找了一个下午整理了一下步骤。
首先开通阿里云OSS
然后创建bucket
接下来,创建子用户,如图:
记住保存AccessKeyID和AccessKeySecret：把它们放进 .env 或密钥管理服务，通过配置读取，不要写进代码、截图或提交到仓库（本文后面的代码就是为了演示才写死的，上线前务必改掉，已经泄露过的 key 直接在控制台禁用并轮换）。
再来创建策略
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:Get*",
"oss:Put*",
"oss:List*",
"oss:DeleteObject"
],
"Resource": "acs:oss:*:*:go-your-heart"
},
{
"Effect": "Allow",
"Action": [
"oss:Get*",
"oss:Put*",
"oss:List*",
"oss:DeleteObject"
],
"Resource": "acs:oss:*:*:go-your-heart/*"
}
]
}
第一段并不是"登录"权限：它允许列出账号下所有 bucket 并读取 bucket 的统计/信息/ACL（Resource 是 acs:oss:*:*:*，对全部 bucket 生效），控制台和 SDK 的列表操作依赖它。第二段允许操作 bucket 本身，第三段允许操作 bucket 内的对象。注意 oss:Put* 在 bucket 资源上同样匹配 PutBucketAcl、PutBucketPolicy 这类修改 bucket 配置的动作，如果目的只是上传对象，第二段的 Put* 应该收窄或删掉。
这样针对某个 bucket 的 OSS 策略就写完了（注意!!! go-your-heart 是我的 bucket 名称，要换成你自己的）。
重点：创建 RAM 角色，把上面的 OSS 策略挂到这个角色上，并在角色的信任策略里允许你的账号/这个子用户来扮演它。调用 AssumeRole 的子用户本身只需要一条允许 sts:AssumeRole、Resource 为该角色 ARN 的策略；按 RAM 的规则，临时凭证的实际权限是角色策略与代码里传入的 session policy 的交集，所以 OSS 权限放在角色上即可，子用户不必直接拥有。
代码环节(请再确认一遍上面的配置是否有误!!!如果有误,下面就不用看了。如果没错,下面也不一定能成功…)
<?php
namespace App\Http\Controllers\Web;
use Illuminate\Http\Request;
use App\Http\Controllers\Controller;
use OSS\OssClient;
use OSS\Core\OssException;
use AlibabaCloud\Sts\Sts;
use AlibabaCloud\Client\AlibabaCloud;
// use AlibabaCloud\Sts\v20150401\AssumeRole;
// use AlibabaCloud\Client\Exception\ServerException;
// use AlibabaCloud\Client\Exception\ClientException;
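class OssController extends Controller
{
    /**
     * Issue short-lived STS credentials that let the caller upload objects
     * into one OSS bucket.
     *
     * Flow: require an authenticated user, call STS AssumeRole with the
     * long-lived RAM user key read from config, and narrow the role with a
     * session policy that only allows oss:PutObject under the bucket. The
     * response body is the `Credentials` object returned by STS (AccessKeyId,
     * AccessKeySecret, SecurityToken, Expiration) which the front end uses to
     * sign its upload requests.
     *
     * Configuration is read from config/oss.php (fill it from .env — never
     * hard-code keys in source):
     *   access_key_id / access_key_secret  RAM user allowed to sts:AssumeRole
     *   role_arn                           RAM role that holds the OSS policy
     *   bucket                             bucket the token is scoped to
     *   region                             STS region id, default cn-beijing
     *   token_expire_seconds               lifetime of the token, default 900
     *
     * @return \Illuminate\Http\JsonResponse 200 with Credentials; 401 when
     *         unauthenticated; 500 when config is missing; 502 when STS
     *         rejects the call or cannot be reached.
     */
    public function index()
    {
        // This endpoint mints credentials for whoever calls it, so it must never be
        // reachable anonymously, regardless of how the route is registered.
        abort_unless(auth()->check(), 401);

        $accessKeyId     = (string) config('oss.access_key_id');
        $accessKeySecret = (string) config('oss.access_key_secret');
        $roleArn         = (string) config('oss.role_arn');
        $bucket          = (string) config('oss.bucket');
        $region          = (string) config('oss.region', 'cn-beijing');
        // STS accepts a minimum of 900s; the upper bound is the role's MaxSessionDuration
        // in RAM (not unlimited) — verify the role setting if a larger value is needed.
        $duration        = (int) config('oss.token_expire_seconds', 900);

        if ($accessKeyId === '' || $accessKeySecret === '' || $roleArn === '' || $bucket === '') {
            // Misconfiguration is a server-side error; do not fall back to any default key.
            return response()->json(['message' => 'OSS STS is not configured'], 500);
        }

        // Session policy. The temporary key's effective permission is the INTERSECTION of
        // the role's policy and this one, so it can only write objects under the bucket,
        // nothing else the role could do. (The previous version passed sts:AssumeRole on
        // "*" here, which is not a PutObject grant at all.)
        $policy = json_encode([
            'Version'   => '1',
            'Statement' => [[
                'Effect'   => 'Allow',
                'Action'   => ['oss:PutObject'],
                'Resource' => ["acs:oss:*:*:{$bucket}/*"],
            ]],
        ], JSON_UNESCAPED_SLASHES);

        // Tie the session name to the user so OSS access logs / ActionTrail show who uploaded.
        $sessionName = 'user-' . auth()->id();

        AlibabaCloud::accessKeyClient($accessKeyId, $accessKeySecret)
            ->regionId($region)
            ->name('default');

        try {
            $rst = Sts::v20150401()
                ->assumeRole()
                ->withRoleArn($roleArn)
                ->withRoleSessionName($sessionName)
                ->withPolicy($policy)
                ->withDurationSeconds($duration)
                ->timeout(30)
                ->connectTimeout(30)
                ->request();
        } catch (\AlibabaCloud\Client\Exception\ClientException | \AlibabaCloud\Client\Exception\ServerException $e) {
            // Log the SDK error server-side; never echo request ids, ARNs or key material
            // back to the browser.
            report($e);
            return response()->json(['message' => 'failed to obtain upload credentials'], 502);
        }

        // getBody() is a raw stream; jsonSerialize() yields the decoded response array.
        $json = $rst->jsonSerialize();

        // Only the Credentials object is returned; the rest of the STS response
        // (AssumedRoleUser, RequestId) is not needed by the client.
        return response()->json($json['Credentials'] ?? [], $rst->getStatusCode());
    }
}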
各位老板如果有错误可以一起讨论讨论…to be continued