
Alibaba Cloud SDK:Manage access credentials

Last Updated: Nov 14, 2024

When you call API operations to manage cloud resources by using Alibaba Cloud SDKs, you must configure valid credential information. This topic describes how to configure an access credential for Alibaba Cloud SDK V1.0 for C#. The access credential ensures access security when you use the SDK for development.

Use an AccessKey pair

Important
  • If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To ensure account security, we recommend that you use the AccessKey pair of a Resource Access Management (RAM) user. For more information, see Create an AccessKey pair.

  • Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are configured in the code runtime environment. For more information, see Configure environment variables in Linux, macOS, and Windows.

  • Configure an AccessKey pair for client initialization by using IClientProfile.

    using System;
    using Aliyun.Acs.Core;
    using Aliyun.Acs.Core.Profile;
    
    namespace AlibabaCloud.SDK.Sample
    {
        public class Sample
        {
            public static void Main(string[] args)
            {
                IClientProfile profile = DefaultProfile.GetProfile(
                    // Specify the region ID.
                    "<REGION_ID>",
                    // Obtain the AccessKey ID of the RAM user from an environment variable.
                    Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                    // Obtain the AccessKey secret of the RAM user from an environment variable.
                    Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
                DefaultAcsClient client = new DefaultAcsClient(profile);
                // The step of calling an API operation is omitted.
            }
        }
    }
    
  • Configure an AccessKey pair for client initialization by using AlibabaCloudCredentialsProvider.

    using System;
    using Aliyun.Acs.Core;
    using Aliyun.Acs.Core.Profile;
    using Aliyun.Acs.Core.Auth;
    
    namespace AlibabaCloud.SDK.Sample
    {
        public class Sample
        {
            public static void Main(string[] args)
            {
                AlibabaCloudCredentialsProvider provider = new AccessKeyCredentialProvider(
                    // Obtain the AccessKey ID of the RAM user from an environment variable.
                    Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                    // Obtain the AccessKey secret of the RAM user from an environment variable.
                    Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
                IClientProfile profile = DefaultProfile.GetProfile("<REGION_ID>");
                DefaultAcsClient client = new DefaultAcsClient(profile, provider);
                // The step of calling an API operation is omitted.
            }
        }
    }
    

Use an STS token

Use a temporary Security Token Service (STS) token for client initialization.

using System;
using Aliyun.Acs.Core;
using Aliyun.Acs.Core.Auth;
using Aliyun.Acs.Core.Profile;

namespace AlibabaCloud.SDK.Sample
{
    public class Sample
    {
        public static void Main(string[] args)
        {
            AlibabaCloudCredentialsProvider provider = new StsCredentialProvider(
                // Obtain the AccessKey ID of the RAM user from an environment variable.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                // Obtain the AccessKey secret of the RAM user from an environment variable.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_SECRET"),
                // Obtain the security token of the RAM user from an environment variable.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_SECURITY_TOKEN"));
            IClientProfile profile = DefaultProfile.GetProfile("<REGION_ID>");
            DefaultAcsClient client = new DefaultAcsClient(profile, provider);
            // The step of calling an API operation is omitted.
        }
    }
}

Use RamRoleArn

Call the AssumeRole operation of STS as a RAM user to obtain an STS token.

using System;
using Aliyun.Acs.Core;
using Aliyun.Acs.Core.Auth;
using Aliyun.Acs.Core.Profile;

namespace AlibabaCloud.SDK.Sample
{
    public class Sample
    {
        public static void Main(string[] args)
        {
            IClientProfile profile = DefaultProfile.GetProfile("<REGION_ID>");
            AlibabaCloudCredentialsProvider provider = new AccessKeyCredentialProvider(
                // Obtain the AccessKey ID of the RAM user from an environment variable.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                // Obtain the AccessKey secret of the RAM user from an environment variable.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
            // Use RamRoleArn for client initialization: the AccessKey credentials above are used
            // to call AssumeRole, and the resulting STS token is used for subsequent API calls.
            STSAssumeRoleSessionCredentialsProvider stsProvider = new STSAssumeRoleSessionCredentialsProvider(
                provider,
                "<ROLE_ARN>",
                profile);

            DefaultAcsClient client = new DefaultAcsClient(profile, stsProvider);
            // The step of calling an API operation is omitted.
        }
    }
}

Use EcsRamRole

To deploy applications in a secure and convenient manner, the SDK allows you to use the RAM role attached to an Elastic Compute Service (ECS) instance to obtain a temporary authorization token. You can use the token to access the resources and services that are available to the RAM role attached to the ECS instance. For more information, see the "Step 5: (Optional) Obtain a temporary authorization token" section of the Use an instance RAM role by calling API operations topic. This way, the applications that are deployed on the ECS instance can call API operations without the need to use an AccessKey pair. After you configure this type of credential in the SDK, the SDK is granted the permissions of the RAM role attached to the ECS instance.

Important

Make sure that the RAM role that you want to use is attached to the ECS instance on which the SDK is installed.

using Aliyun.Acs.Core;
using Aliyun.Acs.Core.Profile;
using Aliyun.Acs.Core.Auth;

namespace AlibabaCloud.SDK.Sample
{
    public class Sample
    {
        public static void Main(string[] args)
        {
            IClientProfile profile = DefaultProfile.GetProfile("<REGION_ID>");
            // Use EcsRamRole for client initialization.
            InstanceProfileCredentialsProvider provider = new InstanceProfileCredentialsProvider(
                "<ROLE_NAME>");
            DefaultAcsClient client = new DefaultAcsClient(profile, provider);
            // The step of calling an API operation is omitted.
        }
    }
}

Use OIDCRoleArn

After you assign RAM roles to worker nodes in a Container Service for Kubernetes (ACK) cluster, you can use the RAM Roles for Service Accounts (RRSA) feature to allow different applications in the ACK cluster to assume different RAM roles. Applications can assume specific RAM roles, obtain STS tokens, and then use the tokens to access cloud services. This enforces the principle of least privilege and allows applications to call API operations without the need to use AccessKey pairs, which prevents AccessKey pair leaks.

ACK creates a service account OpenID Connect (OIDC) token file, associates the token file with a pod, and then injects relevant environment variables into the pod. The SDK uses the environment variables and calls the AssumeRoleWithOIDC operation of STS to obtain an STS token of the RAM role. For more information, see Use RRSA to authorize different pods to access different cloud services.

using System;
using Aliyun.Acs.Core;
using Aliyun.Acs.Core.Auth;
using Aliyun.Acs.Core.Profile;

namespace AlibabaCloud.SDK.Sample
{
    public class Sample
    {
        public static void Main(string[] args)
        {
            AlibabaCloudCredentialsProvider provider = new OIDCCredentialsProvider(
                // Specify the Alibaba Cloud Resource Name (ARN) of the RAM role.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_ROLE_ARN"), 
                // Specify the ARN of the OIDC provider.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"), 
                // Specify the path of the OIDC token file.
                Environment.GetEnvironmentVariable("ALIBABA_CLOUD_OIDC_TOKEN_FILE"),
                // Specify a temporary session name.
                "<ROLE_SESSION_NAME>",
                // Specify the region ID of STS.
                "<REGION_ID>");
            IClientProfile profile = DefaultProfile.GetProfile("<REGION_ID>");
            DefaultAcsClient client = new DefaultAcsClient(profile, provider);
            // The step of calling an API operation is omitted.
        }
    }
}

Use a bearer token

Note

Only Cloud Call Center (not available on alibabacloud.com) allows you to configure a bearer token as an access credential in the SDK.

using Aliyun.Acs.Core;
using Aliyun.Acs.Core.Auth;
using Aliyun.Acs.Core.Profile;

namespace AlibabaCloud.SDK.Sample
{
    public class Sample
    {
        public static void Main(string[] args)
        {
            AlibabaCloudCredentialsProvider provider = new BearerTokenCredentialProvider("<BEARER_TOKEN>");
            IClientProfile profile = DefaultProfile.GetProfile("<REGION_ID>");
            DefaultAcsClient client = new DefaultAcsClient(profile, provider);
            // The step of calling an API operation is omitted.
        }
    }
}

Use the default credential provider chain

using Aliyun.Acs.Core;
using Aliyun.Acs.Core.Auth.Provider;
using Aliyun.Acs.Core.Profile;

namespace AlibabaCloud.SDK.Sample
{
    public class Sample
    {
        public static void Main(string[] args)
        {
            IClientProfile profile = DefaultProfile.GetProfile("<REGION_ID>");
            // No credentials are passed explicitly; the provider chain resolves them at run time.
            var alibabaCloudClientCredential = new DefaultCredentialProvider();
            var client = new DefaultAcsClient(profile, alibabaCloudClientCredential);
            // The step of calling an API operation is omitted.
        }
    }
}

The default credential provider chain searches for and uses credentials in the following order:

1. Environment variables

The credential provider chain searches for credentials from environment variables. If the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are defined and non-null values are specified for the environment variables, the credential provider chain uses the values of the environment variables to create default credentials.

2. RAM role of an OIDC provider

If no credentials are found in the previous step, the Credentials tool obtains the values of the following environment variables:

  • ALIBABA_CLOUD_ROLE_ARN: the ARN of the RAM role.

  • ALIBABA_CLOUD_OIDC_PROVIDER_ARN: the ARN of the OIDC provider.

  • ALIBABA_CLOUD_OIDC_TOKEN_FILE: the path of the OIDC token file.

If the preceding three environment variables are specified, the Credentials tool uses the environment variables to call the AssumeRoleWithOIDC operation of STS to obtain an STS token as the default credential.

3. Configuration file

If the default credential file is stored in the home directory of the user, the credential provider chain automatically creates a credential based on the specified type and name. The path of the default credential file is ~/.alibabacloud/credentials.ini. In Windows, the path is C:\Users\USER_NAME\.alibabacloud\credentials.ini. You can change the path of the default credential file by using the ALIBABA_CLOUD_CREDENTIALS_FILE environment variable. You can also configure the ALIBABA_CLOUD_PROFILE environment variable to specify a profile. If you do not specify a value for the ALIBABA_CLOUD_PROFILE environment variable, the default profile is used.

[default]                            # The default profile.
type = access_key                    # Use AccessKey pairs for authentication.
access_key_id = foo                  # The AccessKey ID.
access_key_secret = bar              # The AccessKey secret.

[client1]                            # The profile named `client1`.
type = ecs_ram_role                  # Use EcsRamRole credentials for authentication.
role_name = EcsRamRoleTest           # The name of the RAM role.

[client2]                            # The profile named `client2`.
type = ram_role_arn                  # Use RamRoleArn credentials for authentication.
access_key_id = foo
access_key_secret = bar
role_arn = role_arn                  # The ARN of the RAM role.
role_session_name = role_session_name # The custom session name.

4. RAM role of an ECS instance

If no credentials are found in the previous step, the Credentials tool obtains the value of the ALIBABA_CLOUD_ECS_METADATA environment variable that specifies the RAM role name of an ECS instance. If the RAM role exists, the application obtains an STS token of the RAM role as the default credential by using the metadata server of ECS.
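The four steps above, and the credentials.ini profile format from step 3, are modelled below as an added example; this is not the SDK's or the Credentials tool's own code, and it does not call Alibaba Cloud. It resolves which credential source the documented chain would pick for a given set of environment variables, honours ALIBABA_CLOUD_CREDENTIALS_FILE and ALIBABA_CLOUD_PROFILE, treats an empty environment variable as unset (the page requires non-null values in step 1), and rejects a profile whose type is known but whose required keys are missing, which is the usual cause of a confusing "invalid credential" error at the first API call. The sample INI content is the one shown on this page; the AccessKey and role values in demo() are constructed placeholders.

```python
"""Model of the default credential provider chain documented above (added example)."""
import configparser
import tempfile
from pathlib import Path
from typing import Mapping, Optional

ACCESS_KEY_VARS = ("ALIBABA_CLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_SECRET")
OIDC_VARS = ("ALIBABA_CLOUD_ROLE_ARN", "ALIBABA_CLOUD_OIDC_PROVIDER_ARN",
             "ALIBABA_CLOUD_OIDC_TOKEN_FILE")

# Keys each profile type must carry, taken from the sample credentials.ini on this page.
REQUIRED_KEYS = {
    "access_key": ("access_key_id", "access_key_secret"),
    "ecs_ram_role": ("role_name",),
    "ram_role_arn": ("access_key_id", "access_key_secret", "role_arn", "role_session_name"),
}

# The sample file from the page, used by demo() (constructed sample values, not real credentials).
SAMPLE_INI = """[default]                            # The default profile.
type = access_key                    # Use AccessKey pairs for authentication.
access_key_id = foo                  # The AccessKey ID.
access_key_secret = bar              # The AccessKey secret.

[client1]                            # The profile named `client1`.
type = ecs_ram_role                  # Use EcsRamRole credentials for authentication.
role_name = EcsRamRoleTest           # The name of the RAM role.

[client2]                            # The profile named `client2`.
type = ram_role_arn                  # Use RamRoleArn credentials for authentication.
access_key_id = foo
access_key_secret = bar
role_arn = role_arn                  # The ARN of the RAM role.
role_session_name = role_session_name # The custom session name.
"""


def _all_set(env: Mapping[str, str], names) -> bool:
    """True only if every variable is defined and non-empty."""
    return all(env.get(n) for n in names)


def credentials_file(env: Mapping[str, str]) -> Path:
    """Step 3 location: ALIBABA_CLOUD_CREDENTIALS_FILE overrides ~/.alibabacloud/credentials.ini."""
    override = env.get("ALIBABA_CLOUD_CREDENTIALS_FILE")
    return Path(override) if override else Path.home() / ".alibabacloud" / "credentials.ini"


def load_profile(path: Path, profile: str) -> Optional[dict]:
    """Return the named profile as a dict, None if the file or profile is absent.

    Raises ValueError for an unsupported type or a profile missing required keys,
    so misconfiguration fails here rather than at the first API call.
    """
    if not path.is_file():
        return None
    parser = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    parser.read(path)
    if not parser.has_section(profile):
        return None
    section = dict(parser[profile])
    required = REQUIRED_KEYS.get(section.get("type", ""))
    if required is None or any(not section.get(k) for k in required):
        raise ValueError(f"profile [{profile}] has an unsupported type or is missing keys")
    return section


def resolve(env: Mapping[str, str]) -> dict:
    """Walk the chain in the documented order and describe the first usable source."""
    if _all_set(env, ACCESS_KEY_VARS):                     # 1. environment variables
        return {"source": "environment", "type": "access_key",
                "access_key_id": env["ALIBABA_CLOUD_ACCESS_KEY_ID"]}
    if _all_set(env, OIDC_VARS):                           # 2. RAM role of an OIDC provider
        return {"source": "environment", "type": "oidc_role_arn",
                "role_arn": env["ALIBABA_CLOUD_ROLE_ARN"]}
    profile = env.get("ALIBABA_CLOUD_PROFILE") or "default"  # 3. configuration file
    section = load_profile(credentials_file(env), profile)
    if section is not None:
        return {"source": "config_file", "profile": profile, **section}
    role_name = env.get("ALIBABA_CLOUD_ECS_METADATA")      # 4. RAM role of an ECS instance
    if role_name:
        return {"source": "ecs_metadata", "type": "ecs_ram_role", "role_name": role_name}
    raise LookupError("no credentials found in the default provider chain")


def demo() -> dict:
    """Resolve a few constructed environments against the sample file; returns results by scenario."""
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp) / "credentials.ini"
        ini.write_text(SAMPLE_INI)
        base = {"ALIBABA_CLOUD_CREDENTIALS_FILE": str(ini)}
        return {
            # Step 1 wins even though a config file exists.
            "env_wins": resolve({**base, "ALIBABA_CLOUD_ACCESS_KEY_ID": "LTAI-placeholder",
                                 "ALIBABA_CLOUD_ACCESS_KEY_SECRET": "placeholder-secret"}),
            # An empty secret does not satisfy step 1, so the [default] profile is used.
            "empty_var_skipped": resolve({**base, "ALIBABA_CLOUD_ACCESS_KEY_ID": "LTAI-placeholder",
                                          "ALIBABA_CLOUD_ACCESS_KEY_SECRET": ""}),
            # ALIBABA_CLOUD_PROFILE selects a non-default profile.
            "profile_selected": resolve({**base, "ALIBABA_CLOUD_PROFILE": "client1"}),
            # No file, no env vars: fall through to the ECS metadata role name.
            "ecs_fallback": resolve({"ALIBABA_CLOUD_CREDENTIALS_FILE": str(Path(tmp) / "missing.ini"),
                                     "ALIBABA_CLOUD_ECS_METADATA": "EcsRamRoleTest"}),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because resolve() takes the environment as a plain mapping, it can be run against a copy of os.environ on a host or in a container to see which source the chain would select there before the application is deployed; the ordering matters because an AccessKey pair left in the environment silently takes precedence over an OIDC or ECS role configuration.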