Leaked AccessKey pairs or STS tokens from Alibaba Cloud accounts or RAM users can compromise your cloud resources and business. Follow these practices to secure credentials and prevent unauthorized access.
Alibaba Cloud uses two credential types: AccessKey pairs and Security Token Service (STS) tokens. For more information, see Credentials.
Common mistakes
- Hardcoding AccessKey pairs in code exposes them to anyone with repository access. Publishing such code to open-source platforms or hosting services amplifies the risk.
- Embedding AccessKey pairs in client-side code lets attackers extract them through decompilation.
- Shared documentation or materials expose AccessKey pairs.
- Sample code in documentation exposes AccessKey pairs.
- API responses expose AccessKey pairs beyond the intended management scope.
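A local check that catches the first two mistakes before code is pushed, as an added example (not from this page and not Security Center's detection; written in Python rather than the page's Java). The "LTAI" prefix assumed for AccessKey IDs and the quoted-secret assignment pattern are heuristics to tune to your own environment; the sample source lines are constructed with fake values.

```python
"""Pre-commit style scan for hardcoded Alibaba Cloud AccessKey pairs.

Added example; not part of the Alibaba Cloud documentation or Security Center.
The ID pattern assumes the conventional "LTAI" prefix of AccessKey IDs and the
secret pattern assumes a quoted string of 20+ base64-like characters assigned
to a secret-looking name; both are heuristics to tune locally.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed: AccessKey IDs begin with "LTAI" followed by 12-24 alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,24}\b")

# Assumed: a secret assigned as a quoted literal to a name that contains
# "access key secret" in any common spelling.
SECRET_ASSIGN_RE = re.compile(
    r"(access[_-]?key[_-]?secret|secret[_-]?access[_-]?key|ak[_-]?secret)"
    r"\s*[:=]\s*['\"]([A-Za-z0-9/+=]{20,})['\"]",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    kind: str      # "access_key_id" or "access_key_secret"
    excerpt: str   # offending line with the matched value masked


def mask(value: str) -> str:
    """Keep a short prefix so the scan report does not itself leak the credential."""
    return value[:4] + "*" * (len(value) - 4)


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per hardcoded AccessKey ID or secret found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id",
                                    line.replace(m.group(0), mask(m.group(0)))))
        m = SECRET_ASSIGN_RE.search(line)
        if m:
            findings.append(Finding(line_no, "access_key_secret",
                                    line.replace(m.group(2), mask(m.group(2)))))
    return findings


def commit_allowed(text: str) -> bool:
    """Gate for a pre-commit hook: block the commit when anything is found."""
    return not scan_source(text)


# Constructed sample input; the values are fake and only follow the shape above.
SAMPLE_SOURCE = """\
// constructed sample file, credentials are fake
String accessKeyId = "LTAI4FakeExampleKey01";
String accessKeySecret = "FakeSecretValue0123456789abcdef";
String fromEnv = System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID");
String endpoint = "ecs.cn-shanghai.aliyuncs.com";
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: hardcoded {f.kind}: {f.excerpt}")
```

The report masks the matched value so that the scanner's own output cannot become a second leak; the line reading the key from `System.getenv` is the pattern the page recommends and produces no finding.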
Security solutions
Avoid transmitting or hardcoding credentials during development.
Do not use your Alibaba Cloud account AccessKey pair
An Alibaba Cloud account has full permissions on all resources, so a leaked AccessKey pair poses critical risks. Never use an Alibaba Cloud account AccessKey pair directly.
Avoid hardcoding credentials in code
Store credentials in environment variables. The following example uses ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET. For more information, see Configure environment variables in Linux, macOS, and Windows.
Sample code:
public static com.aliyun.ecs20140526.Client createClient() throws Exception {
    // Read the AccessKey pair from the environment instead of hardcoding it
    com.aliyun.teaopenapi.models.Config config = new com.aliyun.teaopenapi.models.Config()
            .setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
            .setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
    config.endpoint = "ecs.cn-shanghai.aliyuncs.com";
    return new com.aliyun.ecs20140526.Client(config);
}
Use KMS to manage credentials
Key Management Service (KMS) manages your credentials securely. For more information, see Secret management. Secrets Manager in KMS rotates RAM secrets on a schedule or on demand. With the RAM secret plug-in installed, your application retrieves the current AccessKey pair dynamically. For more information, see Manage and use RAM secrets.
Use an instance RAM role
Attach an instance RAM role to an Elastic Compute Service (ECS) instance, an elastic container instance, or a Container Service for Kubernetes (ACK) worker node. The ECS metadata server provides STS tokens, eliminating hardcoded AccessKey pairs. For more information, see Instance RAM roles, Use an instance RAM role using API operations, and Assign a RAM role to an ECI pod.
Use the RRSA feature
In ACK, a worker node may host pods from multiple services. Any pod can access the ECS metadata server and obtain the worker node's RAM role STS token, causing permission leaks. RAM Roles for Service Accounts (RRSA) provides pod-level access control by injecting OpenID Connect (OIDC) information into environment variables. Use the Alibaba Cloud Credentials tool to obtain STS tokens. For more information, see Use RRSA for pod-level access control.
Use the Alibaba Cloud Credentials tool
The Alibaba Cloud Credentials tool provides a default credential provider chain that eliminates hardcoded credentials. For more information, see Manage credentials.
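How the two credential sources from the preceding sections, environment variables and the instance RAM role's STS token from the ECS metadata server, fit into a provider chain, shown as an added Python example. This is not the Alibaba Cloud Credentials tool or SDK code: the metadata URL, the JSON field names of its response and the ALIBABA_CLOUD_SECURITY_TOKEN variable are assumptions, and the HTTP fetch is injectable so the refresh logic runs offline against a constructed response.

```python
"""Default-credential-chain sketch: environment variables first, then the
instance RAM role via the ECS metadata server, refreshing the STS token
before it expires.

Added example; this is not the Alibaba Cloud Credentials tool or SDK code.
The metadata URL and the JSON field names of its response are assumptions
modelled on the ECS metadata service, and the HTTP fetch is injectable so the
logic runs offline against a constructed response.
"""
import json
import os
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Mapping, Optional

# Assumed endpoint, reachable only from inside the ECS instance.
METADATA_BASE = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"


@dataclass
class Credentials:
    access_key_id: str
    access_key_secret: str
    security_token: Optional[str] = None   # present for STS tokens only
    expiration: Optional[datetime] = None  # None for a long-lived AccessKey pair


def utc_time(iso_z: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' timestamps (assumed metadata format) as UTC."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def env_provider(env: Mapping[str, str] = os.environ) -> Optional[Credentials]:
    """Credentials from the environment variables named on this page."""
    ak = env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
    sk = env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
    if not (ak and sk):
        return None
    # ALIBABA_CLOUD_SECURITY_TOKEN is assumed here for an env-supplied STS token.
    return Credentials(ak, sk, env.get("ALIBABA_CLOUD_SECURITY_TOKEN"))


def default_http_get(url: str) -> str:
    with urllib.request.urlopen(url, timeout=2) as resp:
        return resp.read().decode()


class InstanceRoleProvider:
    """STS token for the instance RAM role, cached and refreshed ahead of expiry."""

    def __init__(self, role_name: str,
                 http_get: Callable[[str], str] = default_http_get,
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
                 refresh_margin: timedelta = timedelta(minutes=5)):
        self.role_name = role_name
        self.http_get = http_get
        self.now = now
        self.refresh_margin = refresh_margin
        self._cached: Optional[Credentials] = None

    def _fetch(self) -> Credentials:
        body = json.loads(self.http_get(METADATA_BASE + self.role_name))
        if body.get("Code") != "Success":  # assumed status field of the response
            raise RuntimeError(f"metadata server returned Code={body.get('Code')!r}")
        return Credentials(body["AccessKeyId"], body["AccessKeySecret"],
                           body["SecurityToken"], utc_time(body["Expiration"]))

    def get(self) -> Optional[Credentials]:
        c = self._cached
        # Refresh when missing or within the margin of expiring, so a request
        # started now does not complete with an already-expired token.
        if c is None or c.expiration - self.now() <= self.refresh_margin:
            self._cached = self._fetch()
        return self._cached


def resolve_credentials(providers) -> Credentials:
    """First provider that yields credentials wins; never fall back to literals."""
    for provider in providers:
        creds = provider()
        if creds is not None:
            return creds
    raise RuntimeError("no credential source configured")


# Constructed metadata response, shaped like the assumed service output.
SAMPLE_METADATA_RESPONSE = json.dumps({
    "AccessKeyId": "STS.ExampleKeyId", "AccessKeySecret": "ExampleSecret",
    "SecurityToken": "ExampleToken", "Expiration": "2030-01-01T01:00:00Z",
    "LastUpdated": "2030-01-01T00:00:00Z", "Code": "Success",
})

if __name__ == "__main__":
    role = InstanceRoleProvider("example-role", http_get=lambda _url: SAMPLE_METADATA_RESPONSE)
    creds = resolve_credentials([env_provider, role.get])
    print(creds.access_key_id, "expires", creds.expiration)
```

The chain deliberately has no final "literal AccessKey pair" fallback: when nothing is configured it fails loudly, which is what makes the hardcoding mistake impossible rather than merely discouraged.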
Detect AccessKey leaks with Security Center
Security Center monitors GitHub in real time for exposed AccessKey pairs of Alibaba Cloud accounts and RAM users and alerts on detection. Handle leak events immediately. For more information, see AccessKey pair leak detection.
Handle AccessKey pair leaks
AccessKey pair leaks
- Disable or delete an AccessKey pair
  Immediately disable or delete the compromised AccessKey pair and create a replacement. For more information, see Disable a RAM user's access key and Delete a RAM user's AccessKey.
- Query AccessKey pair events
  Use the AccessKey pair audit feature of ActionTrail to query AccessKey pair details, including accessed services, IP addresses, and resources. This helps trace usage and identify leaks.
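What the audit step looks like once the events have been exported, as an added Python example (not ActionTrail's own query feature). The event records are constructed, and the field names they use (eventTime, eventName, serviceName, sourceIpAddress, userIdentity.accessKeyId) are assumptions to check against your exported events.

```python
"""Triage of exported ActionTrail events for a compromised AccessKey pair.

Added example, not ActionTrail's own query API. The event records are
constructed and use the field names assumed here (eventTime, eventName,
serviceName, sourceIpAddress, userIdentity.accessKeyId).
"""
from typing import Dict, Iterable

# Calls whose name begins with one of these are treated as read-only; anything
# else is a mutating call that may have changed resources or permissions.
READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Query")


def summarize_key_usage(events: Iterable[dict], access_key_id: str,
                        known_ips: Iterable[str] = ()) -> Dict[str, object]:
    """Summarise where, from which addresses and for what a given AccessKey ID was used."""
    known = set(known_ips)
    matched = sorted(
        (e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id),
        key=lambda e: e["eventTime"],
    )
    ips = {e["sourceIpAddress"] for e in matched}
    mutating = [(e["eventTime"], e["eventName"], e["sourceIpAddress"])
                for e in matched if not e["eventName"].startswith(READ_ONLY_PREFIXES)]
    return {
        "access_key_id": access_key_id,
        "count": len(matched),
        "first_seen": matched[0]["eventTime"] if matched else None,
        "last_seen": matched[-1]["eventTime"] if matched else None,
        "services": sorted({e["serviceName"] for e in matched}),
        "source_ips": sorted(ips),
        "unknown_ips": sorted(ips - known),   # addresses outside your own egress set
        "mutating_calls": mutating,
    }


def needs_escalation(summary: Dict[str, object]) -> bool:
    """Unknown source addresses or mutating calls: rotate the key now and review what changed."""
    return bool(summary["unknown_ips"]) or bool(summary["mutating_calls"])


def _event(time, name, service, ip, key):
    return {"eventTime": time, "eventName": name, "serviceName": service,
            "sourceIpAddress": ip, "userIdentity": {"accessKeyId": key}}


# Constructed sample events; the key IDs and addresses are fake.
LEAKED_KEY = "LTAIexampleLeaked01"
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", "DescribeInstances", "Ecs", "203.0.113.10", LEAKED_KEY),
    _event("2024-05-01T10:05:00Z", "ListBuckets", "Oss", "198.51.100.7", LEAKED_KEY),
    _event("2024-05-01T10:07:00Z", "RunInstances", "Ecs", "198.51.100.7", LEAKED_KEY),
    _event("2024-05-01T10:09:00Z", "CreateUser", "Ram", "198.51.100.7", LEAKED_KEY),
    _event("2024-05-01T10:10:00Z", "DescribeRegions", "Ecs", "203.0.113.10", "LTAIexampleOther02"),
]
KNOWN_EGRESS_IPS = {"203.0.113.10"}  # constructed: your own CI/office egress addresses

if __name__ == "__main__":
    s = summarize_key_usage(SAMPLE_EVENTS, LEAKED_KEY, KNOWN_EGRESS_IPS)
    print("escalate" if needs_escalation(s) else "monitor", s)
```

Separating read-only from mutating calls matters for the cleanup that follows revocation: the mutating list is the set of changes (new users, new instances) that must be reviewed and reverted after the key itself is disabled.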
STS token leaks
An STS token is valid for 15 minutes to 12 hours. Even within this window, a leaked token poses serious security risks. To invalidate a compromised STS token:
- Log on to the RAM console.
- Detach all policies from the RAM role. For more information, see Revoke permissions from a RAM role.
- Or, delete the RAM role entirely. For more information, see Delete a RAM role.
This action immediately invalidates all unexpired STS tokens for that role.
To resume using the role afterward, create a new role with the same name and policies.