安全凭证服务(STS)

STS即Secure Token Service,是一种安全凭证服务,可以使用STS来完成对临时用户的访问授权。跨用户短期访问S3资源时,可以使用STS服务。这样就不需要透露主账号AK/SK,只需要生成一个短期访问凭证交给需要的用户使用即可,避免主账号AK/SK泄露带来的安全风险。

获取临时token

在服务器端生成临时token,参考:

安全凭证服务 java

安全凭证服务 python

安全凭证服务 nodejs

使用临时token

实现一个MyCredentialsProvider,支持更新ak/sk和token。

// .h
/// A minimal AWSCredentialsProvider backed by an explicitly supplied
/// access key / secret key / STS session token triple.
///
/// The provider keeps no expiry information of its own; the owner is
/// expected to obtain a fresh token from the server-side STS call and push
/// it in via -updateCredWithAccessKey:secretKey:sessionToken: before the
/// current one stops being valid.
@interface MyCredentialsProvider: NSObject <AWSCredentialsProvider>

/// Creates a provider holding the given temporary credentials.
/// @param accessKey    The temporary access key returned by STS.
/// @param secretKey    The secret key matching `accessKey`.
/// @param sessionToken The STS session token that accompanies the key pair.
- (instancetype)initWithAccessKey:(NSString *)accessKey
                        secretKey:(NSString *)secretKey
                     sessionToken:(NSString *)sessionToken;

/// Replaces the stored credentials, e.g. after a new STS token has been
/// fetched. Subsequent -credentials calls return the new triple; nothing
/// else is cached, so no further invalidation step is needed.
- (void)updateCredWithAccessKey:(NSString *)accessKey
                      secretKey:(NSString *)secretKey
                   sessionToken:(NSString *)sessionToken;
@end


// .m
@interface MyCredentialsProvider()
/// The credential triple currently handed out by -credentials.
/// Declared atomic so that a reader (presumably the SDK's request-signing
/// path, possibly on another thread) and a concurrent
/// -updateCredWithAccessKey:... always observe a whole AWSCredentials
/// object rather than a torn pointer. The object is only ever replaced as
/// a unit, never mutated in place.
@property (atomic, strong) AWSCredentials *internalCredentials;
@end

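@implementation MyCredentialsProvider

/// Builds the AWSCredentials value used by both the initializer and the
/// update path, so the two cannot drift apart.
///
/// `expiration` is deliberately nil: this provider does not track the STS
/// token lifetime itself, so the owner must call
/// -updateCredWithAccessKey:secretKey:sessionToken: with a freshly issued
/// token before the current one expires; once it has expired the service
/// will presumably reject requests signed with it.
static AWSCredentials *MyCredentialsProviderMakeCredentials(NSString *accessKey,
                                                            NSString *secretKey,
                                                            NSString *sessionToken) {
    return [[AWSCredentials alloc] initWithAccessKey:accessKey
                                           secretKey:secretKey
                                          sessionKey:sessionToken
                                          expiration:nil];
}

/// Designated initializer: stores the supplied temporary credential triple.
/// @param accessKey    The temporary access key returned by STS.
/// @param secretKey    The secret key matching `accessKey`.
/// @param sessionToken The STS session token that accompanies the key pair.
- (instancetype)initWithAccessKey:(NSString *)accessKey
                        secretKey:(NSString *)secretKey
                     sessionToken:(NSString *)sessionToken {
    self = [super init];
    if (self) {
        // Direct ivar access inside init; the accessor is not used here.
        _internalCredentials = MyCredentialsProviderMakeCredentials(accessKey,
                                                                     secretKey,
                                                                     sessionToken);
    }
    return self;
}

/// AWSCredentialsProvider: returns whatever triple is stored right now,
/// wrapped in an already-completed task. No network round trip, no caching.
- (AWSTask<AWSCredentials *> *)credentials {
    return [AWSTask taskWithResult:self.internalCredentials];
}

/// AWSCredentialsProvider: intentionally empty. Nothing is cached beyond
/// the single stored triple, which is only replaced explicitly through
/// -updateCredWithAccessKey:secretKey:sessionToken:.
- (void)invalidateCachedTemporaryCredentials {
}

/// Replaces the stored credentials with a newly issued triple.
/// The whole AWSCredentials object is swapped through the atomic setter so
/// concurrent readers never see a half-updated key/secret/token combination.
/// @param accessKey    The new temporary access key.
/// @param secretKey    The secret key matching `accessKey`.
/// @param sessionToken The new STS session token.
- (void)updateCredWithAccessKey:(NSString *)accessKey
                      secretKey:(NSString *)secretKey
                   sessionToken:(NSString *)sessionToken {
    self.internalCredentials = MyCredentialsProviderMakeCredentials(accessKey,
                                                                    secretKey,
                                                                    sessionToken);
}
@end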

使用临时token初始化sdk

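// Placeholder values only — substitute them at runtime. SECRET_KEY and
// SESSION_TOKEN are the short-lived pair produced by the server-side STS
// call described above; neither a real token nor the long-term account
// AK/SK should be compiled into the app binary. Typed constants are used
// instead of #define so the compiler sees real NSString objects.
static NSString * const ACCESS_KEY = @"<your-access-key>";
static NSString * const SECRET_KEY = @"<your-secret-key>";
static NSString * const ENDPOINT = @"<your-endpoint>";
static NSString * const SESSION_TOKEN = @"<your-session-token>";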

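/// Sets up the S3 client using STS temporary credentials.
///
/// The MyCredentialsProvider instance is kept in self.credProvider so the
/// owner can push a refreshed token into it later via
/// -updateCredWithAccessKey:secretKey:sessionToken: without rebuilding the
/// client. Note that the configuration is installed as the process-wide
/// defaultServiceConfiguration, so every later [AWSS3 defaultS3] caller
/// shares these credentials and this endpoint.
/// @return The initialized receiver, or nil if the superclass init fails.
- (instancetype)initWithToken {
    self = [super init];
    if (self) {
        // ACCESS_KEY / SECRET_KEY / SESSION_TOKEN are placeholders for the
        // triple obtained from the server-side STS call; in a real app the
        // values arrive at runtime rather than being compiled in.
        self.credProvider = [[MyCredentialsProvider alloc] initWithAccessKey:ACCESS_KEY
                                                                   secretKey:SECRET_KEY
                                                                sessionToken:SESSION_TOKEN];

        AWSEndpoint *endpoint = [[AWSEndpoint alloc] initWithURLString:ENDPOINT];

        // A region is required by the initializer; the custom endpoint is
        // presumably what determines where requests are actually sent.
        AWSServiceConfiguration *configuration =
            [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1
                                                   endpoint:endpoint
                                        credentialsProvider:self.credProvider];
        [AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;

        // defaultS3 picks up the default configuration installed just above.
        self.s3 = [AWSS3 defaultS3];
    }
    return self;
}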