edit-icon download-icon


Last Updated: Mar 12, 2018

When calling an Alibaba Cloud API, you can set up your credentials using the following methods:

  • AccessKey

    AccessKey is an identity, issued for the Alibaba Cloud primary account or RAM user, to call Alibaba Cloud APIs. AccessKey is similar to a username and password to log on to the console. AccessKey consists of an AccessKey ID and AccessKey Secret.

    You must sign the API request when manually calling an API. However, if you use the Alibaba Cloud SDK to call APIs, the SDK will automatically sign the request according to the configured AccessKey.

    For more information, see Create an AccessKey.

  • STS token

    When a temporary permission is required to access a service for security reasons, you can use the Security Token Service (STS) to create a temporary token to call the API. A temporary AccessKey consists of an AccessKey ID, AccessKey Secret, and a security token with an expiration time.

    For more information, see STS overview.

  • RSA key pairs

    In cases when more stringent security objectives are necessary, such as requiring cloud service providers to provide Non-Repudiation security capabilities, you can use RSA key pairs.

    RSA key pairs consist of a public key and a private key. You use the private key to calculate the signature and send a request to STS to get a session AccessKey with a temporary permission. Then you use the session AccessKey to call Alibaba Cloud APIs.

    For more information, see Use RSA key pairs to call APIs


  • For security reasons, we recommend that you use the RAM user to call APIs. The RAM user has limited access granted by the primary account to the cloud services. For more information, see RAM Documentation.

  • You must grant corresponding permission to the RAM user to allow it to call APIs and further create or modify cloud resources. For more information, see Permissions.

Thank you! We've received your feedback.