
OpenSearch: Authenticate identities and verify permissions

Last Updated: Aug 05, 2025

When you call AI Open Search Platform services through API operations or SDKs, the platform authenticates your identity or verifies your permissions. This topic describes the methods for identity authentication and permission verification.

(Recommended) Use an API key

You can use an API key provided by AI Open Search Platform for identity authentication and permission verification.

You can log on to the AI Open Search Platform console and create and manage API keys in a workspace. If you want to authorize a Resource Access Management (RAM) user to use an API key in a workspace, grant the RAM user the permissions to use the API key. For more information, see Create RAM users and grant permissions.

Important
  • API keys are workspace-specific in AI Open Search Platform. If a RAM user is authorized to use an enabled API key in a workspace and you specify the API key in the code for calling services in the workspace, the RAM user can call all services within the workspace by calling API operations or by using SDKs without additional authorization.

  • To prevent API key leaks, take note of the following items:

    • Do not disclose API keys in any way. This prevents security risks or financial losses due to unauthorized use.

    • Make sure that all API calls are initiated from servers. API calls initiated from a client, such as a browser, an application, or a mini program, may cause API key leaks.

    • If you suspect that an API key has been leaked, log on to the AI Open Search Platform console, disable the API key, and then delete it. After an API key is disabled, it can no longer be used to call the API operations of AI Open Search Platform.

Use an AccessKey pair

You can also use an AccessKey pair for identity authentication and permission verification. An AccessKey pair is a permanent access credential provided by Alibaba Cloud, which consists of an AccessKey ID and an AccessKey secret.

AccessKey pairs are not used to log on to Alibaba Cloud service consoles. They are used to access Alibaba Cloud services through development tools such as APIs, CLI, SDKs, and Terraform. In each request, a signature is generated from the request content by using the AccessKey pair. The signature is used to verify the identity of the user who sends the request and the validity of the request.

Important
  • We recommend that you create a dedicated RAM user for calling API operations, create an AccessKey pair for the RAM user, and then grant permissions to the RAM user based on the principle of least privilege. Then, the RAM user can call API operations to use the services in AI Open Search Platform. For more information, see Create RAM user and grant permissions.

  • To prevent security risks caused by the hard coding of AccessKey pairs into your business code, we recommend that you manage AccessKey pairs by configuring environment variables. For more information, see Configure environment variables in Linux, macOS, and Windows.
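
The following is an added example, not code from this documentation or from an Alibaba Cloud SDK: a server-side loader that reads the AccessKey pair from environment variables, fails closed when either value is missing, and keeps the secret out of log and debug output. The variable names `ALIBABA_CLOUD_ACCESS_KEY_ID` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` and all class and function names are assumptions that this page does not specify.

```python
import os
from dataclasses import dataclass, field

# Assumed variable names (not given on this page); they follow the naming
# commonly used by Alibaba Cloud SDKs.
ID_VAR = "ALIBABA_CLOUD_ACCESS_KEY_ID"
SECRET_VAR = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"


class MissingCredentialError(RuntimeError):
    """Raised when a required credential variable is unset or blank."""


@dataclass(frozen=True)
class AccessKeyPair:
    access_key_id: str
    # repr=False keeps the secret out of logs, tracebacks and debug output.
    access_key_secret: str = field(repr=False)

    def masked_id(self) -> str:
        """Return the ID with all but the last four characters masked."""
        return "*" * max(len(self.access_key_id) - 4, 0) + self.access_key_id[-4:]


def load_access_key_pair(environ=os.environ) -> AccessKeyPair:
    """Read the AccessKey pair from the environment and fail closed."""
    values = {}
    for name in (ID_VAR, SECRET_VAR):
        value = environ.get(name, "").strip()
        if not value:
            # Report only the variable name, never a partial value.
            raise MissingCredentialError(f"environment variable {name} is not set")
        values[name] = value
    return AccessKeyPair(values[ID_VAR], values[SECRET_VAR])


if __name__ == "__main__":
    # Constructed sample values; real ones are exported by the deployment
    # environment, not written into source code.
    sample = {ID_VAR: "EXAMPLE-ID-0001", SECRET_VAR: "example-secret-value"}
    pair = load_access_key_pair(sample)
    print(pair)              # the secret field is omitted from the repr
    print(pair.masked_id())
```

Call `load_access_key_pair()` once at service startup so that a missing credential stops the process before it handles any request.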