
Alibaba Cloud CLI:Configure credentials in Alibaba Cloud CLI

Last Updated:Dec 05, 2025

Before you use Alibaba Cloud CLI, you must configure the credential information that it needs to call Alibaba Cloud services. This information includes the credential itself, the default region, and the language.

Note

When you configure a credential, make sure that the credential information is correct. Otherwise, user errors or API call failures may cause business losses.

Credential configuration methods

Alibaba Cloud CLI allows you to configure credentials in interactive and non-interactive modes. The interactive mode guides you through the configuration process, so you can configure a profile in Alibaba Cloud CLI at a low learning cost.

Interactive mode

Common syntax

You can run the aliyun configure command to configure a credential in interactive mode. Syntax:

aliyun configure [--profile <PROFILE_NAME>] [--mode <AUTHENTICATE_MODE>]

Command options:

  • PROFILE_NAME: The name of the profile.

    • If the specified profile exists, it is overwritten. If the specified profile does not exist, a profile with the specified name is created.

    • If you do not specify a profile, the current profile is modified. For more information about how to modify the current profile, see the "Set the current profile" section in this topic.

  • AUTHENTICATE_MODE: The identity credential type. Default value: AK. For more information about the supported credential types, see the "Credential types" section in this topic.

Sample success response:

Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............

Non-interactive mode

Common syntax

You can run the aliyun configure set command to configure a credential in non-interactive mode. Syntax:

aliyun configure set [--profile <PROFILE_NAME>] [--mode <AUTHENTICATE_MODE>] [--settingName <SETTING_VALUE>...]

Command options:

  • PROFILE_NAME: The name of the profile. If the specified profile exists, it is overwritten. If the specified profile does not exist, a profile with the specified name is created.

  • AUTHENTICATE_MODE: The credential type. Default value: AK. For more information about the supported credential types, see the "Credential types" section in this topic.

  • SETTING_VALUE: The information that you need to specify varies based on the credential type. For more information, see the "Credential types" section in this topic and the "Non-interactive mode" section in Profile-related commands.

After you configure a credential in non-interactive mode, you can run the aliyun configure list or aliyun configure get command to check whether the credential is configured as expected.

Credential types

Alibaba Cloud CLI provides the following credential types. You can configure them as needed.

| Credential type | Credential refresh policy | Key-free access |
|---|---|---|
| AK | Manual refresh | Not supported |
| StsToken | Manual refresh | Not supported |
| RamRoleArn | Automatic refresh | Not supported |
| EcsRamRole | Automatic refresh | Supported |
| External | Refreshed by an external system | Supported |
| ChainableRamRoleArn | Follows the refresh policy of the preceding credential | Supported |
| CredentialsURI | Refreshed by an external system | Supported |
| OIDC | Automatic refresh | Supported |
| CloudSSO | Requires browser logon | Supported |
| OAuth | Requires browser interaction for initial authorization. Can be auto-refreshed later. | Supported |

AK

Description

Important

To ensure the security of your Alibaba Cloud account, we recommend that you create a Resource Access Management (RAM) user for calling API operations and create an AccessKey pair for the RAM user. For more information about how to use an AccessKey pair in a secure manner, see Credential security solutions.

  • In Alibaba Cloud CLI, AK is the default credential type, which uses an AccessKey pair as the credential. Therefore, you can skip the --mode option when you configure a credential of the AK credential type.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | AccessKey Id | The AccessKey ID of the RAM user. For more information, see Create an AccessKey pair for a RAM user. | yourAccessKeyID |
    | AccessKey Secret | The AccessKey secret of the RAM user. For more information, see Create an AccessKey pair for a RAM user. | yourAccessKeySecret |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

Configuration examples

The following examples show how to configure a credential named AkProfile of the AK type.

  • Interactive mode

    Run the following command:

    aliyun configure --profile AkProfile

    The following sample response shows the interaction process:

    Sample response

    Configuring profile 'AkProfile' in 'AK' authenticate mode...
    Access Key Id []: <yourAccessKeyID>
    Access Key Secret []: <yourAccessKeySecret>
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[AkProfile] ...Done.
  • Non-interactive mode

    Run the following command:

    Linux and macOS (bash):

    aliyun configure set \
      --profile AkProfile \
      --mode AK \
      --access-key-id <yourAccessKeyID> \
      --access-key-secret <yourAccessKeySecret> \
      --region "cn-hangzhou"

    Windows (PowerShell):

    aliyun configure set `
      --profile AkProfile `
      --mode AK `
      --access-key-id <yourAccessKeyID> `
      --access-key-secret <yourAccessKeySecret> `
      --region "cn-hangzhou"

StsToken

Description

  • Security Token Service (STS) tokens are provided by Alibaba Cloud for temporary access to and management of services. For more information about STS tokens, see What is STS.

  • Options:

    Note

    For more information about how to obtain STS tokens, see AssumeRole.

    | Option | Description | Example |
    |---|---|---|
    | AccessKey Id | The AccessKey ID. | STS.L4aBSCSJVMuKg5U1**** |
    | AccessKey Secret | The AccessKey secret. | yourAccessKeySecret |
    | STS Token | The STS token. | yourSecurityToken |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

Configuration examples

The following examples show how to configure a credential named StsProfile of the StsToken credential type.

  • Interactive mode

    Run the following command:

    aliyun configure --profile StsProfile --mode StsToken

    The following sample response shows the interaction process:

    Sample response

    Configuring profile 'StsProfile' in 'StsToken' authenticate mode...
    Access Key Id []: STS.L4aBSCSJVMuKg5U1****
    Access Key Secret []: <yourAccessKeySecret>
    Sts Token []: <yourSecurityToken>
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[StsProfile] ...Done.
  • Non-interactive mode

    Run the following command:

    Linux and macOS (bash):

    aliyun configure set \
      --profile StsProfile \
      --mode StsToken \
      --access-key-id "STS.L4aBSCSJVMuKg5U1****" \
      --access-key-secret <yourAccessKeySecret> \
      --sts-token <yourSecurityToken> \
      --region "cn-hangzhou"

    Windows (PowerShell):

    aliyun configure set `
      --profile StsProfile `
      --mode StsToken `
      --access-key-id "STS.L4aBSCSJVMuKg5U1****" `
      --access-key-secret <yourAccessKeySecret> `
      --sts-token <yourSecurityToken> `
      --region "cn-hangzhou"

RamRoleArn

Description

Note

Alibaba Cloud CLI 3.0.276 and later support the External Id option for RamRoleArn credentials. For more information, see the following table.

  • To configure a credential of the RamRoleArn type, call the AssumeRole operation of STS to obtain an STS token.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | AccessKey Id | The AccessKey ID of the RAM user. For more information, see Create an AccessKey pair for a RAM user. | yourAccessKeyID |
    | AccessKey Secret | The AccessKey secret of the RAM user. For more information, see Create an AccessKey pair for a RAM user. | yourAccessKeySecret |
    | STS Region | The region from which the request for the STS token is initiated. For more information about the regions in which STS is supported, see Endpoints. | cn-hangzhou |
    | Ram Role Arn | The ARN of the RAM role to be assumed. The trusted entity of the RAM role is an Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account or CreateRole. You can view the ARNs of RAM roles in the RAM console or by calling API operations. | acs:ram::012345678910****:role/Alice |
    | Role Session Name | The name of the role session. The value is user-defined. In most cases, set it to the identity of the user who calls the operation, for example, a username. RoleSessionName identifies the API callers that assume the same RAM role in ActionTrail logs, which lets you track who performed each operation. The name must be 2 to 64 characters in length and can contain letters, digits, and the following special characters: . @ - _. | alice |
    | External Id | The external ID of the RAM role. The value is provided by an external party and is used to prevent the confused deputy problem. For more information, see Use ExternalId to prevent the confused deputy problem. The ID must be 2 to 1,224 characters in length and can contain letters, digits, and the following special characters: = , . @ : / - _. The regular expression for this parameter is [\w+=,.@:\/-]*. | abcd1234 |
    | Expired Seconds | The validity period of the STS token. Unit: seconds. Default value: 900. The maximum value is the MaxSessionDuration of the role. | 900 |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

Configuration examples

The following examples show how to configure a credential named RamRoleArnProfile of the RamRoleArn credential type.

  • Interactive mode

    Run the following command:

    aliyun configure --profile RamRoleArnProfile --mode RamRoleArn

    The following sample response shows the interaction process:

    Sample response

    Configuring profile 'RamRoleArnProfile' in 'RamRoleArn' authenticate mode...
    Access Key Id []: <yourAccessKeyID>
    Access Key Secret []: <yourAccessKeySecret>
    Sts Region []: cn-hangzhou
    Ram Role Arn []: acs:ram::012345678910****:role/Alice
    Role Session Name []: alice
    External ID []: abcd1234
    Expired Seconds [900]: 900
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[RamRoleArnProfile] ...Done.
  • Non-interactive mode

    Run the following command:

    Linux and macOS (bash):

    aliyun configure set \
      --profile RamRoleArnProfile \
      --mode RamRoleArn \
      --access-key-id <yourAccessKeyID> \
      --access-key-secret <yourAccessKeySecret> \
      --sts-region "cn-hangzhou" \
      --ram-role-arn "acs:ram::012345678910****:role/Alice" \
      --role-session-name "alice" \
      --external-id "abcd1234" \
      --expired-seconds 900 \
      --region "cn-hangzhou"

    Windows (PowerShell):

    aliyun configure set `
      --profile RamRoleArnProfile `
      --mode RamRoleArn `
      --access-key-id <yourAccessKeyID> `
      --access-key-secret <yourAccessKeySecret> `
      --sts-region "cn-hangzhou" `
      --ram-role-arn "acs:ram::012345678910****:role/Alice" `
      --role-session-name "alice" `
      --external-id "abcd1234" `
      --expired-seconds 900 `
      --region "cn-hangzhou"

EcsRamRole

Description

Note
  • Alibaba Cloud CLI 3.0.225 and later allow you to obtain credentials in security hardening mode (IMDSv2). We recommend that you install the latest version of Alibaba Cloud CLI before you configure a credential of the EcsRamRole type.

  • For more information about how to attach a RAM role to an ECS instance, see the "Create an instance RAM role and attach the instance RAM role to an ECS instance" section of the Instance RAM roles topic. For more information about how to attach a RAM role to an elastic container instance, see the "Assign the instance RAM role to an elastic container instance" section of the Use an instance RAM role by calling API operations topic.

  • Credentials of the EcsRamRole type do not require an AccessKey pair. If you use Alibaba Cloud CLI to perform API operations on an ECS instance or an ECI, you can access the metadata service of the instance to obtain an STS token. This minimizes the risk of AccessKey leaks.

  • The metadata server supports access in normal mode (IMDSv1) and security hardening mode (IMDSv2). By default, Alibaba Cloud CLI obtains access credentials from the metadata server in security hardening mode. If an exception occurs in security hardening mode, the ALIBABA_CLOUD_IMDSV1_DISABLED environment variable determines how the exception is handled. Sample configurations:

    • false (default): Alibaba Cloud CLI falls back to normal mode and continues to obtain the access credential there.

    • true: The exception is thrown. Alibaba Cloud CLI does not fall back to normal mode and obtains the access credential only in security hardening mode.

    Whether the metadata server supports security hardening mode (IMDSv2) is determined by the configuration of the metadata server.

    For more information about how to configure environment variables, see Configure environment variables in Linux, macOS, and Windows.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | Ecs Ram Role | The name of the RAM role that is attached to the ECS instance. If you do not specify a RAM role, the program automatically accesses the metadata service of the ECS instance to obtain the RoleName, which is then used to obtain the credential. Two requests must be sent during this process. | ECSAdmin |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |
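
The following is an added example, not the CLI's own code (the CLI is written in Go). It models how an EcsRamRole credential is fetched from the ECS metadata server: security hardening mode first (a PUT that obtains a session token, then a GET that presents it), with the ALIBABA_CLOUD_IMDSV1_DISABLED policy described above deciding whether a failure in hardened mode falls back to normal mode or is raised. The endpoint 100.100.100.200, the /latest/api/token and /latest/meta-data/ram/security-credentials/ paths and the X-aliyun-ecs-metadata-token headers are the documented ECS metadata interface; the 180-second token TTL, the 403 status that the fake server returns for an instance without hardened mode, and all credential values are assumptions or constructed sample data. The transport is injectable so the flow runs offline.

```python
"""Model of the EcsRamRole credential fetch with the IMDSv1 fallback policy.

Added example; not the Alibaba Cloud CLI's code. Metadata paths and header
names follow the ECS IMDS interface; everything else is constructed.
"""
import json
import os

IMDS_BASE = "http://100.100.100.200"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/ram/security-credentials/"
TOKEN_TTL_HEADER = "X-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aliyun-ecs-metadata-token"


def _urllib_transport(method, url, headers):
    """Real transport, used only when no fake is injected: returns (status, body)."""
    import urllib.request
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


def imdsv1_fallback_allowed(env=os.environ):
    """false (default): fall back to normal mode; true: raise instead."""
    return env.get("ALIBABA_CLOUD_IMDSV1_DISABLED", "false").lower() != "true"


def fetch_ecs_ram_role_credential(role_name=None, transport=_urllib_transport,
                                  env=os.environ, token_ttl=180):
    """Return the credential dict from the metadata server.

    Hardened mode first: PUT a session token, then GET with it. If the token
    request fails and fallback is allowed, continue without a token (normal
    mode). If role_name is None, one extra GET discovers the role name first.
    """
    headers = {}
    try:
        status, token = transport("PUT", IMDS_BASE + TOKEN_PATH,
                                  {TOKEN_TTL_HEADER: str(token_ttl)})
        if status != 200:
            raise RuntimeError(f"IMDSv2 token request returned HTTP {status}")
        headers[TOKEN_HEADER] = token
    except Exception as exc:
        if not imdsv1_fallback_allowed(env):
            raise RuntimeError("security hardening mode failed and IMDSv1 is disabled") from exc
        # Fallback allowed: proceed in normal mode, without a token header.
    if role_name is None:
        status, body = transport("GET", IMDS_BASE + CREDS_PATH, headers)
        if status != 200:
            raise RuntimeError(f"role name lookup returned HTTP {status}")
        role_name = body.strip()
    status, body = transport("GET", IMDS_BASE + CREDS_PATH + role_name, headers)
    if status != 200:
        raise RuntimeError(f"credential request returned HTTP {status}")
    cred = json.loads(body)
    if cred.get("Code") != "Success":
        raise RuntimeError(f"metadata server returned Code={cred.get('Code')!r}")
    return cred


class FakeMetadataServer:
    """Constructed stand-in for the metadata server; records every request.

    supports_v2=False makes the token PUT fail with 403 (assumed status) so the
    fallback policy can be exercised offline.
    """

    def __init__(self, supports_v2=True):
        self.supports_v2 = supports_v2
        self.calls = []

    def __call__(self, method, url, headers):
        self.calls.append((method, url, dict(headers)))
        path = url[len(IMDS_BASE):]
        if method == "PUT" and path == TOKEN_PATH:
            return (200, "fake-token") if self.supports_v2 else (403, "")
        if method == "GET" and path == CREDS_PATH:
            return 200, "ECSAdmin"
        if method == "GET" and path == CREDS_PATH + "ECSAdmin":
            return 200, json.dumps({
                "Code": "Success", "AccessKeyId": "STS.constructed",
                "AccessKeySecret": "constructed-secret",
                "SecurityToken": "constructed-token",
                "Expiration": "2030-01-01T00:00:00Z"})
        return 404, ""


if __name__ == "__main__":
    fake = FakeMetadataServer()
    print(fetch_ecs_ram_role_credential(transport=fake, env={})["AccessKeyId"])
```

Setting ALIBABA_CLOUD_IMDSV1_DISABLED=true is the stricter choice on instances where hardened mode is known to work: a failure then surfaces as an error instead of silently downgrading to a token-less metadata request.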

Configuration examples

The following examples show how to configure a credential named EcsProfile of the EcsRamRole type.

  • Interactive mode

    Run the following command:

    aliyun configure --profile EcsProfile --mode EcsRamRole

    The following sample response shows the interaction process:

    Sample response

    Configuring profile 'EcsProfile' in 'EcsRamRole' authenticate mode...
    Ecs Ram Role []: ECSAdmin
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[EcsProfile] ...Done.
  • Non-interactive mode

    Run the following command:

    Linux and macOS (bash):

    aliyun configure set \
      --profile EcsProfile \
      --mode EcsRamRole \
      --ram-role-name "ECSAdmin" \
      --region "cn-hangzhou"

    Windows (PowerShell):

    aliyun configure set `
      --profile EcsProfile `
      --mode EcsRamRole `
      --ram-role-name "ECSAdmin" `
      --region "cn-hangzhou"

External

Description

  • Alibaba Cloud CLI can obtain an external credential by running a command of an external program.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | Process Command | The command that runs the external program. You can configure the external program to return an AccessKey pair or an STS token, which are both static credentials. | acs-sso login --profile sso |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

  • Sample credentials returned from the external program:

    AccessKey pairs

    {
      "mode": "AK",
      "access_key_id": "<yourAccessKeyID>",
      "access_key_secret": "<yourAccessKeySecret>"
    }

    STS tokens

    {
      "mode": "StsToken",
      "access_key_id": "<yourAccessKeyID>",
      "access_key_secret": "<yourAccessKeySecret>",
      "sts_token": "<yourSecurityToken>"
    }
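
The following is an added example of a credential program that a Process Command could point at; it is not part of the Alibaba Cloud CLI and is not acs-sso. It reads a static credential from a JSON file named by a hypothetical ALIYUN_EXTERNAL_CREDENTIAL_FILE environment variable, checks that the document has exactly the shape shown above for its mode, refuses a file that is readable by other users, and prints the document to stdout, which is what the CLI consumes. The check that an AccessKey ID starting with STS. must be returned with mode StsToken is a heuristic added here, based on the STS example IDs on this page.

```python
"""Minimal credential program for the External credential type.

Added example; not the CLI's or acs-sso's code. The environment variable
name and the file-based source are assumptions of this example.
"""
import json
import os
import sys

# Required keys per mode, taken from the two sample documents above.
REQUIRED_KEYS = {
    "AK": ("access_key_id", "access_key_secret"),
    "StsToken": ("access_key_id", "access_key_secret", "sts_token"),
}


def validate_external_credential(doc):
    """Raise ValueError unless doc is a usable External credential document."""
    if not isinstance(doc, dict):
        raise ValueError("credential document must be a JSON object")
    mode = doc.get("mode")
    if mode not in REQUIRED_KEYS:
        raise ValueError(f"unsupported mode {mode!r}; expected AK or StsToken")
    missing = [k for k in REQUIRED_KEYS[mode] if not doc.get(k)]
    if missing:
        raise ValueError(f"mode {mode} is missing {', '.join(missing)}")
    # Heuristic: STS AccessKey IDs on this page start with "STS." and need a token.
    if mode == "AK" and str(doc["access_key_id"]).startswith("STS."):
        raise ValueError("an STS AccessKey ID must be returned with mode StsToken")
    return doc


def render_external_credential(doc):
    """Return the JSON text for stdout, keeping only the keys the CLI reads."""
    validate_external_credential(doc)
    keep = ("mode",) + REQUIRED_KEYS[doc["mode"]]
    return json.dumps({k: doc[k] for k in keep})


def load_credential_file(path):
    """Read a credential document from a JSON file; refuse group/world-readable files."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} must not be readable by group or others")
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main():
    path = os.environ.get("ALIYUN_EXTERNAL_CREDENTIAL_FILE")  # assumed variable name
    if not path:
        print("ALIYUN_EXTERNAL_CREDENTIAL_FILE is not set", file=sys.stderr)
        return 2
    try:
        print(render_external_credential(load_credential_file(path)))
    except (OSError, ValueError) as exc:
        print(f"credential program failed: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Diagnostics go to stderr on purpose: the CLI parses stdout as the credential document, so a stray message there would be treated as a malformed response.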

Configuration examples

The following examples show how to configure a credential named ExternalProfile of the External credential type.

  • Interactive mode

    Run the following command:

    aliyun configure --profile ExternalProfile --mode External

    The following sample response shows the interaction process:

    Sample response

    Configuring profile 'ExternalProfile' in 'External' authenticate mode...
    Process Command []: acs-sso login --profile sso
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[ExternalProfile] ...Done.
  • Non-interactive mode

    Run the following command:

    Linux and macOS (bash):

    aliyun configure set \
      --profile ExternalProfile \
      --mode External \
      --process-command "acs-sso login --profile sso" \
      --region "cn-hangzhou"

    Windows (PowerShell):

    aliyun configure set `
      --profile ExternalProfile `
      --mode External `
      --process-command "acs-sso login --profile sso" `
      --region "cn-hangzhou"

ChainableRamRoleArn

Description

Note

Alibaba Cloud CLI 3.0.276 and later support the External Id option for ChainableRamRoleArn credentials. For more information, see the following table.

  • The ChainableRamRoleArn credential type allows you to use chainable role assumption to obtain credentials. To use a credential of this type, Alibaba Cloud CLI obtains an intermediate credential, such as an AccessKey pair or an STS token, from the source credential, assumes a role by using the intermediate credential, and then obtains the final credential, which is an STS token.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | Source Profile | The name of the source profile. Before you configure a credential of the ChainableRamRoleArn type, you must configure a source profile. For more information, see the following configuration example. | RamRoleArnProfile |
    | STS Region | The region from which the request for the STS token is initiated. For more information about the regions in which STS is supported, see Endpoints. | cn-hangzhou |
    | Ram Role Arn | The ARN of the RAM role to be assumed. The trusted entity of the RAM role is an Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account or CreateRole. You can view the ARNs of RAM roles in the RAM console or by calling API operations. | acs:ram::012345678910****:role/Alice |
    | Role Session Name | The name of the role session. The value is user-defined. In most cases, set it to the identity of the user who calls the operation, for example, a username. RoleSessionName identifies the API callers that assume the same RAM role in ActionTrail logs, which lets you track who performed each operation. The name must be 2 to 64 characters in length and can contain letters, digits, and the following special characters: . @ - _. | alice |
    | External Id | The external ID of the RAM role. The value is provided by an external party and is used to prevent the confused deputy problem. For more information, see Use ExternalId to prevent the confused deputy problem. The ID must be 2 to 1,224 characters in length and can contain letters, digits, and the following special characters: = , . @ : / - _. The regular expression for this parameter is [\w+=,.@:\/-]*. | abcd1234 |
    | Expired Seconds | The validity period of the STS token. Unit: seconds. Default value: 900. The maximum value is the MaxSessionDuration of the role. | 900 |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

Configuration examples

Note

Before you configure a credential of the ChainableRamRoleArn type, you must attach the AliyunSTSAssumeRoleAccess system policy to the RAM user associated with the source credential.

The following example shows how to configure a credential named ChainableProfile of the ChainableRamRoleArn type. In this example, the source profile is named RamRoleArnProfile and of the RamRoleArn credential type.

  • Interactive mode

    1. Configure the source profile RamRoleArnProfile. For more information, see the configuration examples in the "RamRoleArn" section of this topic.

    2. Run the following command to configure the ChainableProfile credential of the ChainableRamRoleArn type.

      aliyun configure --profile ChainableProfile --mode ChainableRamRoleArn

      The following sample response shows the interaction process. Specify the source profile by setting the Source Profile parameter to RamRoleArnProfile.

      Sample response

      Configuring profile 'ChainableProfile' in 'ChainableRamRoleArn' authenticate mode...
      Source Profile []: RamRoleArnProfile
      Sts Region []: cn-hangzhou
      Ram Role Arn []: acs:ram::012345678910****:role/Alice
      Role Session Name []: alice
      External ID []: abcd1234
      Expired Seconds [900]: 900
      Default Region Id []: cn-hangzhou
      Default Output Format [json]: json (Only support json)
      Default Language [zh|en] en: en
      Saving profile[ChainableProfile] ...Done.
  • Non-interactive mode

    Alibaba Cloud CLI 3.0.298 and later let you configure credentials of the ChainableRamRoleArn type non-interactively by running the aliyun configure set command. Run the following command:

    Linux and macOS (bash):

    aliyun configure set \
      --profile ChainableProfile \
      --mode ChainableRamRoleArn \
      --source-profile RamRoleArnProfile \
      --sts-region "cn-hangzhou" \
      --ram-role-arn "acs:ram::012345678910****:role/Alice" \
      --role-session-name "alice" \
      --external-id "abcd1234" \
      --expired-seconds 900 \
      --region "cn-hangzhou"

    Windows (PowerShell):

    aliyun configure set `
      --profile ChainableProfile `
      --mode ChainableRamRoleArn `
      --source-profile RamRoleArnProfile `
      --sts-region "cn-hangzhou" `
      --ram-role-arn "acs:ram::012345678910****:role/Alice" `
      --role-session-name "alice" `
      --external-id "abcd1234" `
      --expired-seconds 900 `
      --region "cn-hangzhou"
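
The RamRoleArn and ChainableRamRoleArn option tables above state concrete constraints on Role Session Name, External Id and Expired Seconds. The following added example, which is not part of the Alibaba Cloud CLI, validates a set of option values against those constraints before the non-interactive command is run, then builds the argv for `aliyun configure set` for either credential type, so a malformed External Id or an over-long session duration is caught locally rather than at the first AssumeRole call. The 16-digit account ID in the ARN pattern and the MaxSessionDuration default of 3600 are assumptions of this example; the sample values are constructed.

```python
"""Pre-flight validation for RamRoleArn / ChainableRamRoleArn profile options.

Added example; not the Alibaba Cloud CLI's code. Constraints come from the
option tables on this page; the ARN shape and MaxSessionDuration are assumed.
"""
import re
import shlex

# From the option tables: 2-64 chars of letters, digits, . @ - _
ROLE_SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9.@_-]{2,64}$")
# From the option tables: 2-1224 chars matching [\w+=,.@:/-]*
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")
# Assumed shape of a role ARN: acs:ram::<16-digit account id>:role/<name>
ROLE_ARN_RE = re.compile(r"^acs:ram::\d{16}:role/[^/\s]+$")
DEFAULT_EXPIRED_SECONDS = 900


def validate_role_options(ram_role_arn, role_session_name, external_id=None,
                          expired_seconds=DEFAULT_EXPIRED_SECONDS,
                          max_session_duration=3600):
    """Return a list of problems; an empty list means the options are valid.

    max_session_duration stands in for the role's MaxSessionDuration, the
    upper bound the page gives for Expired Seconds (assumed default 3600).
    """
    problems = []
    if not ROLE_ARN_RE.match(ram_role_arn):
        problems.append("Ram Role Arn must look like acs:ram::<account-id>:role/<name>")
    if not ROLE_SESSION_NAME_RE.match(role_session_name):
        problems.append("Role Session Name must be 2-64 chars of letters, digits, . @ - _")
    if external_id is not None and not EXTERNAL_ID_RE.match(external_id):
        problems.append("External Id must be 2-1224 chars matching [\\w+=,.@:/-]*")
    if not isinstance(expired_seconds, int) or expired_seconds < 1:
        problems.append("Expired Seconds must be a positive integer")
    elif expired_seconds > max_session_duration:
        problems.append(f"Expired Seconds exceeds MaxSessionDuration ({max_session_duration})")
    return problems


def build_configure_set_argv(profile, mode, sts_region, region, ram_role_arn,
                             role_session_name, external_id=None,
                             expired_seconds=DEFAULT_EXPIRED_SECONDS,
                             source_profile=None, access_key_id=None,
                             access_key_secret=None):
    """Build the argv for `aliyun configure set` once validation passes.

    mode "RamRoleArn" needs an AccessKey pair; mode "ChainableRamRoleArn"
    needs a source profile. Raises ValueError on any problem.
    """
    problems = validate_role_options(ram_role_arn, role_session_name,
                                     external_id, expired_seconds)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["aliyun", "configure", "set", "--profile", profile, "--mode", mode]
    if mode == "RamRoleArn":
        if not (access_key_id and access_key_secret):
            raise ValueError("RamRoleArn requires an AccessKey pair")
        argv += ["--access-key-id", access_key_id,
                 "--access-key-secret", access_key_secret]
    elif mode == "ChainableRamRoleArn":
        if not source_profile:
            raise ValueError("ChainableRamRoleArn requires --source-profile")
        argv += ["--source-profile", source_profile]
    else:
        raise ValueError(f"unsupported mode {mode!r}")
    argv += ["--sts-region", sts_region,
             "--ram-role-arn", ram_role_arn,
             "--role-session-name", role_session_name]
    if external_id is not None:
        argv += ["--external-id", external_id]
    argv += ["--expired-seconds", str(expired_seconds), "--region", region]
    return argv


if __name__ == "__main__":
    # Constructed values; pass argv to subprocess.run(argv) or print it for a shell.
    argv = build_configure_set_argv(
        "ChainableProfile", "ChainableRamRoleArn", "cn-hangzhou", "cn-hangzhou",
        "acs:ram::0123456789101234:role/Alice", "alice", external_id="abcd1234",
        source_profile="RamRoleArnProfile")
    print(shlex.join(argv))
```

Passing the list to subprocess.run rather than joining it into a shell string keeps an AccessKey secret or External Id from being re-parsed by the shell; shlex.join is used only to print a copy-pasteable form.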

CredentialsURI

Description

  • Credentials of the CredentialsURI type obtain STS tokens for API calls from a URI that you provide.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | CredentialsURI | The local or remote URI. If the specified address does not return the HTTP 200 status code, or the response structure is not in the expected format, Alibaba Cloud CLI determines that the request fails. | http://credentials.uri/ |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

  • Sample response structure from the URI:

    {
      "Code": "Success",
      "AccessKeyId": "<yourAccessKeyID>",
      "AccessKeySecret": "<yourAccessKeySecret>",
      "SecurityToken": "<yourSecurityToken>",
      "Expiration": "2006-01-02T15:04:05Z" // utc time
    }
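
The following is an added example, not the CLI's own code. It shows both sides of the CredentialsURI contract: a small HTTP endpoint that serves the response structure above from an in-memory credential, and a client-side parser that mirrors the two failure conditions the page names (a status other than 200, and a body that is not the expected structure). Rejecting a credential whose Expiration is already in the past is an extra check added here, not something the page states about the CLI. All credential values are constructed; a real endpoint would obtain them from STS.

```python
"""A CredentialsURI endpoint and the client-side checks on its response.

Added example; not the Alibaba Cloud CLI's code. Values are constructed.
"""
import json
import threading
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")


def parse_credentials_uri_response(status, body, now=None):
    """Return the credential dict or raise ValueError.

    Fails on a non-200 status, a non-JSON body, Code != Success, a missing
    credential field, or (added check) an Expiration that has already passed.
    """
    if status != 200:
        raise ValueError(f"credentials URI returned HTTP {status}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("credentials URI returned a non-JSON body") from exc
    if doc.get("Code") != "Success":
        raise ValueError(f"unexpected Code {doc.get('Code')!r}")
    missing = [k for k in REQUIRED if not doc.get(k)]
    if missing:
        raise ValueError(f"response is missing {', '.join(missing)}")
    # Expiration is UTC in the form 2006-01-02T15:04:05Z.
    expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("returned credential is already expired")
    return doc


def make_handler(credential_source):
    """Build a handler that serves credential_source() as JSON on any path."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = json.dumps(credential_source()).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass
    return Handler


def serve_in_background(credential_source, host="127.0.0.1", port=0):
    """Start the endpoint on a daemon thread; return (server, url)."""
    server = HTTPServer((host, port), make_handler(credential_source))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://{host}:{server.server_address[1]}/"


def fetch_credential(url):
    """Client side: GET the URI and validate the body as the CLI would."""
    try:
        with urllib.request.urlopen(url, timeout=2) as resp:
            return parse_credentials_uri_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return parse_credentials_uri_response(exc.code, exc.read().decode())


def constructed_credential():
    """Constructed sample valid for 15 minutes; a real source would call STS."""
    expiry = datetime.now(timezone.utc) + timedelta(minutes=15)
    return {"Code": "Success", "AccessKeyId": "STS.constructedId",
            "AccessKeySecret": "constructed-secret",
            "SecurityToken": "constructed-token",
            "Expiration": expiry.strftime("%Y-%m-%dT%H:%M:%SZ")}


if __name__ == "__main__":
    server, url = serve_in_background(constructed_credential)
    print(url, fetch_credential(url)["AccessKeyId"])
    server.shutdown()
```

Bind such an endpoint to loopback only, as here: anything that can reach the URI can obtain the STS token, so it deserves the same exposure as the AccessKey pair it replaces.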

Configuration examples

The following examples show how to configure a credential named URIProfile of the CredentialsURI type.

  • Interactive mode

    Run the following command:

    aliyun configure --profile URIProfile --mode CredentialsURI

    The following sample response shows the interaction process:

    Sample response

    Configuring profile 'URIProfile' in 'CredentialsURI' authenticate mode...
    Credentials URI []: http://credentials.uri/
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[URIProfile] ...Done.
  • You cannot configure a credential of the CredentialsURI type in non-interactive mode.

OIDC

Description

  • To configure a credential of the OIDC type, call the AssumeRoleWithOIDC operation of STS to obtain an STS token. For more information, see Use RRSA to authorize different pods to access different cloud services.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | OIDCProviderARN | The ARN of the OIDC IdP. You can view the ARN of an OIDC IdP in the RAM console or by calling an API operation. | acs:ram::012345678910****:oidc-provider/TestOidcIdp |
    | OIDCTokenFile | The file path of the OIDC token. An OIDC token is issued by an external IdP. | /path/to/oidctoken |
    | Ram Role Arn | The ARN of the RAM role to be assumed. You can view the ARNs of RAM roles in the RAM console or by calling API operations. | acs:ram::012345678910****:role/Alice |
    | Role Session Name | The name of the role session. The value is user-defined. In most cases, set it to the identity of the user who calls the operation, for example, a username. RoleSessionName identifies the API callers that assume the same RAM role in ActionTrail logs, which lets you track who performed each operation. The name must be 2 to 64 characters in length and can contain letters, digits, and the following special characters: . @ - _. | alice |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

Configuration examples

The following examples show how to configure a credential named OIDC_Profile of the OIDC type.

  • Interactive mode

    Run the following command:

    aliyun configure --profile OIDC_Profile --mode OIDC

    The following sample response shows the interaction process:

    Sample response

    Configuring profile 'OIDC_Profile' in 'OIDC' authenticate mode...
    OIDC Provider ARN []: acs:ram::012345678910****:oidc-provider/TestOidcIdp
    OIDC Token File []: /path/to/oidctoken
    RAM Role ARN []: acs:ram::012345678910****:role/Alice
    Role Session Name []: alice
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[OIDC_Profile] ...Done.
  • Non-interactive mode

    Run the following command:

    Linux and macOS (bash):

    aliyun configure set \
      --profile OIDC_Profile \
      --mode OIDC \
      --oidc-provider-arn "acs:ram::012345678910****:oidc-provider/TestOidcIdp" \
      --oidc-token-file "/path/to/oidctoken" \
      --ram-role-arn "acs:ram::012345678910****:role/Alice" \
      --role-session-name "alice" \
      --region "cn-hangzhou"

    Windows (PowerShell):

    aliyun configure set `
      --profile OIDC_Profile `
      --mode OIDC `
      --oidc-provider-arn "acs:ram::012345678910****:oidc-provider/TestOidcIdp" `
      --oidc-token-file "/path/to/oidctoken" `
      --ram-role-arn "acs:ram::012345678910****:role/Alice" `
      --role-session-name "alice" `
      --region "cn-hangzhou"
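
The OIDC profile only stores a path; whether the token at OIDCTokenFile is still valid is discovered at the first AssumeRoleWithOIDC call. The following added example, not part of the Alibaba Cloud CLI, is a pre-flight check for that file: it decodes the JWT payload without verifying the signature (STS does the verification), reports the issuer, subject and audience so they can be compared with the OIDC IdP registered in RAM, and flags an expired token. The demo token it builds is an unsigned, constructed JWT that STS would reject; it exists only so the check can be exercised offline.

```python
"""Pre-flight inspection of an OIDC token file before configuring an OIDC profile.

Added example; not the Alibaba Cloud CLI's code. Decodes claims only; it does
not verify the signature. The demo token is constructed and unsigned.
"""
import base64
import json
import time


def _b64url_decode(segment):
    """Decode base64url without padding, as used in JWT segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode())


def inspect_oidc_token(token, now=None):
    """Return iss/sub/aud/exp/expired for a JWT, or raise ValueError.

    now (seconds since the epoch) defaults to the current time.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError) as exc:
        raise ValueError("JWT payload is not valid base64url JSON") from exc
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("JWT has no numeric exp claim")
    now = time.time() if now is None else now
    return {"iss": payload.get("iss"), "sub": payload.get("sub"),
            "aud": payload.get("aud"), "exp": int(exp), "expired": exp <= now}


def inspect_oidc_token_file(path, now=None):
    """Read the file named by OIDCTokenFile and inspect the token in it."""
    with open(path, encoding="utf-8") as fh:
        return inspect_oidc_token(fh.read(), now)


def make_unsigned_demo_token(claims):
    """Constructed unsigned JWT (alg none) for demonstration only; STS rejects these."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    demo = make_unsigned_demo_token({"iss": "https://idp.example", "sub": "demo-subject",
                                     "aud": "constructed-audience",
                                     "exp": int(time.time()) + 600})
    print(inspect_oidc_token(demo))
```

When the report says expired, the fix is on the IdP side (reissue or rotate the token file), not in the CLI profile; when iss or aud differ from what the OIDC IdP in RAM was registered with, AssumeRoleWithOIDC will fail even though the token is fresh.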

CloudSSO

Description

Note

Alibaba Cloud CLI 3.0.271 and later support the CloudSSO credential type to simplify logons to CloudSSO. The procedure for logging on to CloudSSO with versions earlier than 3.0.271 is still valid.

  • CloudSSO is integrated with Alibaba Cloud Resource Directory to provide unified multi-account identity management and access control. After you assign the access permissions on an account in your resource directory to a CloudSSO user or user group by using an access configuration, the access configuration is provisioned for the account and serves as a RAM role of the account. CloudSSO assumes the RAM role to obtain an STS token for calling API operations. This reduces the risk of AccessKey pair leaks.

  • CloudSSO credentials require browser-based logon and user interaction for identity authentication.

  • Options:

    | Option | Description | Example |
    |---|---|---|
    | SignIn Url | The logon URL. To obtain the URL, log on to the CloudSSO console, go to the Overview page, and find the User Logon URL section on the right. | https://signin-******.alibabacloudsso.com/device/login |
    | Account | The account in the resource directory. In interactive mode, select the account by entering the ordinal number before the account name. In non-interactive mode, specify the account by passing its ID; to obtain the ID, log on to the CloudSSO console and find the UID of the account on the right of the Multi-account Permission Configuration page. | 012345678910**** |
    | Access Configuration | The access configuration. In interactive mode, select the configuration by entering the ordinal number before the configuration name. In non-interactive mode, specify the configuration by passing its ID; to obtain the ID, log on to the CloudSSO console and find the access configuration ID on the Access Configuration page. | ac-012345678910abcde**** |
    | Region Id | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |

Configuration examples

The following examples show how to configure a credential named SSOProfile of the CloudSSO credential type.

Interactive mode

  1. Run the following command to configure access to CloudSSO. You can configure multiple profiles and switch between accounts and access configurations by specifying a profile:

    aliyun configure --profile SSOProfile --mode CloudSSO
  2. Specify a URL for the signinUrl option to configure the URL that is used to log on to the CloudSSO user portal.

    aliyun configure --profile SSOProfile --mode CloudSSO
    CloudSSO Sign In Url []: https://signin-******.alibabacloudsso.com/device/login
  3. In the browser that appears, log on to the user portal. After you log on to the user portal, close the browser.

    Note

    If no browsers appear, copy the logon URL and user code that are provided in the CLI to log on to the user portal.

    Example:

    If the browser does not open automatically, use the following URL to complete the login process:
    
    SignIn url: https://signin-****.alibabacloudsso.com/device/code
    User code: *********
  4. The CLI reports that the logon succeeded and lists the resource directory accounts that you can access. Enter the number of the account that you want to access.

    Now you can login to your account with SSO configuration in the browser.
    You have successfully logged in.
    Please choose an account:
    1. <RD Management Account>
    2. AccountName
    Please input the account number: 1
  5. The CLI outputs the available access configurations. Enter the number of the access configuration that you want to use.

    Please choose an access configuration:
    1. AccessConfiguration1
    2. AccessConfiguration2
    Please input the access configuration number: 2
  6. Specify the default region.

    Default Region Id []: cn-hangzhou
  7. After the configuration is successful, the Configure Done message and a welcome message are displayed.

Non-interactive mode

Note

After you configure a CloudSSO credential in non-interactive mode, you must run the aliyun configure --profile <PROFILE_NAME> command to log on when you use the credential for the first time.

You can run the aliyun configure set command to configure a credential in non-interactive mode. Syntax:

Linux/macOS (Bash):

aliyun configure set \
  --profile SSOProfile \
  --mode CloudSSO \
  --cloud-sso-sign-in-url "https://signin-******.alibabacloudsso.com/device/login" \
  --cloud-sso-access-config "ac-012345678910abcde****" \
  --cloud-sso-account-id "012345678910****" \
  --region "cn-hangzhou"

Windows (PowerShell):

aliyun configure set `
  --profile SSOProfile `
  --mode CloudSSO `
  --cloud-sso-sign-in-url "https://signin-******.alibabacloudsso.com/device/login" `
  --cloud-sso-access-config "ac-012345678910abcde****" `
  --cloud-sso-account-id "012345678910****" `
  --region "cn-hangzhou"

OAuth

Description

Note

Alibaba Cloud CLI 3.0.299 and later support the OAuth credential type. We recommend that you install the latest version of Alibaba Cloud CLI before you configure this credential type.

  • When you configure an OAuth credential for the first time, Alibaba Cloud CLI creates a third-party OAuth application in RAM. After authorization, Alibaba Cloud CLI can use this application to obtain a token that represents the user identity to access cloud resources.

  • OAuth credentials require a browser to complete the authorization process. The browser and Alibaba Cloud CLI must run on the same device.

  • Options:

    OAuth Site Type: the logon site. Default value: CN.

      • China site (aliyun.com): 0 or CN.

      • International site (alibabacloud.com): 1 or INTL.

      Example: CN

    Region Id: the default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources.

      Example: cn-hangzhou

  • OAuth scopes:

    openid: obtains the OpenID of a RAM user. OpenID is a string that uniquely identifies a user. However, the OpenID does not contain information such as the Alibaba Cloud UID and username of the user.

    /internal/ram/usersts: obtains an STS token to call Alibaba Cloud service APIs.

Configuration examples

The following examples show how to configure a credential named OAuthProfile of the OAuth credential type.

Interactive mode

  1. Run the following command to configure information for OAuth logon:

    aliyun configure --profile OAuthProfile --mode OAuth
  2. Configure OAuth Site Type as prompted.

    aliyun configure --profile OAuthProfile --mode OAuth
    Configuring profile 'OAuthProfile' in 'OAuth' authenticate mode...
    OAuth Site Type (CN: 0 or INTL: 1, default: CN): 
    • Enter 0 or CN to set the logon site to the Alibaba Cloud China site (aliyun.com).

    • Enter 1 or INTL to set the logon site to the Alibaba Cloud international site (alibabacloud.com).

    • Press Enter to select the China site (aliyun.com) (CN) by default.

  3. In the browser window that appears, perform the authorization.

    Note

    This authorization must be performed by an administrator to whom the AliyunRAMFullAccess policy is attached. If you do not have this permission, contact an administrator.

    If no browser windows appear, copy the value of SignIn url provided in the CLI to log on to the user portal.

    Example:

    If the browser does not open automatically, use the following URL to complete the login process:
    
    SignIn url: https://signin.aliyun.com/oauth2/v1/auth?response_type=code&client_id=403818195455774****&redirect_uri=http%3A%2F%2F127.0.0.1%3A12345%2Fcli%2Fcallback&state=EKumS4qOPm11yRx7&code_challenge=BxR9DHWIdKBypPb089N0ekP-C-SAYwLj_jbLU-N****&code_challenge_method=S256
    1. When you configure an OAuth credential for the first time, on the Third-party Application Authorization page, click Authorize. Alibaba Cloud CLI creates a third-party OAuth application in the Resource Access Management console.

    2. After you complete the authorization, you must assign RAM users to this application. Click Go to allocate to go to the RAM console > OAuth Application page.

    3. On the OAuth Application page, click the Third-party Application tab, click the name of the official-cli application.

    4. On the Assignments tab, click Create Assignment and select the RAM users that you want to allow to log on. Click OK to complete the assignment.

  4. After the assignment is complete, you must start the authorization process again. Access the logon URL again and click Authorize.

  5. After the authorization is successful, specify the default region for Alibaba Cloud CLI.

    Default Region Id []: cn-hangzhou
  6. After the configuration is successful, the Configure Done message and a welcome message are displayed.

Non-interactive mode

Note
  • After you configure an OAuth credential in non-interactive mode, you must run the aliyun configure --profile <PROFILE_NAME> command to perform the authorization operation when you use the credential for the first time.

  • When you configure a credential in non-interactive mode, only CN and INTL are valid values for the logon site type.

You can run the aliyun configure set command to configure a credential in non-interactive mode. Syntax:

Linux/macOS (Bash):

aliyun configure set \
  --profile OAuthProfile \
  --mode OAuth \
  --oauth-site-type "CN" \
  --region "cn-hangzhou"

Windows (PowerShell):

aliyun configure set `
  --profile OAuthProfile `
  --mode OAuth `
  --oauth-site-type "CN" `
  --region "cn-hangzhou"

Credential management

Alibaba Cloud CLI allows you to configure and manage multiple sets of credentials. You can switch between or specify profiles as needed.

Use the current profile

Run the following command to switch from the current profile to a specific profile.

aliyun configure switch --profile <PROFILE_NAME>

After the switch is successful, Alibaba Cloud CLI uses the settings and credentials in this profile by default until you make another change.

You can also run the aliyun configure set command to modify the settings of a profile. The modified settings take effect for subsequent commands.

Specify a profile

When you run a command, you can use the --profile option to explicitly specify the profile to use. This method has the highest priority and overrides the profile selected by any other method.

Example: Call the DescribeInstances operation of Elastic Compute Service by using the credential named exampleProfile to query the information about Elastic Compute Service instances.

aliyun ecs DescribeInstances --profile exampleProfile

Other credential management commands

Alibaba Cloud CLI provides the configure command and its sub-commands to manage multiple identity credentials. You can use these commands to add, delete, modify, and view credentials. For more information, see Manage multiple credentials.

Storage locations of credentials

A credential profile specifies a set of configuration items and has a custom name. All profiles are stored in the config.json file in the JSON format. This file is located in the .aliyun folder in your personal user directory. The path of the folder varies with the operating system.

  • Windows: C:\Users\<USERNAME>\.aliyun

  • Linux/macOS: /home/<USER_NAME>/.aliyun
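
Because config.json holds the credentials of every profile, it is worth auditing what it stores and who can read it. The script below is an added example, not code from Alibaba Cloud CLI: it writes a constructed config.json in this layout and flags profiles that keep a long-lived AccessKey pair on disk (the default AK credential type, unlike CloudSSO and OAuth profiles, which hold only logon settings) as well as group/other permission bits on the file. The top-level current and profiles keys follow the file layout; the per-profile field names are assumed from the configure options described on this page.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the layout of ~/.aliyun/config.json ("current" plus a
# "profiles" list); per-profile field names are assumed from this page's
# configure options, not taken from the CLI source. Values are placeholders.
SAMPLE_CONFIG = {
    "current": "SSOProfile",
    "profiles": [
        {"name": "default", "mode": "AK", "region_id": "cn-hangzhou",
         "access_key_id": "LTAI****PLACEHOLDER",
         "access_key_secret": "SECRET****PLACEHOLDER"},
        {"name": "SSOProfile", "mode": "CloudSSO", "region_id": "cn-hangzhou",
         "cloud_sso_sign_in_url": "https://signin-******.alibabacloudsso.com/device/login",
         "cloud_sso_access_config": "ac-012345678910abcde****",
         "cloud_sso_account_id": "012345678910****"},
        {"name": "OAuthProfile", "mode": "OAuth", "oauth_site_type": "CN"},
    ],
}

def audit_config(path):
    """Return a list of findings for one config.json file."""
    findings = []
    # The file holds secrets, so any group/other access bit is a finding.
    bits = stat.S_IMODE(os.stat(path).st_mode)
    if bits & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"config.json is accessible to group/others (mode {bits:o})")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    profiles = cfg.get("profiles", [])
    if cfg.get("current") not in {p["name"] for p in profiles}:
        findings.append(f"current profile {cfg.get('current')!r} is not defined")
    for p in profiles:
        # AK is the CLI's default credential type: a static key pair on disk,
        # unlike CloudSSO/OAuth profiles, which hold only logon settings.
        if p.get("mode", "AK") == "AK":
            findings.append(f"profile {p['name']!r} stores a long-lived AccessKey pair")
    return findings

def audit_sample(perm):
    """Write the constructed sample with the given mode bits, then audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_CONFIG, fh)
        os.chmod(path, perm)
        return audit_config(path)
```

Point audit_config at the real ~/.aliyun/config.json to check your own machine; a profile that appears with mode AK is the one whose keys should be rotated or replaced by a CloudSSO or OAuth profile.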

References