44FNFey02xJ97gFJjG9d24V66NLEXmzdqYLj2MeJ4MiRTkUJcqRoDJ6sg80YzmoCQbsOAv3wP2T6pQ+ZLZuDmJUFj5B665N9CfcOLYn8PdLOpTBm+ZkH8=",
    "AccessKeyId": "STS.NUVodMXC7Fc3d65WMhtdPWzyj",
    "AccessKeySecret": "FQaHSnS1k55yMp2rSec9pBTe2NiSdPkDuVSdXieZGMrf",
    "Expiration": "2021-04-15T03:59:36Z"
  }
}
```
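The whole flow put together, as an added example that is not the original post's code: the server assumes the role with a per-user session Policy so that the token can only write under that user's own prefix, uses the user id in RoleSessionName so the upload shows up under a distinct ARN in the audit logs, keeps the token short-lived, and then uploads with the OSS PHP SDK, passing the SecurityToken. It assumes the Composer packages alibabacloud/sdk and aliyuncs/oss-sdk-php are installed, that the RAM user's key is in the ALI_ACCESS_KEY_ID / ALI_ACCESS_SECRET environment variables, and that the bucket name, endpoint and role ARN are the placeholders from this post (plain PHP instead of the Laravel config()/env() helpers so it runs as a script).

```php
<?php
// Added example, not code from the original post. Assumes alibabacloud/sdk and
// aliyuncs/oss-sdk-php via Composer, the RAM user's AccessKey in the environment,
// and the placeholder bucket / endpoint / role ARN below (taken from the post).
require __DIR__ . '/vendor/autoload.php';

use AlibabaCloud\Client\AlibabaCloud;
use AlibabaCloud\Client\Exception\ClientException;
use AlibabaCloud\Client\Exception\ServerException;
use OSS\Core\OssException;
use OSS\OssClient;

const ROLE_ARN = 'acs:ram::1873038809073736:role/ramoss';
const BUCKET   = 'ram-test';
const REGION   = 'cn-shenzhen';
const ENDPOINT = 'https://oss-cn-shenzhen.aliyuncs.com'; // assumed endpoint for the region

/**
 * Session policy that narrows the role's policy to one user's prefix. STS grants
 * the intersection of the role policy and this policy, so the token can only
 * PutObject under uploads/<userId>/ even though the role may write the whole bucket.
 */
function sessionPolicyFor(string $userId): string
{
    // Refuse ids that could widen the prefix (e.g. "*" or "../").
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $userId)) {
        throw new InvalidArgumentException('invalid user id');
    }
    return json_encode([
        'Version'   => '1',
        'Statement' => [[
            'Effect'   => 'Allow',
            'Action'   => ['oss:PutObject'],
            'Resource' => ['acs:oss:*:*:' . BUCKET . '/uploads/' . $userId . '/*'],
        ]],
    ], JSON_UNESCAPED_SLASHES);
}

/**
 * Assume the role and return only the Credentials block (AccessKeyId,
 * AccessKeySecret, SecurityToken, Expiration). The RAM user's long-term key
 * never leaves this function; only these short-lived values go to the client.
 */
function issueUploadCredentials(string $userId, int $ttlSeconds = 900): array
{
    AlibabaCloud::accessKeyClient(getenv('ALI_ACCESS_KEY_ID'), getenv('ALI_ACCESS_SECRET'))
        ->regionId(REGION)
        ->asDefaultClient();

    $result = AlibabaCloud::rpc()
        ->product('Sts')
        ->scheme('https')
        ->version('2015-04-01')
        ->action('AssumeRole')
        ->method('POST')
        ->host('sts.aliyuncs.com')
        ->options(['query' => [
            'RegionId'        => REGION,
            'RoleArn'         => ROLE_ARN,
            'RoleSessionName' => 'upload-' . $userId, // audit logs show role/ramoss/upload-<userId>
            'Policy'          => sessionPolicyFor($userId),
            'DurationSeconds' => $ttlSeconds,         // 900 s is the minimum; keep tokens short
        ]])
        ->request();

    return $result->toArray()['Credentials'];
}

/** Upload with the temporary credentials; the SecurityToken must be passed along. */
function uploadWithStsToken(array $cred, string $objectKey, string $localFile): void
{
    if (strtotime($cred['Expiration']) <= time()) {
        throw new RuntimeException('STS credential expired; request a new one');
    }
    $oss = new OssClient($cred['AccessKeyId'], $cred['AccessKeySecret'], ENDPOINT, false, $cred['SecurityToken']);
    $oss->uploadFile(BUCKET, $objectKey, $localFile);
}

try {
    $userId = 'user42'; // constructed sample user id
    $cred   = issueUploadCredentials($userId);
    uploadWithStsToken($cred, "uploads/{$userId}/avatar.png", '/tmp/avatar.png');
    // This call is rejected by OSS with AccessDenied: the session policy does not
    // cover another user's prefix, although the role policy alone would allow it.
    uploadWithStsToken($cred, 'uploads/user7/avatar.png', '/tmp/avatar.png');
} catch (ClientException | ServerException $e) {
    fwrite(STDERR, 'STS error: ' . $e->getErrorMessage() . PHP_EOL);
} catch (OssException $e) {
    fwrite(STDERR, 'OSS error: ' . $e->getMessage() . PHP_EOL);
}
```

The session Policy is what makes the token safe to hand to a browser or app: the role policy still defines the upper bound, but each token issued is limited to its own user's prefix, and a leaked token expires on its own after DurationSeconds.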