Tablestore: Configure access credentials

Last Updated: Sep 26, 2024

To use Tablestore SDK for PHP to initiate a request, you must configure access credentials. Alibaba Cloud services use access credentials to verify identity information and access permissions. You can select different types of access credentials based on your authentication and authorization requirements.

Prerequisites

Tablestore SDK for PHP is installed. For more information, see Install Tablestore SDK for PHP.

Access credentials

Access credential types

  • Temporary access credentials: For scenarios that require high security, we recommend that you use temporary access credentials. Temporary access credentials are valid only within a specific period of time, which helps prevent credential leaks. Temporary access credentials also support fine-grained access control, which prevents security risks caused by excessive permissions.

  • Long-term access credentials: To ensure security, we recommend that you do not use long-term access credentials. For scenarios that require convenience, long-term access credentials eliminate the need for multiple refreshes within an extended period of time.

    Important
    • We recommend that you change your long-term access credentials every three months to ensure the security of your Alibaba Cloud account.

    • If long-term access credentials are leaked or no longer used, you can delete or disable the long-term access credentials to reduce security risks.

Configure temporary access credentials

If you want to use SDK for PHP to temporarily access Tablestore, you can use Security Token Service (STS) to generate temporary access credentials. When you use temporary access credentials, you do not need to disclose the AccessKey pair of your Resource Access Management (RAM) user. This ensures secure access to Tablestore.

  1. Create a RAM user. For more information, see the Step 1: Create a RAM user section of the "Use temporary access credentials obtained from STS to initiate requests" topic.

  2. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user. For more information, see the Step 2: Grant the RAM user the permissions to call the AssumeRole operation section of the "Use temporary access credentials obtained from STS to initiate requests" topic.

  3. Create a RAM role and attach custom policies to the RAM role. For more information, see the Step 3: Create a RAM role and Step 4: Grant Tablestore read-only access to the RAM role sections of the "Use temporary access credentials obtained from STS to initiate requests" topic.

  4. Assume the RAM role as the RAM user to obtain temporary access credentials from STS. For more information, see the Step 5: Use the RAM user to assume the RAM role to obtain temporary access credentials section of the "Use temporary access credentials obtained from STS to initiate requests" topic.

  5. Configure the temporary access credentials obtained from STS.

    Environment variables

    1. Set the environment variables to the temporary access credentials.

      Mac OS X, Linux, and Unix

      export OTS_AK_ENV=<OTS_AK_ENV>
      export OTS_SK_ENV=<OTS_SK_ENV>
      export OTS_SESSION_TOKEN=<OTS_SESSION_TOKEN>

      Windows

      Open Command Prompt and run the following commands as the administrator:

      setx OTS_AK_ENV <OTS_AK_ENV> /m
      setx OTS_SK_ENV <OTS_SK_ENV> /m
      setx OTS_SESSION_TOKEN <OTS_SESSION_TOKEN> /m

      Note

      After you specify the environment variables, you may need to restart the relevant services or development tools such as Integrated Development Environment (IDE) to ensure that the new settings are applied as expected.

    2. Read the temporary access credentials from the environment variables.

      // getenv() returns false if a variable is not set.
      $accessKeyId = getenv('OTS_AK_ENV');
      $accessKeySecret = getenv('OTS_SK_ENV');
      $securityToken = getenv('OTS_SESSION_TOKEN');

    Static credentials

    You can reference credentials by specifying variables in your code. At run time, the variables are populated with the actual credential values from environment variables, configuration files, or other external data sources.

    The following procedure describes how to use a configuration file to pass credentials.

    1. Create a configuration file named config.ini.

      [configName]
      OTS_AK_ENV = <OTS_AK_ENV>
      OTS_SK_ENV = <OTS_SK_ENV>
      OTS_SESSION_TOKEN = <OTS_SESSION_TOKEN>

    2. Use the configuration file to pass credentials.

      // Read the configuration file. In this example, the configuration file is stored in the same directory as the script.
      // parse_ini_file() returns false on failure; it does not throw an exception.
      $config = parse_ini_file(__DIR__ . '/config.ini');
      if ($config === false) {
          echo "Failed to read config.ini\n";
          return;
      }
      // Obtain the AccessKey pair and STS token.
      $accessKeyId = $config['OTS_AK_ENV'];
      $accessKeySecret = $config['OTS_SK_ENV'];
      $securityToken = $config['OTS_SESSION_TOKEN'];
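
One way to load the STS values from either source described above so that a missing variable or a config.ini readable by other users fails closed. This is an added example, not part of the original documentation or of Tablestore SDK for PHP; the function name loadOtsCredentials, the environment-then-file fallback order, and the 0600 permission policy are assumptions.

```php
<?php
// Added example: function name, fallback order and permission policy are
// assumptions for illustration, not part of Tablestore SDK for PHP.
const OTS_KEYS = ['OTS_AK_ENV', 'OTS_SK_ENV', 'OTS_SESSION_TOKEN'];

// Returns all three STS values from the environment, else from $iniPath.
// Throws rather than returning a partially filled set.
function loadOtsCredentials(string $iniPath): array
{
    $creds = [];
    foreach (OTS_KEYS as $key) {
        $value = getenv($key); // false when the variable is unset
        if ($value !== false && trim($value) !== '') {
            $creds[$key] = trim($value);
        }
    }
    if (count($creds) === count(OTS_KEYS)) {
        return $creds;
    }
    // Fall back to the file, refusing one that group or other users can access.
    if (!is_file($iniPath) || !is_readable($iniPath)) {
        throw new RuntimeException("Credential file not found or unreadable: $iniPath");
    }
    $mode = fileperms($iniPath) & 0777;
    if (PHP_OS_FAMILY !== 'Windows' && ($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('%s has mode %o; expected 0600 or stricter', $iniPath, $mode));
    }
    // INI_SCANNER_RAW stops PHP from interpreting values such as "on" or "null".
    $config = parse_ini_file($iniPath, false, INI_SCANNER_RAW);
    if ($config === false) {
        throw new RuntimeException("Cannot parse $iniPath");
    }
    foreach (OTS_KEYS as $key) {
        $value = $config[$key] ?? '';
        if (!is_string($value) || trim($value) === '') {
            throw new RuntimeException("$key is missing or empty in $iniPath");
        }
        $creds[$key] = trim($value);
    }
    return $creds;
}

try {
    $creds = loadOtsCredentials(__DIR__ . '/config.ini');
    // Log which values were found, never the values themselves.
    error_log('Loaded: ' . implode(', ', array_keys($creds)));
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    exit(1);
}
```

For long-term credentials the same loader applies with OTS_SESSION_TOKEN removed from OTS_KEYS.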

Configure long-term access credentials

If your application is deployed in a secure and stable environment that is not vulnerable to external attacks and requires long-term access to Tablestore, you can use an AccessKey pair of your Alibaba Cloud account or a RAM user. For more information about how to obtain an AccessKey pair, see Use AccessKey pairs of RAM users to initiate requests.

Warning

An Alibaba Cloud account has full permissions on resources within the account. A leaked AccessKey pair of an Alibaba Cloud account poses a critical threat to the system. Therefore, we recommend that you use the AccessKey pair of a RAM user that is granted permissions based on the principle of least privilege.

Environment variables

  1. Set the environment variables to the AccessKey pair.

    Mac OS X, Linux, and Unix

    export OTS_AK_ENV=<OTS_AK_ENV>
    export OTS_SK_ENV=<OTS_SK_ENV>

    Windows

    Open Command Prompt and run the following commands as the administrator:

    setx OTS_AK_ENV <OTS_AK_ENV> /m
    setx OTS_SK_ENV <OTS_SK_ENV> /m

    Note

    After you specify the environment variables, you may need to restart the relevant services or development tools such as IDE to ensure that the new settings are applied as expected.

  2. Use environment variables to pass credentials.

    // getenv() returns false if a variable is not set.
    $accessKeyId = getenv('OTS_AK_ENV');
    $accessKeySecret = getenv('OTS_SK_ENV');

Static credentials

You can reference credentials by specifying variables in your code. At run time, the variables are populated with the actual credential values from environment variables, configuration files, or other external data sources.

The following procedure describes how to use a configuration file to pass credentials.

  1. Create a configuration file named config.ini.

    [configName]
    OTS_AK_ENV = <OTS_AK_ENV>
    OTS_SK_ENV = <OTS_SK_ENV>

  2. Use the configuration file to pass credentials.

    // Read the configuration file. In this example, the configuration file is stored in the same directory as the script.
    // parse_ini_file() returns false on failure; it does not throw an exception.
    $config = parse_ini_file(__DIR__ . '/config.ini');
    if ($config === false) {
        echo "Failed to read config.ini\n";
        return;
    }
    // Obtain the AccessKey ID and AccessKey secret.
    $accessKeyId = $config['OTS_AK_ENV'];
    $accessKeySecret = $config['OTS_SK_ENV'];

What to do next

After the credential provider is initialized, you need to use the credential provider to create an OTSClient instance. For more information, see Initialize an OTSClient instance.