
Alibaba Cloud SDK: Create a client

Last Updated: Feb 23, 2022

Create a client

You can create multiple clients at the same time. Each client has independent configurations. You can specify different clients for different API requests. If you do not specify a client, the default client is used to send API requests. You can manually create and manage clients. You can also load configuration files to allow Classic SDK for Go to automatically create clients. Different types of SDK clients have different credentials and signatures. You can also specify a custom credential and signature for a client.

Create clients that authenticate servers based on different credentials

You can manage your AccessKey pairs on the Security Management page. AccessKey pairs are granted full permissions on the resources that belong to your Alibaba Cloud account. Keep your AccessKey pairs confidential. For security purposes, we recommend that you do not share an AccessKey pair of your Alibaba Cloud account with a developer. Instead, you can create a Resource Access Management (RAM) user on the Users page and grant the required permissions to the RAM user on the Grants page. This way, the developer can use an AccessKey pair of the RAM user to call API operations.

client, err := sdk.NewClientWithAccessKey("regionId", "accessKeyId", "accessKeySecret")

To ensure the security of your business, you can apply for temporary security credentials (TSC) from Security Token Service (STS) to create a temporary client.

client, err := sdk.NewClientWithStsToken("regionId", "subaccessKeyId", "subaccessKeySecret", "stsToken")

You can assign a RAM role to a client on the Roles page. Then, the client can automatically apply for and maintain STS tokens before the client initiates an API request. This way, the client becomes an STS client that has a validity period. You can also apply for an STS token and create an STS client.

The following code provides an example on how to create a client that authenticates servers based on RamRoleArn credentials:

client, err := sdk.NewClientWithRamRoleArn("regionId", "subaccessKeyId", "subaccessKeySecret", "roleArn", "roleSession")

If you want to limit the permissions that are granted to an STS token, you can create a policy. The following code provides an example on how to create a client that authenticates servers based on RamRoleArn credentials and limits the permissions that are granted to an STS token:

client, err := sdk.NewClientWithRamRoleArnAndPolicy("regionId", "subaccessKeyId", "subaccessKeySecret", "roleArn", "roleSession", "policy")
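The value passed as "policy" deserves a check before it reaches the client. The following is an added example, not code from the SDK or from this page: it assumes the policy is a RAM policy document in JSON, and the function name CheckSessionPolicy and the sample bucket name are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// oneOrMany decodes a policy field given as a single string or a list.
type oneOrMany []string
func (o *oneOrMany) UnmarshalJSON(b []byte) error {
	var s string
	if json.Unmarshal(b, &s) == nil {
		*o = oneOrMany{s}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(o))
}

// CheckSessionPolicy flags Allow statements whose action or resource is a wildcard.
func CheckSessionPolicy(policy string) ([]string, error) {
	var doc struct {
		Statement []struct {
			Effect           string
			Action, Resource oneOrMany
		}
	}
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return nil, fmt.Errorf("invalid policy JSON: %w", err)
	}
	var findings []string
	for i, st := range doc.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, v := range append(append([]string{}, st.Action...), st.Resource...) {
			if v == "*" || strings.HasSuffix(v, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard %q", i, v))
			}
		}
	}
	return findings, nil
}

// Constructed sample policy; example-bucket is a placeholder.
const scoped = `{"Version":"1","Statement":[{"Effect":"Allow","Action":["oss:GetObject"],"Resource":["acs:oss:*:*:example-bucket/*"]}]}`

func main() {
	fmt.Println(CheckSessionPolicy(scoped))
}
```

A policy that passes with no findings can be handed to sdk.NewClientWithRamRoleArnAndPolicy as the final argument.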

You can assign a RAM role to a client. Then, the client can automatically apply for and maintain STS tokens before the client initiates an API request. This way, the client becomes an STS client that has a validity period. You can also apply for an STS token and create an STS client.

The following code provides an example on how to create a client that authenticates servers based on EcsRamRole credentials:

client, err := sdk.NewClientWithEcsRamRole("regionid", "roleName")

If your Cloud Call Center (CCC) uses clients that authenticate servers based on bearer tokens, you must apply for and maintain bearer tokens.

The following code provides an example on how to create a client that authenticates servers based on bearer tokens:

client, err := sdk.NewClientWithBearerToken("regionId", "bearerToken")

You can specify a public key ID and a private key file to allow a client to automatically apply for and maintain an AccessKey pair before the client initiates an API request. This way, the client becomes an AccessKey client that has a validity period. The feature is supported only on the Japan site.

The following code provides an example on how to create a client that authenticates servers based on Rivest–Shamir–Adleman (RSA) key pairs:

client, err := sdk.NewClientWithRsaKeyPair("regionid", "publicKey", "privateKey", 3600)

Automatically create a client

If you do not create a client before you send an API request, the default credential provider chain is used to search for credentials to create a client. You can also create a custom credential provider chain.

The default credential provider chain searches for and uses credentials in the following order:

The credential provider chain searches for credentials in environment variables. If you define the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET, the credential provider chain uses the environment variables to create a default client. If the client that is specified in a request is not the default client, the credential provider chain searches for and loads clients in the configuration file.

If a default file exists in the home directory of the user, the credential provider chain automatically creates a client based on the specified type and name. The path for the default file is ~/.alibabacloud/credentials. In Windows, the path is C:\Users\USER_NAME\.alibabacloud\credentials. The default file may not exist. However, an exception is thrown if a parsing error occurs. The client name is not case-sensitive. If two clients have the same name, the most recent client overwrites the client that is created earlier. You can also load a specific file by running AlibabaCloud::load('/data/credentials', 'vfs://AlibabaCloud/credentials', ...);. Different projects or tools can share this configuration file because the file is stored outside the projects and cannot be accidentally committed to version control. In Windows, you can reference your home directory by using the environment variable %UserProfile%. In Unix-like systems, you can use the environment variable $HOME or a tilde (~). You can modify the path of the default file when you define the ALIBABA_CLOUD_CREDENTIALS_FILE environment variable.

[default]                          # The default client.
type = access_key                  # Specifies that the client authenticates servers based on AccessKey pairs.
access_key_id = foo                # Key
access_key_secret = bar            # Secret

[client1]                          # The client named client1.
type = ecs_ram_role                # Specifies that the client authenticates servers based on EcsRamRole credentials.
role_name = EcsRamRoleTest         # Role Name

[client2]                          # The client named client2.
type = ram_role_arn                # Specifies that the client authenticates servers based on RamRoleArn credentials.
access_key_id = foo
access_key_secret = bar
role_arn = role_arn
role_session_name = session_name

[client3]                          # The client named client3.
type = rsa_key_pair                # Specifies that the client authenticates servers based on RSA key pairs.
public_key_id = publicKeyId        # Public Key ID
private_key_file = /your/pk.pem    # The private key file.

If you define the environment variable ALIBABA_CLOUD_ECS_METADATA and the environment variable is not empty, the credential provider chain uses the value of the environment variable as the role name, sends a request to http://100.100.100.200/latest/meta-data/ram/security-credentials/ to obtain temporary security credentials, and then creates a default client.
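Because the chain picks the first source that matches, it is worth knowing which one wins on a given host and whether it holds a long-lived secret. The following is an added example, not the SDK's own code: it models the order described above for the default client only, and the names parseProfiles and DefaultSource are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// parseProfiles reads the file format shown above: [name] headers, key = value
// pairs, trailing "# ..." comments. Names are lower-cased; repeats overwrite.
func parseProfiles(content string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var cur map[string]string
	for _, line := range strings.Split(content, "\n") {
		line, _, _ = strings.Cut(line, "#")
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			profiles[strings.ToLower(strings.Trim(line, "[] "))] = cur
		} else if k, v, ok := strings.Cut(line, "="); ok && cur != nil {
			cur[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// DefaultSource models the lookup order described above for the default client
// and reports whether that source holds a long-lived AccessKey secret.
func DefaultSource(env map[string]string, file string) (source string, staticSecret bool) {
	def := parseProfiles(file)["default"]
	switch {
	case env["ALIBABA_CLOUD_ACCESS_KEY_ID"] != "" && env["ALIBABA_CLOUD_ACCESS_KEY_SECRET"] != "":
		return "env", true
	case def != nil:
		return "file:" + def["type"], def["access_key_secret"] != ""
	case env["ALIBABA_CLOUD_ECS_METADATA"] != "":
		return "ecs_metadata", false
	}
	return "none", false
}

// sample is constructed for this example; foo and bar are placeholders.
const sample = "[Default]\ntype = access_key\naccess_key_id = foo  # Key\naccess_key_secret = bar\n"

func main() {
	fmt.Println(DefaultSource(map[string]string{"ALIBABA_CLOUD_ECS_METADATA": "EcsRamRoleTest"}, sample))
}
```

In the sample run the file's static key is selected even though an ECS role name is set, which is the case to look for when a host is expected to use temporary credentials.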

You can use a custom credential provider chain to search for credentials, or write a closure to pass the provider.

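// provider is github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/provider
client, err := sdk.NewClientWithProvider("regionId", provider.ProviderInstance, provider.ProviderProfile, provider.ProviderEnv)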