Configure credentials

Last Updated: Jan 13, 2022

Use AccessKey pairs

You can log on to the User Management console to configure AccessKey pairs. An AccessKey pair is granted full permissions on the resources that belong to an Alibaba Cloud account or a Resource Access Management (RAM) user. Keep your AccessKey pairs confidential. You may not want to provide an AccessKey pair of your Alibaba Cloud account to a developer due to security reasons. In this case, you can create a RAM user and grant permissions to the RAM user. This way, the RAM user can use an AccessKey pair to call API operations.

The following sample code shows two equivalent ways to create a client that authenticates to servers based on an AccessKey pair and to use it as the default client: call asDefaultClient(), or name the client default.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::accessKeyClient('accessKeyId', 'accessKeySecret')->asDefaultClient();
AlibabaCloud::accessKeyClient('accessKeyId', 'accessKeySecret')->name('default');

Use Security Token Service (STS) credentials

To ensure the security of your business, you can apply for temporary security credentials (TSC) from STS to create a temporary client.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::stsClient('accessKeyId', 'accessKeySecret', 'securityToken')->name('sts');

Use RamRoleArn credentials

You can assign a RAM role to a client. Then, the client can automatically apply for and maintain STS tokens before the client initiates a request. This way, the client automatically changes to an STS client that has a validity period. You can also apply for an STS token and create an STS client.

The following sample code shows how to create a client named ramRoleArnClient that authenticates to servers based on RamRoleArn credentials.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::ramRoleArnClient('accessKeyId', 'accessKeySecret', 'roleArn', 'roleSessionName')
              ->name('ramRoleArnClient');

Use EcsRamRole credentials

If the client runs on an Elastic Compute Service (ECS) instance to which a RAM role is attached, you can specify the role name. Then, the client automatically applies for and maintains STS tokens before the client initiates a request. This way, the client automatically changes to an STS client that has a validity period. You can also apply for an STS token and create an STS client.

The following sample code shows how to create a client named ecsRamRoleClient that authenticates to servers based on EcsRamRole credentials.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::ecsRamRoleClient('roleName')->name('ecsRamRoleClient');

Use bearer tokens

If your Cloud Call Center (CCC) uses clients that authenticate to servers based on bearer tokens, you must apply for and maintain the bearer tokens yourself.

The following sample code shows how to create a client named bearerTokenClient that authenticates to servers based on bearer tokens.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::bearerTokenClient('token')->name('bearerTokenClient');

Use Rivest–Shamir–Adleman (RSA) key pairs

You can specify a public key ID and a private key file to allow a client to automatically apply for and maintain an AccessKey pair before the client initiates a request. This way, the client automatically changes to an AccessKey client that has a validity period. The feature is supported only on the Japan site.

The following sample code shows how to create a client named rsaKeyPairClient that authenticates to servers based on RSA key pairs.

<?php

use AlibabaCloud\Client\AlibabaCloud;

AlibabaCloud::rsaKeyPairClient('publicKeyId', '/your/privateKey.pem')->name('rsaKeyPairClient');

Default credential provider chain

The default provider chain searches for and uses credentials in the following order:

1. Use credentials from environment variables.

The provider chain searches for credentials in environment variables. If you specify the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET, the provider chain uses the environment variables to create a default client. If the client that is specified in a request is not the default client, the provider chain searches for and loads clients in the configuration file.

2. Use the configuration file

If a default file exists in the home directory of the user, the provider chain automatically creates a client based on the type and name that the file specifies. The path for the default file is ~/.alibabacloud/credentials. In Windows, the path is C:\Users\USER_NAME\.alibabacloud\credentials. The default file does not have to exist. However, an exception is thrown if a parsing error occurs. The client name is not case-sensitive. If two clients have the same name, the client that is defined later overwrites the client that is defined earlier.

You can also load specified files by calling AlibabaCloud::load('/data/credentials', 'vfs://AlibabaCloud/credentials', ...);. Different projects or tools can share this configuration file, because the file is stored outside the projects and cannot be accidentally committed to version control. In Windows, you can refer to your home directory by using the environment variable %UserProfile%. In Unix-like systems, you can use the environment variable $HOME or a tilde (~). You can change the path of the default file by setting the ALIBABA_CLOUD_CREDENTIALS_FILE environment variable.

[default]                          # The default client.
enable = true                      # Enables the client. By default, the client is enabled if this parameter does not exist.
type = access_key                  # Specifies that the client authenticates to servers based on AccessKey pairs.
access_key_id = foo                # Key
access_key_secret = bar            # Secret
region_id = cn-hangzhou            # Optional. The region ID.
debug = true                       # Optional. Specifies that detailed information is output to the command-line interface (CLI) in debug mode.
timeout = 0.2                      # Optional. The timeout period. If the value is greater than 1, the unit is seconds. If the value is smaller than 1, the value is multiplied by 1,000 and the unit is milliseconds.
connect_Timeout = 0.03             # Optional. The connection timeout period. The same unit rule as the timeout period applies.
cert_file = /path/server.pem       # Optional. The client certificate.
cert_password = password           # Optional. The password of the client certificate.
proxy = tcp://localhost:8125       # Optional. The proxy.
proxy_http = tcp://localhost:8125  # Optional. The HTTP proxy.
proxy_https = tcp://localhost:9124 # Optional. The HTTPS proxy.
proxy_no = .mit.edu,foo.com        # Optional. The domain names that bypass the proxy.

[client1]                          # The client named client1.
type = ecs_ram_role                # Specifies that the client authenticates to servers based on EcsRamRole credentials.
role_name = EcsRamRoleTest         # Role Name
#..................................# The other parameters are the same as the parameters of the default client.

[client2]                          # The client named client2.
enable = false                     # Disables the client.
type = ram_role_arn                # Specifies that the client authenticates to servers based on RamRoleArn credentials.
access_key_id = foo
access_key_secret = bar
role_arn = role_arn
role_session_name = session_name
#..................................# The other parameters are the same as the parameters of the default client.

[client3]                          # The client named client3.
type = rsa_key_pair                # Specifies that the client authenticates to servers based on RSA key pairs.
public_key_id = publicKeyId        # Public Key ID
private_key_file = /your/pk.pem    # The private key file.
#..................................# The other parameters are the same as the parameters of the default client.

3. Instance RAM role

If you specify the environment variable ALIBABA_CLOUD_ECS_METADATA, the provider chain uses the value of the environment variable as the role name, sends a request to http://100.100.100.200/latest/meta-data/ram/security-credentials/ to obtain temporary security credentials, and then creates a default client.
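The following added example is not part of the SDK or of the original page. It models, in Python, the resolution rules that the three steps above state (environment variables first, then the [default] client of the credentials file with its case-insensitive names, later-wins duplicates, enable flag and exception on parse errors, then the role named by ALIBABA_CLOUD_ECS_METADATA) so that you can see which client a given environment and file would produce. The sample credentials text is constructed with placeholder values, env is a dict standing in for os.environ, and the instance metadata request is not performed.

```python
import re

# Constructed sample in the format of ~/.alibabacloud/credentials (placeholder values, not real keys).
SAMPLE_CREDENTIALS = """\
[default]                   # The default client.
type = access_key
access_key_id = foo
access_key_secret = bar
[Client1]                   # Client names are not case-sensitive.
type = ecs_ram_role
role_name = EcsRamRoleTest
[client1]                   # Same name again: this later definition replaces the earlier one.
enable = false
type = ram_role_arn
"""
_SECTION = re.compile(r"^\[([^\]]+)\]$")
_COMMENT = re.compile(r"(^|\s)#.*$")  # '#' at line start or after whitespace starts a comment

def parse_credentials(text):
    """Parse by the rules the page states: names are case-insensitive, a later
    client replaces an earlier one of the same name, a malformed line raises."""
    clients, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        if section := _SECTION.match(line):
            current = clients[section.group(1).strip().lower()] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")  # SDK throws on parse errors
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return clients

def resolve_default_client(env, credentials_text):
    """Walk the default provider chain in the page's order (env: dict standing in for os.environ)."""
    # 1. Environment variables come first.
    if env.get("ALIBABA_CLOUD_ACCESS_KEY_ID") and env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET"):
        return {"type": "access_key", "source": "env"}
    # 2. The [default] client of the credentials file, unless it sets enable = false.
    if credentials_text is not None:
        default = parse_credentials(credentials_text).get("default")
        if default is not None and default.get("enable", "true").lower() != "false":
            return dict(default, source="file")
    # 3. The role named by ALIBABA_CLOUD_ECS_METADATA (the SDK fetches its temporary credentials).
    role_name = env.get("ALIBABA_CLOUD_ECS_METADATA")
    if role_name:
        return {"type": "ecs_ram_role", "role_name": role_name, "source": "instance"}
    return None
```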

Custom credential provider chain

You can also build a custom provider chain that searches for credentials in the order you choose, or pass a provider as a closure.

<?php

use AlibabaCloud\Client\Credentials\Providers\CredentialsProvider;

// The custom chain searches in this order: configuration file, environment variables, instance RAM role.
CredentialsProvider::chain(
    CredentialsProvider::ini(),
    CredentialsProvider::env(),
    CredentialsProvider::instance()
);