Alibaba Cloud SDK:Manage access credentials

Last Updated: Jul 29, 2024

This topic describes how to configure access credentials to ensure that you can use SDKs for development in a secure and efficient manner.

Use an AccessKey pair

Important

An AccessKey pair of an Alibaba Cloud account has full access to all resources within the account. AccessKey pair leaks pose critical threats to the resources within an Alibaba Cloud account. We recommend that you use the AccessKey pair of a Resource Access Management (RAM) user and regularly rotate the AccessKey pair. For information about how to create an AccessKey pair for a RAM user, see Create an AccessKey pair.

The following sample code shows how to create a default client named default that uses an AccessKey pair for authentication.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::accessKeyClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'))->asDefaultClient(); // Register the client as the default client.
AlibabaCloud::accessKeyClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'))->name('default');   // Equivalent: register the client under the name default.

Use an STS token

To ensure the security of your business, you can apply for temporary security credentials (TSC) from Security Token Service (STS) to create a temporary client.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::stsClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), getenv('ALIBABA_CLOUD_SECURITY_TOKEN'))->name('sts');

Use a RAM role

You can specify the Alibaba Cloud Resource Name (ARN) of a RAM role for a client. Then, the client can automatically apply for and maintain STS tokens before the client initiates an API request. This way, the client becomes an STS client that has a validity period. You can also manually apply for STS tokens and create an STS client.

The following sample code shows how to create a client named ramRoleArnClient that uses a RAM role for authentication.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::ramRoleArnClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), 'roleArn', 'roleSessionName') // Replace roleArn with the ARN of the RAM role and roleSessionName with a session name of your choice.
              ->name('ramRoleArnClient');

Use the RAM role of an ECS instance

A client can use the metadata server of Elastic Compute Service (ECS) to obtain an STS token by using the RAM role attached to an ECS instance. The STS token is then used to initialize the client.

The following sample code shows how to create a client named ecsRamRoleClient that uses the RAM role attached to an ECS instance for authentication.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::ecsRamRoleClient('roleName')->name('ecsRamRoleClient'); // Replace roleName with the name of the RAM role attached to the ECS instance.

Use a bearer token

Only Cloud Call Center (CCC) allows you to use a bearer token to initialize a client. You can manually apply for and maintain bearer tokens.

The following sample code shows how to create a client named bearerTokenClient that uses a bearer token for authentication.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::bearerTokenClient('bearerToken')->name('bearerTokenClient'); // Replace bearerToken with the bearer token that you applied for.

Use the default credential provider chain

The default credential provider chain searches for and uses credentials in the following order:

1. Use credentials from environment variables

The credential provider chain searches for credentials from environment variables. If you define the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET and specify non-null values for the environment variables, the credential provider chain uses the environment variables to create a default client. If the client that is specified in a request is not the default client, the credential provider chain searches for and loads clients in the configuration file.

2. Use the configuration file

If the default credential file exists in the home directory, the credential provider chain automatically creates a client based on the type and name specified in the file. The path of the default credential file is ~/.alibabacloud/credentials. In a Windows operating system, the path is C:\Users\USER_NAME\.alibabacloud\credentials. If the default credential file exists but cannot be parsed, an exception is thrown. Client names are not case-sensitive. If two clients have the same name, the client defined later overwrites the client defined earlier.

You can also call AlibabaCloud::load('/data/credentials', 'vfs://AlibabaCloud/credentials', ...); to manually load specific configuration files. Because the configuration file is stored outside your projects, it is not committed to public repositories and can be shared by different projects and tools. In a Windows operating system, you can reference your home directory by using the %UserProfile% environment variable. In Unix-like systems, you can use the $HOME environment variable or a tilde (~). You can change the location of the default credential file by defining the ALIBABA_CLOUD_CREDENTIALS_FILE environment variable.

A sample credential file:

[default]                          # The default client.
enable = true                      # Enable the client. By default, the client is enabled if this parameter is not specified.
type = access_key                  # The authentication is based on AccessKey pairs.
access_key_id = foo                # Key
access_key_secret = bar            # Secret
region_id = cn-hangzhou            # Optional. The region ID.
debug = true                       # Optional. Specifies whether to enable the debug mode. The detailed information is displayed on the CLI in debug mode.
timeout = 0.2                      # Optional. The timeout period. If the value is greater than 1, the unit is seconds. If the value is smaller than 1, the value is multiplied by 1,000 and the unit is milliseconds.
connect_Timeout = 0.03             # Optional. The timeout period for connection requests. If the value is greater than 1, the unit is seconds. If the value is smaller than 1, the value is multiplied by 1,000 and the unit is milliseconds.
cert_file = /path/server.pem       # Optional. The certificate file.
cert_password = password           # Optional. The password of the certificate.
proxy = tcp://localhost:8125       # Optional. The common proxy.
proxy_http = tcp://localhost:8125  # Optional. The HTTP proxy.
proxy_https = tcp://localhost:9124 # Optional. The HTTPS proxy.
proxy_no = example.com             # Optional. The domain name that is ignored by the proxy.

[client1]                          # The client named client1.
type = ecs_ram_role                # The authentication is based on EcsRamRole credentials.
role_name = EcsRamRoleTest         # Role Name
#..................................# The other parameters are the same as those of the default client.

[client2]                          # The client named client2.
enable = false                     # The client is disabled.
type = ram_role_arn                # The authentication is based on RamRoleArn credentials.
access_key_id = foo
access_key_secret = bar
role_arn = role_arn
role_session_name = session_name
#..................................# The other parameters are the same as those of the default client.

[client3]                          # The client named client3.
type = rsa_key_pair                # The authentication is based on Rivest-Shamir-Adleman (RSA) key pairs.
public_key_id = publicKeyId        # Public Key ID
private_key_file = /your/pk.pem    # The private key file.
#..................................# The other parameters are the same as those of the default client.

3. Use an instance RAM role

If you define the ALIBABA_CLOUD_ECS_METADATA environment variable and specify a non-null value for the environment variable, the credential provider chain uses the value of the environment variable as the RAM role name and sends a request to http://100.100.100.200/latest/meta-data/ram/security-credentials/ to obtain temporary security credentials. Then, the temporary security credentials are used to create a default client.
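As an added example that is not from the Alibaba Cloud documentation or the SDK, the following PHP script parses a credentials file in the format shown in step 2 and lints it before the SDK loads it: it reports clients that are missing the keys their type needs, clients that keep a long-lived AccessKey pair on disk, and clients that leave debug mode on. The parser and the names parseCredentials, lintCredentials and REQUIRED_KEYS are mine and are deliberately simpler than the SDK's own loader; they implement only the rules the text states (a # starts a comment, client names are not case-sensitive, a later section with the same name replaces an earlier one, and enable defaults to true). The sample file is constructed, and foo, bar and ROLE_ARN_PLACEHOLDER are placeholders, not real credentials.

```php
<?php
declare(strict_types=1);

// Added example, not part of the Alibaba Cloud SDK: parse and lint a
// ~/.alibabacloud/credentials file using the rules described in the text.

// Keys that each documented credential type must provide (taken from the sample file).
const REQUIRED_KEYS = [
    'access_key'   => ['access_key_id', 'access_key_secret'],
    'ecs_ram_role' => ['role_name'],
    'ram_role_arn' => ['access_key_id', 'access_key_secret', 'role_arn', 'role_session_name'],
    'rsa_key_pair' => ['public_key_id', 'private_key_file'],
];

/**
 * Parse INI text into [client name => [key => value]].
 * Simplification (assumption of this example): values never contain a literal '#'.
 */
function parseCredentials(string $text): array
{
    $profiles = [];
    $current  = null;
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim((string) preg_replace('/#.*$/', '', $line)); // drop '# ...' comments
        if ($line === '') {
            continue;
        }
        if (preg_match('/^\[(.+)\]$/', $line, $m)) {
            $current = strtolower(trim($m[1]));   // client names are not case-sensitive
            $profiles[$current] = [];             // a later section replaces an earlier one
            continue;
        }
        if ($current === null || strpos($line, '=') === false) {
            throw new RuntimeException("Cannot parse line: $line");
        }
        [$key, $value] = array_map('trim', explode('=', $line, 2));
        $profiles[$current][strtolower($key)] = $value;
    }
    return $profiles;
}

/** Return a list of findings; an empty list means the file is clean. */
function lintCredentials(array $profiles): array
{
    $findings = [];
    foreach ($profiles as $name => $p) {
        // 'enable' defaults to true when omitted; disabled clients are never loaded.
        if (strtolower($p['enable'] ?? 'true') === 'false') {
            continue;
        }
        $type = $p['type'] ?? '';
        if (!isset(REQUIRED_KEYS[$type])) {
            $findings[] = "[$name] unknown or missing type '$type'";
            continue;
        }
        foreach (REQUIRED_KEYS[$type] as $key) {
            if (($p[$key] ?? '') === '') {
                $findings[] = "[$name] type $type requires '$key'";
            }
        }
        if ($type === 'access_key') {
            $findings[] = "[$name] holds a long-lived AccessKey pair; prefer a RAM role or STS token and rotate the key";
        }
        if (strtolower($p['debug'] ?? 'false') === 'true') {
            $findings[] = "[$name] debug = true prints request details to the CLI; disable it outside development";
        }
    }
    return $findings;
}

// Constructed sample in the documented format; every value is a placeholder.
$sample = <<<'INI'
[default]                 # long-lived key with debug left on
type = access_key
access_key_id = foo
access_key_secret = bar
debug = true

[Client1]
type = ecs_ram_role
role_name = EcsRamRoleTest

[client1]                 # same name, different case: replaces the section above
type = ram_role_arn
access_key_id = foo
access_key_secret = bar
role_arn = ROLE_ARN_PLACEHOLDER
                          # role_session_name is missing

[client2]
enable = false            # disabled, so it is never checked
type = rsa_key_pair
INI;

foreach (lintCredentials(parseCredentials($sample)) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed sample, the script reports three findings: the default client holds a long-lived AccessKey pair, the default client has debug enabled, and client1 (the ram_role_arn section, which replaced the earlier ecs_ram_role section of the same name) lacks role_session_name; client2 is skipped because it is disabled. To lint a real file, replace $sample with file_get_contents of the path the ALIBABA_CLOUD_CREDENTIALS_FILE variable points to, and on Unix-like systems also make sure the file is readable only by the user that runs the SDK.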

Custom credential provider chain

You can build a custom credential provider chain from the built-in providers, or write a closure and pass it to the chain as a provider.

<?php

use AlibabaCloud\Client\Credentials\Providers\CredentialsProvider;

CredentialsProvider::chain(
        CredentialsProvider::ini(),
        CredentialsProvider::env(),
        CredentialsProvider::instance()
);
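As an added example that is not part of the documentation or the SDK, the following script builds a custom chain that never registers a long-lived AccessKey pair: its first provider is a closure that reads an STS token that a deployment tool has written to a file, and its second provider is the SDK's own instance-role provider. CredentialsProvider::env() is left out on purpose, so an AccessKey pair that happens to sit in the environment is never picked up. The environment variable APP_STS_CREDENTIALS_FILE, the function stsFileProvider and the JSON layout are assumptions of this example (the field names follow the STS AssumeRole response), and the statement that the SDK runs the chain only when a request needs a client that has not been registered is my reading of the library, not something this page states.

```php
<?php
declare(strict_types=1);

use AlibabaCloud\Client\AlibabaCloud;
use AlibabaCloud\Client\Credentials\Providers\CredentialsProvider;

// Added example, not part of the Alibaba Cloud SDK: a custom provider chain
// built only from temporary credentials. The environment variable
// APP_STS_CREDENTIALS_FILE and the JSON layout below are this example's own.

/**
 * Provider closure: register an STS client from a JSON file such as
 *   {"AccessKeyId": "...", "AccessKeySecret": "...", "SecurityToken": "...",
 *    "Expiration": "2024-07-29T12:00:00Z"}
 * (field names as in the STS AssumeRole response). A provider that cannot
 * supply a client simply returns, and the chain moves on to the next one.
 */
function stsFileProvider(): Closure
{
    return static function (): void {
        $path = getenv('APP_STS_CREDENTIALS_FILE');
        if ($path === false || $path === '' || !is_readable($path)) {
            return;
        }
        $cred = json_decode((string) file_get_contents($path), true);
        if (!is_array($cred)) {
            return;
        }
        foreach (['AccessKeyId', 'AccessKeySecret', 'SecurityToken', 'Expiration'] as $field) {
            if (empty($cred[$field])) {
                return;                 // incomplete token: do not register a broken client
            }
        }
        // Refuse a token that has already expired instead of registering a
        // client whose every call would fail with an authentication error.
        $expires = strtotime($cred['Expiration']);
        if ($expires === false || $expires <= time()) {
            return;
        }
        AlibabaCloud::stsClient($cred['AccessKeyId'], $cred['AccessKeySecret'], $cred['SecurityToken'])
            ->asDefaultClient();
    };
}

// Providers run in this order until the requested client exists.
// CredentialsProvider::env() is intentionally absent: an AccessKey pair that
// is present in the environment is never used by this chain.
CredentialsProvider::chain(
    stsFileProvider(),
    CredentialsProvider::instance()
);
```

Point APP_STS_CREDENTIALS_FILE at the token file, which should be written by whatever component assumes the role and be readable only by the application user. If the file is missing, unreadable, incomplete or expired, the chain falls through to the ECS instance role, and if ALIBABA_CLOUD_ECS_METADATA is not set either, the SDK fails to resolve a client rather than silently using some other credential.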