
CloudSSO: Use Alibaba Cloud CLI to access CloudSSO and Alibaba Cloud resources

Last Updated: May 06, 2025

CloudSSO integrates with Alibaba Cloud CLI. Users can log on to the CloudSSO user portal by using browsers or Alibaba Cloud CLI. After logging on to the user portal, users can select an account in a resource directory and the required access configuration to use the CLI for accessing Alibaba Cloud resources. This topic describes how to use Alibaba Cloud CLI to access CloudSSO.

Background information

Alibaba Cloud CLI 3.0.271 and later versions (new versions) add the CloudSSO credential type and simplify the configuration process. The operation method of earlier versions is still available. You can use the aliyun version command to check the current version of Alibaba Cloud CLI.

New version

Procedure

Step 1: Install CLI

You need to install Alibaba Cloud CLI.

Step 2: Configure CloudSSO logon information

  1. Run the following command to configure information about access to CloudSSO. You can set multiple profiles to quickly switch between accounts and access configurations by specifying a profile.

    aliyun configure --profile sso --mode CloudSSO
  2. Enter the user logon URL signinUrl as prompted.

    Note

    How to obtain the user logon URL signinUrl: Log on to the CloudSSO console, and on the Overview page, obtain the User Logon URL on the right side.

    aliyun configure --profile sso --mode CloudSSO
    CloudSSO Sign In Url []: https://signin-******.alibabacloudsso.com/device/login
  3. In the browser that appears, log on to the user portal. After you log on to the user portal, close the browser.

    If the browser does not open automatically, copy the login URL (SignIn url) and user code (User code) shown in the CLI prompt and complete the login manually.

    Example:

    If the browser does not open automatically, use the following URL to complete the login process:
    
    SignIn url: https://signin-****.alibabacloudsso.com/device/code
    User code: *********
  4. The CLI reports a successful login and lists the resource directory accounts that you can access. Enter the number of the account that you want to access.

    Now you can login to your account with SSO configuration in the browser.
    You have successfully logged in.
    Please choose an account:
    1. <RD Management Account>
    2. AccountName
    Please input the account number: 1
  5. The CLI lists the access configurations you can use. Enter the number to select the access configuration you want to use.

    Please choose an access configuration:
    1. AccessConfiguration1
    2. AccessConfiguration2
    Please input the access configuration number: 2
  6. Specify the default region.

    For region IDs, see Regions and zones.

    Default Region Id []: cn-hangzhou
  7. Sample success response:

    Configure Done!!!
    ..............888888888888888888888 ........=8888888888888888888D=..............
    ...........88888888888888888888888 ..........D8888888888888888888888I...........
    .........,8888888888888ZI: ...........................=Z88D8888888888D..........
    .........+88888888 ..........................................88888888D..........
    .........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
    .........+88888888 ............. ************* ..............O8888888D..........
    .........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
    .........+88888888...........................................88888888D..........
    ..........D888888888888DO+. ..........................?ND888888888888D..........
    ...........O8888888888888888888888...........D8888888888888888888888=...........
    ............ .:D8888888888888888888.........78888888888888888888O ..............
  8. Run the following command to check whether Alibaba Cloud CLI is available:

    aliyun sts GetCallerIdentity --profile sso

Earlier version

Procedure

Step 1: Install CLI

You must install Alibaba Cloud CLI and CloudSSO CLI.

Step 2: Configure CloudSSO logon information

  1. Run the following command to configure information about access to CloudSSO:

    acs-sso configure
  2. Enter the user logon URL signinUrl.

    Note

    How to obtain the user logon URL signinUrl: Log on to the CloudSSO console, and on the Overview page, obtain the User Logon URL on the right side.

    Sample request:

    acs-sso configure
    ? please input 'signinUrl': https://signin-******.alibabacloudsso.com/device/login

    Sample success response:

    configuration done!

Step 3: Log on to Alibaba Cloud as a CloudSSO user

The following list provides the commonly used commands:

  • Default logon

    1. Run the following command:

      acs-sso login
    2. In the browser that appears, log on to the user portal. After you log on to the user portal, close the browser.

      If the browser does not open automatically, copy the login URL (SignIn url) and user code (User code) shown in the CLI prompt and complete the login manually.

      Example:

      If your default browser is not opened automatically, please use the following URL to finish the signin process.
      Signin URL: https://signin-****.alibabacloudsso.com/device/code
      User Code: *********
    3. If the current user is assigned access permissions on multiple accounts in your resource directory, the CLI prompts you to select an account and the access configuration for the account. Then, the CLI generates the AccessKey pair for the account.

      Sample responses:

      You have logged in.
      used account: test-account(191585963325****)
      used access configuration: TestAC(ac-x08xz11covd3cyzd****)
      {
        "mode": "StsToken",
        "access_key_id": "STS.****",
        "access_key_secret": "****",
        "sts_token": "****"
      }

    After a successful login, the profile is attached to the account and access configuration. The cached account and access configuration are used for the next logon.

  • Logon by using logon profiles

    acs-sso login --profile sso

    If you want to configure logon information for multiple accounts in your resource directory and access configurations at a time, you can specify a logon profile to use a specific account and its access configuration. In this case, logon profiles are used to distinguish multiple accounts in your resource directory and their access configurations. You can use --profile to specify different logon profiles for CloudSSO. The preceding command specifies that the logon profile is sso.

    If you do not specify --profile, the default logon profile is default.

  • Obtain logon configurations

    acs-sso profile --list
  • Delete a specific logon configuration

    Run the following command to delete the default logon configuration:

    acs-sso profile --delete --profile default

    Run the following command to delete the logon configuration named sso:

    acs-sso profile --delete --profile sso
  • Configure the mode of the output

    You can configure one of the following modes based on your business requirements:

    • External process mode (default): Use this output mode together with the external process (External) mode of Alibaba Cloud CLI.

      Sample returned result:

      {
        "mode": "StsToken",
        "access_key_id": "STS.NUyPeEoab****",
        "access_key_secret": "GBubpmh****",
        "sts_token": "CAIS****"
      }
    • Environment variable mode: You can use the --env parameter to configure the returned result as environment variables. For example: acs-sso login --profile user1 --env.

      Sample responses:

      export ALIBABACLOUD_ACCESS_KEY_ID=STS.NUyPeEoab****
      export ALIBABACLOUD_ACCESS_KEY_SECRET=GBubpmh****
      export SECURITY_TOKEN=CAIS****

      Environment variables can be used together with Alibaba Cloud tools such as Terraform. For example: `acs-sso login --profile user1 --env` && terraform plan.

      Environment variables can be used together with Alibaba Cloud CLI. For example: `acs-sso login --profile user1 --env` && aliyun ecs DescribeRegions.
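
The --env output above is meant to be evaluated by the shell. The following added example (not part of the original documentation or of acs-sso itself) exports the credentials only when the output consists of the three documented variables, and runs the target command in a subshell so the temporary credentials do not stay in the interactive session. It assumes the output is exactly the export lines shown above and that values use only base64-style characters; load_sso_env and run_with_sso are hypothetical helper names.

```shell
# Added example; load_sso_env and run_with_sso are hypothetical helper names.
# Assumes `acs-sso login --env` prints only the three export lines shown above.

# Read env-mode output on stdin. Export the credentials only if every line is
# one of the three documented variables with a plain token value.
load_sso_env() {
    ak= sk= tok=
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            "export "*=*) kv=${line#export } ;;
            *) echo "unexpected line in credential output" >&2; return 1 ;;
        esac
        name=${kv%%=*} value=${kv#*=}
        case "$value" in   # '*' is allowed only so the masked samples pass
            ""|*[!A-Za-z0-9._+/=*-]*) echo "rejected value for $name" >&2; return 1 ;;
        esac
        case "$name" in
            ALIBABACLOUD_ACCESS_KEY_ID)     ak=$value ;;
            ALIBABACLOUD_ACCESS_KEY_SECRET) sk=$value ;;
            SECURITY_TOKEN)                 tok=$value ;;
            *) echo "unexpected variable: $name" >&2; return 1 ;;
        esac
    done
    [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$tok" ] || return 1
    export ALIBABACLOUD_ACCESS_KEY_ID="$ak" ALIBABACLOUD_ACCESS_KEY_SECRET="$sk"
    export SECURITY_TOKEN="$tok"
}

# Run a command with credentials for one CloudSSO profile. The subshell keeps
# the STS token out of the calling shell's environment.
run_with_sso() {
    profile=$1; shift
    (
        out=$(acs-sso login --profile "$profile" --env) || exit 1
        load_sso_env <<EOF || exit 1
$out
EOF
        exec "$@"
    )
}

# Constructed sample (masked values as printed on the page), in a subshell.
( load_sso_env <<'EOF' && echo "accepted: $ALIBABACLOUD_ACCESS_KEY_ID"
export ALIBABACLOUD_ACCESS_KEY_ID=STS.NUyPeEoab****
export ALIBABACLOUD_ACCESS_KEY_SECRET=GBubpmh****
export SECURITY_TOKEN=CAIS****
EOF
)
```

For example: run_with_sso user1 terraform plan.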

Step 4: Use with Alibaba Cloud CLI

Sample request:

aliyun configure --mode External --profile sso
Configuring profile 'sso' in 'External' authenticate mode...
Process Command []: acs-sso login --profile sso
Default Region Id []: cn-shanghai
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en: 
Saving profile[sso] ...Done.

In this example, Process Command uses the command acs-sso login --profile sso to specify the CloudSSO logon profile as sso. We recommend that you specify the same profile for both Alibaba Cloud CLI and CloudSSO CLI. This way, if multiple logon profiles are configured, you can configure CLI credentials multiple times and match the CLI credentials with different logon profiles.

Sample success response:

Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............

Run the following command to check whether Alibaba Cloud CLI is available:

aliyun sts GetCallerIdentity --profile sso