All Products
Search
Document Center

Agent Identity:What is Agent Identity?

Last Updated:Jul 10, 2026

Alibaba Cloud Agent Identity is an identity and credential management service designed for AI agents within the Alibaba Cloud Agentic AI ecosystem. It securely manages agent identities, protects access credentials, and enables agents to access Alibaba Cloud services and third-party SaaS applications on behalf of users or themselves, providing end-to-end security controls for agents to transition from prototypes to production-grade agents.

Core features

31A0371D-1BEF-47ED-9DB4-AC87F9C87747

  • Workload identity management: Provides standardized workload identities for agents.

  • Credential provider management: Centrally and securely manages various credentials, such as API keys and OAuth tokens, that agents use to access cloud services and third-party applications.

  • Authorization and credential acquisition: Supports multiple methods for obtaining credentials by connecting to Alibaba Cloud services, SaaS applications, or existing enterprise services. For more information, see How to choose an outbound credential.

  • Security and audit:

    • Secure credential storage: All sensitive credentials, such as client secrets, API keys, and refresh tokens, are encrypted and stored in the Token Vault using Key Management Service (KMS).

    • Fine-grained access control:

      • Configure Resource Access Management (RAM) policies to restrict specific workload identities to accessing only specific credential providers.

      • Tokens in the Token Vault are bound to workload and user identities to prevent credential misuse.

    • Complete audit logs: All identity management and credential acquisition operations are recorded in Alibaba Cloud ActionTrail. This provides full audit traceability.

Core concepts

Workload Identity

A workload identity is a digital identity designed for AI agents or automated workloads. Similar to a user or role in RAM, it is used for identity authentication and secure access to services and resources. It is the core identity unit for access control and security audits in Agent Identity.

  • Each workload identity has a unique Aliyun Resource Name (ARN) within an Alibaba Cloud account.

  • A workload identity is the basic unit for access control and auditing.

  • It can be automatically created by agent hosting services, such as Alibaba Cloud Model Studio, AI Studio, or LangStudio. It can also be manually created by developers through the API or console.

For more information about how to create and manage workload identities, see Workload identity management.

Workload Access Token

A Workload Access Token is a short-lived, opaque token issued by the Agent Identity service. It encapsulates information about both the workload identity and the end-user identity in user-agent authorization scenarios. It acts as the key for an agent to obtain access credentials for downstream resources from the Token Vault.

For more information about how to obtain a Workload Access Token, see Obtain a Workload Access Token.

Identity Provider

Agent Identity integrates with Identity Providers (IdPs) that are compatible with the OpenID Connect (OIDC) protocol. These IdPs can include Alibaba Cloud RAM, enterprise-owned IdPs, Okta, and Entra ID. An agent uses a JSON Web Token (JWT) obtained from the user's IdP to call the Agent Identity API. After Agent Identity authenticates the agent, it issues a Workload Access Token to the agent.

For more information about how to configure an IdP, see Identity provider management.

Credential Provider

A credential provider is a configuration entity that provides access credentials, such as API keys or OAuth tokens, to an AI agent.

It defines the configuration for how an agent obtains access credentials from external services, such as DingTalk, Lark, or your own business systems. Agent Identity securely stores these configurations. When required, it automatically handles the authentication and authorization interactions with external IdPs on behalf of the agent. The following types are supported:

  • OAuth 2.0 credential provider: Configures connection information for services that support OAuth 2.0. These services include RAM, DingTalk, Google, Entra ID, Okta, PingIdentity, or custom OIDC services.

  • API key credential provider: Securely stores and manages static API keys.

For more information about how to create and configure a credential provider, see Credential provider management.

Token Vault

The Token Vault is a highly secure and available credential storage system managed by the Agent Identity service. It encrypts and stores sensitive credentials obtained from credential providers, such as OAuth access tokens, API keys, and Security Token Service (STS) tokens, using KMS.

  • All credentials, such as API keys, OAuth client secrets, and refresh tokens, are encrypted and stored using KMS.

  • The Token Vault enforces strict access control policies. This ensures that only authorized agents with a specific workload identity can access the corresponding credentials under specific user authorization. Agent code cannot directly access long-term credentials.

Key features

Seamlessly integrate with enterprise IdPs

Identity authentication is the starting point for security in any system.

Agent Identity provides IdP configuration capabilities for seamless integration and end-to-end user context propagation:

  • Seamless IdP integration: Whether your enterprise uses Okta, Entra ID, or Ping Identity as the user identity source, or uses RAM or IDaaS directly, you can integrate them through the standard OIDC protocol. You do not need to register a separate set of agent accounts for your users. Users can use agents through their existing identity authentication systems.

  • Consistent user context: After a user logs on, Agent Identity not only performs identity authentication but also securely propagates the user's context to the agent, gateway, downstream tools, and Alibaba Cloud services. This context includes the subject, issuer, and audience. This provides a foundation for subsequent access control and security audits.

All agent calls start with a user identity authenticated by an IdP. Every interaction log can be traced back to a specific person.

Securely manage agent credentials

Hard-coding credentials in code or configurations is a common security risk. If the code or configuration is leaked, the keys are compromised.

Agent Identity provides a Token Vault designed specifically for agents to securely store, retrieve, and manage credentials:

  • Keyless: During agent development, developers no longer directly handle plaintext credentials, such as AccessKeys, large language model (LLM) keys, or OAuth client secrets. Instead, they use credentials declaratively through the Agent Identity Token Vault. This avoids the threat of key leakage due to code or configuration exposure.

  • KMS credential encryption: All sensitive credentials in the Token Vault are encrypted with high-strength encryption using KMS. This ensures the data security of every credential.

  • Just-in-time injection: Only when an agent actually needs a credential, and after it passes identity authentication and authorization, does Agent Identity inject the credential into the running agent in real time and for a short duration.

  • Security audit: Through the trusted user context propagation mechanism of Agent Identity, all records of an agent obtaining credentials are recorded in ActionTrail for security audits. The audit provides granularity down to the agent user level, specifying which agent user used which agent and through which RAM role to obtain a specific credential.

Delegate agents to access tools on behalf of users

Traditionally, agents are configured with API keys that have superuser permissions, allowing access to all user data by default. This can lead to privilege escalation, where users access data through the agent that they cannot access directly.

Agent Identity provides on-behalf-of authorization, allowing agents to access tools using the user's own identity instead of a machine identity:

  • Just-in-time authorization: By default, an agent does not have the ability to access tools. After a trusted user uses the agent and completes OAuth authorization, the agent temporarily gains permission to access the tool. It accesses the tool and resources with the user's identity and permissions. This eliminates the threats of over-authorization and long-term credential leakage, achieving zero standing permissions.

  • Permission de-escalation: The permissions an agent obtains will never exceed the user's own permissions. If a user grants an agent permission to read a document, the agent cannot write to the document.

  • Avoid authorization fatigue: Using Token Vault technology, Agent Identity securely stores user authorizations for agents. Unless a high-risk operation requires mandatory authorization, re-authorization is not required within the default validity period. This ensures security and prevents agent users from facing continuous confirmation pop-ups.

Securely access Alibaba Cloud

Agents need to not only access SaaS applications but also call cloud infrastructure, such as OSS for data storage, MQ for messaging, or Function Compute for business logic.

Agent Identity is deeply integrated with RAM, STS, and ActionTrail, bringing mature identity security capabilities to the agent ecosystem:

  • Role-based access: Agents do not need to be configured with long-term AccessKeys. Through a role-binding mechanism, agents can securely assume RAM roles and access Alibaba Cloud using STS tokens.

  • Fine-grained access control: You can configure fine-grained RAM policies for agents to control their access to Alibaba Cloud. This access is also subject to your enterprise's existing security control policies. Fine-grained control at the agent user level will also be supported soon.

  • User-level auditing: Compared to traditional applications that provide audits only down to the RAM user or RAM role when accessing Alibaba Cloud, Agent Identity supports agent-level and agent-user-level operation audits through its trusted user context propagation mechanism. This achieves end-to-end auditing from the human identity to the agent and then to Alibaba Cloud.

Security and compliance

  • RAM integration: Agent Identity is deeply integrated with Alibaba Cloud RAM. All control plane operations can be authorized through RAM policies. The data plane supports fine-grained control over credential acquisition and access to Alibaba Cloud services.

  • Service-linked Role: Agent Identity creates a service-linked role, such as AliyunServiceRoleForAgentIdentity, to access a customer's KMS keys on behalf of the service.

  • Data encryption: All credentials in the Token Vault are encrypted by default using KMS.

  • ActionTrail: All operations to create, modify, or delete Agent Identity resources, along with all credential acquisition operations, are recorded in ActionTrail. This provides immutable audit logs.

Next steps

Follow these tutorials to get started: