AccessKey pair security

Updated at: 2025-03-26 09:02

Tablestore supports the V4 signature algorithm to protect AccessKey pairs. Tablestore uses the derived key generated by the V4 signature algorithm instead of the AccessKey pair for identity authentication to reduce the risk of AccessKey pair leakage. If the derived key is leaked, only resources that belong to a specific service in a specific region are affected on the day when the derived key is leaked. The derived key automatically expires and becomes invalid on the next day.

Background information

The V4 signature algorithm provides a new authentication method. A V4 signature is a string that is calculated based on the AccessKey secret of an Alibaba Cloud account or a RAM user, date, region, and product code.

If you use V4 signatures and one of the signatures is stolen, other regions and services that belong to the Alibaba Cloud account or RAM user are not affected. The stolen V4 signature is valid for no more than one day. You can use V4 signatures to ensure the security of your AccessKey pair.

Note

You can use V4 signatures and keep AccessKey pairs confidential to ensure the security of your AccessKey pairs. For example, your code can read the AccessKey pair from environment variables instead of hard-coding it.

Request process

  1. The client uses the V4 signature algorithm to derive a key from the AccessKey pair and then uses the derived key to initiate a request.

  2. When the server receives the request, it uses the derived key to authenticate the caller.

  3. After identity authentication is passed, the server processes the request and returns the processing result.

    Note

    If identity authentication fails, the server denies access from the client.

  4. The client receives the processing result returned by the server.

Sample code

Important

Tablestore SDK for Java V5.16.1 and later support the V4 signature algorithm. Before you use the V4 signature algorithm, make sure that the SDK that you use supports this algorithm.

Use an AccessKey pair for initialization

In this example, the AccessKey pair of an Alibaba Cloud account or RAM user is used to describe how to configure access credentials. For more information, see How do I obtain an AccessKey pair?

The following sample code provides an example on how to use a V4 signature to initialize a Tablestore client, query the list of data tables in an instance, and print the table names to the console:

  • In Example 1, you only need to provide an AccessKey pair. The Tablestore SDK calculates the derived key. You do not need to manually maintain the derived key. When the derived key expires, the Tablestore SDK automatically refreshes the derived key.

  • In Example 2, you provide the AccessKey pair (AccessKey) and derived key (v4 SigningAccessKey). The derived key automatically expires on the next day. You must develop a mechanism to automatically refresh the derived key. Otherwise, you cannot access Tablestore after the derived key expires.

import com.alicloud.openservices.tablestore.SyncClient;
import com.alicloud.openservices.tablestore.core.ResourceManager;
import com.alicloud.openservices.tablestore.core.auth.*;
import java.text.SimpleDateFormat;
import java.util.Date;
import static com.alicloud.openservices.tablestore.core.Constants.PRODUCT;
import static com.alicloud.openservices.tablestore.core.Constants.SIGNING_KEY_SIGN_METHOD;

public class InitClientV4 {
    public static void main(String[] args) {
        // Specify the region in which the instance that you want to access resides. Example: cn-hangzhou.
        final String region = "yourRegion";
        // Specify the name of the instance.
        final String instanceName = "yourInstanceName";
        // Specify the endpoint of the instance.
        final String endpoint = "yourEndpoint";
        // Obtain the AccessKey ID and AccessKey secret from the system environment variables.
        final String accessKeyId = System.getenv("TABLESTORE_ACCESS_KEY_ID");
        final String accessKeySecret = System.getenv("TABLESTORE_ACCESS_KEY_SECRET");

        {
            /**
             * Example 1: Use the original AccessKey ID and AccessKey secret to construct {@link DefaultCredentials}
             * and let the SDK derive (and automatically refresh) {@link V4Credentials}.
             */
            DefaultCredentials credentials = new DefaultCredentials(accessKeyId, accessKeySecret);
            V4Credentials credentialsV4 = V4Credentials.createByServiceCredentials(credentials, region);
            CredentialsProvider provider = new DefaultCredentialProvider(credentialsV4);

            // Initialize the Tablestore client with the V4 credentials.
            SyncClient client = new SyncClient(endpoint, provider, instanceName, null, new ResourceManager(null, null));

            // Query the instance and print the name of each data table.
            client.listTable().getTableNames().forEach(System.out::println);
            // Shut down the Tablestore client.
            client.shutdown();
        }

        {
            /**
             * Example 2: Calculate the derived key (v4 SigningAccessKey) yourself and use it with the AccessKey ID
             * to construct {@link V4Credentials}. The derived key is valid only for signDate: regenerate it
             * before the next day starts, otherwise requests are rejected.
             */
            SimpleDateFormat dateFormat = new SimpleDateFormat("yyyyMMdd");
            String signDate = dateFormat.format(new Date()); // Sample value of the signDate parameter: 20230527
            // The derived key, scoped to the AccessKey secret, signDate, region, and product.
            String v4SigningAccessKey = CalculateV4SigningKeyUtil.finalSigningKeyString(accessKeySecret, signDate, region, PRODUCT, SIGNING_KEY_SIGN_METHOD);
            V4Credentials credentialsV4 = new V4Credentials(accessKeyId, v4SigningAccessKey, region, signDate);
            CredentialsProvider provider = new DefaultCredentialProvider(credentialsV4);

            // Initialize the Tablestore client with the V4 credentials.
            SyncClient client = new SyncClient(endpoint, provider, instanceName, null, new ResourceManager(null, null));

            // Query the instance and print the name of each data table.
            client.listTable().getTableNames().forEach(System.out::println);
            // Shut down the Tablestore client.
            client.shutdown();
        }
    }
}
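The scoping and expiry described in the background section, and the refresh mechanism that Example 2 leaves to you, modelled as an added Python example that is not part of this page or the Tablestore SDK. The HMAC chain, its order, and the product code are assumptions made for illustration and are not the SDK's CalculateV4SigningKeyUtil; the server side re-derives the key from the secret it holds and accepts a derived key only for its own sign date.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample values, not real credentials. The product code is a placeholder
# standing in for the SDK's Constants.PRODUCT.
SECRET = "exampleAccessKeySecret"
REGION = "cn-hangzhou"
PRODUCT = "yourProductCode"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret: str, sign_date: str, region: str, product: str) -> bytes:
    # Assumed chain: the long-lived secret enters only the first HMAC; every later step keys
    # on the previous output, so the result is bound to (date, region, product) and one-way.
    k_date = _hmac(secret.encode("utf-8"), sign_date)
    k_region = _hmac(k_date, region)
    return _hmac(k_region, product)

def sign(signing_key: bytes, string_to_sign: str) -> str:
    return _hmac(signing_key, string_to_sign).hex()

def server_verify(secret: str, region: str, product: str, today: date,
                  claimed_date: str, string_to_sign: str, signature: str) -> bool:
    # The server never stores the derived key: it re-derives it from the secret for today's
    # date only, so a derived key leaked on day D is useless from day D+1 onward.
    if claimed_date != today.strftime("%Y%m%d"):
        return False
    expected = sign(derive_signing_key(secret, claimed_date, region, product), string_to_sign)
    return hmac.compare_digest(expected, signature)

def needs_refresh(sign_date: str, today: date) -> bool:
    # Example 2's missing piece: regenerate the derived key once the sign date rolls over.
    return sign_date != today.strftime("%Y%m%d")

def demo() -> dict:
    d0 = date(2023, 5, 27)          # day the key was derived (page's sample signDate)
    d1 = d0 + timedelta(days=1)     # the next day
    sd = d0.strftime("%Y%m%d")
    key = derive_signing_key(SECRET, sd, REGION, PRODUCT)
    msg = "GET /ListTable"          # constructed stand-in for the string to sign
    sig = sign(key, msg)
    return {
        "accepted_same_day": server_verify(SECRET, REGION, PRODUCT, d0, sd, msg, sig),
        "accepted_next_day": server_verify(SECRET, REGION, PRODUCT, d1, sd, msg, sig),
        "other_region_key_differs": derive_signing_key(SECRET, sd, "cn-beijing", PRODUCT) != key,
        "refresh_not_due": not needs_refresh(sd, d0),
        "refresh_due": needs_refresh(sd, d1),
    }
```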
Use STS for initialization

For information about how to obtain temporary access credentials from Security Token Service (STS), see Use temporary access credentials obtained from STS to access Tablestore.

The following sample code provides an example on how to use a V4 signature to initialize a Tablestore client, query the list of data tables in an instance, and print the table names to the console:

  • In Example 1, you only need to provide the temporary access credentials obtained from STS. The Tablestore SDK calculates the derived key. You do not need to manually maintain the derived key. When the derived key expires, the Tablestore SDK automatically refreshes the derived key.

  • In Example 2, you provide the temporary access credentials obtained from STS and derived key (v4 SigningAccessKey). The derived key automatically expires on the next day. You must develop a mechanism to automatically refresh the derived key. Otherwise, you cannot access Tablestore after the derived key expires.

import com.alicloud.openservices.tablestore.SyncClient;
import com.alicloud.openservices.tablestore.core.ResourceManager;
import com.alicloud.openservices.tablestore.core.auth.*;
import java.text.SimpleDateFormat;
import java.util.Date;
import static com.alicloud.openservices.tablestore.core.Constants.PRODUCT;
import static com.alicloud.openservices.tablestore.core.Constants.SIGNING_KEY_SIGN_METHOD;

public class InitClientV4 {
    public static void main(String[] args) {
        // Specify the region in which the instance that you want to access resides. Example: cn-hangzhou.
        final String region = "yourRegion";
        // Specify the name of the instance.
        final String instanceName = "yourInstanceName";
        // Specify the endpoint of the instance.
        final String endpoint = "yourEndpoint";
        // Obtain the temporary AccessKey ID, temporary AccessKey secret, and security token from the environment variables.
        final String accessKeyId = System.getenv("TABLESTORE_ACCESS_KEY_ID");
        final String accessKeySecret = System.getenv("TABLESTORE_ACCESS_KEY_SECRET");
        final String securityToken = System.getenv("TABLESTORE_SESSION_TOKEN");

        {
            /**
             * Example 1: Use the temporary AccessKey ID, AccessKey secret, and security token to construct
             * {@link DefaultCredentials} and let the SDK derive (and automatically refresh) {@link V4Credentials}.
             */
            DefaultCredentials credentials = new DefaultCredentials(accessKeyId, accessKeySecret, securityToken);
            V4Credentials credentialsV4 = V4Credentials.createByServiceCredentials(credentials, region);
            CredentialsProvider provider = new DefaultCredentialProvider(credentialsV4);

            // Initialize the Tablestore client with the V4 credentials.
            SyncClient client = new SyncClient(endpoint, provider, instanceName, null, new ResourceManager(null, null));

            // Query the instance and print the name of each data table.
            client.listTable().getTableNames().forEach(System.out::println);
            // Shut down the Tablestore client.
            client.shutdown();
        }

        {
            /**
             * Example 2: Calculate the derived key (v4 SigningAccessKey) yourself and use it with the temporary
             * AccessKey ID and security token to construct {@link V4Credentials}. The derived key is valid only
             * for signDate: regenerate it before the next day starts, otherwise requests are rejected.
             */
            SimpleDateFormat dateFormat = new SimpleDateFormat("yyyyMMdd");
            String signDate = dateFormat.format(new Date()); // Sample value of the signDate parameter: 20230527
            // The derived key, scoped to the temporary AccessKey secret, signDate, region, and product.
            String v4SigningAccessKey = CalculateV4SigningKeyUtil.finalSigningKeyString(accessKeySecret, signDate, region, PRODUCT, SIGNING_KEY_SIGN_METHOD);
            V4Credentials credentialsV4 = new V4Credentials(accessKeyId, v4SigningAccessKey, securityToken, region, signDate);
            CredentialsProvider provider = new DefaultCredentialProvider(credentialsV4);

            // Initialize the Tablestore client with the V4 credentials.
            SyncClient client = new SyncClient(endpoint, provider, instanceName, null, new ResourceManager(null, null));

            // Query the instance and print the name of each data table.
            client.listTable().getTableNames().forEach(System.out::println);
            // Shut down the Tablestore client.
            client.shutdown();
        }
    }
}