
Tablestore:AccessKey pair security

Last Updated:May 21, 2024

Tablestore supports the V4 signature algorithm to protect your AccessKey pair. Instead of using the AccessKey pair itself for identity authentication, Tablestore uses a derived key generated by the V4 signature algorithm, which reduces the impact of an AccessKey pair leak. If a derived key is leaked, only the resources that belong to a specific service in a specific region are affected, and only on the day the key is valid: derived keys are valid for no more than one day.

Background information

The V4 signature algorithm provides a new authentication method. A V4 signature is a string computed from the AccessKey secret of an Alibaba Cloud account or a RAM user together with the date, the region, and the product code.

If you use V4 signatures and one of them is stolen, the other regions and services that belong to the same Alibaba Cloud account or RAM user are not affected, and the stolen V4 signature is valid for no more than one day. You can therefore use V4 signatures to protect your AccessKey pair.

Usage notes

  • Only Tablestore SDK for Java V5.16.1 and later support the V4 signature algorithm.

  • Use V4 signatures together with keeping your AccessKey pair confidential. For example, read the AccessKey pair from environment variables instead of hard-coding it in your code.

Request process

  1. The client uses the V4 signature algorithm to derive a key from the AccessKey pair, and then uses the derived key, not the AccessKey pair, to sign and initiate a request.

  2. After the server receives the request, the server uses the derived key to authenticate the user.

  3. After identity authentication is passed, the server processes the request and returns the processing result.

    Note

    If identity authentication fails, the server denies access from the client.

  4. The client receives the processing result returned by the server.
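The scoping property described in the background and request process sections, as an added illustration that is not the Tablestore SDK's code: an HMAC-SHA256 chain binds a key to one date, region and service, so a leaked derived key is useless for another region, service or day and cannot be reversed into the AccessKey secret. The chain order, the "demo-v4" labels, the secret and the string to sign are assumptions constructed for this example, not the constants or formats the Tablestore SDK uses internally.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class DerivedKeyDemo {
    // HMAC-SHA256 of data under key: the primitive the whole derivation chain is built from.
    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Derive a key bound to one (date, region, service) scope. The chain order and the
    // "demo-v4" / "demo-v4_request" labels are illustrative assumptions, not Tablestore's constants.
    static byte[] deriveKey(String accessKeySecret, String date, String region, String service)
            throws Exception {
        byte[] kDate = hmac(("demo-v4" + accessKeySecret).getBytes(StandardCharsets.UTF_8), date);
        byte[] kRegion = hmac(kDate, region);
        byte[] kService = hmac(kRegion, service);
        return hmac(kService, "demo-v4_request");
    }

    // Sign a request with the derived key; the raw AccessKey secret never touches the request.
    static byte[] sign(byte[] derivedKey, String stringToSign) throws Exception {
        return hmac(derivedKey, stringToSign);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String secret = "EXAMPLE-SECRET-NOT-REAL"; // constructed placeholder, never a real secret
        byte[] hangzhouToday = deriveKey(secret, "20240521", "cn-hangzhou", "ots");
        byte[] shanghaiToday = deriveKey(secret, "20240521", "cn-shanghai", "ots");
        byte[] hangzhouNextDay = deriveKey(secret, "20240522", "cn-hangzhou", "ots");
        System.out.println("cn-hangzhou 20240521: " + hex(hangzhouToday));
        System.out.println("cn-shanghai 20240521: " + hex(shanghaiToday));
        System.out.println("cn-hangzhou 20240522: " + hex(hangzhouNextDay));
        // Each scope yields an unrelated key, so a leaked key cannot be reused outside its scope.
        System.out.println("differs across region: " + !Arrays.equals(hangzhouToday, shanghaiToday));
        System.out.println("differs across day:    " + !Arrays.equals(hangzhouToday, hangzhouNextDay));
        // A constructed string to sign; the real SDK builds a canonical request from the HTTP call.
        System.out.println("signature: " + hex(sign(hangzhouToday, "POST\n/ListTable\n20240521")));
    }
}
```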

Sample code

The following sample code provides an example on how to list tables in a Tablestore instance named myinstance that is located in the China (Hangzhou) region. In this example, the V4 signature algorithm is used to initialize the client.

import com.alicloud.openservices.tablestore.SyncClient;
import com.alicloud.openservices.tablestore.core.ResourceManager;
import com.alicloud.openservices.tablestore.core.auth.CredentialsProvider;
import com.alicloud.openservices.tablestore.core.auth.DefaultCredentialProvider;
import com.alicloud.openservices.tablestore.core.auth.DefaultCredentials;
import com.alicloud.openservices.tablestore.core.auth.V4Credentials;
import com.alicloud.openservices.tablestore.model.ListTableResponse;

public class ListTableWithV4Signature {
    public static void main(String[] args) {
        // Specify the region ID of the instance. In this example, the China (Hangzhou) region is used.
        String region = "cn-hangzhou";
        // Specify the endpoint of the instance.
        String endPoint = "https://myinstance.cn-hangzhou.ots.aliyuncs.com";
        // Specify the name of the instance.
        String instanceName = "myinstance";
        // Read the AccessKey pair of your Alibaba Cloud account or RAM user from environment variables.
        String accessKeyId = System.getenv("OTS_AK_ENV");
        String accessKeySecret = System.getenv("OTS_SK_ENV");
        // Use the original AccessKey ID and AccessKey secret to create DefaultCredentials,
        // then derive V4Credentials that are bound to the region.
        DefaultCredentials credentials = new DefaultCredentials(accessKeyId, accessKeySecret);
        V4Credentials credentialsV4 = V4Credentials.createByServiceCredentials(credentials, region);
        CredentialsProvider provider = new DefaultCredentialProvider(credentialsV4);
        // Use V4Credentials to initialize the Tablestore client.
        SyncClient client = new SyncClient(endPoint, provider, instanceName, null, new ResourceManager(null, null));
        try {
            // Perform the business operation. In this example, the names of tables in the instance are listed.
            ListTableResponse response = client.listTable();
            System.out.println("request id : " + response.getRequestId());
            System.out.println("tableNames : " + response.getTableNames());
        } finally {
            // Shut down the Tablestore client.
            client.shutdown();
        }
    }
}