You can obtain a temporary authorization token for an instance Resource Access Management (RAM) role. The token is automatically updated on a regular basis. You can use the token to exercise the permissions of the instance RAM role and to access the resources that the role is authorized to use.
Procedure
Connect to an Elastic Compute Service (ECS) instance. For more information, see Connection method overview.
Obtain a temporary authorization token for the instance RAM role that is attached to the instance.
<Validity period of the metadata server access credentials>
: Before you obtain a temporary authorization token for the instance RAM role, you need to obtain the access credentials of the metadata server and specify a validity period for the credentials to enhance data security. After the specified validity period expires, you need to re-obtain the access credentials of the metadata server. Otherwise, you cannot obtain a temporary authorization token for the instance RAM role. Valid values: 1 to 21600. Unit: seconds. For more information, see View instance metadata.
<Name of the instance RAM role>
: Replace <Name of the instance RAM role> with the actual name of the instance RAM role. Example: EcsRamRoleDocumentTesting.
Linux instance
# Obtain the access credentials of the metadata server for authentication.
TOKEN=`curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds:<Validity period of the metadata server access credentials>"`
# Obtain a temporary authorization token for the instance RAM role.
curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/ram/security-credentials/<Name of the instance RAM role>
Windows instance
# Obtain the access credentials of the metadata server for authentication.
$token = Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token-ttl-seconds" = "<Validity period of the metadata server access credentials>"} -Method PUT -Uri http://100.100.100.200/latest/api/token
# Obtain a temporary authorization token for the instance RAM role.
Invoke-RestMethod -Headers @{"X-aliyun-ecs-metadata-token" = $token} -Method GET -Uri http://100.100.100.200/latest/meta-data/ram/security-credentials/<Name of the instance RAM role>
The following code snippet shows a sample output, in which:
SecurityToken
: indicates the temporary authorization token for the instance RAM role.
Expiration
: indicates the validity period of the temporary authorization token for the instance RAM role, instead of the validity period of metadata server access credentials.
{
  "AccessKeyId" : "STS.*******6YSE",
  "AccessKeySecret" : "aj******jDU",
  "Expiration" : "2017-11-01T05:20:01Z",
  "SecurityToken" : "CAISng********",
  "LastUpdated" : "2023-07-18T14:17:28Z",
  "Code" : "Success"
}
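The two-step procedure above as a Python client that also checks the Code field, measures how long the role token remains valid from Expiration, and masks key material before logging. This is an added example, not Alibaba Cloud's own code; the function names and the fake_http stand-in are assumptions, while the endpoint, header names and TTL range are taken from this page.

```python
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import quote

METADATA = "http://100.100.100.200/latest"  # metadata server address from the page

def metadata_http(method, url, headers):
    """Real transport; only reachable from inside an ECS instance."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def get_role_credentials(role_name, ttl_seconds, http=metadata_http):
    """Run both steps of the procedure and return the parsed credentials."""
    if not 1 <= ttl_seconds <= 21600:  # valid range stated on the page
        raise ValueError("ttl_seconds must be between 1 and 21600")
    token = http("PUT", METADATA + "/api/token",
                 {"X-aliyun-ecs-metadata-token-ttl-seconds": str(ttl_seconds)})
    url = METADATA + "/meta-data/ram/security-credentials/" + quote(role_name, safe="")
    creds = json.loads(http("GET", url, {"X-aliyun-ecs-metadata-token": token.strip()}))
    if creds.get("Code") != "Success":
        raise RuntimeError("metadata server returned Code=%r" % creds.get("Code"))
    return creds

def seconds_until_expiry(creds, now=None):
    """Lifetime left on the role token (Expiration), not on the metadata token."""
    expires = datetime.strptime(creds["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    now = now or datetime.now(timezone.utc)
    return (expires.replace(tzinfo=timezone.utc) - now).total_seconds()

def redacted(creds):
    """Copy that is safe to log: key material masked, timestamps kept."""
    secret = {"AccessKeyId", "AccessKeySecret", "SecurityToken"}
    return {k: "***" if k in secret else v for k, v in creds.items()}

def fake_http(method, url, headers):
    """Constructed stand-in for the metadata server so the example runs offline."""
    if method == "PUT":
        return "constructed-metadata-token"
    return json.dumps({"AccessKeyId": "STS.constructed", "AccessKeySecret": "constructed",
                       "Expiration": "2017-11-01T05:20:01Z", "SecurityToken": "constructed",
                       "LastUpdated": "2017-10-31T23:20:01Z", "Code": "Success"})

if __name__ == "__main__":
    creds = get_role_credentials("EcsRamRoleDocumentTesting", 21600, http=fake_http)
    print(redacted(creds))
    print("expired" if seconds_until_expiry(creds) <= 0 else "valid")
```

On an ECS instance, omit the http argument so the default transport contacts the metadata server.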