Alibaba Cloud CLI supports five advanced credential methods — OIDC, CloudSSO, External, CredentialsURI, and BearerToken — that eliminate the need to store long-term AccessKeys locally. This topic covers the applicable scenarios and configuration steps for each method.
Version requirements
Alibaba Cloud CLI version 3.3.0 or later is required. Run the aliyun version command to check your current version. If your version is earlier than 3.3.0, see Install or update the CLI to upgrade.
The BearerToken method requires Alibaba Cloud CLI version 3.3.16 or later.
OIDC
The OIDC method authenticates by assuming a RAM role with an ID Token from an OIDC-compatible identity provider. Use this method in ACK or ACS pods with RRSA (RAM Roles for Service Accounts) enabled. The CLI reads the OIDC token file mounted to the pod, calls the STS AssumeRoleWithOIDC API for a temporary credential, and refreshes it automatically.
Prerequisites
- You have created an ACK or ACS cluster and enabled the RRSA feature for ACK or ACS.
- You have created a RAM role for the OIDC identity provider, and the trust policy allows the role to be assumed by the OIDC identity provider that is automatically created by the cluster, named in the format ack-rrsa-{cluster-id}.
- You have associated the pod's service account with the RAM role by using RRSA.
Configure the credential
Non-interactive configuration (recommended)
With RRSA enabled, the ack-pod-identity-webhook component injects the following environment variables into pods, which the CLI recognizes automatically. To install the component, follow Manage components for ACK managed clusters.
- ALIBABA_CLOUD_OIDC_PROVIDER_ARN
- ALIBABA_CLOUD_OIDC_TOKEN_FILE
- ALIBABA_CLOUD_ROLE_ARN
Configure the profile with environment variables:
aliyun configure set \
--mode OIDC \
--profile OIDCProfile \
--oidc-provider-arn $ALIBABA_CLOUD_OIDC_PROVIDER_ARN \
--oidc-token-file $ALIBABA_CLOUD_OIDC_TOKEN_FILE \
--ram-role-arn $ALIBABA_CLOUD_ROLE_ARN \
--role-session-name "rrsa-pod" \
--region cn-shanghai
Interactive configuration
- Run the following command to start the configuration. Replace <ProfileName> with a custom profile name, such as OIDCProfile.
  aliyun configure --mode OIDC --profile <ProfileName>
- At the prompts, enter the OIDC Provider ARN, OIDC Token File path, RAM Role ARN, Role Session Name, default region, and language.
  Configuring profile 'OIDC_Profile' in 'OIDC' authenticate mode...
  OIDC Provider ARN []: acs:ram::012345678910****:oidc-provider/TestOidcIdp
  OIDC Token File []: /path/to/oidctoken
  RAM Role ARN []: acs:ram::012345678910****:role/Alice
  Role Session Name []: rrsa-pod-name
  Default Region Id []: cn-shanghai
  Default Output Format [json]: json (Only support json)
  Default Language [zh|en] en: en
  Saving profile[OIDC_Profile] ...Done.
- The terminal displays Configure Done and a welcome message, indicating success.
Run aliyun sts get-caller-identity in the pod to verify the credentials.
Credential refresh
The cluster automatically rotates the OIDC token file in the pod. The CLI calls the STS AssumeRoleWithOIDC API with the latest token to refresh the credential. No user action is required.
CloudSSO
The CloudSSO method is for enterprises using the CloudSSO directory service. It lets you log on to the CLI with a unified identity and switch between resource directory accounts and access configurations.
Prerequisites
- Your enterprise has deployed CloudSSO and configured a user directory and access configurations.
- The CloudSSO user has been assigned at least one access configuration.
- You have the CloudSSO logon URL from your administrator, typically in the format https://signin-<region>.alibabacloudsso.com/<directory-name>/login. See Obtain the user portal URL.
Configure the credential
- Run the following command to start the configuration. Replace <ProfileName> with a custom profile name, such as SSOProfile.
  aliyun configure --mode CloudSSO --profile <ProfileName>
- As prompted, enter the SignIn Url.
  Configuring profile 'SSOProfile' in 'CloudSSO' authenticate mode...
  CloudSSO Sign In Url []: https://signin-<region>.alibabacloudsso.com/<directory-name>/login
- Follow the browser prompts to complete CloudSSO logon. After logging in, close the browser.
  Note: If no browser opens, copy the SignIn url and User code from the CLI output and paste them into a browser. The following is a sample prompt:
  If the browser does not open automatically, use the following URL to complete the login process:
  SignIn url: https://signin-****.alibabacloudsso.com/device/code
  User code: CGKM-LIXZ
- After successful logon, the CLI lists the accounts you can access. Enter the number of the target account.
  Now you can login to your account with SSO configuration in the browser.
  You have successfully logged in.
  Please choose an account:
  1. <RD Management Account>
  2. <other-account-name>
  Please input the account number: 1
- The CLI lists available access configurations. Enter the number of the configuration you want to use.
  Please choose an access configuration:
  1. <access-configuration1>
  2. <access-configuration2>
  Please input the access configuration number: 2
- Set the default region and language. For example:
  Default Region Id []: cn-shanghai
  Default Language [zh|en] en: en
  Set the default region to where your resources reside. Available regions are listed in Regions and availability zones.
- The terminal displays Configure Done and a welcome message, indicating success.
Run aliyun sts get-caller-identity to verify the credential.
A new configuration automatically becomes active. To switch profiles, run the aliyun configure switch --profile <ProfileName> command.
Credential refresh
CloudSSO credentials do not automatically refresh. After expiration, run aliyun configure --mode CloudSSO --profile <ProfileName> again to reconfigure.
External
The External method runs an external program to retrieve credentials. The CLI executes the specified program each time a credential is needed and reads the result from its standard output.
Prerequisites
- You have a program or script that writes a credential to stdout in one of the following JSON formats:
  AccessKey
  { "mode": "AK", "access_key_id": "<yourAccessKeyID>", "access_key_secret": "<yourAccessKeySecret>" }
  STS token
  { "mode": "StsToken", "access_key_id": "<yourAccessKeyID>", "access_key_secret": "<yourAccessKeySecret>", "sts_token": "<yourSecurityToken>" }
- The program must exit with status code 0.
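An added example of such a helper, not code from this page or from Alibaba Cloud: a small Python program that reads a credential from a JSON file (the path /run/secrets/aliyun-sts.json, the CRED_HELPER_SOURCE variable and the expires_at field are this example's own assumptions), emits exactly the JSON the CLI expects, and exits non-zero when the credential is missing or the STS token is about to expire.

```python
"""Credential helper for the CLI's External mode (added example, not from the page).
Reads a credential from a JSON file, prints it to stdout in the format the CLI
expects, and exits non-zero on any problem so the CLI treats the lookup as a
failure instead of using a stale or partial credential."""
import json
import os
import sys
import time

# Assumed location of the upstream credential; override with CRED_HELPER_SOURCE.
DEFAULT_SOURCE = os.environ.get("CRED_HELPER_SOURCE", "/run/secrets/aliyun-sts.json")
MIN_REMAINING_SECONDS = 60  # refuse an STS token with less lifetime left than this


def render_credential(source, now):
    """Return (exit_code, text): (0, JSON for stdout) or (1, error for stderr)."""
    ak = source.get("access_key_id")
    sk = source.get("access_key_secret")
    if not ak or not sk:
        return 1, "access_key_id and access_key_secret are required"
    token = source.get("sts_token")
    if not token:
        return 0, json.dumps({"mode": "AK", "access_key_id": ak,
                              "access_key_secret": sk})
    # Assumed field: expires_at is a Unix timestamp written by whatever produced
    # the token. The CLI does not cache External credentials, so rejecting a
    # near-expired token makes the CLI fail fast instead of calling with it.
    expires_at = float(source.get("expires_at", 0))
    if expires_at and expires_at - now < MIN_REMAINING_SECONDS:
        return 1, "STS token is expired or about to expire"
    return 0, json.dumps({"mode": "StsToken", "access_key_id": ak,
                          "access_key_secret": sk, "sts_token": token})


def main(path=DEFAULT_SOURCE):
    try:
        with open(path, encoding="utf-8") as fh:
            source = json.load(fh)
    except (OSError, ValueError) as exc:
        sys.stderr.write(f"credential-helper: cannot read {path}: {exc}\n")
        return 1
    code, text = render_credential(source, time.time())
    # Only the credential JSON may go to stdout; diagnostics go to stderr.
    (sys.stdout if code == 0 else sys.stderr).write(text + "\n")
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Point --process-command at this script; because stdout carries only the credential JSON and every failure exits 1, the CLI never receives a half-formed credential.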
Configure the credential
Non-interactive configuration (recommended)
Bash
aliyun configure set \
--mode External \
--profile ExternalProfile \
--process-command "/path/to/credential-helper" \
--region cn-shanghai
PowerShell
aliyun configure set `
--mode External `
--profile ExternalProfile `
--process-command "/path/to/credential-helper" `
--region cn-shanghai
Interactive configuration
aliyun configure --mode External --profile <ProfileName>
At the prompts, enter the Process Command, default region, and language to complete the configuration.
Run aliyun sts get-caller-identity to verify the credential.
Credential refresh
The CLI does not cache or refresh External credentials. It re-executes the program each time a credential is needed.
CredentialsURI
The CredentialsURI method retrieves temporary STS tokens via HTTP GET from a specified endpoint. Use this method with a self-managed credential distribution service.
Prerequisites
- You have an HTTP(S) endpoint that returns credentials with HTTP 200 in the following JSON format:
  {
  "Code": "Success",
  "AccessKeyId": "<yourAccessKeyID>",
  "AccessKeySecret": "<yourAccessKeySecret>",
  "SecurityToken": "<yourSecurityToken>"
  }
- If the URL does not return HTTP 200 or the response format is unexpected, the CLI treats the request as a failure.
- The Code field in the response JSON must be "Success" (case-sensitive).
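An added example, not from this page or from Alibaba Cloud, that checks an endpoint's response against the acceptance rules just listed before you point a profile at it; the function names and the error strings are this example's own.

```python
"""Pre-flight check for a CredentialsURI endpoint (added example, not from the page).
response_defects() applies the CLI's acceptance rules: HTTP 200, a JSON object,
Code exactly "Success", and non-empty AccessKeyId, AccessKeySecret and
SecurityToken. check_endpoint() fetches a URL with a plain GET as the CLI does."""
import json
import sys
import urllib.error
import urllib.request

REQUIRED_FIELDS = ("AccessKeyId", "AccessKeySecret", "SecurityToken")


def response_defects(status, body):
    """Return the reasons the CLI would reject this response; empty means accepted."""
    defects = []
    if status != 200:
        defects.append(f"expected HTTP 200, got {status}")
    try:
        payload = json.loads(body)
    except ValueError:
        return defects + ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return defects + ["JSON body must be an object"]
    # Case-sensitive comparison: "success" or "SUCCESS" is a failure.
    if payload.get("Code") != "Success":
        defects.append(f'Code must be exactly "Success", got {payload.get("Code")!r}')
    missing = [f for f in REQUIRED_FIELDS if not payload.get(f)]
    if missing:
        defects.append("missing or empty fields: " + ", ".join(missing))
    return defects


def check_endpoint(url, timeout=5.0):
    """GET the URL and return response_defects() for what came back."""
    if not url.startswith("https://"):
        # The CLI accepts plain HTTP, but the STS token then travels in
        # cleartext; keep such endpoints loopback-only or otherwise isolated.
        sys.stderr.write(f"warning: {url} is not HTTPS\n")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return response_defects(status, body)


if __name__ == "__main__":
    problems = check_endpoint(sys.argv[1])
    print("accepted by the CLI's rules" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```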
Configure the credential
- Run the following command to start the configuration. Replace <ProfileName> with a custom profile name, such as URIProfile.
  aliyun configure --mode CredentialsURI --profile <ProfileName>
- At the prompts, enter the Credentials URI, default region, and language.
  Configuring profile 'URIProfile' in 'CredentialsURI' authenticate mode...
  Credentials URI []: http://credentials.uri/
  Default Region Id []: cn-shanghai
  Default Output Format [json]: json (Only support json)
  Default Language [zh|en] en: en
  Saving profile[URIProfile] ...Done.
  Set the default region to where your resources reside. Available regions are listed in Regions and availability zones.
- The terminal displays Configure Done and a welcome message, indicating success.
A new profile automatically becomes active. To switch profiles, run the aliyun configure switch --profile <ProfileName> command.
Run aliyun sts get-caller-identity to verify the credential.
Credential refresh
After the credential expires, the CLI automatically sends a new GET request to the endpoint. Your endpoint must return a valid STS token for each request.
BearerToken
The BearerToken method authenticates with Alibaba Cloud APIs using a Bearer Token. This method calls APIs through product plugins.
Prerequisites
- You have a Bearer Token from the target service.
- BearerToken mode calls APIs through product plugins. Install the CLI plugin for the target product before calling the API: aliyun plugin install --name <plugin-name>.
- The CLI version must be 3.3.16 or later.
Configure the credential
Non-interactive configuration (recommended)
aliyun configure set \
--mode BearerToken \
--profile BearerProfile \
--bearer-token <your-bearer-token> \
--region cn-shanghai
To use a custom authentication header, add the --bearer-token-header-key parameter:
aliyun configure set \
--mode BearerToken \
--profile BearerProfile \
--bearer-token <your-bearer-token> \
--bearer-token-header-key <custom-header-name> \
--region cn-shanghai
Interactive configuration
- Run the following command to start the configuration. Replace <ProfileName> with a custom profile name, such as BearerProfile.
  aliyun configure --mode BearerToken --profile <ProfileName>
- At the prompts, enter the Bearer Token, an optional Bearer Token Header Key (leave blank to use the default), the default region, and the language.
  Configuring profile 'BearerProfile' in 'BearerToken' authenticate mode...
  Bearer Token []: eyJhbGciOiJSUzI1****
  Bearer Token Header Key [] (optional, e.g. x-custom-token; leave empty for x-acs-bearer-token):
  Default Region Id []: cn-shanghai
  Default Output Format [json]: json (Only support json)
  Default Language [zh|en] en: en
  Saving profile[BearerProfile] ...Done.
- The terminal displays Configure Done and a welcome message, indicating success.
Verify the credential by calling an API through the product plugin:
aliyun <command> <sub-command> --profile BearerProfile
In BearerToken mode, configure hello does not check connectivity and always returns success. Verify the credential with an actual API call.
Environment variables
The BearerToken method supports these environment variables:
| Environment variable | Description |
| --- | --- |
|  | The value of the Bearer Token. |
|  | Custom authentication header name. Defaults to x-acs-bearer-token. |
Delete credential
To delete a profile:
aliyun configure delete --profile <ProfileName>
Deleting the active profile causes the CLI to switch to the first profile in the list.