Alibaba Cloud CLI authenticates using credentials to call cloud service APIs for managing cloud resources. This topic describes how to select a suitable credential type based on your use case, and how to configure and manage credentials.
Select a credential type
Alibaba Cloud CLI supports multiple credential types. Select the type that best fits your use case.
Credential type | Use case | Supports non-interactive configuration | Configuration |
OAuth (Recommended) | Sign in with an Alibaba Cloud account, RAM user, or SSO in a browser. Supports MFA and passkeys. No long-term AccessKey storage required, ensuring high security. | No | |
EcsRamRole (Recommended) | When running CLI on an ECS instance, automatically obtains temporary security credentials from the RAM role attached to the instance. No AccessKey configuration or storage required. | Yes | |
RamRoleArn (Recommended) | Assume a RAM role to operate resources as the role identity. Suitable for temporary privilege escalation or cross-account access. For example, a RAM user with basic permissions can assume a RAM role with resource management permissions, or access resources across Alibaba Cloud accounts. Uses temporary security credentials (STS token). | Yes | |
ChainableRamRoleArn | Use a role chain to assume roles sequentially for cross-account resource access. | Yes | |
OIDC | Authenticates and assumes a role through an ID token issued by an OIDC (OpenID Connect)-compatible external identity provider. Recommended for ACK/ACS pods with RRSA (RAM Roles for Service Accounts) enabled. | Yes | |
CloudSSO | For multi-account enterprises with Cloud SSO and Resource Directory. Uses browser-based sign-in with MFA support, similar to OAuth. | No | |
External | Calls an external executable program to dynamically obtain a credential (AccessKey or temporary security token). Suitable for custom credential provider scenarios. | Yes | |
CredentialsURI | Obtains a temporary security credential (STS token) from an HTTP URI that you provide. Suitable for self-hosted credential distribution services. | No | |
StsToken | Manually provide a temporary security credential (STS token). The token must be manually updated after it expires. | Yes | |
BearerToken | Uses a bearer token to authenticate Alibaba Cloud API services. Suitable for automated scenarios such as CI/CD. | Yes | |
AK (Not Recommended) | Uses a long-term AccessKey of an Alibaba Cloud account or a RAM user for direct authentication. The credential is permanently valid and relatively less secure. If you must use this method, we recommend that you first review the AccessKey best practices. | Yes |
If you use Cloud Shell, the system automatically configures a temporary credential. The identity is the RAM user or role currently signed in to the console, and the permissions are consistent with that identity. You can run CLI commands without manual configuration.
Configure credentials
Alibaba Cloud CLI supports two credential configuration methods: interactive configuration and non-interactive configuration.
Interactive configuration
Interactive configuration uses a command-line wizard that guides you through credential configuration. The system prompts you to enter each credential parameter in sequence. Suitable for local development environments or first-time configuration.
aliyun configure --mode <AuthenticateMode> --profile <ProfileName>
Example: to create an EcsRamRole credential profile named EcsProfile:
aliyun configure --mode EcsRamRole --profile EcsProfile
The following is a sample interactive session:
Configuring profile 'EcsProfile' in 'EcsRamRole' authenticate mode...
Ecs Ram Role []: ECSAdmin
Default Region Id []: cn-shanghai
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en: en
Saving profile[EcsProfile] ...Done.
Non-interactive configuration
Specify credential configuration parameters directly through command-line arguments without interactive input. Suitable for automation scenarios such as scripts and CI/CD pipelines.
Example: to create an AK credential profile named AkProfile:
Bash
aliyun configure set \
--profile AkProfile \
--mode AK \
--access-key-id ************ \
--access-key-secret ************ \
--region "cn-shanghai"
PowerShell
aliyun configure set `
--profile AkProfile `
--mode AK `
--access-key-id ************ `
--access-key-secret ************ `
--region "cn-shanghai"
For the configuration parameters supported by each credential type, see the corresponding credential type's detailed configuration page. The following parameters are common to all credential types:
Common parameters | Description |
| The profile name. If not specified, the active profile is used. |
| The credential type. Examples: |
| The default region ID, such as |
The Select a credential type table shows which types support non-interactive configuration.
You can create multiple profiles for the same credential type with unique names. For example, create ak-dev and ak-prod AK profiles for development and production.
Verify credential configuration
After the credential is configured, run the following command to verify that the credential is valid:
aliyun sts get-caller-identity
If the credential is configured correctly, the output is similar to the following:
If the authenticated identity is a RAM user:
{ "AccountId": "173305794806****", "Arn": "acs:ram::173305794806****:user/<user-name>", "IdentityType": "RAMUser", "PrincipalId": "20407046578681****", "RequestId": "D012C652-FF76-5101-81B3-45A1DDAC****", "UserId": "20407046578681****" }
If the authenticated identity is a RAM role:
{ "AccountId": "191317683912****", "Arn": "acs:ram::191317683912****:assumed-role/<role-name>/<role-session-name>", "IdentityType": "AssumedRoleUser", "PrincipalId": "30004467717606****:<role-session-name>", "RequestId": "0FFADC33-EA49-5E2A-977F-0BA820D6****", "RoleId": "30004467717606****" }
Successful verification only indicates that authentication is successful. To manage resources, you must also attach the corresponding permission policies to the identity associated with the credential.
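A pre-flight check built on the verification command above, as an added example that is not part of the Alibaba Cloud CLI or its documentation: it reads AccountId and IdentityType from the response and fails unless both match what the script expects. The function names are hypothetical, and the sample responses are abridged from the masked outputs above.

```sh
#!/bin/sh
# Added example; json_field and check_identity are hypothetical helper names.
# Sample responses abridged from the masked outputs shown above.
SAMPLE_USER='{ "AccountId": "173305794806****", "Arn": "acs:ram::173305794806****:user/<user-name>", "IdentityType": "RAMUser", "UserId": "20407046578681****" }'
SAMPLE_ROLE='{ "AccountId": "191317683912****", "Arn": "acs:ram::191317683912****:assumed-role/<role-name>/<role-session-name>", "IdentityType": "AssumedRoleUser", "RoleId": "30004467717606****" }'

# json_field NAME: print the string value of field NAME read from stdin.
# Enough for the flat, string-only response above; not a general JSON parser.
json_field() {
    tr -d '\n' | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# check_identity JSON EXPECTED_ACCOUNT EXPECTED_TYPE
# Exit status: 0 = both match, 1 = mismatch, 2 = response could not be read.
# The body is a subshell, so variables stay local and `exit` ends only the check.
check_identity() (
    json=$1; want_account=$2; want_type=$3
    account=$(printf '%s' "$json" | json_field AccountId)
    id_type=$(printf '%s' "$json" | json_field IdentityType)
    if [ -z "$account" ] || [ -z "$id_type" ]; then
        echo "preflight: AccountId or IdentityType missing from response" >&2
        exit 2
    fi
    if [ "$account" != "$want_account" ]; then
        echo "preflight: authenticated to account $account, expected $want_account" >&2
        exit 1
    fi
    if [ "$id_type" != "$want_type" ]; then
        echo "preflight: identity type is $id_type, expected $want_type" >&2
        exit 1
    fi
    echo "preflight: ok ($id_type in account $account)"
)

# In a real script the first argument would be "$(aliyun sts get-caller-identity)".
check_identity "$SAMPLE_ROLE" '191317683912****' AssumedRoleUser
```

Requiring AssumedRoleUser makes a pipeline stop when it is unexpectedly running as a RAM user instead of a role with temporary credentials.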
Manage credentials
Use aliyun configure subcommands to view, switch, modify, and delete credential profiles.
View configurations
View profile list and active profile
View all configured credentials and their status on the current machine. Use this command to check credential profile summary information, such as profile names and credential types, and to identify the active profile.
aliyun configure list
The following is a sample output. The asterisk (*) marks the active credential profile. The active profile is the default credential and parameter set (such as region and language) used by the CLI. Unless you specify a different profile by using the --profile parameter or an environment variable, all commands use this profile.
Profile | Credential | Valid | Region | Language
--------- | ------------------ | ------- | ---------------- | --------
default | AK:***UyLX | Valid | cn-shanghai | en
OAuthProfile | OAuth:fiA5bnZkyw@CN | Valid | cn-hangzhou | en
EcsProfile * | EcsRamRole:ecs-role-name | Valid | cn-beijing | zh
View profile details
Run the following command to view the detailed information of a specified credential profile:
aliyun configure get [--profile <ProfileName>] [<SETTING_NAME>...]
SETTING_NAME: The name of the settings to view. You can specify multiple settings at the same time. If not specified, all credential profile information is displayed. If the specified setting does not exist, the command returns no output.
Example 1: View the details of a profile named OAuthProfile:
aliyun configure get --profile OAuthProfile
Output:
{
"name": "OAuthProfile",
"mode": "OAuth",
"access_key_id": "STS.9jYc5erFPDLrwNGWc7Sob2ZRHenhHfz7pw9*************",
"access_key_secret": "3AcNFz37QykuHEwgzWramXGZaCrM1mDHpG1s7v******",
"sts_token": "CAIS5gJ1q6Ft5DqyfSjI2KnsKI/Rn5lx846Zd******",
"region_id": "cn-hangzhou",
"output_format": "json",
"language": "zh",
"sts_expiration": 1776751437,
"oauth_access_token": "eyJhbGciOiJSUzI1NiIsI*******",
"oauth_refresh_token": "ALGuHPAmSWxR5ynSsoRXhWpUtsxXHcLpGLnZqVvVXZDkjcbMsMasoshv1MnyRhkTq******",
"oauth_access_token_expire": 1776751436,
"oauth_site_type": "CN"
}
Example 2: View only the profile name, credential type, and default language for OAuthProfile:
aliyun configure get --profile OAuthProfile profile mode language
Output:
profile=OAuthProfile
mode=OAuth
language=en
Configuration file location
To manually view or back up the credential configuration file, find it at the following paths:
Operating system | Storage path |
Linux / macOS |
|
Windows |
|
Switch profiles
Switch the active profile
Switch the specified profile to the active profile. Alibaba Cloud CLI supports the aliyun configure switch command since v3.0.214. After a successful switch, all subsequent requests that do not explicitly specify a credential by using the --profile parameter automatically use this profile.
aliyun configure switch --profile <ProfileName>
Run aliyun configure list to confirm the target profile name before switching.
Example: Switch to a profile named prod:
aliyun configure switch --profile prod
After the switch, run aliyun configure list to confirm the target profile is marked with *.
Use a profile for a single command
Use the --profile parameter in a single command to temporarily specify a profile. This does not affect the active profile.
Example: Use the prod profile to query the list of ECS regions:
aliyun ecs describe-regions --profile prod
Modify a profile
Use aliyun configure set to modify parameter values of an existing profile. You only need to specify the parameters to modify. Unspecified parameters remain unchanged.
aliyun configure set --profile <ProfileName> --<ParameterName> <NewValue>
Common parameters:
--region: Default region
--language: Output language (zh / en)
For detailed parameters, see the documentation of each credential type.
Example: Modify the default region of the default profile:
aliyun configure set --profile default --region cn-shanghai
Modifying a profile automatically sets it as the active profile.
Delete a profile
Run the following command to delete a specified profile:
aliyun configure delete --profile <ProfileName>
Example: Delete a profile named dev:
aliyun configure delete --profile dev
The delete operation is irreversible. If you delete the active profile, the first profile in the list automatically becomes the new active profile.
After the deletion, run the aliyun configure list command to confirm that the profile has been removed from the list.
FAQs
What if I enter incorrect information during interactive configuration?
Use aliyun configure set to modify the corresponding field. You do not need to reconfigure from scratch. Example:
aliyun configure set --profile <ProfileName> --<ParameterName> <CorrectValue>
A CLI command does not use the active profile
The CLI determines the actual profile to use based on the following priority (from highest to lowest). Higher priority overrides lower priority:
The --profile command-line parameter: Applies only to the current command and has the highest precedence.
The ALIBABA_CLOUD_PROFILE environment variable: Applies to all commands in the current terminal session.
The active profile: The profile marked with an * in the output of the aliyun configure list command. This setting is persistent.
If a command result does not match expectations, check whether the --profile parameter or the ALIBABA_CLOUD_PROFILE environment variable is set, as they override the active profile. Run echo $ALIBABA_CLOUD_PROFILE to check whether the environment variable is set.
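The priority order above, written out as a shell check (an added example, not code from the CLI): it resolves which profile a command would use and whether that profile holds a long-term AK credential. Function names are hypothetical; it assumes the aliyun configure list table layout shown earlier on this page, and the sample table is copied from there.

```sh
#!/bin/sh
# Added example; all function names are hypothetical.
# Sample `aliyun configure list` output, copied from the listing earlier on this page.
SAMPLE_LIST='Profile   | Credential         | Valid   | Region           | Language
--------- | ------------------ | ------- | ---------------- | --------
default   | AK:***UyLX         | Valid   | cn-shanghai      | en
OAuthProfile | OAuth:fiA5bnZkyw@CN | Valid   | cn-hangzhou      | en
EcsProfile * | EcsRamRole:ecs-role-name | Valid   | cn-beijing       | zh'

# active_profile LIST: name of the row whose Profile column carries the "*" marker.
active_profile() {
    printf '%s\n' "$1" | awk -F'|' 'NR > 2 && $1 ~ /\*/ {
        sub(/[ \t]*\*[ \t]*$/, "", $1); print $1; exit }'
}

# resolve_profile FLAG ENV LIST: apply the documented priority.
# FLAG is the --profile value ("" when absent); ENV is $ALIBABA_CLOUD_PROFILE.
resolve_profile() {
    if [ -n "$1" ]; then echo "$1"        # 1. --profile on the command line
    elif [ -n "$2" ]; then echo "$2"      # 2. ALIBABA_CLOUD_PROFILE
    else active_profile "$3"              # 3. active profile (marked "*")
    fi
}

# profile_mode NAME LIST: credential type, i.e. the text before ":" in the Credential column.
profile_mode() {
    printf '%s\n' "$2" | awk -F'|' -v want="$1" 'NR > 2 {
        name = $1; gsub(/[ \t*]/, "", name)
        if (name == want) {
            cred = $2; gsub(/[ \t]/, "", cred); sub(/:.*/, "", cred)
            print cred; exit
        }
    }'
}

# uses_long_term_key FLAG ENV LIST: succeeds when the effective profile is an AK profile.
uses_long_term_key() {
    [ "$(profile_mode "$(resolve_profile "$1" "$2" "$3")" "$3")" = "AK" ]
}

# In a real script the last argument would be "$(aliyun configure list)".
echo "effective profile: $(resolve_profile "" "${ALIBABA_CLOUD_PROFILE:-}" "$SAMPLE_LIST")"
```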
Error: load current configuration failed unknown profile default
Full error message:
ERROR: load current configuration failed unknown profile default, run configure to check
Cause:
All credential profiles have been deleted, which prevents Alibaba Cloud CLI from working properly.
Solution:
Manually delete the config.json file and run the aliyun configure command to reconfigure credentials. For the file location, see Configuration file location. For example, on Linux or macOS, run the following command to delete the file:
rm ~/.aliyun/config.json