CloudSSO is integrated with Alibaba Cloud Command Line Interface (Alibaba Cloud CLI). Users can log on to the CloudSSO user portal by using browsers or Alibaba Cloud CLI. If a user uses Alibaba Cloud CLI to access CloudSSO, the user needs to select an account in a resource directory and the required access configuration to access Alibaba Cloud resources. This topic describes how to use Alibaba Cloud CLI to access CloudSSO.
Step 1: Install CLIs
You must install Alibaba Cloud CLI and CloudSSO CLI:
- Install Alibaba Cloud CLI
For more information, see Documentation of Alibaba Cloud CLI.
- Install CloudSSO CLI
Note: You must install Node.js 7.6.0 or later. We recommend that you install the latest long-term support (LTS) version. For more information, visit Node.js.
Use the package management tool npm to install CloudSSO CLI. You must run the following command:
npm i @alicloud/sso-cli -g
For more information, see CloudSSO CLI.
Step 2: Configure information about access to CloudSSO
Sample request:
acs-sso configure
? please input 'signinUrl': https://signin-******.alibabacloudsso.com/device/login
signinUrl indicates the URL used to log on to the CloudSSO user portal. To obtain the URL, log on to the CloudSSO console, go to the Overview page, and then find the User Logon URL section.
Sample success response:
configuration done!
Step 3: Use CloudSSO users to log on to Alibaba Cloud
The following list provides the commonly used logon commands:
- Default logon
  - Run the following command:
    acs-sso login
  - In the browser that appears, log on to the user portal. After you log on to the user portal, close the browser.
    If no browsers appear, copy the logon URL and user code that are provided in the CLI to log on to the user portal. Example:
    If your default browser is not opened automatically, please use the following URL to finish the signin process.
    Signin URL: https://signin-****.alibabacloudsso.com/device/code
    User Code: *********
  - If the current user is assigned access permissions on multiple accounts in your resource directory, the CLI reminds you to select an account and the access configuration for the account. Then, the CLI generates the AccessKey pair for the account. Example:
    You have logged in.
    used account: test-account(191585963325****)
    used access configuration: TestAC(ac-x08xz11covd3cyzd****)
    {
      "mode": "StsToken",
      "access_key_id": "STS.****",
      "access_key_secret": "****",
      "sts_token": "****"
    }
    After you log on to the user portal, the selected account and access configuration are cached for the profile option. The cached account and access configuration are used for the next logon.
- Force logon
  Run the following command:
  acs-sso login --force
  After you log on to the user portal, the logon information is automatically cached. If you do not want to use the cached information for logons, you can use the --force option to forcibly start a logon session.
- Logon by using logon profiles
  acs-sso login --profile sso
  If you want to configure logon information for multiple accounts in your resource directory and access configurations at a time, you can specify a logon profile to use a specific account and its access configuration. In this case, logon profiles are used to distinguish multiple accounts in your resource directory and their access configurations. You can use the --profile option to specify different logon profiles. The preceding command specifies that the logon profile is sso. If you do not use the --profile option to specify the logon profile, the logon profile named default is used.
- Configure the mode of the output
  You can configure one of the following modes based on your business requirements:
  - External process mode: If you use --mode External in Alibaba Cloud CLI, you can use this mode. This mode is the default value. For more information, see Use an external program to get credentials.
    Sample output:
    {
      "mode": "StsToken",
      "access_key_id": "STS.NUyPeEoab****",
      "access_key_secret": "GBubpmh****",
      "sts_token": "CAIS****"
    }
  - Environment variable mode: You can use this mode by configuring the --env parameter. Example: acs-sso login --profile user1 --env
    Sample output:
    export ALIBABACLOUD_ACCESS_KEY_ID=STS.NUyPeEoab****
    export ALIBABACLOUD_ACCESS_KEY_SECRET=GBubpmh****
    export SECURITY_TOKEN=CAIS****
    Environment variables can be used together with Alibaba Cloud tools such as Terraform. Example:
    `acs-sso login --profile user1 --env` && terraform plan
    Environment variables can be used together with Alibaba Cloud CLI. Example:
    `acs-sso login --profile user1 --env` && aliyun ecs DescribeRegions
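In the backtick form shown for environment variable mode, the shell executes whatever the command prints. The following POSIX shell functions are an added example, not code from this page or from the CloudSSO CLI project: they accept only the three variable names shown in the sample output and run the downstream tool in a subshell so that the temporary credentials do not remain in the interactive shell. The names load_sso_env, run_with_sso and _bad, and the set of characters allowed in values, are assumptions.

```shell
#!/bin/sh
# Added example: accept `acs-sso login --env` output through an allow-list
# instead of letting the shell execute whatever the command prints.

# Variable names taken from the --env sample output on this page.
ALLOWED_VARS="ALIBABACLOUD_ACCESS_KEY_ID ALIBABACLOUD_ACCESS_KEY_SECRET SECURITY_TOKEN"

_bad() { echo "load_sso_env: $1" >&2; }

# load_sso_env: read "export NAME=VALUE" lines on stdin and export them only
# if every line is well formed and all three expected names are present.
load_sso_env() {
  _input=$(cat); _seen=""
  while IFS= read -r _line; do              # pass 1: validate, export nothing
    [ -z "$_line" ] && continue
    case "$_line" in "export "*=*) ;; *) _bad "not an export line"; return 1 ;; esac
    _kv=${_line#"export "}; _name=${_kv%%=*}; _value=${_kv#*=}
    case "$_name" in ""|*[!A-Z_]*) _bad "malformed name"; return 1 ;; esac
    case " $ALLOWED_VARS " in
      *" $_name "*) ;;
      *) _bad "unexpected variable $_name"; return 1 ;;
    esac
    # Assumed value alphabet: base64/base64url characters plus ".".
    case "$_value" in ""|*[!A-Za-z0-9._+/=-]*) _bad "bad value for $_name"; return 1 ;; esac
    _seen="$_seen $_name"
  done <<EOF
$_input
EOF
  for _name in $ALLOWED_VARS; do
    case " $_seen " in *" $_name "*) ;; *) _bad "$_name missing"; return 1 ;; esac
  done
  while IFS= read -r _line; do              # pass 2: input is known-good
    if [ -n "$_line" ]; then export "${_line#export }"; fi
  done <<EOF
$_input
EOF
}

# run_with_sso PROFILE CMD [ARGS...]: run CMD in a subshell that holds the
# temporary credentials, so they never persist in the interactive shell.
# Usage: run_with_sso user1 terraform plan
run_with_sso() {
  _profile=$1; shift
  _creds=$(acs-sso login --profile "$_profile" --env) || return 1
  ( load_sso_env <<EOF && "$@"
$_creds
EOF
  )
}
```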
Step 4: Use Alibaba Cloud CLI to access CloudSSO
Sample request:
aliyun configure --mode External --profile sso
Configuring profile 'sso' in 'External' authenticate mode...
Process Command []: acs-sso login --profile sso
Default Region Id []: cn-shanghai
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sso] ...Done.
acs-sso login --profile sso in Process Command specifies that the logon profile is sso. We recommend that you specify the same profile for both Alibaba Cloud CLI and CloudSSO CLI. This way, if multiple logon profiles are configured, you can configure CLI credentials multiple times and match the CLI credentials with different logon profiles.
Sample success response:
Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............
Run the following command to check whether Alibaba Cloud CLI is available:
aliyun sts GetCallerIdentity --profile sso