When you use an Alibaba Cloud SDK to initiate a request to Tablestore, the authentication system verifies your identity based on credentials after receiving the request. After your identity is verified, you can access the requested Tablestore resources.
Authentication
When you send a request to Tablestore as an individual identity, the system performs the following authentication procedure:
A signature string is generated in the specified format based on the request.
An AccessKey secret is used to encrypt the signature string. Then, a verification code is generated.
After the authentication system receives the request, the authentication system obtains the AccessKey secret based on your AccessKey ID and uses the AccessKey secret to decrypt the signature string and verification code.
If the verification code decrypted by the authentication system is the same as the verification code generated by using the AccessKey secret to encrypt the signature string, Tablestore considers the request valid.
If the verification code decrypted by the authentication system is different from the verification code generated by using the AccessKey secret to encrypt the signature string, Tablestore rejects the request and returns HTTP status code 403.
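The following is an added illustration of the signing and verification steps described above; it is example code written for this page, not Tablestore's own signing code or SDK. The client builds a signature string from the request, computes an HMAC-SHA1 verification code under the AccessKey secret and sends it with the AccessKey ID; the authentication system looks up the secret by AccessKey ID, recomputes the code and answers 200 or 403. The header names, the layout of the signature string and the credential store are assumptions made for this example, and the real Tablestore signature format is not reproduced here.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the authentication system's credential lookup:
# AccessKey ID -> AccessKey secret. Both values are made up for this example.
CREDENTIAL_STORE = {
    "LTAI_EXAMPLE_ID": "example-secret-not-a-real-key",
}


def build_string_to_sign(method, path, headers):
    """Build a simplified signature string from the request.

    Assumed layout (not Tablestore's real one): the HTTP method, the request
    path, then every x-ots-* header in sorted, lower-cased form. The signature
    header itself is excluded so that client and server canonicalize identically.
    """
    parts = [method.upper(), path]
    for name in sorted(headers, key=str.lower):
        lname = name.lower()
        if lname.startswith("x-ots-") and lname != "x-ots-signature":
            parts.append(f"{lname}:{headers[name].strip()}")
    return "\n".join(parts)


def compute_verification_code(string_to_sign, access_key_secret):
    """HMAC-SHA1 over the signature string, keyed with the AccessKey secret."""
    mac = hmac.new(access_key_secret.encode("utf-8"),
                   string_to_sign.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, path, headers, access_key_id, access_key_secret):
    """Client side: attach the AccessKey ID and the verification code."""
    signed = dict(headers)
    signed["x-ots-accesskeyid"] = access_key_id  # assumed header name
    string_to_sign = build_string_to_sign(method, path, signed)
    signed["x-ots-signature"] = compute_verification_code(string_to_sign, access_key_secret)
    return signed


def verify_request(method, path, headers):
    """Server side: return the HTTP status the authentication system would produce."""
    access_key_id = headers.get("x-ots-accesskeyid")
    access_key_secret = CREDENTIAL_STORE.get(access_key_id)
    if access_key_secret is None:
        return 403  # unknown (or inactive) AccessKey ID
    expected = compute_verification_code(
        build_string_to_sign(method, path, headers), access_key_secret)
    presented = headers.get("x-ots-signature", "")
    # Constant-time comparison: a plain == on the codes would leak timing information.
    if not hmac.compare_digest(presented, expected):
        return 403  # codes differ: the request is rejected
    return 200


if __name__ == "__main__":
    request_headers = {"x-ots-date": "2024-01-01T00:00:00.000Z",
                       "x-ots-instancename": "demo"}  # constructed request
    signed = sign_request("POST", "/GetRow", request_headers,
                          "LTAI_EXAMPLE_ID", CREDENTIAL_STORE["LTAI_EXAMPLE_ID"])
    print(verify_request("POST", "/GetRow", signed))      # 200
    print(verify_request("POST", "/DeleteRow", signed))   # 403: path changed after signing
```

Because the secret never leaves either side and only the code derived from it is transmitted, any change to a signed part of the request (path, instance name, date) invalidates the code, and an AccessKey ID that the store does not know is rejected before any comparison takes place.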
Terms
AccessKey pair
An AccessKey pair is used to verify user identities. An AccessKey pair consists of an AccessKey ID and an AccessKey secret that are used together. The AccessKey ID identifies the user, and the AccessKey secret is used to authenticate the user. After you pass the authentication, you can perform operations on specific Tablestore resources.
An AccessKey secret of a RAM user is displayed only when you create the RAM user. You cannot query the AccessKey secret in subsequent operations. Store your AccessKey secret in a secure location.
AccessKey pair of an Alibaba Cloud account
Before you use Alibaba Cloud services, you must create an Alibaba Cloud account. The Alibaba Cloud account is the owner of Alibaba Cloud resources. The Alibaba Cloud account is charged for all the resources that it owns. The Alibaba Cloud account has full control over the resources.
By default, only the Alibaba Cloud account can access Alibaba Cloud resources. Other users can access resources only after being explicitly authorized by the Alibaba Cloud account. The Alibaba Cloud account is similar to the administrator or root user of an operating system.
The AccessKey pair of an Alibaba Cloud account has permissions to access all resources that belong to the account. Each Alibaba Cloud account can have up to five AccessKey pairs at the same time. Each AccessKey pair can be in one of the following states:
Active: The AccessKey pair can be used for authentication.
Inactive: The AccessKey pair cannot be used for authentication.
If you use the AccessKey pair of your Alibaba Cloud account to access resources, security risks may occur because the AccessKey pair has permissions to access all resources that belong to your account. We recommend that you use the AccessKey pair of a RAM user that is granted the minimum required permissions to access resources.
AccessKey pair of a RAM user
A RAM user is a physical identity that has a fixed ID and credential information. A RAM user represents a person or an application. A RAM user has the following characteristics:
An Alibaba Cloud account can create multiple RAM users. RAM users can be used to represent employees, systems, and applications within an enterprise.
RAM users do not own resources. Fees that are generated by RAM users are billed to the Alibaba Cloud accounts to which the RAM users belong. RAM users do not receive individual bills and cannot make payments.
RAM users are visible only to the Alibaba Cloud account to which they belong.
Before RAM users can log on to the Alibaba Cloud Management Console or call operations, they must be authorized by Alibaba Cloud accounts. After authorization, RAM users can manage resources that are owned by the Alibaba Cloud accounts.
The AccessKey pair of a RAM user serves as access credentials for the RAM user. You can use the AccessKey pair of a RAM user to access resources in Tablestore instances on which the RAM user is granted access permissions by using Resource Access Management (RAM). You can use the AccessKey pair of a RAM user to manage users, such as employees, systems, and applications, and control the permissions of users to access your resources. For example, you can use the AccessKey pair of a RAM user to specify that the RAM user has read permissions on a specific Tablestore instance.
Temporary access credentials
Alibaba Cloud provides permanent access credentials for RAM users and temporary access credentials for RAM roles. A RAM role is a virtual identity to which policies can be attached. RAM roles do not have logon passwords or AccessKey pairs. A RAM role must be assumed by a trusted entity, which can be a RAM user, an Alibaba Cloud service, or an identity provider (IdP). If a trusted entity assumes a RAM role, the entity can obtain and use a Security Token Service (STS) token of the RAM role to access the resources on which the RAM role has permissions.
Endpoints
Each Tablestore instance has an endpoint. When you use Alibaba Cloud SDKs to initiate a request to Tablestore, you must specify the endpoint of the region in which the Tablestore instance that you want to access resides. Endpoints are classified into public endpoints, dual-stack public endpoints, VPC endpoints, and classic network endpoints. For more information, see Endpoints.
Initiate a request
Use the AccessKey pair of a RAM user to initiate a request to Tablestore
The following procedure describes how to use the AccessKey pair of a RAM user to initiate a request to Tablestore:
Use the AccessKey pair of a RAM user to initialize an OTSClient instance.
Call the method provided by the OTSClient instance to initiate a request to Tablestore.
The OTSClient instance uses the AccessKey pair of the RAM user to generate a signature and adds the signature to the request.
For more information, see Use AccessKey pairs of RAM users to initiate requests.
Use STS temporary access credentials to initiate a request to Tablestore
RAM users can use Alibaba Cloud SDKs to request temporary access credentials from STS and then use the credentials to access Tablestore resources. After the specified validity period ends, the credentials become invalid.
The following procedure describes how to use STS temporary access credentials to initiate a request to Tablestore:
Use the AccessKey pair of a RAM user to initialize an STSClient instance.
Call the AssumeRole operation of STS to obtain temporary access credentials for the RAM role to which a specific policy is attached.
Use the STS temporary access credentials to initialize an OTSClient instance.
Use the method provided by the OTSClient instance to initiate a request to Tablestore.
The OTSClient instance uses the STS temporary access credentials to generate a signature and adds the signature to the request.
For more information, see Use temporary access credentials obtained from STS to initiate requests.
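The following is an added example, written for this page rather than taken from the Tablestore or STS SDKs, of how a client can handle the two credential types described in the two procedures above and the expiry of STS credentials. A provider caches the temporary credentials obtained from an AssumeRole-style call and re-assumes the role before the validity period ends, so that no request is signed with a token that is about to become invalid. The assume_role callable, the clock, the credential values and the keyword names in client_init_args are assumptions of this example, not the SDKs' exact signatures.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Credentials:
    """Either a permanent RAM-user AccessKey pair (no token, no expiration)
    or a set of STS temporary credentials (token plus expiration)."""
    access_key_id: str
    access_key_secret: str
    sts_token: Optional[str] = None
    expiration: Optional[float] = None  # epoch seconds; None means permanent

    def is_temporary(self) -> bool:
        return self.sts_token is not None

    def seconds_remaining(self, now: float) -> Optional[float]:
        return None if self.expiration is None else self.expiration - now


class StsCredentialProvider:
    """Hands out STS credentials and re-assumes the role before they expire.

    assume_role: callable standing in for the AssumeRole call made with a
    RAM user's AccessKey pair (step 2 of the STS procedure).
    refresh_margin: seconds before expiration at which a refresh is forced.
    clock: injectable time source so that expiry can be exercised in tests.
    """

    def __init__(self, assume_role: Callable[[], Credentials],
                 refresh_margin: float = 300.0,
                 clock: Callable[[], float] = time.time):
        self._assume_role = assume_role
        self._refresh_margin = refresh_margin
        self._clock = clock
        self._cached: Optional[Credentials] = None
        self.refresh_count = 0  # how many times the role was assumed

    def get(self) -> Credentials:
        now = self._clock()
        cached = self._cached
        expiring = (cached is not None and cached.expiration is not None
                    and cached.seconds_remaining(now) <= self._refresh_margin)
        if cached is None or expiring:
            self._cached = self._assume_role()
            self.refresh_count += 1
        return self._cached


def fake_assume_role(clock: Callable[[], float], duration: float = 3600.0):
    """Constructed stand-in for STS AssumeRole: issues a fresh, numbered set
    of credentials on each call, valid for `duration` seconds from the clock."""
    calls = {"n": 0}

    def assume_role() -> Credentials:
        calls["n"] += 1
        n = calls["n"]
        return Credentials(access_key_id=f"STS.example{n}",  # constructed values
                           access_key_secret=f"temp-secret-{n}",
                           sts_token=f"temp-token-{n}",
                           expiration=clock() + duration)
    return assume_role


def client_init_args(creds: Credentials, endpoint: str, instance_name: str) -> dict:
    """Arguments an OTSClient-style constructor would be initialized with
    (step 1 of the AccessKey procedure, step 3 of the STS procedure).
    The keyword names are this example's own, not the SDK's exact signature."""
    args = {"end_point": endpoint,
            "access_key_id": creds.access_key_id,
            "access_key_secret": creds.access_key_secret,
            "instance_name": instance_name}
    if creds.is_temporary():
        args["sts_token"] = creds.sts_token  # the token is sent along with the signed request
    return args


if __name__ == "__main__":
    provider = StsCredentialProvider(fake_assume_role(time.time))
    creds = provider.get()  # first call assumes the role
    print(client_init_args(creds, "https://ENDPOINT-PLACEHOLDER", "demo-instance"))
    print(provider.get() is creds)  # True: still valid, served from cache
```

The refresh margin is the practical answer to "the credentials become invalid after the validity period ends": a token that is still technically valid when a request is signed can expire while the request is in flight, so refreshing a few minutes early avoids 403 responses at the boundary. A permanent AccessKey pair passes through the same Credentials type with no token and no expiration, which keeps the client code identical for both procedures.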
Alibaba Cloud SDKs
Alibaba Cloud provides SDKs in the following programming languages: