Resource Access Management:Configure OAuth authentication for Alibaba Cloud CLI

Last Updated: Dec 07, 2025

This topic describes how to configure and use OAuth to log on to the Alibaba Cloud CLI. This method replaces traditional AccessKey pair authentication and improves the security of your credentials.

Overview

The Alibaba Cloud CLI version 3.0.299 or later supports OAuth as a credential type. This method uses a browser logon based on the OAuth 2.0 Proof Key for Code Exchange (PKCE) flow to obtain a token that represents the user's identity for accessing Alibaba Cloud resources.
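The client side of the PKCE flow described above, as an added example (not code from the Alibaba Cloud CLI): it generates the code_verifier, derives the S256 code_challenge, builds the authorization request and validates the state on the callback; the token exchange itself is not shown. The authorization endpoint is the one in the SignIn URL printed by the CLI; the client_id, redirect URI and parameter names (standard RFC 7636 names) are assumptions.

```python
"""PKCE (RFC 7636) client side of a browser logon, as the CLI performs it."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://signin.aliyun.com/oauth2/v1/auth"  # from the SignIn url on the page
CLIENT_ID = "<client-id-placeholder>"                        # real value is elided on the page
REDIRECT_URI = "http://127.0.0.1:8080/callback"              # assumed local loopback listener
SCOPES = ("openid", "/internal/ram/usersts")                 # scopes listed in Step 1


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier: 32 bytes give 43 unreserved chars, inside the 43..128 RFC range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_auth_url(verifier: str, state: str) -> str:
    """Authorization request handed to the browser; only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str):
    """Return the authorization code only if the state round-tripped unchanged.

    A mismatching state means the callback was not produced by our own request
    (CSRF or a stale/mixed-up response), so the code is discarded.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return None
    return qs.get("code", [None])[0]


if __name__ == "__main__":
    verifier, state = make_code_verifier(), secrets.token_urlsafe(16)
    print("Open in browser:", build_auth_url(verifier, state))
```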

OAuth authentication has the following advantages over traditional AccessKey pair authentication:

  • Improved security: Eliminates the need to store plaintext AccessKey pairs in local configuration files. This reduces the risk of credential leakage.

  • Integration with existing authentication systems: Works with logon methods such as passkeys, multi-factor authentication (MFA), and single sign-on (SSO), including user-based SSO and role-based SSO.

Prerequisites

Before you begin, make sure the following requirements are met:

  • CLI version: You must have Alibaba Cloud CLI version 3.0.299 or later installed.

  • Administrator permissions: The initial setup requires a RAM administrator with the AliyunRAMFullAccess policy attached.

  • Environment requirements: The device running the Alibaba Cloud CLI must have a graphical user interface (GUI) and a web browser. This authentication method does not work in headless environments, such as a remote Linux server accessed via Secure Shell (SSH), because it requires a browser to complete the login flow.

Procedure

  1. Create a CLI application in Resource Access Management (RAM) for your Alibaba Cloud account in one of the following two ways:

    • Using the Alibaba Cloud CLI: A RAM administrator initiates the first OAuth logon from the CLI. After completing authentication and granting consent in the browser, the system automatically creates an official OAuth application named official-cli.

    • Using the RAM console: A RAM administrator manually installs the official-cli application in the RAM console. Using this method, you do not need to call the AdminConsent operation.

  2. Assign RAM identities. After the CLI application is created, a RAM administrator must assign identities, such as RAM users or RAM roles, to the application. Only assigned identities can use this method to log on to the CLI.

  3. Authorize and log on to the CLI. The assigned RAM user runs the CLI configuration command on their device. The CLI automatically opens a browser. After the user logs on and grants authorization in the browser, the CLI can obtain the token and complete the authentication.

Step 1: Create a CLI application

This step must be performed by a RAM administrator with the AliyunRAMFullAccess policy attached.

Using the Alibaba Cloud CLI

  1. From your terminal, run the following command to start the OAuth configuration. Use a descriptive profile name, such as OAuthProfile.

    aliyun configure --profile OAuthProfile --mode OAuth

  2. When prompted, choose the login site (OAuth Site Type) for your account.

    aliyun configure --profile OAuthProfile --mode OAuth
    Configuring profile 'OAuthProfile' in 'OAuth' authenticate mode...
    OAuth Site Type (CN: 0 or INTL: 1, default: CN): 

    • Enter 0 or CN for the Alibaba Cloud China site (aliyun.com).

    • Enter 1 or INTL for the Alibaba Cloud international site (alibabacloud.com).

    • Press Enter to select the China site (aliyun.com) (CN) by default.

  3. The CLI will attempt to open your default web browser. If it doesn't, copy the SignIn url from the terminal and paste it into your browser.

    Example prompt:

    If the browser does not open automatically, use the following URL to complete the login process:

    SignIn url: https://signin.aliyun.com/oauth2/v1/auth?response_type=code&client_id=...

  4. In the browser, log on using your RAM administrator account.

  5. On the Official Application Authorization page, click Authorize. This action grants administrator consent and creates the official-cli application in your account's RAM console.

    Important

    Administrator consent is a one-time action that installs the application. It is not required again unless the official-cli application is deleted from RAM.

    During the authorization process, the CLI requests the following OAuth scopes. The scopes define the permissions the application can exercise on the user's behalf.

    OAuth scope            Description
    openid                 Obtains the OpenID of the RAM user. OpenID is a string that uniquely identifies a user. However, it does not contain sensitive information such as the UID and name of the user.
    /internal/ram/usersts  Obtains an STS token to call Alibaba Cloud service APIs. Note: this scope can only be used by the official CLI application.

Using the RAM console

  1. Log on to the RAM console.

  2. In the left-side pane, choose Integrations > OAuth Preview.

  3. On the Third-party Application tab, click Provision Official Application.

  4. In the Provision Official Application dialog box, select Official CLI and click OK.

  5. On the Third-party Application tab, verify that the official-cli application now appears in the list of third-party applications.

Step 2: Assign RAM identities to the application

After creating the application, you must specify which RAM users or RAM roles are allowed to use it for CLI authentication. If you created the CLI application using the Alibaba Cloud CLI, you are prompted to assign identities immediately after successful authorization. If you installed the application in the RAM console, skip step 1 below.

  1. Navigate to the official-cli application's details page.

    • If you just created the application using the Alibaba Cloud CLI, your browser may show a success page with a Go now button that takes you to this page.

    • Alternatively, log on to the RAM console and choose Integrations > OAuth Preview. On the Third-party Application tab, click the official-cli application.

  2. Click the Assignments tab, and click Create Assignment.

  3. In the Create Assignment panel, select the RAM identities (RAM users or RAM roles) that you want to grant CLI access to, and click OK.

    Note

    You can only assign RAM users and RAM roles. Assigning user groups is not supported.

Step 3: Authorize and log on to the CLI

Any user who has been assigned to the official-cli application by an administrator can follow these steps to configure their local CLI.

  1. Run the following command to start the configuration process:

    aliyun configure --profile OAuthProfile --mode OAuth

  2. When prompted, select the login site (CN or INTL) that corresponds to your account.

  3. Your default web browser will open to an Alibaba Cloud login page. Log on with your assigned RAM user identity.

  4. If this is your first time logging in with this method, you will be prompted to grant permissions to the CLI. On the User Authorization page, click Authorize.

    Important

    User authorization is a one-time action for your first logon and is not required for subsequent logons, unless the official-cli application is deleted from RAM.

    You can also use this method to authenticate as a RAM role. Before running aliyun configure, first assume the role in your browser session. You can do this in one of two ways:

    • SSO: Log in to the Alibaba Cloud console via your Identity Provider (IdP) using role-based SSO.

    • Console switch role: Log in to the console as a RAM user, and switch to your target RAM role.

    Once you have assumed the role in your browser, run aliyun configure --profile OAuthProfile --mode OAuth in your terminal. The CLI will use your active role session to complete the authentication.

    Note

    Administrator consent and user authorization are two different, required steps.

    • Administrator consent: A one-time action by an admin to install the official-cli application in the account.

    • User authorization: A one-time action by each user to allow the CLI to perform operations on their behalf.

  5. Set the default region. After the authorization is successful, you will be prompted to set a default region.

    Default Region Id []: cn-hangzhou

    Note

    Some cloud services do not support cross-region access. We recommend that you specify the region of your resources.

  6. The terminal displays Configure Done and a welcome message, which indicates that the configuration is successful.

  7. (Optional) Verify your identity. To confirm that you are logged in with the correct identity, run the following command:

    aliyun sts GetCallerIdentity --profile OAuthProfile
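Two post-configuration checks that follow from this procedure, as an added example (not code from the Alibaba Cloud CLI): the first audits the CLI profile store for profiles that still keep a plaintext AccessKey secret on disk alongside the new OAuth profile, the second confirms that the identity returned by GetCallerIdentity is the RAM user or role you intended. It assumes the profile store is ~/.aliyun/config.json with a "profiles" list whose entries carry "name", "mode", "access_key_id" and "access_key_secret", that the OAuth profile is stored with mode "OAuth", and that GetCallerIdentity returns JSON with "Arn" and "IdentityType"; both sample inputs are constructed.

```python
"""Post-configuration checks for an OAuth CLI profile (assumed config layout)."""
import json
from typing import Dict, List

SAMPLE_CONFIG = json.dumps({          # constructed sample of ~/.aliyun/config.json
    "current": "OAuthProfile",
    "profiles": [
        {"name": "default", "mode": "AK",
         "access_key_id": "LTAI_EXAMPLE", "access_key_secret": "s3cr3t_EXAMPLE"},
        {"name": "OAuthProfile", "mode": "OAuth",
         "access_key_id": "", "access_key_secret": ""},
    ],
})

SAMPLE_IDENTITY = json.dumps({        # constructed `aliyun sts GetCallerIdentity` output
    "AccountId": "123456789012****",
    "Arn": "acs:ram::123456789012****:user/alice",
    "IdentityType": "RAMUser",
})


def audit_profiles(config_text: str) -> Dict[str, List[str]]:
    """Split profiles into OAuth ones and ones still holding a plaintext AK secret."""
    cfg = json.loads(config_text)
    result: Dict[str, List[str]] = {"oauth": [], "plaintext_ak": []}
    for profile in cfg.get("profiles", []):
        if profile.get("mode") == "OAuth":
            result["oauth"].append(profile["name"])
        if profile.get("access_key_secret"):      # any non-empty secret left on disk
            result["plaintext_ak"].append(profile["name"])
    return result


def identity_matches(identity_text: str, expected_type: str, arn_suffix: str) -> bool:
    """True only if the profile resolved to the identity type and principal you expect."""
    ident = json.loads(identity_text)
    return (ident.get("IdentityType") == expected_type
            and ident.get("Arn", "").endswith(arn_suffix))


if __name__ == "__main__":
    # Replace the samples with the real file / command output to run this live.
    print(audit_profiles(SAMPLE_CONFIG))
    print(identity_matches(SAMPLE_IDENTITY, "RAMUser", ":user/alice"))
```

Profiles listed under plaintext_ak are the ones the OAuth migration was meant to retire; remove them once the OAuth profile works.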

Troubleshooting

An error "You are not allowed to do this action" appears during administrator consent

Cause: The user you logged in with in the browser does not have the required AliyunRAMFullAccess policy. Administrator consent can only be granted by a RAM administrator.

Solution: In your browser, log out of Alibaba Cloud. Restart the aliyun configure process, and when the browser opens, ensure you log in with a RAM user that has the AliyunRAMFullAccess policy. If you are not a RAM administrator, contact an administrator to perform the operation.