All Products
Search
Document Center

Alibaba Cloud SDK:Manage access credentials

最終更新日:Nov 06, 2024

When you call API operations to manage cloud resources by using Alibaba Cloud SDKs, you must configure valid credential information. This topic describes how to configure an access credential for Alibaba Cloud SDK V1.0 for Java. The access credential ensures the access security when you use the SDK for development.

Use an AccessKey pair

Important
  • If the AccessKey pair of an Alibaba Cloud account is leaked, the resources that belong to the account are exposed to potential risks. To ensure account security, we recommend that you use the AccessKey pair of a Resource Access Management (RAM) user. For more information, see Create an AccessKey pair.

  • Make sure that the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are configured for your runtime environment. For more information, see Configure environment variables in Linux, macOS, and Windows.

  • Configure an AccessKey pair for client initialization by using DefaultProfile.

    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.IAcsClient;
    import com.aliyuncs.profile.DefaultProfile;
    
    public class Sample {
        public static void main(String[] args) {
            DefaultProfile profile = DefaultProfile.getProfile(
                    "<REGION_ID>",
                    // Obtain the AccessKey ID of the RAM user from an environment variable.
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                    // Obtain the AccessKey secret of the RAM user from an environment variable.
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
            IAcsClient client = new DefaultAcsClient(profile);
            // The step of calling an API operation is omitted.
        }
    }
  • Configure an AccessKey pair for client initialization by using BasicCredentials.

    import com.aliyuncs.DefaultAcsClient;
    import com.aliyuncs.IAcsClient;
    import com.aliyuncs.auth.BasicCredentials;
    import com.aliyuncs.profile.DefaultProfile;
    
    public class Sample {
        public static void main(String[] args) {
            BasicCredentials basicCredentials = new BasicCredentials(
                    // Obtain the AccessKey ID of the RAM user from an environment variable.
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                    // Obtain the AccessKey secret of the RAM user from an environment variable.
                    System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
            );
            DefaultProfile profile = DefaultProfile.getProfile("<REGION_ID>");
            IAcsClient client = new DefaultAcsClient(profile, basicCredentials);
            // The step of calling an API operation is omitted.
        }
    }

Use an STS token

Use a temporary Security Token Service (STS) token for client initialization.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.profile.DefaultProfile;

public class Test {
    public static void main(String[] args) {
        DefaultProfile profile = DefaultProfile.getProfile(
                "<REGION_ID>",
                // Obtain the AccessKey ID of the RAM user from an environment variable.
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                // Obtain the AccessKey secret of the RAM user from an environment variable.
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"),
                // STS Token
                System.getenv("ALIBABA_CLOUD_SECURITY_TOKEN"));
        IAcsClient client = new DefaultAcsClient(profile);
        // The step of calling an API operation is omitted.
    }
}

Use RamRoleArn

Call the AssumeRole operation of STS as a RAM user to obtain an STS token.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.auth.STSAssumeRoleSessionCredentialsProvider;
import com.aliyuncs.profile.DefaultProfile;

public class Sample {
    public static void main(String[] args) {
        DefaultProfile profile = DefaultProfile.getProfile();
        // Use an STS token for client initialization.
        STSAssumeRoleSessionCredentialsProvider stsProvider = new STSAssumeRoleSessionCredentialsProvider(
                // Obtain the AccessKey ID of the RAM user from an environment variable.
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"),
                // Obtain the AccessKey secret of the RAM user from an environment variable.
                System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"),
                // Specify a session name.
                "<ROLE_SESSION_NAME>",
                // Specify the Alibaba Cloud Resource Name (ARN) of the RAM role.
                "<ROLE_ARN>",
                // Specify the region ID.
                "<REGION_ID>"
        );
        DefaultAcsClient client = new DefaultAcsClient(profile, stsProvider);
        // The step of calling an API operation is omitted.
    }
}

Use ECSRamRole

To deploy applications in a secure and convenient manner, the SDK allows you to use the RAM role attached to an Elastic Computer Service (ECS) instance to obtain a temporary authorization token. You can use the token to access the resources and services that are available for the RAM role attached to the ECS instance. For more information, see the "Step 5: (Optional) Obtain a temporary authorization token" section of the Use an instance RAM role by calling API operations topic. This way, the applications that are deployed on the ECS instance can call API operations without the need to use an AccessKey pair. After you configure this type of credentials in the SDK, the SDK is granted the permissions of the RAM role attached to the ECS instance.

Important

Make sure that the RAM role that you want to use is attached to the ECS instance on which the SDK is installed.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.auth.InstanceProfileCredentialsProvider;
import com.aliyuncs.profile.DefaultProfile;

public class Sample {
    public static void main(String[] args) {
        DefaultProfile profile = DefaultProfile.getProfile("<REGION_ID>");
        // Use ECSRamRole for client initialization.
        InstanceProfileCredentialsProvider provider = new InstanceProfileCredentialsProvider(
                "<ROLE_NAME>"
        );
        DefaultAcsClient client = new DefaultAcsClient(profile, provider);
        // The step of calling an API operation is omitted.
    }
}

Use OIDCRoleArn

After you attach a RAM role to a worker node in a Container Service for Kubernetes (ACK) cluster, you can use the RAM Roles for Service Accounts (RRSA) feature to allow different applications in an ACK cluster to assume different RAM roles. Applications can assume specific RAM roles, obtain STS tokens, and then use the tokens to access cloud services. This enforces the principle of least privilege and allows applications to call API operations without the need to use AccessKey pairs, which prevents AccessKey pair leaks.

ACK creates a service account OpenID Connect (OIDC) token file, associates the token file with a pod, and then injects relevant environment variables into the pod. The SDK uses the environment variables and calls the AssumeRoleWithOIDC operation of STS to obtain an STS token of the RAM role. For more information, see Use RRSA to authorize different pods to access different cloud services.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.auth.OIDCCredentialsProvider;
import com.aliyuncs.exceptions.ClientException;
import com.aliyuncs.profile.DefaultProfile;

public class OIDC {
    public static void main(String[] args) throws ClientException {
        // Use OIDCRoleArn for client initialization.
        OIDCCredentialsProvider provider = new OIDCCredentialsProvider(
                // Specify the ARN of the RAM role.
                System.getenv("ALIBABA_CLOUD_ROLE_ARN"),
                // Specify the ARN of the OIDC provider.
                System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN"),
                // Specify the path of the OIDC token file.
                System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE"),
                // Specify a temporary session name.
                "<ROLE_SESSION_NAME>",
                // Specify the region ID of STS.
                "<REGION_ID>"
        );
        DefaultProfile profile = DefaultProfile.getProfile(
                // Specify the region ID of the client.
                "<REGION_ID>");
        IAcsClient client = new DefaultAcsClient(profile, provider);
        // The step of calling an API operation is omitted.
    }
}

Use a bearer token

Note

Only Cloud Call Center (CCC) allows you to configure a bearer token as an access credential in the SDK.

import com.aliyuncs.auth.BearerTokenCredentials;
import com.aliyuncs.profile.DefaultProfile;
import com.aliyuncs.DefaultAcsClient;

public class BearerToken {
    public static void main(String[] args) {
        DefaultProfile profile = DefaultProfile.getProfile("<REGION_ID>");
        // Configure an access credential by using BearerTokenCredentials.
        BearerTokenCredentials bearerTokenCredential = new BearerTokenCredentials("<BEARER_TOKEN>");
        DefaultAcsClient client = new DefaultAcsClient(profile, bearerTokenCredential);
        // The step of calling an API operation is omitted.
    }
}

Use the default credential provider chain

If you do not specify a method to initialize an SDK client, the default credential provider chain is used.

import com.aliyuncs.DefaultAcsClient;
import com.aliyuncs.IAcsClient;
import com.aliyuncs.exceptions.ClientException;

public class Test {
    public static void main(String[] args) throws ClientException {
        // Use the default credential provider chain.
        IAcsClient client = new DefaultAcsClient("<REGION_ID>");
        // The step of calling an API operation is omitted.
    }
}

The default credential provider chain searches for and uses credentials in the following order:

1. System properties

The credential provider chain searches for credentials in system properties. If the system properties alibabacloud.accessKeyId and alibabacloud.accessKeyIdSecret are defined and non-null values are specified for the system properties, the credential provider chain uses the values of the system properties to create default credentials.

2. Environmental variables

The credential provider chain searches for credentials from environment variables. If the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are defined and non-null values are specified for the environment variables, the credential provider chain uses the values of the environment variables to create default credentials.

3. RAM role of an OIDC provider

If no credentials are found in the previous step, the Credentials tool obtains the values of the following environment variables:

ALIBABA_CLOUD_ROLE_ARN: the ARN of the RAM role.

ALIBABA_CLOUD_OIDC_PROVIDER_ARN: the ARN of the OIDC provider.

ALIBABA_CLOUD_OIDC_TOKEN_FILE: the path of the OIDC token file.

If the preceding three environment variables are specified, the Credentials tool uses the environment variables to call the AssumeRoleWithOIDC operation of STS to obtain an STS token as the default credential.

4. Configuration file

If the default credential file is stored in the home directory of the user, the credential provider chain automatically creates a credential based on the specified type and name. The path of the default credential file is ~/.alibabacloud/credentials.ini. In Windows, the path is C:\Users\USER_NAME\.alibabacloud\credentials.ini. If the default credential file does not exist, an exception is thrown. The name of a configuration is in lowercase. The configuration file can be shared by different projects and tools. The configuration file is stored outside projects and is therefore prevented from being accidentally committed to code repositories. You can modify the path of the default credential file by using the ALIBABA_CLOUD_CREDENTIALS_FILE environment variable. If you do not specify a value for the ALIBABA_CLOUD_CREDENTIALS_FILE environment variable, the default configuration is used. You can also configure the ALIBABA_CLOUD_PROFILE environment variable to specify the configuration to use.

[default]                          # The configuration named default.
enable = true                      # Enable the configuration. By default, the configuration is disabled if this parameter is left empty.
type = access_key                  # Use AccessKey pairs for authentication.
access_key_id = foo                # The AccesssKey ID.
access_key_secret = bar            # The AccessKey secret.

[client1]                          # The configuration named `client1`.
enable = false                     # Disable the configuration.
type = ecs_ram_role                # Use EcsRamRole credentials for authentication.
role_name = EcsRamRoleTest         # The name of the RAM role.

[client2]                          # The configuration named `client2`.
enable = false                     # Disable the configuration.
type = ram_role_arn                # Use RamRoleArn credentials for authentication.
region_id = cn-test                # The region ID of the session.
policy = test                      # Optional. The permissions of the specified RAM role.
access_key_id = foo
access_key_secret = bar
role_arn = role_arn
role_session_name = session_name   # Optional. The session name.

5. RAM role of an ECS instance

If no credentials are found in the previous step, the Credentials tool obtains the value of the ALIBABA_CLOUD_ECS_METADATA environment variable that specifies the RAM role name of an ECS instance. If the RAM role exists, the application obtains an STS token of the RAM role as the default credential by using the metadata server of ECS.