How to use Alibaba Cloud CLI to access CloudSSO and Alibaba Cloud resources - CloudSSO

CloudSSO is integrated with Alibaba Cloud CLI. Users can log on to the CloudSSO user portal by using browsers or Alibaba Cloud CLI. If a user uses Alibaba Cloud CLI to access CloudSSO, the user needs to select an account in a resource directory and the required access configuration to access Alibaba Cloud resources. This topic describes how to use Alibaba Cloud CLI to access CloudSSO.

Step 1: Install CLIs

You must install Alibaba Cloud CLI and CloudSSO CLI:

Install Alibaba Cloud CLI
Install CloudSSO CLI
1. Install Node.js.
  Install the package management tool npm when you install Node.js.
  Note
  You must install Node.js 7.6.0 or later. We recommend that you install the latest long-term support (LTS) version. For more information, visit LTS.
2. Run the following command to install the CloudSSO CLI:
```
npm i @alicloud/sso-cli -g
```
For more information, see CloudSSO CLI.

Step 2: Configure information about access to CloudSSO

Run the following command to configure information about access to CloudSSO:
```
acs-sso configure
```
Enter signinUrl, which indicates the URL that is used to log on to the CloudSSO user portal.
Note
To obtain the signinUrl, log on to the CloudSSO console, go to the Overview page, and then find the User Logon URL section on the right.
Sample request:
```
acs-sso configure
? please input 'signinUrl': https://signin-******.alibabacloudsso.com/device/login
```
Sample success response:
```
configuration done!
```

Step 3: Use CloudSSO users to log on to Alibaba Cloud

The following list provides the commonly used commands:

Default logon
1. Run the following command:
```
acs-sso login
```
2. In the browser that appears, log on to the user portal. After you log on to the user portal, close the browser.
  If no browsers appear, copy the logon URL and user code that are provided in the CLI to log on to the user portal.
  Example:
```
If your default browser is not opened automatically, please use the following URL to finish the signin process.
Signin URL: https://signin-****.alibabacloudsso.com/device/code
User Code: *********
```
3. If the current user is assigned access permissions on multiple accounts in your resource directory, the CLI reminds you to select an account and the access configuration for the account. Then, the CLI generates the AccessKey pair for the account.
  Example:
```
You have logged in.
used account: test-account(191585963325****)
used access configuration: TestAC(ac-x08xz11covd3cyzd****)
{
  "mode": "StsToken",
  "access_key_id": "STS.****",
  "access_key_secret": "****",
  "sts_token": "****"
}
```
After you log on to the user portal, the selected account and access configuration are cached for the profile option. The cached account and access configuration are used for the next logon.
Logon by using logon profiles
```
acs-sso login --profile sso
```
If you want to configure logon information for multiple accounts in your resource directory and access configurations at a time, you can specify a logon profile to use a specific account and its access configuration. In this case, logon profiles are used to distinguish multiple accounts in your resource directory and their access configurations. You can use the --profile option to specify different logon profiles. The preceding command specifies that the logon profile is sso.
If you do not use the --profile option to specify the logon profile, the logon profile named default is used.
Obtain logon configurations.
```
acs-sso profile --list
```
Delete a specific logon configuration.
Run the following command to delete the default logon configuration:
```
acs-sso profile --delete --profile default
```
Run the following command to delete the logon configuration named sso:
```
acs-sso profile --delete --profile sso
```
Configure the mode of the output.
You can configure one of the following modes based on your business requirements:
- External process mode: If you use --mode External in Alibaba Cloud CLI, you can use this mode. This mode is the default value. For more information, see Use an external program to get credentials.
  Example:
```
{
  "mode": "StsToken",
  "access_key_id": "STS.NUyPeEoab****",
  "access_key_secret": "GBubpmh****",
  "sts_token": "CAIS****"
}
```
- Environment variable mode: You can use this mode by configuring the --env parameter. Example: acs-sso login --profile user1 --env.
  Example:
```
export ALIBABACLOUD_ACCESS_KEY_ID=STS.NUyPeEoab****
export ALIBABACLOUD_ACCESS_KEY_SECRET=GBubpmh****
export SECURITY_TOKEN=CAIS****
```
  Environment variables can be used together with Alibaba Cloud tools such as Terraform. Example: `acs-sso login --profile user1 --env` && terraform plan.
  Environment variables can be used together with Alibaba Cloud CLI. Example: `acs-sso login --profile user1 --env` && aliyun ecs DescribeRegions.

Step 4: Use Alibaba Cloud CLI to access CloudSSO

Sample request:

aliyun configure --mode External --profile sso
Configuring profile 'sso' in 'External' authenticate mode...
Process Command []: acs-sso login --profile sso
Default Region Id []: cn-shanghai
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en: 
Saving profile[sso] ...Done.

acs-sso login --profile sso in Process Command specifies that the logon profile is sso. We recommend that you specify the same profile for both Alibaba Cloud CLI and CloudSSO CLI. This way, if multiple logon profiles are configured, you can configure CLI credentials multiple times and match the CLI credentials with different logon profiles.

Sample success response:

Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............

Run the following command to check whether Alibaba Cloud CLI is available:

aliyun sts GetCallerIdentity --profile sso