If you use the AccessKey pair of an Alibaba Cloud account in the development process, it may pose security risks. To enhance security, you can use the Security Token Service (STS) token issued for a RAM role to access Alibaba Cloud services.
Introduction to the STS token
STS is a cloud service that provides short-term access control for Alibaba Cloud accounts. You can use STS to issue an access credential with custom validity period and access permissions to the federated user who is managed by your local account system. Federated users can use the STS credential to call Alibaba Cloud APIs or log on to the Alibaba Cloud console to manage the authorized resources.
STS tokens are the preferred credentials because they provide the following benefits:
STS tokens reduce the risk of compromising the AccessKey ID and AccessKey Secret of the Alibaba Cloud account, especially on mobile devices.
STS tokens allow you to control access to resources and impose time limits. You can grant RAM roles specific permissions on resources such as ECS and SLB.
Set the STS token
- Method 1: Use the STS token
If you use the STS token, you must update the token in a regular manner.
from aliyunsdkcore.client import AcsClient from aliyunsdkcore.auth.credentials import StsTokenCredential sts_token_credential = StsTokenCredential('sts_access_key_id', 'sts_access_key_secret', 'sts_session_token') acs_client = AcsClient(region_id='cn-hangzhou', credential=sts_token_credential)where:
- region-id is the region ID that you are using. You can call DescribeRegions to query the most recent region list.
- sts-access-key-id, sts-access-key-secret, and sts-session-token are credentials returned by calling AssumeRole.
- Method 2: Use the SDK to manage the STS token
You can allow the SDK to automatically apply for and maintain the STS token by specifying the RAM role.
from aliyunsdkcore.client import AcsClient from aliyunsdkcore.auth.credentials import RamRoleArnCredential ram_role_arn_credential = RamRoleArnCredential('access_key_id', 'access_key_secret', 'role_arn', 'role_session_name') acs_client = AcsClient(region_id='cn-hangzhou', credential=ram_role_arn_credential)where:
role-arn is the global resource descriptor that specifies a role. You can access the RAM console to query the role-arn that matches the role, click the role name, and go to the corresponding role details page.
role-session-name is a temporary role name. You can call AssumeRole to create a temporary identity, and then use the value of RoleSessionName that is used during creation as role-session-name.