Configure access credentials for Alibaba Cloud SDK V1.0 for PHP to authenticate API calls securely.
Use an AccessKey pair
An Alibaba Cloud account AccessKey pair grants full access to all resources in the account. To minimize the impact of a credential leak, use the AccessKey pair of a RAM user with permissions granted based on the principle of least privilege (PoLP), and rotate the AccessKey pair regularly. For information about how to create an AccessKey pair for a RAM user, see Create an AccessKey pair.
Create a default client named default using an AccessKey pair:
<?php
use AlibabaCloud\Client\AlibabaCloud;
AlibabaCloud::accessKeyClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'))->asDefaultClient();
AlibabaCloud::accessKeyClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'))->name('default');
Use an STS token
Use temporary credentials from Security Token Service (STS) when you need short-lived, scoped access. Apply for temporary credentials from STS and create a temporary client:
<?php
use AlibabaCloud\Client\AlibabaCloud;
AlibabaCloud::stsClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), getenv('ALIBABA_CLOUD_SECURITY_TOKEN'))->name('sts');
Use a RAM role
Assign a RAM role to a client so that the client automatically obtains and refreshes STS tokens before each API request. This produces a time-limited STS client with no manual token management required. To use STS tokens directly, apply for them manually and create an STS client directly.
Create a client named ramRoleArnClient using a RAM role:
<?php
use AlibabaCloud\Client\AlibabaCloud;
AlibabaCloud::ramRoleArnClient(getenv('ALIBABA_CLOUD_ACCESS_KEY_ID'), getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), 'roleArn', 'roleSessionName')
->name('ramRoleArnClient');
Use the RAM role of an ECS instance
When running code on an Elastic Compute Service (ECS) instance, the client can fetch an STS token from the ECS metadata server using the RAM role attached to the instance. This eliminates the need to store any credentials in your code or environment.
Create a client named ecsRamRoleClient using the ECS instance RAM role:
<?php
use AlibabaCloud\Client\AlibabaCloud;
AlibabaCloud::ecsRamRoleClient('roleName')->name('ecsRamRoleClient');
Use a bearer token
Bearer tokens are supported exclusively by Cloud Call Center (CCC). Apply for and manage bearer tokens manually.
Create a client named bearerTokenClient using a bearer token:
<?php
use AlibabaCloud\Client\AlibabaCloud;
AlibabaCloud::bearerTokenClient('bearerToken')->name('bearerTokenClient');
Use the default credential provider chain
The default credential provider chain searches for credentials in the following order:
Environment variables
Configuration file
Instance RAM role (ECS metadata)
1. Use credentials from environment variables
If ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET are set to non-null values, the provider chain uses them to create a default client. If the request targets a non-default client, the chain falls through to the configuration file.
2. Use the configuration file
If a credential file exists in the home directory, the provider chain automatically creates clients based on the type and name specified in the file.
Default file paths:
Linux/macOS:
~/.alibabacloud/credentialsWindows:
C:\Users\USER_NAME\.alibabacloud\credentials
Key behaviors:
Client names are case-insensitive. If two clients share the same name, the later one takes precedence.
If the file exists but cannot be parsed, an exception is thrown.
The file is stored outside projects and must not be committed to public repositories.
Override the default file path by setting the
ALIBABA_CLOUD_CREDENTIALS_FILEenvironment variable.Load specific files manually using
AlibabaCloud::load('/data/credentials', 'vfs://AlibabaCloud/credentials', ...);
Home directory references:
Windows: use the
%UserProfile%environment variableUnix-like systems: use the
$HOMEenvironment variable or a tilde (~)
The following example shows a credentials file with multiple client configurations:
[default] # The default client.
enable = true # Enable the client. By default, the client is enabled if this parameter is not specified.
type = access_key # The authentication is based on AccessKey pairs.
access_key_id = foo # Key
access_key_secret = bar # Secret
region_id = cn-hangzhou # Optional. The region ID.
debug = true # Optional. Specifies whether to enable the debug mode. The detailed information is displayed on the CLI in debug mode.
timeout = 0.2 # Optional. The timeout period. If the value is greater than 1, the unit is seconds. If the value is smaller than 1, the value is multiplied by 1,000 and the unit is milliseconds.
connect_Timeout = 0.03 # Optional. The timeout period for connection requests. If the value is greater than 1, the unit is seconds. If the value is smaller than 1, the value is multiplied by 1,000 and the unit is milliseconds.
cert_file = /path/server.pem # Optional. The certificate file.
cert_password = password # Optional. The password of the certificate.
proxy = tcp://localhost:8125 # Optional. The common proxy.
proxy_http = tcp://localhost:8125 # Optional. The HTTP proxy.
proxy_https = tcp://localhost:9124 # Optional. The HTTPS proxy.
proxy_no = example.com # Optional. The domain name that is ignored by the proxy.
[client1] # The client named client1.
type = ecs_ram_role # The authentication is based on EcsRamRole credentials.
role_name = EcsRamRoleTest # Role Name
#..................................# The other parameters are the same as those of the default client.
[client2] # The client named client2.
enable = false # The client is disabled.
type = ram_role_arn # The authentication is based on RamRoleArn credentials.
access_key_id = foo
access_key_secret = bar
role_arn = role_arn
role_session_name = session_name
#..................................# The other parameters are the same as those of the default client.
[client3] # The client named client3.
type = rsa_key_pair # The authentication is based on Rivest-Shamir-Adleman (RSA) key pairs.
public_key_id = publicKeyId # Public Key ID
private_key_file = /your/pk.pem # The private key file.
#..................................# The other parameters are the same as those of the default client.
3. Use an instance RAM role
If ALIBABA_CLOUD_ECS_METADATA is set to a non-null value, the provider chain treats the value as the RAM role name and queries http://100.100.100.200/latest/meta-data/ram/security-credentials/ for temporary security credentials. Those credentials are then used to create a default client.
Custom credential provider chain
Build a custom provider chain or pass a closure as a credential provider:
<?php
use AlibabaCloud\Client\Credentials\Providers\CredentialsProvider;
CredentialsProvider::chain(
CredentialsProvider::ini(),
CredentialsProvider::env(),
CredentialsProvider::instance()
);