You must configure access credentials to make Object Storage Service (OSS) requests using the C++ software development kit (SDK). Alibaba Cloud services use access credentials to authenticate your identity and access permissions. You can choose different types of access credentials based on the authentication and authorization requirements of your scenario. This topic describes how to configure temporary and long-term access credentials.
Prerequisites
Before you can configure access credentials, you must install the OSS C++ SDK. For more information, see Installation (C++ SDK).
Initialize a credential provider
Select a credential provider
OSS supports multiple ways to initialize a credential provider. You can choose a method based on the authentication and authorization requirements of your scenario.
Credential provider initialization method | Scenarios | Requires a pre-configured AccessKey pair or STS token? | Underlying credential type | Credential validity | Credential rotation or refresh method |
For applications that run in a secure and stable environment not prone to external attacks, and require long-term access to Alibaba Cloud services without frequent credential rotation. | Yes | AccessKey pair | Long-term | Manual rotation | |
For applications that run in an untrusted environment and require control over access duration and permissions. | Yes | STS token | Temporary | Manual refresh | |
If the preceding methods do not meet your requirements, you can define a custom method to obtain credentials. | Custom | Custom | Custom | Custom |
Method 1: Use an AccessKey pair
If your application runs in a secure and stable environment that is not prone to external attacks, requires long-term access to OSS, and cannot rotate credentials frequently, you can use the AccessKey pair (AccessKey ID and AccessKey Secret) of an Alibaba Cloud account or a Resource Access Management (RAM) user to initialize the credential provider. Note that this method requires you to manually maintain an AccessKey pair, which increases security threats and maintenance complexity. For information about how to obtain an AccessKey pair, see CreateAccessKey.
Environment variables
An Alibaba Cloud account has full permissions on all resources. If an AccessKey pair is leaked, it poses significant security threats to your system. Using the AccessKey pair of an Alibaba Cloud account is not recommended. Instead, use the AccessKey pair of a RAM user with the minimum required permissions.
Set environment variables using the AccessKey pair.
Mac OS X/Linux/Unix
export OSS_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID> export OSS_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET>Windows
set OSS_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID> set OSS_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET>Pass the credential information using the environment variables.
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>(); OssClient client(Endpoint, credentialsProvider, conf);
Static credentials
You can use variables in your code to reference credentials. At runtime, these variables are populated with the actual credential values from environment variables, configuration files, or other external data sources.
After you configure the credential information, use the following sample code to pass the information.
std::string accessKeyId = std::getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"); std::string accessKeySecret = std::getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"); auto credentialsProvider = std::make_shared<SimpleCredentialsProvider>(accessKeyId, accessKeySecret, ""); OssClient client(Endpoint, credentialsProvider, conf);
Method 2: Use an STS token
If your application requires temporary access to OSS, you can use temporary identity credentials (AccessKey ID, AccessKey Secret, and a security token) obtained from Security Token Service (STS) to initialize the credential provider. Note that this method requires you to manually maintain an STS token, which increases security threats and maintenance complexity. In addition, to temporarily access OSS multiple times, you must manually refresh the STS token. For information about how to obtain an STS token, see AssumeRole.
Set environment variables using the temporary identity credentials.
Mac OS X/Linux/Unix
export OSS_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID> export OSS_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET> export OSS_SESSION_TOKEN=<ALIBABA_CLOUD_SECURITY_TOKEN>Windows
set OSS_ACCESS_KEY_ID=<ALIBABA_CLOUD_ACCESS_KEY_ID> set OSS_ACCESS_KEY_SECRET=<ALIBABA_CLOUD_ACCESS_KEY_SECRET> set OSS_SESSION_TOKEN=<ALIBABA_CLOUD_SECURITY_TOKEN>Pass the credential information using the environment variables.
auto credentialsProvider = std::make_shared<EnvironmentVariableCredentialsProvider>(); OssClient client(Endpoint, credentialsProvider, conf);
Method 3: Use custom access credentials
If the preceding methods do not meet your requirements, you can implement the `Credential Providers` interface to define a custom credential provider.
#include <alibabacloud/oss/OssClient.h>
using namespace AlibabaCloud::OSS;
class CustomCredentialsProvider : public CredentialsProvider
{
public:
CustomCredentialsProvider()
{
}
~CustomCredentialsProvider()
{
}
Credentials getCredentials() override
{
std::string accessKeyId;
std::string accessKeySecret;
//std::string token;
//TODO
// Custom method to obtain access credentials.
// Return long-term credentials: accessKeyId, accessKeySecret
auto cred = Credentials(accessKeyId, accessKeySecret, "");
// Return temporary credentials: accessKeyId, accessKeySecret, token
// For temporary credentials, you must refresh them based on their expiration time.
// auto cred = Credentials(accessKeyId, accessKeySecret, token);
return cred;
}
private:
};
ClientConfiguration conf;
auto credentialsProvider = std::make_shared<CustomCredentialsProvider>();
OssClient client(Endpoint, credentialsProvider, conf);
What to do next
After you configure access credentials, you must initialize the `OssClient`. For more information, see Initialization (C++ SDK).