Resource Access Management:Best practices for using an access credential to call API operations

Last Updated: May 11, 2024

This topic describes how to use an access credential instead of a hard-coded AccessKey pair to call API operations of Alibaba Cloud in various scenarios.

Background information

An AccessKey pair is provided by Alibaba Cloud and used to complete identity authentication when you call API operations. Each AccessKey pair consists of an AccessKey ID and an AccessKey secret. You must keep the AccessKey pair confidential.

If you hard code a plaintext AccessKey pair in your code to call API operations of Alibaba Cloud, the AccessKey pair may be leaked due to improper permission management of the code repository. This may pose threats to the security of all resources that belong to your account. We recommend that you use an access credential to call API operations of Alibaba Cloud to ensure the security of resources that belong to your account.
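The leak described above is easiest to prevent before code reaches a repository. The following scanner is an added example, not code from the page or from Alibaba Cloud; it assumes that AccessKey IDs begin with "LTAI" and that a quoted 30-character alphanumeric literal on a line that mentions "secret" is a candidate AccessKey secret, and it treats lines that read the value from the environment as the recommended pattern rather than a finding. The sample source it scans is constructed; the key values in it are not real.

```python
import re

# Alibaba Cloud AccessKey IDs begin with "LTAI" (assumed format, 16 to 24 characters in total).
AK_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")
# A quoted 30-character alphanumeric literal is a candidate AccessKey secret (assumed format).
AK_SECRET_RE = re.compile(r"""["'`]([A-Za-z0-9]{30})["'`]""")
# Lines that read the value from the environment follow the recommended practice, so skip them.
ENV_READ_RE = re.compile(r"getenv|environ|Environment\.GetEnvironmentVariable", re.IGNORECASE)


def mask(value: str) -> str:
    """Keep only the first and last four characters so a report does not re-leak the key."""
    return value[:4] + "..." + value[-4:]


def scan_source(text: str, filename: str = "<memory>") -> list:
    """Return one finding per hard-coded AccessKey ID or secret, with the value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_READ_RE.search(line):
            continue
        for m in AK_ID_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "kind": "access_key_id", "value": mask(m.group(0))})
        # Only treat a 30-character literal as a secret when the line names one; this keeps
        # hashes and digests of the same length out of the report.
        if "secret" in line.lower():
            for m in AK_SECRET_RE.finditer(line):
                findings.append({"file": filename, "line": lineno,
                                 "kind": "access_key_secret", "value": mask(m.group(1))})
    return findings


def has_hardcoded_credentials(text: str) -> bool:
    return bool(scan_source(text))


# Constructed sample file: the key values are made up and are not real credentials.
SAMPLE_SOURCE = """\
import os
ACCESS_KEY_ID = "LTAI5tExampleIdValue01"
ACCESS_KEY_SECRET = "ExampleSecretValue0123456789ab"
client = Client(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"], os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"])
digest = "3f2a9c1b4d5e6f708192a3b4c5d6e7"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE, "config.py"):
        print(f"{f['file']}:{f['line']}: hard-coded {f['kind']} {f['value']}")
```

Run against the constructed sample, the scanner reports lines 2 and 3 and ignores line 4 (environment lookup) and line 5 (a digest of the same length with no "secret" on the line). It is a pre-commit check, not a substitute for rotating a key that has already been committed.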

Solution overview

  • Solution: Assume RAM roles by using applications that are deployed in an ACK cluster

    Scenario: If your applications are deployed in a Container Service for Kubernetes (ACK) cluster, you can enable the RAM Roles for Service Accounts (RRSA) feature for the ACK cluster. This way, each application that is deployed in the ACK cluster can assume a different Resource Access Management (RAM) role to call API operations.

  • Solution: Assume an instance RAM role in ECS

    Scenario: If your application is deployed on an Elastic Compute Service (ECS) instance, you can attach an instance RAM role that has specific permissions to the ECS instance. This way, the application that is deployed on the ECS instance can call API operations of Alibaba Cloud.

  • Solution: Configure system environment variables

    Scenario: If the preceding solutions are not applicable, we recommend that you configure system environment variables to call API operations of Alibaba Cloud.

Assume a RAM role by using an application that is deployed in an ACK cluster

Prerequisites

  • An Alibaba Cloud service that works with RAM is used. For more information, see Services that work with RAM.

  • RRSA supports only Kubernetes 1.22 and later. The cluster types that support RRSA include ACK standard cluster, ACK Pro cluster, ACK Serverless standard cluster, and ACK Serverless Pro cluster.

  • Alibaba Cloud SDK V2.0 is installed.

  • The self-developed SDKs of services that use self-managed gateways are not installed.

Working principles

By using the RRSA feature, you can allow different applications in an ACK cluster to assume different RAM roles. Applications can obtain STS tokens, use the tokens to assume specific RAM roles, and then access relevant cloud services. This enforces the principle of least privilege and implements fine-grained access control on the pods of different applications in multi-tenant scenarios. This also allows you to use STS tokens as temporary access tokens when ACK Serverless clusters and elastic container instances are used.


The following steps show how an application accesses a cloud resource when RRSA is used to enforce access control:

  1. The tenant deploys a pod for which the feature of service account token volume projection is enabled.

  2. The ACK cluster creates a service account OpenID Connect (OIDC) token file and mounts the token file to the pod.

  3. The application in the pod uses the OIDC token file to call the AssumeRoleWithOIDC API operation of STS and obtain the STS token that is used to assume a RAM role.

    Note

    To enable the application to perform these operations, you must first create an OIDC identity provider and allow the service account used by the pod to assume the specified RAM role. For more information, see AssumeRoleWithOIDC.

  4. The application in the pod uses the obtained STS token to assume the specified RAM role and then calls the API of the relevant cloud service.

Configuration methods

  • Enable the RRSA feature for an ACK cluster. For more information, see Enable RRSA.

  • Use the RRSA feature in an ACK cluster. For more information, see Work with RRSA.

Sample code

Some Alibaba Cloud SDKs allow applications to call the APIs of specific cloud services by using the OIDC tokens of RRSA. The following table describes the supported SDK versions.

Programming language | Supported SDK version | Example
Go | Alibaba Cloud Credentials for Go 1.2.6 and later | Examples for SDK for Go
Java | Alibaba Cloud Credentials for Java 0.2.10 and later | Examples for SDK for Java
Python 3 | Alibaba Cloud Credentials for Python 0.3.1 and later | Examples for SDK for Python 3
Node.js and TypeScript | Alibaba Cloud Credentials for TypeScript/Node.js 2.2.6 and later | Examples for SDK for Node.js and SDK for TypeScript

Assume an instance RAM role

Prerequisites

  • An Alibaba Cloud service that supports RAM is used. For more information, see Services that work with RAM.

  • Alibaba Cloud SDK V2.0 is installed.

  • The self-developed SDKs of services that use self-managed gateways are not installed.

Working principles

You can attach an instance Resource Access Management (RAM) role to an Elastic Compute Service (ECS) instance. Then, the ECS instance can use the Security Token Service (STS) temporary credential of the instance RAM role to access the APIs of other Alibaba Cloud services. The STS temporary credential is updated on a periodic basis. This ensures the security of your AccessKey pair and implements fine-grained access control and permissions management by using RAM.


  1. An application accesses ECS instance metadata to obtain a Security Token Service (STS) token. For more information, see Overview of ECS instance metadata.

  2. The application uses the STS token to access cloud resources. For more information, see What is STS?
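Both the RRSA procedure (token file, AssumeRoleWithOIDC, STS token) and the instance RAM role procedure above hand the application a temporary STS credential that must be refreshed before it expires, and neither should fall back to a hard-coded key. The following credential chain is an added example, not code from the page or from the Alibaba Cloud Credentials libraries: it tries RRSA first, then the instance metadata service, then the two environment variables from this topic, and caches the result until shortly before expiry. The RRSA environment variable names (ALIBABA_CLOUD_OIDC_TOKEN_FILE, ALIBABA_CLOUD_ROLE_ARN, ALIBABA_CLOUD_OIDC_PROVIDER_ARN) are assumptions, the STS call and the metadata HTTP request are injected stand-ins so that the logic runs offline, and every credential value produced by the stand-ins is constructed.

```python
import json
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Metadata path that lists the attached instance RAM role and, one level down, its STS credential.
METADATA_URL = "http://100.100.100.200/latest/meta-data/ram/security-credentials/"
REFRESH_MARGIN_SECONDS = 300  # renew a temporary credential five minutes before it expires


@dataclass
class Credential:
    access_key_id: str
    access_key_secret: str
    security_token: Optional[str]  # None for a static AccessKey pair
    expiration: Optional[float]    # epoch seconds; None for a static AccessKey pair
    source: str                    # "rrsa", "instance_role" or "env"


def parse_expiration(value: str) -> float:
    """STS and the metadata service return expirations such as 2024-05-11T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


class CredentialChain:
    """Resolve a credential from RRSA, then the instance RAM role, then the environment.

    assume_role_with_oidc(provider_arn, role_arn, oidc_token) and fetch_metadata(url) are
    injected stand-ins (hypothetical callables) for the STS call and the metadata request.
    """

    def __init__(self, env, read_file, assume_role_with_oidc, fetch_metadata, now=time.time):
        self.env, self.read_file, self.now = env, read_file, now
        self.assume_role_with_oidc, self.fetch_metadata = assume_role_with_oidc, fetch_metadata
        self._cached: Optional[Credential] = None
        self.refresh_count = 0

    def get(self) -> Credential:
        """Return the cached credential, resolving again before a temporary one expires."""
        if self._cached is None or self._expiring(self._cached):
            self._cached = self._resolve()
            self.refresh_count += 1
        return self._cached

    def _expiring(self, cred: Credential) -> bool:
        return cred.expiration is not None and self.now() >= cred.expiration - REFRESH_MARGIN_SECONDS

    def _resolve(self) -> Credential:
        for provider in (self._from_rrsa, self._from_instance_role, self._from_env):
            cred = provider()
            if cred is not None:
                return cred
        raise RuntimeError("no credential source available; refusing to fall back to hard-coded keys")

    def _from_rrsa(self) -> Optional[Credential]:
        # RRSA injects the projected token path and the two ARNs into the pod (assumed variable names).
        token_file = self.env.get("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
        role_arn = self.env.get("ALIBABA_CLOUD_ROLE_ARN")
        provider_arn = self.env.get("ALIBABA_CLOUD_OIDC_PROVIDER_ARN")
        if not (token_file and role_arn and provider_arn):
            return None
        oidc_token = self.read_file(token_file)  # re-read on every refresh: the projected token rotates
        resp = self.assume_role_with_oidc(provider_arn, role_arn, oidc_token)
        return Credential(resp["AccessKeyId"], resp["AccessKeySecret"], resp["SecurityToken"],
                          parse_expiration(resp["Expiration"]), "rrsa")

    def _from_instance_role(self) -> Optional[Credential]:
        # A real fetch needs a short timeout: off ECS the metadata address is unreachable.
        role_name = self.fetch_metadata(METADATA_URL)
        if not role_name:
            return None
        doc = json.loads(self.fetch_metadata(METADATA_URL + role_name.strip()))
        return Credential(doc["AccessKeyId"], doc["AccessKeySecret"], doc["SecurityToken"],
                          parse_expiration(doc["Expiration"]), "instance_role")

    def _from_env(self) -> Optional[Credential]:
        ak = self.env.get("ALIBABA_CLOUD_ACCESS_KEY_ID")
        sk = self.env.get("ALIBABA_CLOUD_ACCESS_KEY_SECRET")
        return Credential(ak, sk, None, None, "env") if ak and sk else None


# Constructed stand-ins so the chain runs offline; none of these values are real credentials.
FAKE_EXPIRATION = "2024-05-11T10:00:00Z"

def fake_assume_role_with_oidc(provider_arn, role_arn, oidc_token) -> dict:
    return {"AccessKeyId": "STS.constructed", "AccessKeySecret": "constructed-secret",
            "SecurityToken": "constructed-token", "Expiration": FAKE_EXPIRATION}

def make_fake_fetch_metadata(on_ecs: bool) -> Callable[[str], Optional[str]]:
    def fetch(url: str) -> Optional[str]:
        if not on_ecs:
            return None  # metadata service unreachable: not running on an ECS instance
        if url == METADATA_URL:
            return "demo-instance-role\n"
        return json.dumps(fake_assume_role_with_oidc("", "", ""))
    return fetch

def build_chain(env: dict, on_ecs: bool, now=time.time) -> CredentialChain:
    return CredentialChain(env, lambda path: "constructed.oidc.token",
                           fake_assume_role_with_oidc, make_fake_fetch_metadata(on_ecs), now)
```

The order matters for least privilege: a pod with RRSA configured gets its own role rather than the broader instance role of the node, and an application with neither gets only what the environment variables grant. In a real deployment the two stand-ins would be replaced by the SDK's AssumeRoleWithOIDC call and an HTTP GET to the metadata address with a short timeout; the caching and refresh logic stays the same.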

Configuration methods

Attach an instance RAM role to an ECS instance. For more information, see Attach an instance RAM role to an ECS instance.

Sample code

Alibaba Cloud Credentials is a credential management tool provided by Alibaba Cloud for developers. You can use Alibaba Cloud Credentials to attach an instance RAM role to an ECS instance in a convenient manner. The following sample code provides an example on how to call the DescribeRegions operation of ECS.

Programming language | References
Go | Go sample code
Java | Java sample code
Python | Python sample code
PHP | PHP sample code
Node.js | Node.js sample code
.NET | .NET sample code

Configure system environment variables

Configuration methods

Configure the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables.

  • Linux and macOS

    Run the following commands:

    export ALIBABA_CLOUD_ACCESS_KEY_ID=<access_key_id>
    export ALIBABA_CLOUD_ACCESS_KEY_SECRET=<access_key_secret>

    Replace <access_key_id> with your AccessKey ID and <access_key_secret> with your AccessKey secret.

  • Windows

    1. Create an environment variable file, add the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to the file, and then specify your AccessKey ID for ALIBABA_CLOUD_ACCESS_KEY_ID and your AccessKey secret for ALIBABA_CLOUD_ACCESS_KEY_SECRET.

    2. Restart the Windows operating system.

Sample code of Alibaba Cloud SDKs

Alibaba Cloud SDKs allow you to configure the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables to create a default credential. When you call an API operation, the system reads the AccessKey pair from the default credential and uses the AccessKey pair to complete authentication. The following sample code provides an example on how to call the DescribeRegions operation of ECS.

Programming language | References
Go | Go sample code
Java | Java sample code
Python | Python sample code
PHP | PHP sample code
Node.js | Node.js sample code
.NET | .NET sample code

Common sample code

For self-developed SDKs of services that use self-managed gateways, the following sample code provides an example on how to load environment variables by using Java:

import com.aliyun.credentials.Client;
import com.aliyun.credentials.models.Config;

public class DemoTest {
    public static void main(String[] args) throws Exception {
        Config config = new Config();
        // Credential type: a static AccessKey pair, read from the environment rather than hard-coded
        config.setType("access_key");
        // AccessKey ID of your RAM user, taken from the ALIBABA_CLOUD_ACCESS_KEY_ID environment variable
        config.setAccessKeyId(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"));
        // AccessKey secret of your RAM user, taken from the ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variable
        config.setAccessKeySecret(System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"));
        // Credential client that the self-developed SDK uses to sign its requests
        Client client = new Client(config);
    }
}

References

For more information about best practices for cloud security, see the following topics: