An AccessKey (AK) is a long-term access credential for a RAM user. It is ideal for automation scenarios that require stable, long-term authentication, such as CI/CD pipelines, scheduled tasks, and browserless remote terminals. This topic covers how to configure, verify, and delete AccessKey credentials in the Alibaba Cloud CLI.
Prerequisites
An AccessKey is a long-term credential that does not expire automatically. If an AccessKey is compromised, an attacker can continuously access all authorized cloud resources until the AccessKey is manually disabled or deleted in the RAM console.
If your runtime environment supports them, we recommend using OAuth credentials or RAM role credentials instead. For a comparison of different credential types, see Configure and manage identity credentials.
Alibaba Cloud CLI version ≥
3.3.0. Runaliyun versionto check your current version. If your version is earlier than 3.3.0, see Install/Update CLI to upgrade.You must have the AccessKey ID and AccessKey Secret for a RAM user. We recommend using the AccessKey of a RAM user instead of a root account. A root account has permissions to all resources, and the impact of a leak is severe. To learn how to obtain an AccessKey, see CreateAccessKey.
Configure credentials
The Alibaba Cloud CLI provides three methods to configure an AccessKey: interactive configuration, non-interactive configuration (for scripting and automation), and environment variables (for CI/CD pipelines).
Interactive configuration
Run the following command to start the configuration. Replace
<ProfileName>with a custom profile name, such asAkProfile:aliyun configure --profile <ProfileName>Enter your AccessKey ID, AccessKey Secret, default region, and language when prompted:
Configuring profile 'AkProfile' in 'AK' authenticate mode... Access Key Id []: <yourAccessKeyID> Access Key Secret []: <yourAccessKeySecret> Default Region Id []: cn-shanghai Default Output Format [json]: json (Only support json) Default Language [zh|en] en: en Saving profile[AkProfile] ...Done.When the terminal displays
...Done., the configuration is successful.
After the configuration is successful, the profile is automatically activated. To switch to a different profile, run the aliyun configure switch --profile <ProfileName> command.
Non-interactive configuration
Bash
aliyun configure set \
--profile AkProfile \
--mode AK \
--access-key-id <yourAccessKeyID> \
--access-key-secret <yourAccessKeySecret> \
--region cn-hangzhouPowerShell
aliyun configure set `
--profile AkProfile `
--mode AK `
--access-key-id <yourAccessKeyID> `
--access-key-secret <yourAccessKeySecret> `
--region cn-hangzhouVerify credential configuration
After configuring the credentials, run the following command to verify them:
aliyun sts get-caller-identityThe output is similar to the following. You can identify the owner of the current AccessKey using the Arn and UserId fields:
{
"AccountId": "173305794806****",
"Arn": "acs:ram::173305794806****:user/<user-name>",
"IdentityType": "RAMUser",
"PrincipalId": "20407046578681****",
"RequestId": "D012C652-FF76-5101-81B3-45A1DDAC****",
"UserId": "20407046578681****"
}Environment variable configuration
The Alibaba Cloud CLI prioritizes profile configurations. If a field in a profile is empty, the CLI uses the corresponding environment variable.
Linux / macOS
export ALIBABA_CLOUD_ACCESS_KEY_ID="LTAI5txxx"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="yourSecret"PowerShell
$env:ALIBABA_CLOUD_ACCESS_KEY_ID = "LTAI5txxx"
$env:ALIBABA_CLOUD_ACCESS_KEY_SECRET = "yourSecret"Delete credentials
To delete an AccessKey profile from your local configuration, run the following command:
aliyun configure delete --profile <ProfileName>This command only deletes the corresponding configuration entry from ~/.aliyun/config.json. It does not disable or delete the AccessKey in the RAM console. To permanently revoke access, you must also manually disable or delete the AccessKey in the RAM console.
FAQ
Credential precedence
The CLI prioritizes values in the profile. It uses environment variables only for fields that are not defined in the profile.