Integrate the Machine-to-Machine (M2M) authentication feature of Alibaba Cloud Identity as a Service (IDaaS) with AI Gateway. This integration allows clients to use dynamic JSON Web Tokens (JWTs) to securely access Alibaba Cloud Model Studio AI services, eliminating the need for static credentials.
Background
As artificial intelligence (AI) technology becomes more common, AI applications are integrating more closely with large language model (LLM) services. In traditional access modes, AI applications often rely on static AccessKey pairs to call LLM service APIs. However, using static AccessKey pairs poses the following security risks:
No expiration limit: Keys are valid long-term and do not automatically expire. If a key is leaked, an attacker can use it indefinitely.
Insecure storage: Keys are often hard-coded in code, configuration files, or container images. This makes them vulnerable to theft through code scanning or image analysis.
Excessive permissions: The permissions associated with keys are often too broad. This makes it difficult to follow the principle of least privilege and increases the potential attack surface.
No rotation mechanism: Keys cannot be rotated automatically. The manual replacement process is complex, costly, and often delayed.
To solve these problems, this solution integrates IDaaS with AI Gateway. This integration enables dynamic rotation and centralized management of client credentials. The core benefits are as follows:
Credential-free client access: Clients do not need to hold any long-term static keys. Instead, they request a short-lived Access Token from IDaaS at runtime.
Unified authentication and authorization endpoint: All calls to backend AI services are routed through AI Gateway. The gateway handles all JWT-based authorization.
Centralized downstream key management: The API keys for backend services, such as Alibaba Cloud Model Studio, are stored securely in AI Gateway. This process is transparent to the client and reduces the risk of key leakage.
Architecture
AI Gateway supports JWT-formatted tokens. This allows clients to access AI Gateway by requesting an M2M token from IDaaS, without holding plaintext keys. The gateway then performs authorization and calls the Alibaba Cloud Model Studio API. This flow provides dynamic token authentication for the client and centralizes static credential access for downstream services at the gateway layer. This improves the security and flexibility of the overall architecture. The process is as follows:
The client obtains an Access Token: The client requests an Access Token from the IDaaS token endpoint.
The client requests the AI Gateway: The client includes the obtained Access Token in the Authorization header of the request and calls the AI Gateway API.
The AI Gateway performs local signature verification: The AI Gateway retrieves the public key from the IDaaS JSON Web Key Set (JWKS) URL and verifies the Access Token locally. This process does not require a request to IDaaS for every call, which allows for efficient authorization.
Call the Model Studio model service: After successful authorization, the AI Gateway uses the pre-configured Model Studio API key to call the backend model service and returns the result to the client.
Procedure
Step 1: Get a Model Studio API key
Go to the Key Management page of Alibaba Cloud Model Studio (Singapore | Beijing).
If you have an available API key, copy it from the list. If not, follow these steps to create one. For more information, see Obtain an API key.
On the API Key tab, click Create API Key. If you cannot create the key, contact your organization or IT administrator.
In the Create API Key dialog box, select the Owner Account and Workspace, and click OK.
Owning Account: Select Alibaba Cloud account.
Workspace: Select Default Workspace.
Click the copy icon next to the new API key to copy it.
Step 2: Configure AI Gateway to proxy Model Studio
Create an Internet NAT gateway
Go to the Internet NAT Gateway purchase page, set the following configurations, and then click Buy Now. For more information, see Create an Internet NAT gateway and associate an EIP.
Parameter | Description | Example
--- | --- | ---
Billing Method | Only Pay-As-You-Go is supported. | Pay-As-You-Go
Region | Select the region where you want to create the Internet NAT gateway. | Singapore
Network and Zone | Select the VPC and vSwitch for the Internet NAT gateway. You cannot change these settings after the gateway is created. | TEST_VPC
EIP | Select an option based on whether you have created an EIP. | Purchase EIP
Log on to the VPC console and switch to the destination region in the top navigation bar. In the navigation pane on the left, choose .
Find the target instance and click its instance ID to open the details page.
On the SNAT tab, click Create SNAT Entry.
On the Create SNAT Entry page, set SNAT Entry to Specify VPC and EIP to the associated EIP. Then, click OK.
Create an AI Gateway instance
Go to the AI Gateway purchase page, enter the required configurations, and then click Buy Now.
Note: The following configurations are for creating an instance that has its Network Type set to Public Network and uses the minimum Instance Specification. Keep the default values for any other configurations. For more information, see Create a gateway instance.
Parameter | Description | Example
--- | --- | ---
Product Type | Supports Dedicated Instance (pay-as-you-go), Dedicated Instance (subscription), and Serverless (Pay-as-you-go). | Dedicated Instance (pay-as-you-go)
Region | Select the destination region. Note: Select the same region as the Internet NAT gateway instance created in the previous step. | Singapore
Instance Name | Enter a custom name for the gateway. | test_gateway
Instance Specification | Select the node specifications as needed. The Serverless version does not have gateway specifications. | aigw.small.x1
Network Type | Supports Public Network, Private Network, and Public + Private access types. | Public Network
Private Network | Select the VPC where the gateway instance runs. Note: Select the same VPC as the Internet NAT gateway instance created in the previous step. | TEST_VPC
Select Zone | Select Auto-assign or Manually Select. Auto-assign: Select a vSwitch. The system automatically allocates two zones to deploy the gateway nodes. Manually Select: Manually select the zones and vSwitches to deploy the gateway nodes. | Auto-assign
vSwitch | Select the vSwitch where the gateway instance runs. | VSW_1
Service-linked Role | Click Create Service-linked Role for all items to create the following two roles: AliyunServiceRoleForNativeApiGw and AliyunServiceRoleForNativeApiGwInvokeFC. For more information, see Service-linked Role. | -
On the Confirm Order page, review the AI Gateway configuration details and click Buy Now.
Return to the AI Gateway Instance page. The gateway creation is complete when its Status changes to Running (this may take 1 to 5 minutes).
Create an AI Gateway service
Log on to the AI Gateway console and switch to the destination region in the top navigation bar. In the navigation pane on the left, choose .
Find the target instance. Click the instance ID to open the details page.
In the navigation pane on the left, click Service and then click Create Service. If the Configure Default Alerts panel appears, you can configure the settings as required or skip this step.
In the Create Service panel, configure the following parameters and click OK.
Note: The following example shows the configurations for Alibaba Cloud Model Studio. Keep the default values for any other configurations. For more information, see Create a service.
Parameter | Description | Example
--- | --- | ---
Service Source | Select the type of service to be accessed through the proxy. | AI Services
Service Name | Enter a custom service name. | test_bailian
Large Model Supplier | Select the large model provider to be accessed through the proxy. | Alibaba Cloud Model Studio
Model Protocol | Specify the model protocol. Keep the default value. | OpenAI/v1
Service URL (base_url) | Set the endpoint provided by the large model provider. Keep the default value. | https://dashscope.aliyuncs.com/compatible-mode/v1
Generation Method | Specify how to generate the key required to access the large model. | Enter
API-KEY | Set the credential required to access the large model. | sk-4901******8a59
Create a Model API
On the AI Gateway instance details page, in the left navigation pane, click Model API and then click Create Model API.
Select a scenario and click its Create button. In the panel that appears, provide the following information and click OK.
Note: The following configurations are for the Text Generation scenario. Keep the default values for any unmentioned configurations. For more information, see Manage Model APIs.
Parameter | Description | Example
--- | --- | ---
Protocol | Different protocols correspond to a set of built-in default routing rules for the scenario. These are used to quickly generate compatible interfaces for services such as OpenAI, DashScope, and vLLM. | OpenAI-compatible
API Name | Enter a custom API name. The name must be globally unique within your account. | test_api
Domain Name | The domain name used to access this API. You can select multiple domain names. The combination of the domain name and the BasePath must be unique. To add a new domain name, click Add Domain Name on the right to create a domain name. Note: If you set Network Type to "Public Network" or "Public + Private" when creating the AI Gateway instance, or if you configured a public domain name after creating the instance, the instance can be accessed through the public domain name. The public domain name provided by AI Gateway has a daily call limit of 1,000. It is for testing only and must not be used in a production environment. To call the AI Gateway using a specific domain name in a production environment, create a CNAME record to resolve this domain name to the public domain name of the current AI Gateway instance. You can find the public domain name on the page of the AI Gateway instance. | example.aliyun.com
Service Type | Supports Single Service, Multiple Service (by model name), and Multiple Services (by proportion). | Single Service
Service Name | Select the target service. | test_bailian
On the API details page, click the Consumer Authentication tab. Click . In the panel that appears, turn on the Status switch, set Authentication Method to JWT, and click OK.
Step 3: Configure an IDaaS M2M application
Create an IDaaS instance
Log on to the IDaaS console and switch to the destination region in the top navigation bar. In the navigation pane, select EIAM.
On the right side of the page, click . In the panel that appears, set the Description, select Alibaba Cloud Product Service Agreement, and click Create.
In the EIAM instance list, find the target instance and click Manage in the Actions column to open its management backend.
In the navigation pane on the left of the EIAM instance management backend, choose . In the Note on Upgrade dialog box, click Upgrade Now.
On the upgrade page, enable M2M Management, configure other options as needed, and click Buy Now.
Create an M2M client application
In the navigation pane on the left of the EIAM instance management backend, choose .
Click Add Application, set Application Name to "M2M Client", and click Add to open the application details page.
On the General tab, click . Select a Client Secret Validity Period and click Confirm.
Click View next to client_secret. Copy and save the client_id and client_secret values for later use.
Copy and save the URL from for later use.
On the Client Permission Management tab, turn on the Custom Permissions switch.
Create an M2M server application
In the navigation pane on the left of the EIAM instance management backend, choose .
Click Add Application, set the Application Name to "M2M Server", and click Add to open the application details page.
On the Server Permission Control tab, under Authorized application, turn on the Server Permission Control switch. In the panel that appears, set the ResourceServer Identifier and click Confirm.
Note: Set ResourceServer Identifier to cloud:idaas:aigateway:alibabacloud:<account-id>, where <account-id> is your Alibaba Cloud account ID.
Under Permission Management, click Create Scope. Enter a Scope Name and a Scope Value, and click Confirm.
Under Authorized Applications, turn on the switch for M2M Client. Then, select the permission you added in the previous step from the Permission list and click Confirm.
On the General tab, go to . Copy and save the URL for later use.
Step 4: Configure JWT authentication for AI Gateway
Create a consumer and configure JWT authentication
Log on to the AI Gateway console and select the destination region from the top menu bar. In the navigation pane on the left, click .
On the Consumers page, click Create Consumer in the upper-left corner.
On the Create Consumer page, enter the required information and click Create. For more information, see Create a consumer.
Parameter | Description | Example
--- | --- | ---
Consumer Name | Enter a custom name for the consumer. | test_consumer
Status | The consumer status can be Enable or Disable. You can manually enable or disable the consumer after it is created. | Enable
Authentication Method | Set the authentication method for the consumer: API Key, JWT, or HMAC. This example uses JWT. Creation Method: Remote Fetch. JWKS: Set this to the Signature Verification Public Key Endpoint URL from the Create an M2M server application step. Consumer Identity in JWKS Payload: Key: scope. Value: Set this to the Permission ID from the Create an M2M server application step. Configure other settings as needed or keep the default values. | JWT
Authorize the API for the consumer
On the Consumers page, click a consumer. On the details page, click the Consumer Authorization tab.
On the Model API tab, click Authorization.
In the authorization panel, select the Model API created in the previous steps and click OK. For more information, see Authorization management.
Step 5: Verify the configuration
Get an M2M token
This example uses the client_secret_post Authentication Method. For other authentication methods, see M2M Client Token call examples.
We recommend that you use a federated credential authentication method, such as OIDC federation, PKCS#7 signature authentication, or PrivateCA certificate authentication.
In a terminal that can access the public network, run the following curl command to obtain an Access Token using the client_secret_post method.
curl --location --request POST '<Token endpoint of the M2M client application, for example: https://******.aliyunidaas.com/api/v2/iauths_system/oauth2/token>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<client_id of the M2M client application, for example: app_m5doo******>' \
--data-urlencode 'client_secret=<client_secret of the M2M client application, for example: CS5v3F******>' \
--data-urlencode 'scope=<Audience ID of the M2M server application, for example: cloud:idaas:aigateway:alibabacloud:******>|<Permission ID of the M2M server application>'
Parameter description:
<M2M client application Token Endpoint>: The Token Endpoint URL obtained when you Create an M2M Client Application.
<M2M Client application client_id>: The application's client_id. For more information, see Create an M2M client application.
<The M2M Client application's client_secret>: Set this to the client_secret that is generated when you Create an M2M Client application.
<M2M Server application ResourceServer Identifier>: Set this to the ResourceServer Identifier specified in Create an M2M Server application.
<M2M Server application's Scope Value>: Set this to the Scope Value described in Create an M2M Server application.
The scope parameter must contain the ResourceServer Identifier and the Scope Value, separated by a vertical bar (|).
If the request is successful, a JSON response similar to the following is returned. Copy the value of access_token, which is the M2M token.
{
  "token_type": "Bearer",
  "access_token": "eyJraWQi******Nsn2u7Jcw",
  "expires_in": 3600,
  "expires_at": 1765448721
}
Call the AI Gateway using the M2M token
Go to the AI Gateway page and find the target instance. Click the instance ID to open the details page.
Verify using the debug feature of AI Gateway
In the navigation pane on the left, click Model API. Click the name of the Model API that you created in the previous steps to open its details page.
In the upper-right corner, click Debugging. In the dialog box that opens, set the following parameters:
Domain Name: Select the public domain name, such as env-d4t******kv0-cn-hangzhou.alicloudapi.com.
Custom Parameters: In the Header section, click Add Parameter to add an Authorization parameter.
Key: Authorization.
Value: Bearer <M2M Token>.
Important: Make sure there is a single space between Bearer and <M2M Token>. Replace <M2M Token> with the access_token obtained in the previous step. Construct the full string in a local text editor to ensure the format is correct before you paste it into the Value field.
Prompt: The input sent to the large model.
Click Send Request in the upper-right corner. The response appears in the Model Response section.
Verify using code
In a terminal that can access the public network, you can use the curl command or integrate it into your code to verify the final call chain.
Parameter description:
<Domain Name>: Replace this with the Public domain name from the section on the AI Gateway instance's details page.
Note: The default public domain name provided by AI Gateway has a daily call limit of 1,000. It is for testing only. Do not use it in a production environment.
In a production environment, you can create a CNAME record to resolve your own business domain name to this public domain name, and then make calls using your business domain name.
<M2M Token>: Replace this with the access_token obtained in the previous step.
<Prompt>: Replace this with the prompt that you want to send to the large language model.
Ensure there is a single space between Bearer and <M2M Token>. Replace <M2M Token> with the access_token from the previous step.
Call using curl
curl --location '<Domain Name, for example: http://env-d4t6******kv0-cn-hangzhou.alicloudapi.com>/v1/chat/completions' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <M2M Token>' \
--data '{
"model": "qwen-max",
"stream": true,
"max_tokens": 1024,
"top_p": 0.95,
"temperature": 1,
"messages": [
{
"role": "user",
"content": "<Prompt>"
}
]
}'
Call using Python code
from openai import OpenAI
# Configure
API_BASE_URL = "<Domain Name, for example: http://env-d4t6******kv0-cn-hangzhou.alicloudapi.com>/v1"
AUTH_TOKEN = "Bearer <M2M Token>"
# Initialize the client
client = OpenAI(
base_url=API_BASE_URL,
api_key="unset",
default_headers={"Authorization": AUTH_TOKEN}
)
# Send the request and process the streaming response
stream = client.chat.completions.create(
model="qwen-max",
messages=[{"role": "user", "content": "<Prompt>"}],
stream=True,
max_tokens=1024,
top_p=0.95,
temperature=1
)
for chunk in stream:
    # Check that the choices list is not empty before accessing its content
    if chunk.choices and chunk.choices[0].delta.content:
        print(chunk.choices[0].delta.content, end="", flush=True)
Going live
Obtaining M2M tokens
Use a federated identity for authentication, such as OpenID Connect (OIDC) federated authentication, PKCS#7 signature authentication, or PrivateCA certificate authentication.
Token caching
Cache the retrieved Access Token on the client side and reuse it within its validity period (expires_in). This avoids the need to request a new token from IDaaS for each call and reduces latency and authentication overhead.
Principle of least privilege
Grant API keys created for Alibaba Cloud Model Studio only the minimum model access permissions required to perform their tasks.
Limit the permissions assigned to M2M clients in IDaaS to the minimum scope required for their intended functions.
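As an added example (not from this page or from Alibaba Cloud's own SDKs), the following Python helper implements the client_secret_post token request from Step 5 together with the client-side token caching recommended under Token caching: it sends the same form fields as the curl command, builds scope as the ResourceServer Identifier and Scope Value joined by a vertical bar, and contacts IDaaS again only shortly before expires_in elapses. The token endpoint, client_id, client_secret, ResourceServer Identifier and Scope Value are placeholders you replace with your own values; the post and clock parameters are hypothetical injection points so the refresh logic can be exercised offline, as the demo at the bottom does with a constructed IDaaS stand-in.

```python
import json
import time
import urllib.parse
import urllib.request

class M2MTokenClient:
    """Fetch an IDaaS M2M token (client_secret_post) and reuse it until expiry.
    Hypothetical helper, not IDaaS/AI Gateway code; post/clock are injectable."""

    def __init__(self, token_endpoint, client_id, client_secret,
                 resource_server_id, scope_value,
                 post=None, clock=time.time, refresh_margin=60):
        self.token_endpoint = token_endpoint
        self.client_id, self.client_secret = client_id, client_secret
        # scope is "<ResourceServer Identifier>|<Scope Value>" (vertical bar).
        self.scope = f"{resource_server_id}|{scope_value}"
        self._post = post or self._http_post
        self._clock, self._margin = clock, refresh_margin
        self._token, self._expires_at, self.fetch_count = None, 0.0, 0

    @staticmethod
    def _http_post(url, form):
        """Real transport: form-encoded POST, JSON response body."""
        req = urllib.request.Request(
            url, data=urllib.parse.urlencode(form).encode(), method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())

    def get_token(self):
        """Return the cached token; call IDaaS only when near or past expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            body = self._post(self.token_endpoint, {
                "grant_type": "client_credentials", "scope": self.scope,
                "client_id": self.client_id, "client_secret": self.client_secret})
            self._token = body["access_token"]
            # Local clock + expires_in, not the server's expires_at: clock skew cannot extend the cache.
            self._expires_at = now + float(body["expires_in"])
            self.fetch_count += 1
        return self._token

    def auth_header(self):
        """'Bearer', exactly one space, then the token, as AI Gateway expects."""
        return {"Authorization": "Bearer " + self.get_token()}


if __name__ == "__main__":
    # Offline demo with a constructed IDaaS stand-in and a fake clock.
    clock, n = {"t": 1000.0}, [0]
    def fake_idaas(url, form):
        n[0] += 1
        return {"token_type": "Bearer", "access_token": f"tok-{n[0]}",
                "expires_in": 3600, "expires_at": int(clock["t"]) + 3600}
    c = M2MTokenClient("https://idaas.example/token", "app_x", "cs_x",
                       "cloud:idaas:aigateway:alibabacloud:<account-id>", "aigw:invoke",
                       post=fake_idaas, clock=lambda: clock["t"])
    for step in (0, 3000, 570):   # reuse at +3000 s; refresh inside the 60 s margin
        clock["t"] += step
        print(clock["t"], c.auth_header()["Authorization"])
```

Pass auth_header() as default_headers to the OpenAI client shown in Step 5 so every call carries the current token.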