CloudSSO integrates with Alibaba Cloud CLI. Users can log on to the CloudSSO user portal using browsers or Alibaba Cloud CLI. When using Alibaba Cloud CLI to access CloudSSO, users need to select an account in a resource directory and the required access configuration to access Alibaba Cloud resources. This topic describes how to use Alibaba Cloud CLI to access CloudSSO.
Background information
Alibaba Cloud CLI 3.0.271 and later (referred to as the new version in this topic) adds the CloudSSO credential type and simplifies the configuration process. The procedure for earlier versions (the old version) is still available. Run the aliyun version command to check which version of Alibaba Cloud CLI is installed.
New version
The new version provides both interactive and non-interactive configuration methods. The interactive method walks you through the configuration with prompts, which makes it easier to get started. The non-interactive method is better suited to scripts and automated configuration.
Interactive configuration
Run the aliyun configure command to start configuring CloudSSO logon information in interactive mode. You can specify multiple profiles and select a specific profile to quickly switch between accounts and access configurations.
aliyun configure --profile SSOProfile --mode CloudSSO
Enter the user logon URL as prompted.
aliyun configure --profile SSOProfile --mode CloudSSO
CloudSSO Sign In Url []: https://signin-******.alibabacloudsso.com/device/login
In the browser that appears, log on to the user portal. After you log on to the user portal, close the browser.
If no browsers appear, copy the logon URL and user code provided in the CLI to log on to the user portal.
Example:
If the browser does not open automatically, use the following URL to complete the login process:
SignIn url: https://signin-****.alibabacloudsso.com/device/code
User code: *********
The CLI reports that the logon is successful and lists the names of the accounts in the resource directory that you can access. Enter the number of the account that you want to access.
Now you can login to your account with SSO configuration in the browser.
You have successfully logged in.
Please choose an account:
1. <RD Management Account>
2. AccountName
Please input the account number: 1
The CLI outputs the available access configurations. Enter the number of the access configuration that you want to use.
Please choose an access configuration:
1. AccessConfiguration1
2. AccessConfiguration2
Please input the access configuration number: 2
Specify the default region.
Default Region Id []: cn-hangzhou
After the configuration is successful, the Configure Done message and a welcome message are displayed.
Non-interactive mode
Run the aliyun configure set command to configure CloudSSO credentials in non-interactive mode. The following table describes the parameters and options required for the credentials:
Options | Description | Example value |
profile | The name of the credential configuration. This name can be customized by the user and can contain uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), and special characters (_/+=.@-). | SSOProfile |
mode | The credential type. In this scenario, the value must be CloudSSO. | CloudSSO |
cloud-sso-sign-in-url | The user logon URL. How to obtain: Log on to the CloudSSO console and obtain the user logon URL on the right side of the Overview page. | https://signin-******.alibabacloudsso.com/device/login |
cloud-sso-account-id | The UID of the account in a resource directory. How to obtain: Log on to the CloudSSO console and obtain the UID of the account in a resource directory on the right side of the Multi-account Permission Management page. | 012345678910**** |
cloud-sso-access-config | The ID of the access configuration. How to obtain: Log on to the CloudSSO console and obtain the ID of the access configuration on the Access Configuration page. | ac-012345678910abcde**** |
region | The default region. Some cloud services do not support cross-region access. We recommend that you specify the region of your resources. | cn-hangzhou |
Configuration command:
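One way to assemble this command from the options in the table, as an added example rather than the page's own command: the script checks each value first (the profile-name charset from the table, and a sign-in URL that is HTTPS on an alibabacloudsso.com host) and then prints the command. The function names, the host and ID patterns, and all sample values are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example: validate the inputs, then print the `aliyun configure set` command.
# Flag names are the option names from the table; sample values are constructed.
LC_ALL=C  # byte-wise character ranges in the patterns below

# Profile name: A-Z, a-z, 0-9 and _/+=.@- only (the charset given in the table).
valid_profile() {
  case "$1" in
    ''|*[!A-Za-z0-9_/+=.@-]*) return 1 ;;
  esac
}

# Sign-in URL: https, host signin-<id>.alibabacloudsso.com, path /device/login.
# The host pattern is an assumption taken from the sample URL on this page.
valid_signin_url() {
  case "$1" in https://*) ;; *) return 1 ;; esac
  rest=${1#https://}
  host=${rest%%/*}
  [ "${rest#"$host"}" = /device/login ] || return 1
  case "$host" in
    *[!A-Za-z0-9.-]*) return 1 ;;   # rejects userinfo (@) and ports (:)
    signin-?*.alibabacloudsso.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Args: profile sign-in-url account-uid access-config-id region
# Digits-only UID and the "ac-" prefix are assumptions from the page's samples.
sso_configure_cmd() {
  valid_profile "$1"    || { echo "invalid profile name" >&2; return 1; }
  valid_signin_url "$2" || { echo "invalid sign-in URL" >&2; return 1; }
  case "$3" in ''|*[!0-9]*) echo "invalid account UID" >&2; return 1 ;; esac
  case "$4" in
    *[!a-z0-9-]*) echo "invalid access configuration ID" >&2; return 1 ;;
    ac-?*) ;;
    *) echo "invalid access configuration ID" >&2; return 1 ;;
  esac
  case "$5" in ''|*[!a-z0-9-]*) echo "invalid region" >&2; return 1 ;; esac
  printf 'aliyun configure set --profile %s --mode CloudSSO' "$1"
  printf ' --cloud-sso-sign-in-url %s --cloud-sso-account-id %s' "$2" "$3"
  printf ' --cloud-sso-access-config %s --region %s\n' "$4" "$5"
}

# Dry run with constructed values: prints the command instead of executing it.
sso_configure_cmd SSOProfile \
  https://signin-example.alibabacloudsso.com/device/login \
  0123456789101234 ac-012345678910abcdefgh cn-hangzhou
```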
Note: After you configure CloudSSO credentials in non-interactive mode, you need to run the aliyun configure --profile <profileName> command to log on for the first time when you use the credentials.
Old version
Procedure
Step 1: Install CLI
You must install Alibaba Cloud CLI and CloudSSO CLI:
Step 2: Configure information about access to CloudSSO
Run the following command to configure information about access to CloudSSO:
acs-sso configure
Enter the user logon URL signinUrl.
Note: How to obtain the user logon URL signinUrl: Log on to the CloudSSO console and obtain the User Logon URL on the right side of the Overview page.
Sample request:
acs-sso configure
? please input 'signinUrl': https://signin-******.alibabacloudsso.com/device/login
Sample success response:
configuration done!
Step 3: Log on to Alibaba Cloud as a CloudSSO user
The following list provides the commonly used commands:
Default logon
Run the following command:
acs-sso login
In the browser that appears, log on to the user portal. After you log on to the user portal, close the browser.
If no browsers appear, copy the logon URL and user code that are provided in the CLI to log on to the user portal.
Example:
If your default browser is not opened automatically, please use the following URL to finish the signin process.
Signin URL: https://signin-****.alibabacloudsso.com/device/code
User Code: *********
If the current user is assigned access permissions on multiple accounts in your resource directory, the CLI prompts you to select an account and the access configuration for the account. Then, the CLI generates the AccessKey pair for the account.
Sample response:
You have logged in.
used account: test-account(191585963325****)
used access configuration: TestAC(ac-x08xz11covd3cyzd****)
{
"mode": "StsToken",
"access_key_id": "STS.****",
"access_key_secret": "****",
"sts_token": "****"
}
After the logon succeeds, the profile is attached to the account in a resource directory and the access configuration. The cached account and access configuration are used for the next logon.
Specify the CloudSSO logon configuration name.
acs-sso login --profile sso
If you want to configure logon information for multiple accounts in your resource directory and access configurations at a time, you can specify a logon profile to use a specific account and its access configuration. In this case, logon profiles are used to distinguish multiple accounts in your resource directory and their access configurations. You can use --profile to specify different logon profiles for CloudSSO. The preceding command specifies that the logon profile is sso.
If --profile is not specified, the default logon profile is default.
Obtain logon configurations
acs-sso profile --list
Delete a specific logon configuration
Run the following command to delete the default logon configuration:
acs-sso profile --delete --profile default
Run the following command to delete the logon configuration named sso:
acs-sso profile --delete --profile sso
Configure the mode of the output
You can configure one of the following modes as needed:
External process mode (default): You can use this output mode when you use the external process (External) mode of Alibaba Cloud CLI.
Sample response:
{
"mode": "StsToken",
"access_key_id": "STS.NUyPeEoab****",
"access_key_secret": "GBubpmh****",
"sts_token": "CAIS****"
}
Environment variable mode: You can use the --env parameter to configure the output in environment variable mode. For example: acs-sso login --profile user1 --env.
Sample response:
export ALIBABACLOUD_ACCESS_KEY_ID=STS.NUyPeEoab****
export ALIBABACLOUD_ACCESS_KEY_SECRET=GBubpmh****
export SECURITY_TOKEN=CAIS****
Environment variables can be used together with Alibaba Cloud tools such as Terraform. For example: `acs-sso login --profile user1 --env` && terraform plan.
Environment variables can be used together with Alibaba Cloud CLI. For example: `acs-sso login --profile user1 --env` && aliyun ecs DescribeRegions.
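The two commands above run the tool's output as a shell command and leave the credentials exported in the current shell. As an added example (not part of the original page or of CloudSSO CLI), the following wrapper accepts that output only when it consists of the three export lines shown above and scopes the credentials to a single command; the function names and the allowed value characters are assumptions.

```shell
#!/bin/sh
# Added example: accept env-mode output only if it is exactly the three export
# lines shown above, then run one command with those variables in a subshell.
# Assumes the tool prints nothing else on stdout; the value charset is an assumption.
LC_ALL=C  # byte-wise character ranges in the patterns below

# Reads env-mode output on stdin and exports the three expected variables.
load_sso_env() {
  names=
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '') continue ;;
      "export ALIBABACLOUD_ACCESS_KEY_ID="*) ;;
      "export ALIBABACLOUD_ACCESS_KEY_SECRET="*) ;;
      "export SECURITY_TOKEN="*) ;;
      *) echo "unexpected line in env output" >&2; return 1 ;;
    esac
    kv=${line#export }
    name=${kv%%=*}
    value=${kv#*=}
    case "$value" in   # no quotes, spaces, ';', '$' or backticks get through
      ''|*[!A-Za-z0-9+/=._-]*) echo "unexpected value for $name" >&2; return 1 ;;
    esac
    case " $names " in
      *" $name "*) echo "duplicate $name" >&2; return 1 ;;
    esac
    names="$names $name"
    export "$name=$value"
  done
  set -- $names
  [ "$#" -eq 3 ] || { echo "expected 3 variables, got $#" >&2; return 1; }
}

# stdin: env-mode output; args: the command that needs the credentials.
# The subshell keeps the STS credentials out of the calling shell's environment.
run_with_sso_env() {
  ( load_sso_env && "$@" )
}

# Constructed sample in the format shown above (not real credentials).
printf '%s\n' \
  'export ALIBABACLOUD_ACCESS_KEY_ID=STS.ConstructedKeyId' \
  'export ALIBABACLOUD_ACCESS_KEY_SECRET=ConstructedSecret' \
  'export SECURITY_TOKEN=Q29uc3RydWN0ZWQ=' |
  run_with_sso_env sh -c 'echo "credentials loaded for $ALIBABACLOUD_ACCESS_KEY_ID"'
```

Under the stated assumption, the Terraform case from this page becomes `acs-sso login --profile user1 --env | run_with_sso_env terraform plan`. Any extra line on stdout makes the wrapper stop before the command runs.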
Step 4: Use Alibaba Cloud CLI
Sample request:
aliyun configure --mode External --profile sso
Configuring profile 'sso' in 'External' authenticate mode...
Process Command []: acs-sso login --profile sso
Default Region Id []: cn-shanghai
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sso] ...Done.
In this example, Process Command uses the acs-sso login --profile sso command to specify that the logon profile for CloudSSO is sso. We recommend that you specify the same profile for both Alibaba Cloud CLI and CloudSSO CLI. This way, if multiple logon profiles are configured, you can configure CLI credentials multiple times and match the CLI credentials with different logon profiles.
Sample success response:
Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............
Run the following command to check whether Alibaba Cloud CLI is available:
aliyun sts GetCallerIdentity --profile sso