Before you use Alibaba Cloud CLI, you must configure the credential that is required for calling Alibaba Cloud resources. The credential information includes the credential, region, and language. When Alibaba Cloud CLI is used for the first time, it automatically creates a profile named default to store the required information. You can also configure and use your custom profiles.
Credential configuration methods
Alibaba Cloud CLI provides two configuration modes: interactive mode and non-interactive mode. You can select a configuration mode based on your business requirements.
The interactive mode guides you through the configuration process. This way, you can configure a profile in Alibaba Cloud CLI at a low learning cost. We recommend that you use this mode if you are a beginner, are unfamiliar with CLI operations, or occasionally configure a profile.
The non-interactive mode allows you to directly specify configuration items by using parameters in commands or environment variables. This mode offers high flexibility and efficiency. We recommend that you use this mode if you want to manage and use Alibaba Cloud CLI by using scripts, automated deployment tools, or configuration management tools.
Interactive mode
Common syntax
You can run the aliyun configure command to configure a credential in interactive mode. Syntax:
aliyun configure --mode <AuthenticateMode> --profile <profileName>
Command options:
--mode: the credential type. Default value: AK. For more information about the credential types supported by Alibaba Cloud CLI, see the Credential types section of this topic.
--profile: the profile name. If you do not specify this option, the default profile is used. If the specified profile exists, it is overwritten. If the specified profile does not exist, a profile with the specified name is created.
Usage notes:
Make sure that you specify valid credential information. Invalid credential information may cause user errors or command failures.
After you configure a credential in interactive mode, the following information is displayed if the credential information is valid:
Non-interactive mode
Common syntax
You can run the aliyun configure set command to configure a credential in non-interactive mode. Syntax:
aliyun configure set [--settingName <settingValue>]... --mode <AuthenticateMode> --profile <profileName>
When you configure a credential in non-interactive mode, you must specify the required options. You need to specify only the options that are required by the type of credential that you configure.
The following list describes the common options, which apply to all credential types:
--profile: required. The profile name. If the specified profile exists, it is overwritten. If the specified profile does not exist, a profile with the specified name is created.
--region: required. The ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
--language: the language of Alibaba Cloud CLI. Default value: en.
--mode: the credential type. Default value: AK. For more information about the credential types supported by Alibaba Cloud CLI, see the Credential types section of this topic.
Usage notes:
Make sure that you specify valid credential information. Invalid credential information may cause user errors or command failures.
After you configure a credential in non-interactive mode, you can run the aliyun configure list or aliyun configure get command to check whether the credential is configured as expected. For more information, see Profile-related commands.
Credential types
AK
Description
To ensure the security of your Alibaba Cloud account, we recommend that you create a Resource Access Management (RAM) user for calling API operations and create an AccessKey pair for the RAM user. For more information about how to use an AccessKey pair in a secure manner, see Credential security solutions.
In Alibaba Cloud CLI, AK is the default credential type, which uses an AccessKey pair as the credential. Therefore, you can skip the --mode option when you configure a credential of the AK credential type.
Required options:
AccessKey Id: the AccessKey ID. For more information, see the "Create an AccessKey pair for a RAM user" section of the Create an AccessKey pair topic.
AccessKey Secret: the AccessKey secret. For more information, see the "Create an AccessKey pair for a RAM user" section of the Create an AccessKey pair topic.
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
Configuration examples
The following examples show how to configure a credential named AkProfile of the AK type.
Interactive mode
Run the following command:
aliyun configure --profile AkProfile
The following sample response shows the interaction process:
Non-interactive mode
Run the aliyun configure set command to configure a credential in non-interactive mode.
aliyun configure set \
  --profile AkProfile \
  --mode AK \
  --access-key-id **** \
  --access-key-secret **** \
  --region ****
StsToken
Description
Security Token Service (STS) tokens are provided by Alibaba Cloud for temporary access to and management of services. For more information about STS tokens, see What is STS?
An STS token is valid for a specific period. After an STS token expires, you must obtain another STS token. In Alibaba Cloud CLI, credentials of the StsToken type are not automatically renewed. We recommend that you use the following types of credentials:
The following types of credentials can be automatically renewed:
CloudSSO users can use External credentials to access Alibaba Cloud resources. For more information, see Use Alibaba Cloud CLI to access CloudSSO and Alibaba Cloud resources.
The following types of credentials can be renewed by developers:
To configure a credential of this type, you must set the --mode option to StsToken.
Required options:
AccessKey Id: the AccessKey ID. For more information, see Create an AccessKey pair.
AccessKey Secret: the AccessKey secret. For more information, see Create an AccessKey pair.
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
STS Token: the STS token used for authentication. For more information, see AssumeRole.
Configuration examples
The following examples show how to configure a credential named StsProfile of the StsToken type.
Interactive mode
Run the following command:
aliyun configure --profile StsProfile --mode StsToken
The following sample response shows the interaction process:
Non-interactive mode
Run the aliyun configure set command to configure a credential in non-interactive mode.
aliyun configure set \
  --profile StsProfile \
  --mode StsToken \
  --access-key-id **** \
  --access-key-secret **** \
  --sts-token **** \
  --region ****
RamRoleArn
Description
To configure a credential of the RamRoleArn type, call the AssumeRole operation of STS to obtain an STS token. For more information, see the following topics:
Temporary credentials of the RamRoleArn type can be automatically renewed:
Required options:
AccessKey Id: the AccessKey ID. For more information, see Create an AccessKey pair.
AccessKey Secret: the AccessKey secret. For more information, see Create an AccessKey pair.
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
RamRoleArn: the Alibaba Cloud Resource Name (ARN) of the RAM role. You can view the ARN of a RAM role in the RAM console or by calling an API operation. For more information about how to view the ARN of a RAM role in the RAM console, see the "How do I view the ARN of a RAM role?" section of the FAQ about RAM roles and STS tokens topic. For more information about how to view the ARN of a RAM role by calling an API operation, see ListRoles or GetRole.
RoleSessionName: the session name of the RAM role. The parameter value is user-defined and is usually set to the identity of the user who calls the API operation, such as the username.
Configuration examples
The following examples show how to configure a credential named RamRoleArnProfile of the RamRoleArn type.
Interactive mode
Run the following command:
aliyun configure --profile RamRoleArnProfile --mode RamRoleArn
The following sample response shows the interaction process:
Non-interactive mode
Run the aliyun configure set command to configure a credential in non-interactive mode.
aliyun configure set \
  --profile RamRoleArnProfile \
  --mode RamRoleArn \
  --access-key-id **** \
  --access-key-secret **** \
  --ram-role-arn **** \
  --role-session-name **** \
  --region ****
EcsRamRole
Description
Alibaba Cloud CLI allows you to obtain credentials in security hardening mode (IMDSv2). We recommend that you install the latest version of Alibaba Cloud CLI before you configure a credential of the EcsRamRole type. For more information, see Installation Guide.
For more information about ECS instance metadata, see Obtain instance metadata.
For more information about how to attach a RAM role to an ECS instance, see the "Create an instance RAM role and attach the instance RAM role to an ECS instance" section of the Instance RAM roles topic. For more information about how to attach a RAM role to an elastic container instance, see the "Assign the instance RAM role to an elastic container instance" section of the Use an instance RAM role by calling API operations topic.
Credentials of the EcsRamRole type do not require an AccessKey pair. If you use Alibaba Cloud CLI to perform API operations on an ECS instance or an ECI, you can access the metadata service of the instance to obtain an STS token. This minimizes the risk of AccessKey leaks.
Temporary credentials of the EcsRamRole type can be automatically renewed.
The metadata server supports access in normal mode (IMDSv1) and security hardening mode (IMDSv2). By default, Alibaba Cloud CLI obtains access credentials from the metadata server in security hardening mode. If an exception occurs in the security hardening mode, you can configure the ALIBABA_CLOUD_IMDSV1_DISABLED environment variable to specify an exception handling logic. Sample configurations:
false (default): The Credentials tool continues to obtain the access credential in normal mode.
true: The exception is thrown and Alibaba Cloud CLI continues to obtain the access credential in security hardening mode.
The configurations for the metadata server determine whether the server supports the security hardening mode (IMDSv2).
For more information about how to configure environment variables, see Configure environment variables in Linux, macOS, and Windows.
Required options:
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
Configuration examples
The following examples show how to configure a credential named EcsRamRoleProfile of the EcsRamRole type.
Interactive mode
Run the following command:
aliyun configure --profile EcsRamRoleProfile --mode EcsRamRole
The following sample response shows the interaction process:
Non-interactive mode
Run the aliyun configure set command to configure a credential in non-interactive mode.
aliyun configure set \
  --profile EcsRamRoleProfile \
  --mode EcsRamRole \
  --region ****
External
Description
External credentials can be automatically renewed.
Alibaba Cloud CLI can obtain an external credential by running a command of an external program. You can manually renew external credentials.
Alibaba Cloud CLI allows you to use an external credential to log on to CloudSSO. For more information, see Use Alibaba Cloud CLI to access CloudSSO and Alibaba Cloud resources.
Required options:
Process Command: the command of the external program. You can configure the external program to return an AccessKey pair or an STS token, which are both static credentials. The following code shows the structures of the two types of credentials:
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
Configuration examples
The following examples show how to configure a credential named ExternalProfile of the External type.
Interactive mode
Run the following command:
aliyun configure --profile ExternalProfile --mode External
The following sample response shows the interaction process:
Non-interactive mode
Run the aliyun configure set command to configure a credential in non-interactive mode.
aliyun configure set \
  --profile ExternalProfile \
  --mode External \
  --process-command **** \
  --region ****
ChainableRamRoleArn
Description
The ChainableRamRoleArn credential type allows you to use chainable role assumption to obtain credentials. To use a credential of this type, Alibaba Cloud CLI obtains an intermediate credential, such as an AccessKey pair or an STS token, from the source credential, assumes a role by using the intermediate credential, and then obtains the final credential, which is an STS token.
Credentials of the ChainableRamRoleArn type can be automatically renewed.
Required options:
Source Profile: the name of the source profile. The source credential can be of any type. Before you configure a credential of the ChainableRamRoleArn type, you must configure a source credential. For more information, see the following configuration examples.
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
RamRoleArn: the Alibaba Cloud Resource Name (ARN) of the RAM role. You can view the ARN of a RAM role in the RAM console or by calling an API operation. For more information about how to view the ARN of a RAM role in the RAM console, see the "How do I view the ARN of a RAM role?" section of the FAQ about RAM roles and STS tokens topic. For more information about how to view the ARN of a RAM role by calling an API operation, see ListRoles or GetRole.
RoleSessionName: the session name of the RAM role. The parameter value is user-defined and is usually set to the identity of the user who calls the API operation, such as the username.
Configuration example
Before you configure a credential of the ChainableRamRoleArn type, you must attach the AliyunSTSAssumeRoleAccess system policy to the RAM user associated with the source credential.
The following example shows how to configure a credential named ChainableProfile of the ChainableRamRoleArn type. In this example, the source profile is named RamRoleArnProfile and is of the RamRoleArn credential type.
Interactive mode
Configure the source profile RamRoleArnProfile. For more information, see the configuration examples in the RamRoleArn section of this topic.
Run the following command to configure the ChainableProfile credential of the ChainableRamRoleArn type.
aliyun configure --profile ChainableProfile --mode ChainableRamRoleArn
The following sample response shows the interaction process. Specify the source profile by setting the Source Profile parameter to RamRoleArnProfile.
You cannot configure a credential of the ChainableRamRoleArn type in non-interactive mode.
CredentialsURI
Description
Credentials of the CredentialsURI type obtain Security Token Service (STS) tokens for API calls by using the URI provided by you.
You can also manually renew credentials of the CredentialsURI type.
Required options:
CredentialsURI: the local or remote URI. If the URI is inaccessible or the structure of the returned credential is incorrect, Alibaba Cloud CLI returns an error. The following code shows the standard structure:
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
Configuration examples
The following examples show how to configure a credential named URIProfile of the CredentialsURI type.
Interactive mode
Run the following command:
aliyun configure --profile URIProfile --mode CredentialsURI
The following sample response shows the interaction process:
You cannot configure a credential of the CredentialsURI type in non-interactive mode.
OIDC
Description
After you attach a Resource Access Management (RAM) role to a worker node in a Container Service for Kubernetes (ACK) cluster, applications in the pods on the worker node can use the metadata server to obtain a Security Token Service (STS) token in the same way as the applications on Elastic Compute Service (ECS) instances. However, if an untrusted application is deployed on the worker node, such as an application that is submitted by your customer and whose code is not available to you, you may not want the application to use the metadata server to obtain an STS token of the RAM role attached to the worker node. To ensure the security of cloud resources and enable untrusted applications to securely obtain required STS tokens, you can use the RAM Roles for Service Accounts (RRSA) feature to grant minimum necessary permissions to an application. In this case, the ACK cluster creates a service account OpenID Connect (OIDC) token file, associates the token file with a pod, and then injects relevant environment variables into the pod. Then, Alibaba Cloud CLI uses the environment variables to call the AssumeRoleWithOIDC operation of STS to obtain an STS token of the RAM role. For more information about the RRSA feature, see Use RRSA to authorize different pods to access different cloud services.
Credentials of the OIDC type can be automatically renewed.
Required options:
OIDCProviderARN: the Alibaba Cloud Resource Name (ARN) of the OIDC identity provider (IdP). You can view the ARN of an OIDC IdP in the RAM console or by calling an API operation. For more information about how to view the ARN of an OIDC IdP in the RAM console, see Manage an OIDC IdP. For more information about how to view the ARN of an OIDC IdP by calling an API operation, see GetOIDCProvider or ListOIDCProviders.
OIDCTokenFile: the path of the OIDC token file. An OIDC token is issued by an external IdP.
Region Id: the ID of the default region. For more information about the IDs of regions supported by Alibaba Cloud, see Regions and zones.
RamRoleArn: the ARN of the RAM role. You can view the ARN of a RAM role in the RAM console or by calling an API operation. For more information about how to view the ARN of a RAM role in the RAM console, see the "How do I view the ARN of a RAM role?" section of the FAQ about RAM roles and STS tokens topic. For more information about how to view the ARN of a RAM role by calling an API operation, see ListRoles or GetRole.
RoleSessionName: the session name of the RAM role. The parameter value is user-defined and is usually set to the identity of the user who calls the API operation, such as the username.
Configuration examples
The following examples show how to configure a credential named OIDCProfile of the OIDC type.
Interactive mode
Run the following command:
aliyun configure --profile OIDCProfile --mode OIDC
The following sample response shows the interaction process:
Non-interactive mode
Run the aliyun configure set command to configure a credential in non-interactive mode.
aliyun configure set \
  --profile OIDCProfile \
  --mode OIDC \
  --oidc-provider-arn **** \
  --oidc-token-file **** \
  --ram-role-arn **** \
  --role-session-name **** \
  --region ****
Use a profile
If you do not specify a profile when you run a command, the default profile is used.
You can also use one of the following methods to specify a profile for running a command.
Use the --profile parameter
Add the --profile parameter to your command to use the specified profile.
Example: Call the DescribeInstances operation of Elastic Compute Service by using the credential named exampleProfile to query the information about Elastic Compute Service instances.
aliyun ecs DescribeInstances --profile exampleProfile
Specify the default profile
After the default profile is specified, you do not need to specify a profile every time you run a command in Alibaba Cloud CLI. You can still use the --profile parameter to specify the profile that you want to use after the default profile is specified.
You can use one of the following methods to specify the default profile:
Run the aliyun configure switch command to explicitly specify a profile as the default profile. For more information, see the "Specify the default profile" section of the Profile-related commands topic.
Run the aliyun configure set command to overwrite a profile. After the profile is overwritten, Alibaba Cloud CLI automatically sets the profile as the default profile. For more information, see the "Method 2: Modify a specific profile" section of the Profile-related commands topic.
Manually modify the current parameter in the config.json file to specify the default profile.
Profile storage location
A credential profile specifies a set of configuration items and has a custom name. All profiles are stored in the config.json file in the JSON format. This file is located in the .aliyun folder in your personal user directory. The path of the folder varies with the operating system.
Windows: C:\Users\<USERNAME>\.aliyun
Linux or macOS: ~/.aliyun
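Because every profile sits in one config.json, that file is worth auditing for stored secrets. The following is an added example, not part of the original page or of the Alibaba Cloud CLI code: it checks the file's permissions and reports which profiles, including ChainableRamRoleArn profiles traced back through their source profile, depend on an AccessKey pair or STS token kept in the file. The profiles array and the name, mode and source_profile keys are assumptions about the file layout; only current is named on this page.

```python
import json
import os
import stat
import tempfile

# Per the page, these credential types keep an AccessKey secret or STS token in the profile.
STATIC_MODES = {"AK", "StsToken", "RamRoleArn"}


def audit_config(path):
    """Return (profile, finding) tuples for one Alibaba Cloud CLI config.json."""
    findings = []
    bits = stat.S_IMODE(os.stat(path).st_mode)
    if bits & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("<file>", f"mode {bits:o} lets group/other access stored secrets"))
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    # Assumed layout: {"current": ..., "profiles": [{"name", "mode", ...}]}
    profiles = {p.get("name"): p for p in config.get("profiles", [])}
    for name, profile in profiles.items():
        root, seen = profile, {name}
        # Walk ChainableRamRoleArn links (assumed key: source_profile) to the
        # profile whose credential actually starts the role-assumption chain.
        while root is not None and root.get("mode") == "ChainableRamRoleArn":
            src = root.get("source_profile")
            if src not in profiles or src in seen:
                findings.append((name, f"source profile {src!r} is missing or loops"))
                root = None
            else:
                seen.add(src)
                root = profiles[src]
        if root is not None and root.get("mode") in STATIC_MODES:
            via = "" if root is profile else f" via {root['name']}"
            tag = " (default profile)" if name == config.get("current") else ""
            findings.append((name, f"relies on a stored {root['mode']} secret{via}{tag}"))
    return findings


# Constructed sample: profile names come from the page, values are placeholders.
SAMPLE = {
    "current": "ChainableProfile",
    "profiles": [
        {"name": "AkProfile", "mode": "AK",
         "access_key_id": "EXAMPLE_ID", "access_key_secret": "EXAMPLE_SECRET"},
        {"name": "EcsRamRoleProfile", "mode": "EcsRamRole"},
        {"name": "RamRoleArnProfile", "mode": "RamRoleArn",
         "access_key_id": "EXAMPLE_ID", "access_key_secret": "EXAMPLE_SECRET"},
        {"name": "ChainableProfile", "mode": "ChainableRamRoleArn",
         "source_profile": "RamRoleArnProfile"},
    ],
}


def run_sample(file_mode=0o644):
    """Write SAMPLE to a temporary config.json with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, file_mode)
        return audit_config(path)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

To audit a real installation on Linux or macOS, call audit_config on the config.json in the ~/.aliyun folder.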