All Products
Search

This Product

    MaxCompute:Configure access credentials of the Go SDK

    Document Center

    MaxCompute:Configure access credentials of the Go SDK

    Last Updated:Oct 30, 2024

    Before using the Go SDK to send MaxCompute requests, you must configure the access credentials to initialize the credential provider. Alibaba Cloud services use these access credentials to authenticate identity and access privileges. MaxCompute offers several configuration methods to suit different authentication and authorization needs.

    Prerequisites

    The Go SDK is installed. For more information, see Install the Go SDK.

    Comparison of access credential configuration methods

    Configuration method

    Scenario

    Requires pre-provided AccessKey or STS token

    Underlying implementation

    Validity period

    Credential rotation or refresh method

    Method 1: AccessKey

    Applications deployed in a secure, stable, and less susceptible environment to external attacks. Such applications have long-term access to cloud services without the need for frequent credential rotation.

    Yes

    AccessKey

    Long-term

    Manual rotation

    Method 2: STS token

    Applications deployed in an untrusted environment. These applications require controlled access validity and permissions.

    Yes

    STS token

    Temporary

    Manual refresh

    Method 3: RAMRoleARN

    Applications that require authorized cloud service access, such as in cross-account scenarios.

    Yes

    STS token

    Temporary

    Auto-refresh

    Method 4: ECSRAMRole

    Applications deployed on Alibaba Cloud ECS instances, ECI instances, or Container Service for Kubernetes worker nodes.

    No

    STS token

    Temporary

    Auto-refresh

    Method 5: CredentialsURI

    Applications that require retrieving access credentials from external systems.

    No

    STS token

    Temporary

    Auto-refresh

    Method 6: Custom access credentials

    Alternatively, you can also customize your access credentials.

    Custom

    STS token

    Custom

    Custom

    Method 1: AccessKey

    If your application is deployed and runs within a secure and stable environment that is less vulnerable to external attacks and requires long-term access to MaxCompute, but does not need frequent credential updates, you can initialize a credential provider by using the AccessKey ID and AccessKey Secret from an Alibaba Cloud account or a RAM user. However, manually managing the AccessKey may introduce security risks and further complicate maintenance. For guidance on acquiring an AccessKey, see CreateAccessKey.

    Environment variables

    1. Add the credentials dependency in your project.

      go get github.com/aliyun/credentials-go/credentials

    2. Configure environment variables for the AK.

      • For macOS X, Linux, and Unix systems:

        export ALIBABA_CLOUD_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID>
export ALIBABA_CLOUD_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET>

      • For Windows systems:

        set ALIBABA_CLOUD_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID>
set ALIBABA_CLOUD_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET>

    3. Pass the credential information by using environment variables.

      package main

import (
	"fmt"
	"github.com/aliyun/aliyun-odps-go-sdk/odps"
	"github.com/aliyun/aliyun-odps-go-sdk/odps/account"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	// Read AccessKey information from environment variables: “ALIBABA_CLOUD_ACCESS_KEY_ID” and “ALIBABA_CLOUD_ACCESS_KEY_SECRET”
	credential, err := credentials.NewCredential(nil)
	if err != nil {
		return
	}

	aliyunAccount := account.NewStsAccountWithCredential(credential)
	// Get the specific endpoint, using Hangzhou as an example
	endpoint := "http://service.cn-hangzhou.maxcompute.aliyun.com/api"
        // Default MaxCompute project
	defaultProject := ""

	odpsIns := odps.NewOdps(aliyunAccount, endpoint)
	odpsIns.SetDefaultProjectName(defaultProject)

	fmt.Printf("odps:%#v\n", odpsIns)
}

    Configuration files

    1. Create a configuration file with an .ini suffix, such as config.ini. The following code shows an example:

      Important

      You cannot add comments after key-value pairs in the file.

      [odps]
access_id = ""
access_key = ""
endpoint = ""
project = ""

    2. Pass the configuration information by using the configuration file.

      package main

import (
    "fmt"
    "github.com/aliyun/aliyun-odps-go-sdk/odps"
    "github.com/aliyun/aliyun-odps-go-sdk/odps/account"
    "log"
)

func main() {
    // Configuration file path
    configPath := "./config.ini"
    conf, err := odps.NewConfigFromIni(configPath)
    if err != nil {
        log.Fatalf("%+v", err)
    }

    aliAccount := account.NewAliyunAccount(conf.AccessId, conf.AccessKey)
    odpsIns := odps.NewOdps(aliAccount, conf.Endpoint)
    // Set the default MaxCompute project
    odpsIns.SetDefaultProjectName(conf.ProjectName)

    fmt.Printf("odps:%#v\n", odpsIns)
}

    Method 2: STS token

    If your application needs to temporarily access MaxCompute, you can initialize a credential provider with temporary identity credentials (AccessKey ID, AccessKey Secret, and Security Token) acquired by the STS service. If you use this approach, you need to manage the STS token manually, which may introduce security risks and further complicate maintenance. Furthermore, if your application requires repeated temporary access to MaxCompute, you need to manually refresh the STS token each time. For more information on acquiring an STS token, refer to AssumeRole.

    Environment variables

    1. Add the credentials dependency in your project.

      go get github.com/aliyun/credentials-go/credentials

    2. Configure environment variables for the STS token.

      • For macOS X, Linux, and Unix systems:

        export ALIBABA_CLOUD_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID>
export ALIBABA_CLOUD_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET>
export ALIBABA_CLOUD_SECURITY_TOKEN=<ALIBABA_CLOUD_SECURITY_TOKEN>

      • For Windows systems:

        set ALIBABA_CLOUD_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID>
set ALIBABA_CLOUD_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET>
set ALIBABA_CLOUD_SECURITY_TOKEN=<ALIBABA_CLOUD_SECURITY_TOKEN>

    3. Pass credential information by environment variables.

      package main

import (
	"fmt"
	"github.com/aliyun/aliyun-odps-go-sdk/odps"
	"github.com/aliyun/aliyun-odps-go-sdk/odps/account"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	// Read AccessKey information from environment variables: "ALIBABA_CLOUD_ACCESS_KEY_ID","ALIBABA_CLOUD_ACCESS_KEY_SECRET", "ALIBABA_CLOUD_SECURITY_TOKEN"
	credential, err := credentials.NewCredential(nil)
	if err != nil {
	    return
	}

	aliyunAccount := account.NewStsAccountWithCredential(credential)

	// Get the specific endpoint, using Hangzhou as an example
	endpoint := "http://service.cn-hangzhou.maxcompute.aliyun.com/api"

	// Default MaxCompute project
	defaultProject := ""

	odpsIns := odps.NewOdps(aliyunAccount, endpoint)
	odpsIns.SetDefaultProjectName(defaultProject)

	fmt.Printf("odps:%#v\n", odpsIns)
}

    Configuration files

    1. Create a configuration file with an .ini suffix, such as config.ini. The following code shows an example:

      Important

      You cannot add comments after key-value pairs in the file.

      [odps]
access_id = ""
access_key = ""
sts_token = ""
endpoint = ""
project = ""

    2. Pass the configuration information by using the configuration file.

      package main

import (
    "fmt"
    "github.com/aliyun/aliyun-odps-go-sdk/odps"
    "github.com/aliyun/aliyun-odps-go-sdk/odps/account"
    "log"
)

func main() {
    // Configuration file path
    configPath := "./config.ini"
    conf, err := odps.NewConfigFromIni(configPath)
    if err != nil {
        log.Fatalf("%+v", err)
    }

    aliAccount := account.NewAliyunAccount(conf.AccessId, conf.AccessKey)
    odpsIns := odps.NewOdps(aliAccount, conf.Endpoint)
    // Set the default MaxCompute project
    odpsIns.SetDefaultProjectName(conf.ProjectName)

    fmt.Printf("odps:%#v\n", odpsIns)
}

    Method 3: RAMRoleARN

    If your application requires authorized access to MaxCompute, such as cross-Alibaba Cloud account access to OSS, you can initialize a credential provider by using RAMRoleARN. The underlying implementation of this approach is the STS service. By specifying the ARN of the RAM role, the credentials tool calls the STS service to obtain an STS token and automatically refreshes the STS token before the session expires. Additionally, you can limit the RAM role to a smaller set of permissions by assigning a Policy. However, this method requires you to provide either an AccessKey or an STS token, which can introduce security risks and increase maintenance complexity. For more information on acquiring an AccessKey or STS token, see CreateAccessKey or AssumeRole. For details on obtaining RAMRoleARN, see CreateRole.

    1. Add the credentials dependency in your project.

      go get github.com/aliyun/credentials-go/credentials

    2. Configure the access credentials.

      package main

import (
	"fmt"
	"github.com/aliyun/aliyun-odps-go-sdk/odps"
	"github.com/aliyun/aliyun-odps-go-sdk/odps/account"
	"github.com/aliyun/credentials-go/credentials"
	"log"
)

func main() {
        // Obtain AccessKey information
	accessKeyId := ""
	accessKeySecret := ""
	
	config := new(credentials.Config).
		// Required credential type
		SetType("ram_role_arn").
		// AccessKey ID of the cloud account
		SetAccessKeyId(accessKeyId).
		// AccessKey Secret of the cloud account
		SetAccessKeySecret(accessKeySecret).
		// RoleArn format: acs:ram::USER_Id:role/ROLE_NAME
		SetRoleArn("RoleArn").
		// RoleSession name
		SetRoleSessionName("RoleSessionName").
		// Optional, restrict the permissions of the STS token
		SetPolicy("Policy").
		// Optional, restrict the validity period of the STS token
		SetRoleSessionExpiration(3600)

	credential, err := credentials.NewCredential(config)
	if err != nil {
		log.Fatalf("%+v", err)
	}

	stsAccount := account.NewStsAccountWithCredential(credential)

	// Get the specific endpoint, using Hangzhou as an example
	endpoint := "http://service.cn-hangzhou.maxcompute.aliyun.com/api"
	// Default MaxCompute project
	defaultProject := ""

	odpsIns := odps.NewOdps(stsAccount, endpoint)
	odpsIns.SetDefaultProjectName(defaultProject)

	fmt.Printf("odps:%#v\n", odpsIns)
}

    Method 4: ECSRAMRole

    If your applications run on ECS instances, ECI instances, or Container Service for Kubernetes worker nodes, we recommend using ECSRAMRole to initialize a credential provider. The underlying implementation of this approach is the STS token. This method does not require an AccessKey or an STS token, which eliminates the risks associated with manually managing AccessKeys or STS tokens. For more information on how to acquire ECSRAMRole, see CreateRole.

    1. Add the credentials dependency in your project.

      go get github.com/aliyun/credentials-go/credentials

    2. Configure ECSRAMRole as the access credential.

      package main

import (
	"fmt"
	"log"
	
	"github.com/aliyun/aliyun-odps-go-sdk/odps"
	"github.com/aliyun/aliyun-odps-go-sdk/odps/account"
	"github.com/aliyun/credentials-go/credentials"	
)

func main(){
	config := new(credentials.Config).
		// Credential type
		SetType("ecs_ram_role").
		// "roleName" is optional. If not set, it will be automatically search. We recommended to set it for reducing requests
		SetRoleName("RoleName").
		// "DisableIMDSv1" is optional and recommended to be enabled. It can be replaced by configuring the environment variable: ALIBABA_CLOUD_IMDSV1_DISABLED
		SetDisableIMDSv1(true)

	credential, err := credentials.NewCredential(config)
	if err != nil {
		log.Fatalf("%+v", err)
	}

	stsAccount := account.NewStsAccountWithCredential(credential)

	// Get the specific endpoint, using Hangzhou as an example
	endpoint := "http://service.cn-hangzhou.maxcompute.aliyun.com/api"

	// Default MaxCompute project
	defaultProject := ""

	odpsIns := odps.NewOdps(stsAccount, endpoint)
	odpsIns.SetDefaultProjectName(defaultProject)

	fmt.Printf("odps:%#v\n", odpsIns)
}

    Method 5: CredentialsURI

    If your application needs to obtain Alibaba Cloud credentials through an external system to achieve flexible credential management and keyless access, you can initialize the credential provider by using CredentialsURI. The underlying implementation of this method is based on the STS token. The Credentials tool acquires an STS token via the URI you provide, completing the initialization of the credential client. This method does not require you to provide an AccessKey or an STS token, which eliminates the risks associated with manually managing AccessKeys or STS tokens. The backend service responsible for responding to the CredentialsURI must implement the automatic refresh logic for STS tokens to ensure that your application always obtains valid credentials.

    1. For the Credentials tool to correctly parse and utilize an STS token, the URI must adhere to the following response protocol:

      • Response status code: 200

      • Response body structure:

        {
    "Code": "Success",
    "AccessKeySecret": "AccessKeySecret",
    "AccessKeyId": "AccessKeyId",
    "Expiration": "2024-10-09T16:39:33Z",
    "SecurityToken": "SecurityToken"
}

    2. Add the credentials dependency in your project.

      go get github.com/aliyun/credentials-go/credentials

    3. Configure CredentialsURI as the access credential.

      package main

import (
	"fmt"
	"github.com/aliyun/aliyun-odps-go-sdk/odps"
	"github.com/aliyun/aliyun-odps-go-sdk/odps/account"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	config := new(credentials.Config).SetType("credentials_uri").SetURLCredential("<yourCredentialsURI>")
	credential, err := credentials.NewCredential(config)
	if err != nil {
		return
	}

	stsAccount := account.NewStsAccountWithCredential(credential)
	
	// Get the specific endpoint, using Hangzhou as an example
	endpoint := "http://service.cn-hangzhou.maxcompute.aliyun.com/api"

	// Default MaxCompute project
	defaultProject := ""

	odpsIns := odps.NewOdps(stsAccount, endpoint)
	odpsIns.SetDefaultProjectName(defaultProject)

	fmt.Printf("odps:%#v\n", odpsIns)
}

    Method 6: Custom access credentials

    If none of the above credential configuration methods meet your requirements, you can also customize the credential provision method by implementing the CredentialProvider interface. This allows you to define your own logic for how credentials are provided to your application, giving you greater flexibility and control over credential management.

    package main

import (
	"fmt"
	"github.com/aliyun/aliyun-odps-go-sdk/odps"
	"github.com/aliyun/aliyun-odps-go-sdk/odps/account"
	"github.com/aliyun/credentials-go/credentials"
)

type CustomCredentialProvider struct {
}

func (cp *CustomCredentialProvider) GetType() (*string, error) {
	s := "CustomProvider"
	return &s, nil
}

func (cp *CustomCredentialProvider) GetCredential() (*credentials.CredentialModel, error) {

	accessKeyId := ""
	accessKeySecurity := ""
	accessKeyToken := ""

	return &credentials.CredentialModel{
		AccessKeyId:     &accessKeyId,
		AccessKeySecret: &accessKeyToken,
		SecurityToken:   &accessKeySecurity,
	}, nil
}

func main() {
	provider := &CustomCredentialProvider{}

	stsAccount := account.NewStsAccountWithProvider(provider)

	// Get the specific endpoint, using Hangzhou as an example
	endpoint := "http://service.cn-hangzhou.maxcompute.aliyun.com/api"

	// Default MaxCompute project
	defaultProject := ""

	odpsIns := odps.NewOdps(stsAccount, endpoint)
	odpsIns.SetDefaultProjectName(defaultProject)

	fmt.Printf("odps:%#v\n", odpsIns)
}

    What to do next?

    After you configure your access credentials, you can initialize the MaxCompute SDK. For detailed instructions, see Initialize the MaxCompute SDK.