
Credential

Last Updated: Apr 17, 2024

This topic describes how to obtain and use a credential.

A credential is a group of information that can be used to verify the identity of a user. When you log on to a system, you must provide a valid credential to complete identity authentication. The following types of credentials are commonly used on Alibaba Cloud:

  1. An AccessKey pair of an Alibaba Cloud account or a Resource Access Management (RAM) user. An AccessKey pair is permanently valid. It consists of an AccessKey ID and an AccessKey secret.

  2. A Security Token Service (STS) token of a RAM role. An STS token is a temporary credential. You can specify a validity period and access permissions for an STS token. For more information, see What is STS?

  3. A bearer token. It is used for identity authentication and authorization.

AccessKey pair

AccessKey pair of an Alibaba Cloud account

Each Alibaba Cloud account can have up to five AccessKey pairs, including the AccessKey pairs that are disabled. You can create or delete an AccessKey pair in the RAM console. An AccessKey pair can be enabled or disabled. Only enabled AccessKey pairs can be used for identity authentication.

Warning

An AccessKey pair of an Alibaba Cloud account has full access to all resources within the account. AccessKey pair leaks pose critical threats to the resources within an Alibaba Cloud account.

AccessKey pair of a RAM user

Each RAM user can have up to two AccessKey pairs. To create an AccessKey pair for a RAM user, log on to the RAM console, go to the details page of the RAM user, and then click Create AccessKey.

Note

The risk that an AccessKey pair leaks increases over time. We recommend that you rotate AccessKey pairs on a regular basis.
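
The pair limits, the full-access warning, and the rotation advice above can be checked against an inventory of AccessKey pairs. The following Python code is an added example, not Alibaba Cloud code: the record layout, the sample inventory, the placeholder key IDs, and the 90-day rotation threshold are assumptions, and counting disabled pairs toward the RAM user limit is assumed from the account rule.

```python
from dataclasses import dataclass
from datetime import date

# Limits from this page: 5 pairs per Alibaba Cloud account (disabled pairs
# included), 2 per RAM user (assumed here to include disabled pairs as well).
MAX_PAIRS = {"account": 5, "ram_user": 2}
# Assumption: the page names no rotation interval; 90 days is a placeholder policy.
MAX_AGE_DAYS = 90

@dataclass
class KeyRecord:
    owner: str        # account or RAM user name (hypothetical)
    owner_type: str   # "account" or "ram_user"
    key_id: str       # constructed placeholder, not a real AccessKey ID
    created: date
    enabled: bool

def audit(records, today):
    """Return sorted (owner, key_id, finding_code) tuples for an inventory."""
    findings, per_owner = [], {}
    for r in records:
        key = (r.owner, r.owner_type)
        per_owner[key] = per_owner.get(key, 0) + 1
        if not r.enabled:
            continue  # only enabled pairs can be used for authentication
        if r.owner_type == "account":
            # An account-level pair has full access to every resource.
            findings.append((r.owner, r.key_id, "ACCOUNT_KEY_ENABLED"))
        if (today - r.created).days > MAX_AGE_DAYS:
            findings.append((r.owner, r.key_id, "ROTATION_OVERDUE"))
    for (owner, otype), count in per_owner.items():
        if count >= MAX_PAIRS[otype]:
            # No free slot: a pair must be deleted before a new one can be created.
            findings.append((owner, "*", "AT_PAIR_LIMIT"))
    return sorted(findings)

# Constructed sample inventory; every name and key ID is a placeholder.
SAMPLE = [
    KeyRecord("main-account", "account", "AK-EXAMPLE-1", date(2024, 3, 1), True),
    KeyRecord("ci-bot", "ram_user", "AK-EXAMPLE-2", date(2023, 10, 1), True),
    KeyRecord("ci-bot", "ram_user", "AK-EXAMPLE-3", date(2023, 1, 1), False),
    KeyRecord("dev-alice", "ram_user", "AK-EXAMPLE-4", date(2024, 4, 1), True),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, today=date(2024, 4, 17)):
        print(*finding, sep=" | ")
```
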

STS token

A RAM role does not have permanent identity credentials. When you access Alibaba Cloud resources by assuming a RAM role, you can obtain an STS token as a temporary credential.

Note

An STS token has a validity period. You must update an STS token after it expires.

Bearer token

Only Cloud Call Center allows you to use a bearer token to initialize an SDK client. To use a bearer token, select BearerToken for the Configure Authentication Mode parameter.

Suggestions

Credential leaks pose critical threats to cloud resources and your business. Pay special attention to credential security during routine O&M. For more information, see AccessKey security solution.