Set Up PHP SDK Access for SMQ with Secure Credentials - Simple Message Queue

Simple Message Queue (SMQ, formerly MNS) SDK for PHP requires a service endpoint and access credentials to send requests. This topic describes how to configure endpoints, long-term access credentials (AccessKey pairs), and temporary access credentials (STS tokens).

Prerequisites

Before you begin, make sure that you have:

An Alibaba Cloud account with SMQ activated
The SMQ SDK for PHP installed
A Resource Access Management (RAM) user with the required permissions

Configure an endpoint

When you use SMQ SDK for PHP to initiate a request, you need to configure an endpoint in the lower part of the PHP file. Configure an endpoint in the $endPoint = "" field.

$accessId = getenv(Constants::ALIYUN_AK_ENV_KEY);
$accessKey = getenv(Constants::ALIYUN_SK_ENV_KEY);
$endPoint = "";

To find the endpoint, open the SMQ console and go to the Queue Details or Topic Details page. The endpoint is displayed in the Endpoint section.

Configure access credentials

SMQ SDK for PHP supports two credential types:

Credential type	When to use	Security
Long-term (AccessKey pair)	Persistent access from a trusted application or service	Rotate every three months. Disable unused AccessKey pairs immediately.
Temporary (STS token)	Short-lived access, cross-account delegation, or least-privilege scenarios	Expires automatically. Supports fine-grained access control.

Use long-term access credentials

Long-term credentials consist of an AccessKey pair associated with a RAM user. Store the AccessKey pair in environment variables rather than embedding it in source code.

Step 1: Obtain an AccessKey pair

Create an AccessKey pair for a RAM user. For details, see the "Create an AccessKey pair for a RAM user" section of Create an AccessKey pair.

Important

Rotate AccessKey pairs that have been in use for more than three months. Disable and delete AccessKey pairs that are no longer in use.

Step 2: Set environment variables

Replace the placeholder values with your actual AccessKey ID and AccessKey secret.

Linux and macOS

# Add to ~/.bash_profile (macOS) or /etc/profile (Linux)
export ALIBABA_CLOUD_ACCESS_KEY_ID=<your-access-key-id>
export ALIBABA_CLOUD_ACCESS_KEY_SECRET=<your-access-key-secret>

Apply the changes:

# macOS
source ~/.bash_profile

# Linux
source /etc/profile

Verify:

echo $ALIBABA_CLOUD_ACCESS_KEY_ID
echo $ALIBABA_CLOUD_ACCESS_KEY_SECRET

Windows

CMD

set ALIBABA_CLOUD_ACCESS_KEY_ID=<your-access-key-id>
set ALIBABA_CLOUD_ACCESS_KEY_SECRET=<your-access-key-secret>

:: Persist across sessions
setx ALIBABA_CLOUD_ACCESS_KEY_ID "%ALIBABA_CLOUD_ACCESS_KEY_ID%"
setx ALIBABA_CLOUD_ACCESS_KEY_SECRET "%ALIBABA_CLOUD_ACCESS_KEY_SECRET%"

PowerShell

# Current session only
$env:ALIBABA_CLOUD_ACCESS_KEY_ID = "<your-access-key-id>"
$env:ALIBABA_CLOUD_ACCESS_KEY_SECRET = "<your-access-key-secret>"

# Persist for the current user
[System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_ID', '<your-access-key-id>', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_SECRET', '<your-access-key-secret>', [System.EnvironmentVariableTarget]::User)

# Persist for all users (requires administrator privileges)
[System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_ID', '<your-access-key-id>', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_SECRET', '<your-access-key-secret>', [System.EnvironmentVariableTarget]::Machine)

GUI (Windows 10 and later)

Right-click This PC and select Properties.
Click Advanced system settings, then click Environment Variables on the Advanced tab.
In the User variables or System variables section, click New and add the following variables:

Variable	Example
`ALIBABA_CLOUD_ACCESS_KEY_ID`	`LTA****`
`ALIBABA_CLOUD_ACCESS_KEY_SECRET`	`moiEs****`

Step 3: Initialize the client

Load the credentials from environment variables and create an SMQ client:

// Read the AccessKey pair from environment variables
$accessId = getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
$accessKey = getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET");

// Set the endpoint (find this in the SMQ console)
$endPoint = "example.endpoint";

// Create the SMQ client
$client = new Client($endPoint, $accessId, $accessKey);

Warning

Do not embed AccessKey pairs directly in source code. Leaked credentials can grant unauthorized access to your resources and lead to data breaches. Always load credentials from environment variables.

Use temporary access credentials

Temporary credentials from Security Token Service (STS) are time-limited and support fine-grained access control. Use them when an application needs short-lived access to SMQ without exposing a long-term AccessKey pair.

Step 1: Set up STS

Create a RAM user. For details, see Create a RAM user.
Attach the AliyunSTSAssumeRoleAccess policy to the RAM user. For details, see Grant permissions to a RAM user.
Call the AssumeRole operation as the RAM user to obtain temporary credentials. For details, see AssumeRole.

Step 2: Set environment variables

Replace the placeholder values with the AccessKey ID, AccessKey secret, and security token returned by STS.

Linux and macOS

# Add to ~/.bash_profile (macOS) or /etc/profile (Linux)
export MNS_ACCESS_KEY_ID=<your-sts-access-key-id>
export MNS_ACCESS_KEY_SECRET=<your-sts-access-key-secret>
export MNS_SESSION_TOKEN=<your-sts-session-token>

Apply the changes:

# macOS
source ~/.bash_profile

# Linux
source /etc/profile

Verify:

echo $MNS_ACCESS_KEY_ID
echo $MNS_ACCESS_KEY_SECRET
echo $MNS_SESSION_TOKEN

Windows

CMD

set MNS_ACCESS_KEY_ID=<your-sts-access-key-id>
set MNS_ACCESS_KEY_SECRET=<your-sts-access-key-secret>
set MNS_SESSION_TOKEN=<your-sts-session-token>

:: Persist across sessions
setx MNS_ACCESS_KEY_ID "%MNS_ACCESS_KEY_ID%"
setx MNS_ACCESS_KEY_SECRET "%MNS_ACCESS_KEY_SECRET%"
setx MNS_SESSION_TOKEN "%MNS_SESSION_TOKEN%"

PowerShell

# Current session only
$env:MNS_ACCESS_KEY_ID = "<your-sts-access-key-id>"
$env:MNS_ACCESS_KEY_SECRET = "<your-sts-access-key-secret>"
$env:MNS_SESSION_TOKEN = "<your-sts-session-token>"

# Persist for the current user
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_ID', '<your-sts-access-key-id>', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_SECRET', '<your-sts-access-key-secret>', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('MNS_SESSION_TOKEN', '<your-sts-session-token>', [System.EnvironmentVariableTarget]::User)

# Persist for all users (requires administrator privileges)
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_ID', '<your-sts-access-key-id>', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_SECRET', '<your-sts-access-key-secret>', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('MNS_SESSION_TOKEN', '<your-sts-session-token>', [System.EnvironmentVariableTarget]::Machine)

GUI (Windows 10 and later)

Right-click This PC and select Properties.
Click Advanced system settings, then click Environment Variables on the Advanced tab.
In the User variables or System variables section, click New and add the following variables:

Variable	Example
`MNS_ACCESS_KEY_ID`	`LTA****`
`MNS_ACCESS_KEY_SECRET`	`moiEs****`
`MNS_SESSION_TOKEN`	`CAES****`

Step 3: Initialize the client

Load the temporary credentials from environment variables and create an SMQ client:

// Read the STS temporary credentials from environment variables
$accessId = getenv("MNS_ACCESS_KEY_ID");
$accessKey = getenv("MNS_ACCESS_KEY_SECRET");
$securityToken = getenv("MNS_SESSION_TOKEN");

// Set the endpoint (find this in the SMQ console)
$endPoint = "example.endpoint";

// Create the SMQ client with the security token
$client = new Client($endPoint, $accessId, $accessKey, $securityToken);

Warning

Do not embed access credentials directly in source code. Leaked credentials can grant unauthorized access to your resources and lead to data breaches. Always load credentials from environment variables.

Placeholder reference

Replace the following placeholders with your actual values:

Placeholder	Description	Example
`<your-access-key-id>`	AccessKey ID of a RAM user	`LTA****`
`<your-access-key-secret>`	AccessKey secret of a RAM user	`moiEs****`
`<your-sts-access-key-id>`	AccessKey ID from STS	`LTA****`
`<your-sts-access-key-secret>`	AccessKey secret from STS	`moiEs****`
`<your-sts-session-token>`	Security token from STS	`CAES****`