use cos_rust_sdk::sts::{StsClient, GetCredentialsRequest, Policy};
use std::env;
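/// Example: minting scoped, short-lived STS credentials for a COS bucket.
///
/// The long-lived `COS_SECRET_ID` / `COS_SECRET_KEY` pair is read from the
/// environment and used only to call STS; it is the temporary credentials
/// returned by `get_credentials` that are meant to be handed to clients.
/// Each example narrows the policy to one operation and one key prefix and
/// sets an explicit `duration_seconds`. Example 5 deliberately shows a
/// bucket-wide read/write policy for contrast only — it is not a pattern to
/// copy into production.
///
/// Returns an error (instead of panicking) when a required environment
/// variable is missing; individual STS failures are reported and the
/// remaining examples still run.
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Required inputs: missing variables are surfaced as an `Err` from main
    // rather than a panic, so the process still exits non-zero with the
    // same message.
    let secret_id = env::var("COS_SECRET_ID").map_err(|_| "请设置环境变量 COS_SECRET_ID")?;
    let secret_key = env::var("COS_SECRET_KEY").map_err(|_| "请设置环境变量 COS_SECRET_KEY")?;
    let region = env::var("COS_REGION").unwrap_or_else(|_| "ap-beijing".to_string());
    let bucket = env::var("COS_BUCKET").map_err(|_| "请设置环境变量 COS_BUCKET")?;

    let sts_client = StsClient::new(secret_id, secret_key, region);

    println!("=== STS Policy 使用示例 ===");
    println!("存储桶: {}", bucket);
    println!();

    // 1. Upload-only, restricted to the `uploads/` prefix. Short lifetime:
    //    a browser upload token only needs to outlive the upload itself.
    println!("1. 仅允许上传权限 (uploads/ 前缀)");
    let upload_policy = Policy::allow_put_object(&bucket, Some("uploads/"));
    let request = GetCredentialsRequest {
        name: Some("upload-only-credentials".to_string()),
        policy: upload_policy,
        duration_seconds: Some(1800),
    };
    match sts_client.get_credentials(request).await {
        Ok(credentials) => {
            println!(" ✅ 获取上传凭证成功");
            // Only a prefix is printed; never log the full key or token.
            println!(" 临时 SecretId: {}...", redacted_prefix(&credentials.tmp_secret_id, 10));
            println!(" SessionToken: {}...", redacted_prefix(&credentials.token, 20));
        }
        Err(e) => println!(" ❌ 获取上传凭证失败: {}", e),
    }
    println!();

    // 2. Download-only, restricted to the `public/` prefix.
    println!("2. 仅允许下载权限 (public/ 前缀)");
    let download_policy = Policy::allow_get_object(&bucket, Some("public/"));
    let request = GetCredentialsRequest {
        name: Some("download-only-credentials".to_string()),
        policy: download_policy,
        duration_seconds: Some(3600),
    };
    match sts_client.get_credentials(request).await {
        Ok(credentials) => {
            println!(" ✅ 获取下载凭证成功");
            println!(" 临时 SecretId: {}...", redacted_prefix(&credentials.tmp_secret_id, 10));
            println!(" SessionToken: {}...", redacted_prefix(&credentials.token, 20));
        }
        Err(e) => println!(" ❌ 获取下载凭证失败: {}", e),
    }
    println!();

    // 3. Delete-only, restricted to the `temp/` prefix. Destructive
    //    capability gets the shortest lifetime of the set.
    println!("3. 仅允许删除权限 (temp/ 前缀)");
    let delete_policy = Policy::allow_delete_object(&bucket, Some("temp/"));
    let request = GetCredentialsRequest {
        name: Some("delete-only-credentials".to_string()),
        policy: delete_policy,
        duration_seconds: Some(900),
    };
    match sts_client.get_credentials(request).await {
        Ok(credentials) => {
            println!(" ✅ 获取删除凭证成功");
            println!(" 临时 SecretId: {}...", redacted_prefix(&credentials.tmp_secret_id, 10));
            println!(" SessionToken: {}...", redacted_prefix(&credentials.token, 20));
        }
        Err(e) => println!(" ❌ 获取删除凭证失败: {}", e),
    }
    println!();

    // 4. Read + write under `media/`. Note that whether the prefix is
    //    enforced as a resource restriction (and not just a naming hint)
    //    depends on how `Policy::allow_read_write` builds the statement —
    //    confirm against the SDK / the policy JSON it sends.
    println!("4. 允许读写权限 (media/ 前缀)");
    let readwrite_policy = Policy::allow_read_write(&bucket, Some("media/"));
    let request = GetCredentialsRequest {
        name: Some("readwrite-credentials".to_string()),
        policy: readwrite_policy,
        duration_seconds: Some(7200),
    };
    match sts_client.get_credentials(request).await {
        Ok(credentials) => {
            println!(" ✅ 获取读写凭证成功");
            println!(" 临时 SecretId: {}...", redacted_prefix(&credentials.tmp_secret_id, 10));
            println!(" SessionToken: {}...", redacted_prefix(&credentials.token, 20));
            println!(" 过期时间: {:?}", credentials.expired_time);
        }
        Err(e) => println!(" ❌ 获取读写凭证失败: {}", e),
    }
    println!();

    // 5. Read + write on the whole bucket (no prefix). Shown only to
    //    illustrate the API; a token like this lets its holder read,
    //    overwrite or delete every object in the bucket for its lifetime.
    println!("5. 允许读写整个存储桶 (无前缀限制)");
    let full_policy = Policy::allow_read_write(&bucket, None);
    let request = GetCredentialsRequest {
        name: Some("full-access-credentials".to_string()),
        policy: full_policy,
        duration_seconds: Some(3600),
    };
    match sts_client.get_credentials(request).await {
        Ok(credentials) => {
            println!(" ✅ 获取完整权限凭证成功");
            println!(" 临时 SecretId: {}...", redacted_prefix(&credentials.tmp_secret_id, 10));
            println!(" SessionToken: {}...", redacted_prefix(&credentials.token, 20));
        }
        Err(e) => println!(" ❌ 获取完整权限凭证失败: {}", e),
    }
    println!();

    println!("=== 策略使用建议 ===");
    println!("• 前端文件上传: 使用 allow_put_object,限制上传目录");
    println!("• 公共资源访问: 使用 allow_get_object,限制下载目录");
    println!("• 临时文件清理: 使用 allow_delete_object,限制删除目录");
    println!("• 完整文件管理: 使用 allow_read_write,根据需要限制前缀");
    println!("• 最小权限原则: 总是使用最小必要权限,设置合适的前缀和过期时间");
    Ok(())
}

/// Returns at most the first `max_chars` characters of `s` for display.
///
/// The original `&s[..n]` byte slice panics when the credential is shorter
/// than `n` bytes or when byte `n` falls inside a multi-byte character, so
/// truncation is done by character count instead. Callers print only this
/// prefix: the full temporary key and session token must never reach logs.
fn redacted_prefix(s: &str, max_chars: usize) -> String {
    s.chars().take(max_chars).collect()
}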