All Products
Search

This Product

    Identity as a Service:Alibaba Cloud OpenAPI authentication

    Document Center

    Identity as a Service:Alibaba Cloud OpenAPI authentication

    Last Updated:Mar 30, 2026

    When you cannot use a federated credential, such as PKCS#7 or OpenID Connect (OIDC), for authentication, IDaaS lets you get a client access token by using Alibaba Cloud OpenAPI. This topic describes how to configure the required RAM permissions for OpenAPI authentication.

    To use OpenAPI authentication, you must first obtain an STS Token by assuming a RAM role. Then, use this STS Token to call the IDaaS OpenAPI and get an access token for your application. The RAM role must have the necessary permissions to access the IDaaS application. This topic uses Function Compute as an example.

    Create a permission policy

    1. Log on to the RAM console.

    2. In the navigation pane, choose Permissions > Policies.

    3. Click Create Policy.

    4. Click the JSON Editor tab and paste the following permission policy into the editor.

      {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eiam:GenerateOauthToken",
      "Resource": [
        "acs:eiam:<regionId>:<accountId>:instance/<InstanceId>/application/<ApplicationId>"
      ]
    }
  ]
}

      Replace the placeholders in the Resource field with your actual values. Replace <regionId> with the region ID of your IDaaS EIAM instance, <accountId> with your Alibaba Cloud account ID, <InstanceId> with your IDaaS EIAM instance ID, and <ApplicationId> with the application ID of the IDaaS M2M client that you want to access.

    5. Click OK and enter a name for the policy. For example, openapi-authentication-policy.

    Create and authorize a RAM role

    1. Log on to the RAM console.

    2. In the navigation pane, choose Identities > Roles.

    3. Click Create Role. Set Principal Type to Cloud Service and Principal Name to Function Compute / FC.

    4. Click OK and enter a name for the role. For example, openapi-authentication-fc-role.

    5. Find the role you created and, in the Attach Policy column, click Actions.

    6. In the Policy field, select openapi-authentication-policy, and click OK.

    Attach the RAM role

    1. Log on to the Function Compute console.

    2. In the navigation pane, choose Function Management > Function List.

    3. Find the function instance and, in the Configure column, click Actions.

    4. On the Function Details tab, click Modify next to Advanced Settings.

    5. Under Permissions, select the openapi-authentication-fc-role role.

    6. After you finish the configuration, click Deploy.

    For more information, see Grant Function Compute permissions to access other cloud services by using a function role.