Microservices Registry Professional Edition instances support service authentication, configuration authentication, and configuration encryption and decryption. The Nacos client version determines which authentication modes and encryption features are available.
Recommended versions
For full authentication and encryption support, use these minimum versions:
| Language | Minimum version | Authentication | Configuration encryption |
|---|---|---|---|
| Java | 2.2.1 or later | All 7 modes (service + configuration) | Supported |
| Go | 2.1.1 or later | AccessKey only (service + configuration) | Supported |
| Python | 0.1.10 or later | AccessKey only (service + configuration) | Not supported |
If you only need AccessKey-based authentication, Java 1.2.0 and later, Go 1.1.4 and later, and Python 0.1.10 and later all support it.
Authentication modes
MSE supports seven authentication modes. Each mode differs in how the client establishes its identity with the server:
| Mode | Description | Prerequisites |
|---|---|---|
| AccessKey | Authenticates with a static AccessKey ID and AccessKey secret | Configure an AccessKey pair |
| Automatic AccessKey rotation | Rotates AccessKey credentials automatically through Key Management Service (KMS) | Activate KMS and configure rotation |
| STS token | Authenticates with temporary credentials from Security Token Service (STS) | Get and maintain temporary credentials |
| RAM role ARN | Assumes a RAM role using an AccessKey pair with role-assumption permissions | Configure a RAM role ARN |
| ECS role | Authenticates using a RAM role attached to an Elastic Compute Service (ECS) instance | Configure an ECS RAM role |
| OIDC role ARN | Authenticates through OpenID Connect (OIDC) with RAM Roles for Service Accounts (RRSA) on Container Service for Kubernetes (ACK) | Activate ACK, enable RRSA, and configure OIDC |
| Credentials URI | Authenticates with temporary STS token credentials fetched from a custom URI endpoint | Build a credentials service |
Java client compatibility
Versions to avoid
Do not use versions earlier than Java 1.1.X. These versions lack authentication and encryption support.
Version summary
Use this table to find the minimum Java client version for each capability:
| Capability | Minimum version |
|---|---|
| AccessKey authentication (service + configuration) | 1.2.0 |
| Configuration encryption and decryption | 1.4.2 |
| ECS role for service authentication | 1.4.5 |
| All authentication modes for configuration authentication | 2.1.0 |
| All authentication modes for both service and configuration authentication | 2.2.1 |
Detailed compatibility by version
The following table shows which authentication modes each Java client version supports. A dash (-) indicates that the mode is not supported.
| Version range | Service auth | Config auth | Config encryption |
|---|---|---|---|
| 1.2.0 -- 1.4.1 | AccessKey | AccessKey, ECS role | Not supported |
| 1.4.2 -- 1.4.4 | AccessKey | AccessKey, ECS role | Supported |
| 1.4.5 -- 1.4.X | AccessKey, ECS role | AccessKey, ECS role | Supported |
| 2.0.0 -- 2.0.4 | AccessKey | AccessKey, ECS role | Supported |
| 2.1.0 -- 2.2.0 | All except ECS role | All 7 modes | Supported |
| 2.2.1 and later | All 7 modes | All 7 modes | Supported |
Java 2.1.0 -- 2.2.0 supports all authentication modes for configuration authentication, but ECS role is not supported for service authentication. Upgrade to 2.2.1 or later for full service authentication support.
Go client compatibility
Versions to avoid
Earlier than Go 1.1.4: Not recommended.
Go 2.0.0 -- 2.1.0: Not recommended.
Supported versions
Go clients only support AccessKey-based authentication. No other authentication modes are available.
| Version range | Service auth (AccessKey) | Config auth (AccessKey) | Config encryption |
|---|---|---|---|
| 1.1.4 -- 1.1.X | Supported | Supported | Supported |
| 2.1.1 and later | Supported | Supported | Supported |
Python client compatibility
Python clients only support AccessKey-based authentication. Configuration encryption is not supported in any Python client version.
| Version range | Service auth (AccessKey) | Config auth (AccessKey) | Config encryption |
|---|---|---|---|
| Earlier than 0.1.10 | Not supported | Supported | Not supported |
| 0.1.10 and later | Supported | Supported | Not supported |