Resource Access Management: Quick start: Create and use an AccessKey pair for programmatic access

Last Updated: Dec 04, 2025

This topic demonstrates how to create an AccessKey pair in Resource Access Management (RAM), view and retrieve its information, and use it to access Alibaba Cloud resources. This topic uses the Alibaba Cloud CLI as an example.

Important

As a best practice, avoid using long-term AccessKey pairs to access Alibaba Cloud resources directly. For more information, see Best practices for machine identities.

What is an AccessKey pair?

An AccessKey pair comprises an AccessKey ID and an AccessKey secret. AccessKey pairs are primarily used to authenticate the identity of an application or service when it calls Alibaba Cloud APIs.

An AccessKey pair is associated with a specific RAM user and is a long-term credential. As a long-term credential, it poses a high security risk if exposed.

Procedure

  1. Create an AccessKey pair for a specified RAM user.

  2. Configure the Alibaba Cloud CLI and use the AccessKey pair to call an API directly or indirectly.

  3. Remove the local credential configuration, and then disable and delete the AccessKey pair.

Prerequisites

  • Create a RAM user. Do not use your Alibaba Cloud account to create an AccessKey pair.

  • Attach the AliyunRAMFullAccess system policy to the RAM user. Remove the policy after you complete this tutorial.

  • Install Alibaba Cloud CLI.

Create an AccessKey pair

  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.

  2. Find the target RAM user and click its name.

  3. On the Authentication tab, in the AccessKey section, click Create AccessKey.

    Note

    Each RAM user can have a maximum of two AccessKey pairs. One AccessKey pair is for active use, and the second should be created only when you need to rotate AccessKey pairs. If the current RAM user has reached the limit, you can create an AccessKey pair for another RAM user, or delete an unused AccessKey pair after you confirm that it is safe to do so.

  4. In the confirmation dialog box that appears, select CLI, select I confirm that it is necessary to create an AccessKey, then click Continue.

  5. Follow the on-screen instructions to complete multi-factor authentication (MFA).

  6. In the Create AccessKey dialog box, click Download CSV File to save the AccessKey ID and AccessKey secret. Then, click OK.

    Important

    The AccessKey secret is displayed only at the time of creation and cannot be retrieved later. Make sure to store it securely.

Use an AccessKey pair to call an API

Note

This topic uses the Alibaba Cloud CLI as an example of how to use an AccessKey pair. To learn how to use an AccessKey pair in your code, see the following reference:

  • "Method 2: Use an AccessKey pair" and "Method 4: Use an AccessKey pair and a RAM role" sections of the Manage access credentials topic

Use an AccessKey pair directly

This method is simple but poses risks, such as hard-coding keys or granting excessive permissions, because it configures the AccessKey pair directly on the client. It is not recommended for production environments.

  1. Attach the AliyunRAMReadOnlyAccess policy to the RAM user that owns the AccessKey pair to grant it read-only access to RAM.

    1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.

    2. Find the target RAM user and click Add Permissions in the Actions column.

    3. In the Grant Permission panel, search for and select the AliyunRAMReadOnlyAccess system policy, and click OK.

    4. Return to the Users page and click the target RAM user's name. On the Permissions > Individual tab, verify that the AliyunRAMReadOnlyAccess policy is displayed.

  2. Open your local terminal and run the following command to configure identity credentials interactively.

    aliyun configure --profile AkProfile

  3. Follow the command-line prompts to enter the AccessKey ID and AccessKey secret that you saved in the Create an AccessKey pair step. Then, set the region and language.

    Configuring profile 'AkProfile' in 'AK' authenticate mode...
    Access Key Id []: <yourAccessKeyID>
    Access Key Secret []: <yourAccessKeySecret>
    Default Region Id []: cn-shanghai
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[AkProfile] ...Done.

  4. If the AccessKey pair and other configurations are correct, the following output is returned in the terminal. If an error occurs, delete the cached Alibaba Cloud CLI credentials, check the configuration, then run the command in Step 2 again.

    Configure Done!!!
    ..............888888888888888888888 ........=8888888888888888888D=..............
    ...........88888888888888888888888 ..........D8888888888888888888888I...........
    .........,8888888888888ZI: ...........................=Z88D8888888888D..........
    .........+88888888 ..........................................88888888D..........
    .........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
    .........+88888888 ............. ************* ..............O8888888D..........
    .........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
    .........+88888888...........................................88888888D..........
    ..........D888888888888DO+. ..........................?ND888888888888D..........
    ...........O8888888888888888888888...........D8888888888888888888888=...........
    ............ .:D8888888888888888888.........78888888888888888888O ..............

  5. Run the following command to test the API call.

    aliyun ram ListUsers --profile AkProfile

    If the configuration is correct, the command returns a list of RAM users. The output is similar to the following:

    {
      "IsTruncated": false,
      "RequestId": "B3CDEF9E-A3F4-58B0-80BE-54576991****",
      "Users": {
        "User": [
          {
            "Comments": "",
            "CreateDate": "2025-10-29T02:47:52Z",
            "DisplayName": "username",
            "UpdateDate": "2025-10-29T02:47:52Z",
            "UserId": "20376656170607****",
            "UserName": "username"
          },
          ...
        ]
      }
    }

Use an AccessKey pair indirectly

This method uses an AccessKey pair to obtain a temporary Security Token Service (STS) token and uses it to call an API. This method is more complex to configure but reduces the risk of exposing a long-term AccessKey pair. It also allows for dynamic permission granting through RAM roles, making it a more secure approach.

  1. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user to grant it the permission to call the AssumeRole operation of the STS service.

    1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.

    2. Find the target RAM user and click Add Permissions in the Actions column.

    3. In the Grant Permission panel, search for and select the AliyunSTSAssumeRoleAccess system policy, and click OK.

    4. Return to the Users page and click the target RAM user's name. On the Permissions > Individual tab, verify that the AliyunSTSAssumeRoleAccess policy is displayed.

  2. Create a RAM role and obtain its Alibaba Cloud Resource Name (ARN).

    1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles.

    2. On the Roles page, click Create Role.

    3. On the Create Role page, set Principal Type to Cloud Account, specify an Alibaba Cloud account, then click OK.

    4. In the Create Role dialog box, enter a role name, such as cli-test-role. Click OK.

    5. On the role details page, find the ARN in the Basic Information section and click Copy.

  3. Attach the AliyunRAMReadOnlyAccess policy to the RAM role to grant it read-only access to RAM.

    On the Roles page, click Grant Permission in the Actions column and configure permissions in the same way as in Step 1.

  4. Open your local terminal and run the following command to configure identity credentials interactively.

    aliyun configure --profile RamRoleArnProfile --mode RamRoleArn

  5. Follow the command-line prompts to enter the AccessKey ID and AccessKey secret that you saved in the Create an AccessKey pair step, and the RAM role's ARN that you obtained in Step 2. For other configurations, see the following example.

    Configuring profile 'RamRoleArnProfile' in 'RamRoleArn' authenticate mode...
    Access Key Id []: <yourAccessKeyID>
    Access Key Secret []: <yourAccessKeySecret>
    Sts Region []: cn-shanghai
    Ram Role Arn []: acs:ram::012345678910****:role/cli-test-role
    Role Session Name []: cli-test-role
    External ID []: abcd1234
    Expired Seconds [900]: 900
    Default Region Id []: cn-shanghai
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[RamRoleArnProfile] ...Done.

  6. If the AccessKey pair and other configurations are correct, the following output is returned in the terminal. If an error occurs, delete the cached Alibaba Cloud CLI credentials, check the configuration, then run the command in Step 4 again.

    Configure Done!!!
    ..............888888888888888888888 ........=8888888888888888888D=..............
    ...........88888888888888888888888 ..........D8888888888888888888888I...........
    .........,8888888888888ZI: ...........................=Z88D8888888888D..........
    .........+88888888 ..........................................88888888D..........
    .........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
    .........+88888888 ............. ************* ..............O8888888D..........
    .........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
    .........+88888888...........................................88888888D..........
    ..........D888888888888DO+. ..........................?ND888888888888D..........
    ...........O8888888888888888888888...........D8888888888888888888888=...........
    ............ .:D8888888888888888888.........78888888888888888888O ..............

  7. Run the following command to test the API call.

    aliyun ram ListUsers --profile RamRoleArnProfile

    If the configuration is correct, the command returns a list of RAM users. The output is similar to the following:

    {
      "IsTruncated": false,
      "RequestId": "B3CDEF9E-A3F4-58B0-80BE-54576991****",
      "Users": {
        "User": [
          {
            "Comments": "",
            "CreateDate": "2025-10-29T02:47:52Z",
            "DisplayName": "username",
            "UpdateDate": "2025-10-29T02:47:52Z",
            "UserId": "20376656170607****",
            "UserName": "username"
          },
          ...
        ]
      }
    }
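
Both profiles configured above were given the AccessKey ID and AccessKey secret at the prompts, so the long-term secret is cached on the client in either mode. The following Python audit is an added example, not part of the original topic: it assumes the CLI stores its profiles in ~/.aliyun/config.json with the fields profiles, name, mode and access_key_secret, and the sample configuration it checks is constructed.

```python
import json
import os
import stat
import tempfile

# Assumption: the CLI caches profiles in this file, using the field names below.
DEFAULT_CONFIG = os.path.expanduser("~/.aliyun/config.json")

def audit_profiles(path=DEFAULT_CONFIG):
    """Return (profile, finding) tuples for every cached long-term secret."""
    findings = []
    if not os.path.exists(path):
        return findings  # no cached CLI configuration on this machine
    mode_bits = stat.S_IMODE(os.stat(path).st_mode)
    if mode_bits & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("<file>", f"accessible beyond owner (mode {mode_bits:o})"))
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    for profile in config.get("profiles", []):
        if not profile.get("access_key_secret"):
            continue  # nothing long-term stored in this profile
        name = profile.get("name", "<unnamed>")
        mode = profile.get("mode", "")
        if mode == "AK":
            findings.append((name, "long-term secret stored and used directly"))
        else:
            findings.append((name, f"long-term secret stored ({mode} mode)"))
    return findings

def demo():
    """Audit a constructed config that mirrors the two profiles in this topic."""
    key = {"access_key_id": "<yourAccessKeyID>", "access_key_secret": "constructed"}
    sample = {"current": "AkProfile", "profiles": [
        {"name": "AkProfile", "mode": "AK", **key},
        {"name": "RamRoleArnProfile", "mode": "RamRoleArn", **key,
         "ram_role_arn": "acs:ram::012345678910****:role/cli-test-role"},
        {"name": "Emptied", "mode": "AK", "access_key_id": "", "access_key_secret": ""},
    ]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # deliberately too permissive, to trigger the check
        return audit_profiles(path)

if __name__ == "__main__":
    for name, finding in demo():
        print(f"{name}: {finding}")
```

Calling audit_profiles() with no argument checks the current user's own CLI configuration; an empty list means no profile still holds a long-term secret.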

Remove credentials

Delete the cached Alibaba Cloud CLI credentials

In the terminal, run the following command to delete the cached credentials.

Disable and delete the AccessKey pair

  1. Log on to the RAM console. In the left-side navigation pane, choose Identities > Users.

  2. Find the target RAM user and click its name.

  3. Disable the AccessKey pair: On the Authentication tab, in the AccessKey section, find the target AccessKey pair and click Disable in the Actions column. In the Disable dialog box that appears, click Disable.

  4. Move the AccessKey pair to the recycle bin: Find the target AccessKey pair and click Delete in the Actions column. In the Delete dialog box, enter the current AccessKey ID and click Move to Recycle Bin.

  5. Permanently delete the AccessKey pair: On the user details page, in the AccessKey Pair Recycle Bin section, find the target AccessKey pair and click Delete in the Actions column. In the Delete dialog box, enter the current AccessKey ID and click Delete.
