Why STS Login Slows Down SLS and How a New Ticket Scheme Fixes It
Alibaba Cloud Log Service’s traditional STS password‑less login suffers from slow load times, fixed session limits, cross‑origin cookie restrictions, and hard‑to‑debug flows, prompting SLS to introduce a new ticket‑based authentication that streamlines access, extends sessions, improves security, and enables one‑click dashboard sharing.
Background
Alibaba Cloud Log Service (SLS) traditionally supports password‑less login via Security Token Service (STS). While STS leverages RAM for permission control, it introduces several technical drawbacks.
Limitations of the STS Approach
Performance: The login flow requires three sequential interactions and multiple iframe redirects, resulting in load times of ≈ 6 seconds compared with ≈ 2 seconds for direct console access.
Session duration: Generated links are limited to a default 1‑hour session (max 24 hours) and cannot be refreshed, causing tabs to become unusable after the session expires.
Error diagnosis: The multi‑module flow (STS → RAM → SLS) makes troubleshooting difficult; failures often surface as generic error pages.
Cross‑origin restrictions: Embedding SLS via iframe depends on third‑party cookies, which modern browsers (Safari, Chrome 2024) increasingly block.
Ticket‑Based Password‑Less Login Architecture
SLS introduces a ticket‑based login that eliminates the STS drawbacks. The flow consists of two steps:
Call the SLS SDK (or REST API) to obtain a one‑time ticket link.
Navigate directly to the SLS console using the ticket URL; no browser redirects or iframe embedding are required.
Advantages of the Ticket Scheme
Speed: The two‑step process typically completes in <2 seconds.
Session control: The ticket’s expiration can be extended via the SLS API, removing the fixed 1‑hour limit.
Security: Tickets are created using RAM accounts and RAM policies, allowing fine‑grained permission scoping.
Detailed error reporting: SLS returns explicit error codes and messages, simplifying debugging.
No cross‑origin dependency: The flow does not rely on browser cookies, avoiding third‑party cookie restrictions.
Dashboard Password‑Free Sharing
The same ticket mechanism powers a one‑click “share” button on SLS dashboard pages. Clicking the button generates a read‑only link that can be distributed without SDK integration. The link respects RAM policies and supports additional constraints such as:
Time window (start/end timestamps)
IP address range whitelist
Specific Alibaba Cloud account restrictions
Getting Started
To integrate the ticket‑based login or use dashboard sharing, follow the official documentation:
Embedding and sharing guide (new version): https://help.aliyun.com/zh/sls/developer-reference/console-embedding-and-sharing-new-version-2
Dashboard secret‑free sharing guide: https://help.aliyun.com/zh/sls/user-guide/dashboard-secret-free-sharing
Demo dashboards (e.g., Nginx access‑log) are available via share links that include a sls_ticket parameter, demonstrating end‑to‑end usage.
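Because a share link carries its ticket in the sls_ticket URL parameter, the value can end up in proxy logs, Referer headers and chat exports. The following is an added example, not code from Alibaba Cloud or the original article: it redacts the parameter from log lines and tags each ticket with a short hash so reuse can be correlated. The host name, ticket values and log formats are constructed, and the hash tag assumes tickets are high-entropy random values.

```python
import hashlib
import re

# Parameter name comes from the article; everything else here is constructed.
PLAIN = re.compile(r"(?i)([?&#;]sls_ticket=)([^&#;\s\"'<>]+)")
# Same parameter inside a percent-encoded nested URL (e.g. a redirect target).
ENCODED = re.compile(r"(?i)((?:%3F|%26)sls_ticket%3D)((?:(?!%26|%23)[^&#\s\"'<>])+)")

SAMPLE = [  # constructed log lines
    '203.0.113.7 "GET /dash?sls_ticket=TCKT-constructed-0001&theme=dark HTTP/1.1" 200',
    'referer="https://sls-console.example/dashboard/nginx?hideTopbar=true&sls_ticket=TCKT-constructed-0001"',
    'redirect=https%3A%2F%2Fsls-console.example%2Fdash%3Fsls_ticket%3DTCKT-constructed-0002%26x%3D1',
    'GET /health?my_sls_ticket_id=7 HTTP/1.1',  # look-alike name, must stay untouched
]

def fingerprint(value):
    """Short SHA-256 tag: lets you correlate reuse of a ticket without storing it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def redact_line(line):
    """Return (redacted_line, [fingerprints]) for one log line."""
    found = []

    def repl(match):
        tag = fingerprint(match.group(2))
        found.append(tag)
        return f"{match.group(1)}REDACTED-{tag}"

    for pattern in (PLAIN, ENCODED):
        line = pattern.sub(repl, line)
    return line, found

def scan(lines):
    """Redact all lines; map each ticket fingerprint to the line numbers it was seen on."""
    redacted, seen = [], {}
    for number, line in enumerate(lines, 1):
        out, tags = redact_line(line)
        redacted.append(out)
        for tag in tags:
            seen.setdefault(tag, []).append(number)
    return redacted, seen

if __name__ == "__main__":
    redacted, seen = scan(SAMPLE)
    print("\n".join(redacted))
    for tag, where in seen.items():
        print(tag, "seen on lines", where)
```

A fingerprint that shows up on several lines or from several client addresses is a prompt to check whether the link's time window, IP range and account restrictions are as tight as intended.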
Alibaba Cloud Native
