After completing inbound authentication and authorization, an agent uses a Workload Access Token to call Agent Identity APIs and obtain credentials for accessing downstream Alibaba Cloud services or third-party resources. This credential-acquisition flow is called outbound.
Choose an outbound credential
Agent Identity supports three types of outbound credentials: STS Token, OAuth Access Token, and API Key. Choose the credential that matches the type and authentication method of the downstream resource.
|
Scenario |
Outbound credential |
Method |
|
Access Alibaba Cloud services |
OAuth Access Token |
Register an OAuth credential provider. Call the |
|
STS Token |
The agent calls the |
|
|
Access an LLM or third-party resources |
API Key |
Register an API Key credential provider. Call the |
|
OAuth Access Token |
Register an OAuth credential provider. Call the |
For more information, see Obtain credentials.
Outbound authorization
Outbound authorization is required to call Agent Identity APIs and obtain outbound credentials, such as GetReourceOAuth2Token.
Grant the required permissions by creating a custom policy for the RAM role associated with the workload identity used to obtain outbound credentials.
Policy example:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"agentidentitydata:GetResourceOAuth2Token",
"agentidentitydata:GetResourceAPIKey",
],
"Resource": "*"
}
],
"Version": "1"
}
Credential provider management
Agent Identity supports two types of credential providers: OAuth and API Key. To configure and manage them, see:
Agent Identity provides pre-configurations for common OAuth credential providers, such as Alibaba Cloud. For more information, see Tutorials: Set up typical OAuth credential providers.