STS-related interfaces
Updated: 2025-09-28 10:58:21
STS (Secure Token Service) is a security credential service that can be used to grant temporary users access. When a resource in object storage has to be accessed for a short period by another user, STS can be used instead of disclosing the main account's AK/SK: a short-lived access credential is generated and handed to the user who needs it, which avoids the security risk of the main account's AK/SK leaking.
Initializing the STS service

```csharp
using Amazon.Runtime;
using Amazon.SecurityToken;

public class S3ClientToCtyun
{
    private const string AK = "<your-access-key>";
    private const string SK = "<your-secret-access-key>";
    private const string ENDPOINT = "<your-endpoint>"; // e.g. http://<endpoint> or https://<endpoint>
    private readonly AmazonSecurityTokenServiceClient stsClient;

    public S3ClientToCtyun()
    {
        // Long-term credentials of the main account; they are only used to call STS.
        var credentials = new BasicAWSCredentials(AK, SK);
        var confSts = new AmazonSecurityTokenServiceConfig
        {
            ServiceURL = ENDPOINT
        };
        this.stsClient = new AmazonSecurityTokenServiceClient(credentials, confSts);
    }

    // The AssumeRole() method from the next section is a member of this class.
}
```

Obtaining a temporary token
```csharp
// Member of S3ClientToCtyun; requires: using System; using Amazon.SecurityToken.Model;
public void AssumeRole()
{
    var bucket = "<your-bucket-name>";
    var roleSessionName = "<your-session-name>";
    var roleArn = "arn:aws:iam:::role/xxxxxx";
    // Session policy: the temporary credentials receive the intersection of
    // this policy and the permissions of the role itself.
    var policy = "{\"Version\":\"2012-10-17\"," + "\"Statement\":" + "{\"Effect\":\"Allow\","
        + "\"Action\":[\"s3:*\"]," // Allows all S3 operations. If only uploads are needed, this can be set to PutObject
        + "\"Resource\":[\"arn:aws:s3:::" + bucket + "\",\"arn:aws:s3:::" + bucket + "/*\"]" // Allows operating on all objects in the default bucket; change this to restrict which objects can be accessed
        + "}}";

    AssumeRoleRequest req = new AssumeRoleRequest();
    req.Policy = policy;
    req.RoleArn = roleArn;
    req.RoleSessionName = roleSessionName;
    var task = this.stsClient.AssumeRoleAsync(req);
    try
    {
        var result = task.Result;
        // Demo output only: the temporary AK/SK/token are what gets handed to the user.
        Console.Out.WriteLine("AssumeRole, ak={0}, sk={1}, token={2}", result.Credentials.AccessKeyId,
            result.Credentials.SecretAccessKey, result.Credentials.SessionToken);
    }
    catch (Exception ex)
    {
        Console.Out.WriteLine("exception: {0}", ex.Message);
    }
}
```

Parameter description:
| Parameter | Type | Description | Required |
|---|---|---|---|
| RoleArn | String | ARN of the role; it can be viewed in the console after the role has been created | Yes |
| Policy | String | Session policy of the role, in JSON format; length limited to 1 to 2048 characters | Yes |
| RoleSessionName | String | Role session name, user-defined; length limited to 2 to 64 characters | Yes |
| DurationSeconds | Integer | Validity period of the session; defaults to 3600 s | No |
Using the temporary token

Implement a CredentialsProvider that supports refreshing the AK/SK and the token.
```csharp
using Amazon.Runtime;

public class MyCredProvider : AWSCredentials
{
    private readonly object syncRoot = new object();
    private ImmutableCredentials creds;

    public MyCredProvider(string ak, string sk, string token)
    {
        creds = new ImmutableCredentials(ak, sk, token);
    }

    // Called by the SDK before each request; returns a copy so callers cannot mutate the stored credentials.
    public override ImmutableCredentials GetCredentials()
    {
        lock (syncRoot)
        {
            return creds.Copy();
        }
    }

    // Refresh the token (for example after a new AssumeRole call before the old session expires)
    public void UpdateCred(string ak, string sk, string token)
    {
        lock (syncRoot)
        {
            creds = new ImmutableCredentials(ak, sk, token);
        }
    }
}
```

Using the temporary token
```csharp
using Amazon.S3;

var ak = "<temporary-access-key>";
var sk = "<temporary-secret-access-key>";
var endPoint = "<your-endpoint>"; // e.g. http://<endpoint> or https://<endpoint>
var token = "<your-session-token>";
var credentials = new MyCredProvider(ak, sk, token);
var conf = new AmazonS3Config
{
    ServiceURL = endPoint
};
// Every request signed by this client carries the session token; only the
// operations allowed by the session policy will succeed.
AmazonS3Client s3 = new AmazonS3Client(credentials, conf);
```
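As an added example (not code from this page or from the provider's SDK), the following ties the AssumeRole parameters from the table above to the MyCredProvider class: it builds the session policy with a JSON serializer instead of splicing the bucket name into a string, restricts it to PutObject under one key prefix, requests a short session via DurationSeconds, and pushes the result into the provider so the token can be renewed before it expires. The role ARN, bucket, prefix and the 900-second minimum session length are assumptions.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class ScopedUploadToken
{
    // Session policy built with a serializer (no bucket name spliced into a
    // JSON string) that allows only PutObject under one key prefix.
    public static string BuildUploadOnlyPolicy(string bucket, string prefix)
    {
        var policy = new
        {
            Version = "2012-10-17",
            Statement = new[]
            {
                new
                {
                    Effect = "Allow",
                    Action = new[] { "s3:PutObject" },
                    Resource = new[] { $"arn:aws:s3:::{bucket}/{prefix}*" }
                }
            }
        };
        return JsonSerializer.Serialize(policy);
    }

    // Assume the role with the scoped policy and a 900 s session (the AWS STS
    // minimum; assumed accepted here), then push the result into MyCredProvider.
    public static async Task<DateTime?> RefreshAsync(
        AmazonSecurityTokenServiceClient sts, MyCredProvider provider,
        string roleArn, string sessionName, string bucket, string prefix)
    {
        var resp = await sts.AssumeRoleAsync(new AssumeRoleRequest
        {
            RoleArn = roleArn,
            RoleSessionName = sessionName,
            Policy = BuildUploadOnlyPolicy(bucket, prefix),
            DurationSeconds = 900
        });
        var c = resp.Credentials;
        provider.UpdateCred(c.AccessKeyId, c.SecretAccessKey, c.SessionToken);
        return c.Expiration;
    }

    // True when the token is within 'margin' of expiry and must be refreshed.
    public static bool NeedsRefresh(DateTime? exp, TimeSpan margin) =>
        exp == null || DateTime.UtcNow + margin >= exp.Value.ToUniversalTime();
}
```

Call RefreshAsync once before creating the AmazonS3Client with the provider, and again whenever NeedsRefresh reports that the stored expiration is within a couple of minutes; the temporary credentials never need to leave the process that holds the main account's AK/SK.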