All Products
Search

This Product

    Alibaba Cloud SDK:Manage access credentials

    Document Center

    Alibaba Cloud SDK:Manage access credentials

    Last Updated:Apr 03, 2025

    When you call API operations to manage cloud resources by using Alibaba Cloud SDKs, you must configure valid credential information. The Credentials tool of Alibaba Cloud provides a set of easy-to-use features and supports various types of credentials, including the default credential, AccessKey pairs, and Security Token Service (STS) tokens. The Credentials tool helps you obtain and manage credentials. This topic describes the order based on which the Credentials tool obtains the default credential. You can develop a thorough knowledge of configuring and managing credentials in Alibaba Cloud SDKs. This ensures that you can perform operations on cloud resources in an efficient and secure manner.

    Background information

    A credential is a set of information that is used to prove the identity of a user. When you log on to the system, you must use a valid credential to complete identity authentication. The following types of credentials are commonly used:

    1. The AccessKey pair of an Alibaba Cloud account or a Resource Access Management (RAM) user. An AccessKey pair is permanently valid and consists of an AccessKey ID and an AccessKey secret.

    2. An STS token of a RAM role. An STS token is a temporary credential. You can specify a validity period and access permissions for an STS token. For more information, see What is STS?

    3. A bearer token. It is used for identity authentication and authorization.

    Prerequisites

    Install the Credentials tool

    • Run the go get command to install Alibaba Cloud Credentials for Go. 

      $ go get -u github.com/aliyun/credentials-go

    • If you use the dep tool to manage dependencies for Go, run the following command to install Alibaba Cloud Credentials for Go: 

      dep ensure -add github.com/aliyun/credentials-go

    We recommend that you use the latest version of Alibaba Cloud Credentials for Go. This ensures that all credentials are supported.

    Initialize a Credentials client

    You can use one of the following methods to initialize a Credentials client based on your business requirements:

    Important

    If you use a plaintext AccessKey pair in a project, the AccessKey pair may be leaked due to improper permission management on the code repository. This may threaten the security of all resources within the account to which the AccessKey pair belongs. We recommend that you store the AccessKey pair in environment variables or configuration files.

    Method 1: Use the default credential provider chain

    If you do not specify a method to initialize a Credentials client, the default credential provider chain is used. For more information about how to obtain the default credential provider chain, see the Default credential provider chain section of this topic. 

    package main

import (
	"fmt"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	// Do not specify a method to initialize a Credentials client.
	credential, err := credentials.NewCredential(nil)
}

    Example

    The following sample code provides an example on how to call the DescribeRegions operation of Elastic Compute Service (ECS). Before you call this operation, you must install ECS SDK for Go. 

    package main

import (
	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v4/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	// Use the default credential to initialize a Credentials client. 
	credentialClient, _err := credentials.NewCredential(nil)
	if _err != nil {
		panic(_err)
	}

	ecsConfig := &openapi.Config{}
	// Specify the endpoint of ECS. 
	ecsConfig.Endpoint = tea.String("ecs.cn-beijing.aliyuncs.com")
	// Use the SDK Credentials package to configure a credential. 
	ecsConfig.Credential = credentialClient
	// Initialize the ECS SDK client. 
	ecsClient, _err := ecs20140526.NewClient(ecsConfig)
	// Initialize the request to call the DescribeRegions operation. 
	describeInstancesRequest := &ecs20140526.DescribeRegionsRequest{}
	// Initialize the runtime configuration. 
	runtime := &util.RuntimeOptions{}
	// Call the DescribeRegions operation and obtain a response. 
	response, _err := ecsClient.DescribeRegionsWithOptions(describeInstancesRequest, runtime)
	if _err != nil {
		panic(_err)
	}
	panic(response.Body.String())
}

    Method 2: Use an AccessKey pair

    You can create an AccessKey pair that is used to call API operations for your Alibaba Cloud account or a RAM user. For more information, see Create an AccessKey pair. Then, you can use the AccessKey pair to initialize a Credentials client.

    Warning

    An Alibaba Cloud account has full permissions on resources within the account. AccessKey pair leaks of an Alibaba Cloud account pose critical threats to the system.

    Therefore, we recommend that you use an AccessKey pair of a RAM user that is granted permissions based on the principle of least privilege (PoLP) to initialize a Credentials client. 

    import (
	"fmt"
	"os"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	config := new(credentials.Config).
		SetType("access_key").
		SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
		SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))

	akCredential, err := credentials.NewCredential(config)
	if err != nil {
		return
	}
	accessKeyId, err := akCredential.GetAccessKeyId()
	accessSecret, err := akCredential.GetAccessKeySecret()
	credentialType := akCredential.GetType()
	fmt.Println(accessKeyId, accessSecret, credentialType)
}

    Example

    You can use the Credentials tool to read an AccessKey pair and use the AccessKey pair as a credential to call the API operations of Alibaba Cloud services.

    The following sample code provides an example on how to call the DescribeRegions operation of ECS. Before you call this operation, you must install ECS SDK for Go. 

    package main

import (
	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v4/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials"
	"os"
)

func main() {
	// Use an AccessKey pair and a RAM role to initialize a Credentials client. 
	credentialsConfig := new(credentials.Config).
		// Specify the credential type. 
		SetType("access_key").
		// Specify the AccessKey ID. 
		SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
		// Specify the AccessKey secret. 
		SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
	credentialClient, _err := credentials.NewCredential(credentialsConfig)
	if _err != nil {
		panic(_err)
	}

	ecsConfig := &openapi.Config{}
	// Specify the endpoint of ECS. 
	ecsConfig.Endpoint = tea.String("ecs.cn-beijing.aliyuncs.com")
	// Use the SDK Credentials package to configure a credential. 
	ecsConfig.Credential = credentialClient
	// Initialize the ECS SDK client. 
	ecsClient, _err := ecs20140526.NewClient(ecsConfig)
	// Initialize the request to call the DescribeRegions operation. 
	describeInstancesRequest := &ecs20140526.DescribeRegionsRequest{}
	// Initialize the runtime configuration. 
	runtime := &util.RuntimeOptions{}
	// Call the DescribeRegions operation and obtain a response. 
	response, _err := ecsClient.DescribeRegionsWithOptions(describeInstancesRequest, runtime)
	if _err != nil {
		panic(_err)
	}
	panic(response.Body.String())
}

    Method 3: Use an STS token

    You can call the AssumeRole operation of STS as a RAM user to obtain an STS token. You can specify the maximum validity period of the STS token. The following example shows how to initialize a Credentials client by using an STS token. The example does not show how to obtain an STS token. 

    package main

import (
	"fmt"
	"github.com/aliyun/credentials-go/credentials"
	"os"
)

func main() {
	config := new(credentials.Config).
		SetType("sts").
		// Obtain the AccessKey ID from the environment variable. 
		SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
		// Obtain the AccessKey secret from the environment variable.
		SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
		// Obtain the STS token from the environment variable. 
		SetSecurityToken(os.Getenv("ALIBABA_CLOUD_SECURITY_TOKEN"))

	stsCredential, err := credentials.NewCredential(config)
	if err != nil {
		return
	}
	credential, err := stsCredential.GetCredential()
	accessKeyId := credential.AccessKeyId
	accessKeySecret := credential.AccessKeySecret
	securityToken := credential.SecurityToken
	credentialType := credential.Type
	fmt.Println(accessKeyId, accessKeySecret, securityToken, credentialType)
}

    Example

    You can use the Credentials tool to read an STS token and use the STS token as a credential to call the API operations of Alibaba Cloud services.

    The following sample code provides an example on how to call the DescribeRegions operation of ECS. Before you call this operation, you must install ECS SDK for Go and STS SDK for Go. 

    package main

import (
	"os"

	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v4/client"
	sts20150401 "github.com/alibabacloud-go/sts-20150401/v2/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	// Create an STS client and call the AssumeRole operation to obtain the STS token.
	stsConfig := &openapi.Config{}
	stsConfig.SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID"))
	stsConfig.SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
	stsConfig.SetEndpoint("sts.cn-hangzhou.aliyuncs.com")
	client, _err := sts20150401.NewClient(stsConfig)
	if _err != nil {
		panic(_err)
	}
	assumeRoleRequest := &sts20150401.AssumeRoleRequest{}
	// Specify the Alibaba Cloud Resource Name (ARN) of the RAM role to be assumed. Example: acs:ram::123456789012****:role/adminrole. You can obtain the value from the ALIBABA_CLOUD_ROLE_ARN environment variable.
	assumeRoleRequest.SetRoleArn("<RoleArn>")
	// Specify the role session name by specifying the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
	assumeRoleRequest.SetRoleSessionName("<RoleSessionName>")
	assumeRoleRequest.SetDurationSeconds(3600)
	result, _err := client.AssumeRole(assumeRoleRequest)
	if _err != nil {
		panic(_err)
	}
	assumeRoleResponseBodyCredentials := result.Body.Credentials

	// Use an STS token to initialize a Credentials client. 
	credentialsConfig := new(credentials.Config).
		// Specify the credential type. 
		SetType("sts").
		SetAccessKeyId(*assumeRoleResponseBodyCredentials.AccessKeyId).
		SetAccessKeySecret(*assumeRoleResponseBodyCredentials.AccessKeySecret).
		SetSecurityToken(*assumeRoleResponseBodyCredentials.SecurityToken)

	credentialClient, _err := credentials.NewCredential(credentialsConfig)
	if _err != nil {
		panic(_err)
	}

	ecsConfig := &openapi.Config{}
	// Specify the endpoint of ECS. 
	ecsConfig.Endpoint = tea.String("ecs.cn-hangzhou.aliyuncs.com")
	// Use the SDK Credentials package to configure a credential. 
	ecsConfig.Credential = credentialClient
	// Initialize the ECS SDK client. 
	ecsClient, _err := ecs20140526.NewClient(ecsConfig)
	// Initialize the request to call the DescribeRegions operation. 
	describeInstancesRequest := &ecs20140526.DescribeRegionsRequest{}
	// Initialize the runtime configuration. 
	runtime := &util.RuntimeOptions{}
	// Call the DescribeRegions operation and obtain a response. 
	response, _err := ecsClient.DescribeRegionsWithOptions(describeInstancesRequest, runtime)
	if _err != nil {
		panic(_err)
	}
	panic(response.Body.String())
}

    Method 4: Use an AccessKey pair and a RAM role

    The underlying logic of this method is to use an STS token to initialize a Credentials client. After you specify the ARN of a RAM role, the Credentials tool can obtain an STS token from STS. You can also use the SetPolicy method to limit the permissions of the RAM role. 

    package main

import (
	"fmt"
	"os"

	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	config := new(credentials.Config).
		SetType("ram_role_arn").
		SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
		SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
		// Specify the ARN of the RAM role to be assumed. Example: acs:ram::123456789012****:role/adminrole. You can obtain the value from the ALIBABA_CLOUD_ROLE_ARN environment variable.
		SetRoleArn("<RoleArn>").
		// Specify the role session name by specifying the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
		SetRoleSessionName("<RoleSessionName>").
		// Optional. Specify limited permissions for the RAM role. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}.
		SetPolicy("<Policy>").
		// Optional. Specify the validity period of the session. 
		SetRoleSessionExpiration(3600).
		// Optional. The external ID. This parameter is provided by an external party and is used to prevent the confused deputy problem. 
		SetExternalId("ExternalId").
		// Optional. The endpoint of STS. The default value is sts.aliyuncs.com. We recommend that you use the STS endpoint of a region that is geographically closest to you to ensure network connectivity.
		SetSTSEndpoint("sts.cn-hangzhou.aliyuncs.com")

	arnCredential, err := credentials.NewCredential(config)
	if err != nil {
		return
	}

	credential, err := arnCredential.GetCredential()
	accessKeyId := credential.AccessKeyId
	accessKeySecret := credential.AccessKeySecret
	securityToken := credential.SecurityToken
	credentialType := credential.Type
	fmt.Println(accessKeyId, accessKeySecret, securityToken, credentialType)
}

    Example

    The following sample code provides an example on how to call the DescribeRegions operation of ECS. Before you call this operation, you must install ECS SDK for Go. 

    package main

import (
	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v4/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	"github.com/aliyun/credentials-go/credentials"
	"os"
)

func main() {
	// Use the ARN of your RAM role to initialize the Credentials client. 
	credentialsConfig := new(credentials.Config).
		// Specify the credential type. 
		SetType("ram_role_arn").
		// Specify the AccessKey ID. 
		SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
		// Specify the AccessKey secret. 
		SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
		// Specify the ARN of the RAM role to be assumed. Example: acs:ram::123456789012****:role/adminrole. You can obtain the value from the ALIBABA_CLOUD_ROLE_ARN environment variable.
		SetRoleArn("<RoleArn>").
		// Specify the role session name by specifying the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
		SetRoleSessionName("<RoleSessionName>").
		// Optional. Specify limited permissions for the RAM role. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}.
		SetPolicy("<Policy>").
		// Optional. Specify the validity period of the session. 
		SetRoleSessionExpiration(3600).
		// Optional. The endpoint of STS. The default value is sts.aliyuncs.com. We recommend that you use the STS endpoint of a region that is geographically closest to you to ensure network connectivity.
		SetSTSEndpoint("sts.cn-hangzhou.aliyuncs.com")
	credentialClient, _err := credentials.NewCredential(credentialsConfig)
	if _err != nil {
		panic(_err)
	}

	ecsConfig := &openapi.Config{}
	// Specify the endpoint of ECS. 
	ecsConfig.Endpoint = tea.String("ecs.cn-beijing.aliyuncs.com")
	// Use the SDK Credentials package to configure a credential. 
	ecsConfig.Credential = credentialClient
	// Initialize the ECS SDK client. 
	ecsClient, _err := ecs20140526.NewClient(ecsConfig)
	// Initialize the request to call the DescribeRegions operation. 
	describeInstancesRequest := &ecs20140526.DescribeRegionsRequest{}
	// Initialize the runtime configuration. 
	runtime := &util.RuntimeOptions{}
	// Call the DescribeRegions operation and obtain a response. 
	response, _err := ecsClient.DescribeRegionsWithOptions(describeInstancesRequest, runtime)
	if _err != nil {
		panic(_err)
	}
	panic(response.Body.String())
}

    Method 5: Use the RAM role of an ECS instance

    ECS instances and elastic container instances can be assigned RAM roles. Programs that run on the instances can use the Credentials tool to automatically obtain an STS token for the RAM role. The STS token can be used to initialize the Credentials client.

    By default, the Credentials tool accesses the metadata server of ECS in security hardening mode (IMDSv2). If an exception is thrown, the Credentials tool switches to the normal mode (IMDSv1). You can also configure the disableIMDSv1 parameter or the ALIBABA_CLOUD_IMDSV1_DISABLE environment variable to specify the exception handling logic. Valid values:

    • false (default): The Credentials tool continues to obtain the access credential in normal mode (IMDSv1).

    • true: The exception is thrown and the Credentials tool continues to obtain the access credential in security hardening mode (IMDSv2).

    The configurations for the metadata server determine whether the server supports the security hardening mode (IMDSv2).

    In addition, you can specify ALIBABA_CLOUD_ECS_METADATA_DISABLED=true to disable access from the Credentials tool to the metadata server of ECS.

    Note

    • If you obtain an STS token in security hardening mode (IMDSv2), make sure that the version of credentials-go is 1.3.10 or later.

    • For more information about ECS instance metadata, see Obtain instance metadata.

    • For more information about how to attach a RAM role to an ECS instance, see the "Create an instance RAM role and attach the instance RAM role to an ECS instance" section of the Instance RAM roles topic. For more information about how to attach a RAM role to an elastic container instance, see the "Assign the instance RAM role to an elastic container instance" section of the Use an instance RAM role by calling API operations topic. 

    package main

import (
	"fmt"
	"github.com/aliyun/credentials-go/credentials"
)

func _main(args []*string) {
	// Use the RAM role of an ECS instance to initialize a Credentials client. 
	credentialsConfig := new(credentials.Config).
		// Specify the credential type. 
		SetType("ecs_ram_role").
		// Optional. Specify the name of the RAM role of the ECS instance by specifying the ALIBABA_CLOUD_ECS_METADATA environment variable. If you do not specify this parameter, the value is automatically obtained. We recommend that you specify this parameter to reduce the number of requests.
		SetRoleName("<RoleName>")
	# Default value: false. This parameter is optional. true: The security hardening mode (IMDSv2) is forcibly used. false: The system preferentially attempts to obtain the access credential in security hardening mode (IMDSv2). If the attempt fails, the system switches to the normal mode (IMDSv1) to obtain access credentials.
	// credentialsConfig.SetDisableIMDSv1(true)
	credentialClient, err := credentials.NewCredential(credentialsConfig)
	if err != nil {
		return
	}
	credential, err := credentialClient.GetCredential()
	accessKeyId := credential.AccessKeyId
	accessKeySecret := credential.AccessKeySecret
	securityToken := credential.SecurityToken
	credentialType := credential.Type
	fmt.Println(accessKeyId, accessKeySecret, securityToken, credentialType)
}

    Example

    The following sample code provides an example on how to call the DescribeRegions operation of ECS. Before you call this operation, you must install ECS SDK for Go. 

    package main

import (
	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v4/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	credentials "github.com/aliyun/credentials-go/credentials"
)

func _main(args []*string) {
	// Use the RAM role of an ECS instance to initialize a Credentials client. 
	credentialsConfig := new(credentials.Config).
		// Specify the credential type. 
		SetType("ecs_ram_role").
		// Optional. Specify the name of the RAM role of the ECS instance by specifying the ALIBABA_CLOUD_ECS_METADATA environment variable. If you do not specify this parameter, the value is automatically obtained. We recommend that you specify this parameter to reduce the number of requests.
		SetRoleName("<RoleName>")
	credentialClient, _err := credentials.NewCredential(credentialsConfig)
	if _err != nil {
		panic(_err)
	}

	ecsConfig := &openapi.Config{}
	// Specify the endpoint of ECS. 
	ecsConfig.Endpoint = tea.String("ecs.cn-beijing.aliyuncs.com")
	// Use the SDK Credentials package to configure a credential. 
	ecsConfig.Credential = credentialClient
	// Initialize the ECS SDK client. 
	ecsClient, _err := ecs20140526.NewClient(ecsConfig)
	// Initialize the request to call the DescribeRegions operation. 
	describeInstancesRequest := &ecs20140526.DescribeRegionsRequest{}
	// Initialize the runtime configuration. 
	runtime := &util.RuntimeOptions{}
	// Call the DescribeRegions operation and obtain a response. 
	response, _err := ecsClient.DescribeRegionsWithOptions(describeInstancesRequest, runtime)
	if _err != nil {
		panic(_err)
	}
	panic(response.Body.String())
}

    Method 6: Use the RAM role of an OIDC IdP

    After you attach a RAM role to a worker node in an Container Service for Kubernetes, applications in the pods on the worker node can use the metadata server to obtain an STS token the same way in which applications on ECS instances do. However, if an untrusted application is deployed on the worker node, such as an application that is submitted by your customer and whose code is not available to you, you may not want the application to use the metadata server to obtain an STS token of the RAM role attached to the worker node. To ensure the security of cloud resources and enable untrusted applications to securely obtain required STS tokens, you can use the RAM Roles for Service Accounts (RRSA) feature to grant permissions to an application based on the PoLP. In this case, the ACK cluster creates a service account OpenID Connect (OIDC) token file, associates the token file with a pod, and then injects relevant environment variables into the pod. Then, the Credentials tool uses the environment variables to call the AssumeRoleWithOIDC operation of STS and obtains an STS token of the RAM role. For more information about the RRSA feature, see Use RRSA to authorize different pods to access different cloud services.

    The following environment variables are injected into the pod:

    ALIBABA_CLOUD_ROLE_ARN: the ARN of the RAM role.

    ALIBABA_CLOUD_OIDC_PROVIDER_ARN: the ARN of the OIDC identity provider (IdP).

    ALIBABA_CLOUD_OIDC_TOKEN_FILE: the path of the OIDC token file.

    package main

import (
	"fmt"
	"github.com/aliyun/credentials-go/credentials"
	"os"
)

func main() {
	config := new(credentials.Config).
		SetType("oidc_role_arn").
		// Specify the ARN of the OIDC identity provider (IdP) by specifying the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable.
		SetOIDCProviderArn(os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN")).
		// Specify the path of the OIDC token file by specifying the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable.
		SetOIDCTokenFilePath(os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")).
		// Specify the ARN of the RAM role by specifying the ALIBABA_CLOUD_ROLE_ARN environment variable.
		SetRoleArn(os.Getenv("ALIBABA_CLOUD_ROLE_ARN")).
		// Specify the role session name by specifying the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
		SetRoleSessionName(os.Getenv("ALIBABA_CLOUD_ROLE_SESSION_NAME")).
		// Optional. Specify limited permissions for the RAM role. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}.
		SetPolicy("<Policy>").
		// Optional. Specify the validity period of the session.
		SetRoleSessionExpiration(3600).
		// Optional. The endpoint of STS. The default value is sts.aliyuncs.com. We recommend that you use the STS endpoint of a region that is geographically closest to you to ensure network connectivity.
		SetSTSEndpoint("sts.cn-hangzhou.aliyuncs.com")
	oidcCredential, err := credentials.NewCredential(config)
	if err != nil {
		return
	}
	credential, err := oidcCredential.GetCredential()
	accessKeyId := credential.AccessKeyId
	accessKeySecret := credential.AccessKeySecret
	securityToken := credential.SecurityToken
	credentialType := credential.Type
	fmt.Println(accessKeyId, accessKeySecret, securityToken, credentialType)
}

    Example

    The following sample code provides an example on how to call the DescribeRegions operation of ECS. Before you call this operation, you must install ECS SDK for Go. 

    package main

import (
	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v4/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	credentials "github.com/aliyun/credentials-go/credentials"
	"os"
)

func _main(args []*string) {
	// Use the RAM role of an OIDC IdP to initialize a Credentials client. 
	credentialsConfig := new(credentials.Config).
		// Specify the credential type. 
		SetType("oidc_role_arn").
		// Specify the ARN of the OIDC IdP by specifying the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable.
		SetOIDCProviderArn(os.Getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN")).
		// Specify the path of the OIDC token file by specifying the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable.
		SetOIDCTokenFilePath(os.Getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE")).
		// Specify the ARN of the RAM role by specifying the ALIBABA_CLOUD_ROLE_ARN environment variable.
		SetRoleArn(os.Getenv("ALIBABA_CLOUD_ROLE_ARN")).
		// Specify the role session name by specifying the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable.
		SetRoleSessionName(os.Getenv("ALIBABA_CLOUD_ROLE_SESSION_NAME")).
		// Optional. Specify limited permissions for the RAM role. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}.
		SetPolicy("<Policy>").
		// Specify the validity period of the session.
		SetRoleSessionExpiration(3600)
	credentialClient, _err := credentials.NewCredential(credentialsConfig)
	if _err != nil {
		panic(_err)
	}

	ecsConfig := &openapi.Config{}
	// Specify the endpoint of ECS. 
	ecsConfig.Endpoint = tea.String("ecs.cn-beijing.aliyuncs.com")
	// Use the SDK Credentials package to configure a credential. 
	ecsConfig.Credential = credentialClient
	// Initialize the ECS SDK client. 
	ecsClient, _err := ecs20140526.NewClient(ecsConfig)
	// Initialize the request to call the DescribeRegions operation. 
	describeInstancesRequest := &ecs20140526.DescribeRegionsRequest{}
	// Initialize the runtime configuration. 
	runtime := &util.RuntimeOptions{}
	// Call the DescribeRegions operation and obtain a response. 
	response, _err := ecsClient.DescribeRegionsWithOptions(describeInstancesRequest, runtime)
	if _err != nil {
		panic(_err)
	}
	panic(response.Body.String())
}

    Method 7: Use a credential URI

    The underlying logic of this method is to use an STS token to initialize a Credentials client. The Credentials tool uses the uniform resource identifier (URI) that you provide to obtain an STS token. The STS token is then used to initialize a Credentials client. 

    package main

import (
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	config := new(credentials.Config).
		SetType("credentials_uri").
                // Specify the URI of the credential in the http://local_or_remote_uri/ format by specifying the ALIBABA_CLOUD_CREDENTIALS_URI environment variable.
		SetCredentialsUri("<CredentialsUri>")

	uriCredential, err := credentials.NewCredential(config)
}

    Example

    To call the API operations of Alibaba Cloud services, you can specify a local or remote URI for credentials and use Alibaba Cloud Credentials to obtain and automatically update an access token based on the local or remote URI.

    The following sample code provides an example on how to call the DescribeRegions operation of ECS. Before you call this operation, you must install ECS SDK for Go. 

    package main

import (
	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	ecs20140526 "github.com/alibabacloud-go/ecs-20140526/v4/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	credentials "github.com/aliyun/credentials-go/credentials"
	"os"
)

func main() {
	config := new(credentials.Config).
		SetType("credentials_uri").
		// Specify the URI of the credential in the http://local_or_remote_uri/ format by specifying the ALIBABA_CLOUD_CREDENTIALS_URI environment variable.
		SetCredentialsUri("<CredentialsUri>")

	uriCredential, _err := credentials.NewCredential(config)
	if _err != nil {
		panic(_err)
	}

	ecsConfig := &openapi.Config{}
	// Specify the endpoint of ECS. 
	ecsConfig.Endpoint = tea.String("ecs.cn-beijing.aliyuncs.com")
	// Use the SDK Credentials package to configure a credential. 
	ecsConfig.Credential = uriCredential
	// Initialize the ECS SDK client. 
	ecsClient, _err := ecs20140526.NewClient(ecsConfig)
	// Initialize the request to call the DescribeRegions operation. 
	describeInstancesRequest := &ecs20140526.DescribeRegionsRequest{}
	// Initialize the runtime configuration. 
	runtime := &util.RuntimeOptions{}
	// Call the DescribeRegions operation and obtain a response. 
	response, _err := ecsClient.DescribeRegionsWithOptions(describeInstancesRequest, runtime)
	if _err != nil {
		panic(_err)
	}
	panic(response.Body.String())
}

    Method 8: Use a bearer token

    Only Cloud Call Center allows you to use a bearer token to initialize an SDK client. 

    package main

import (
	"fmt"
	"github.com/aliyun/credentials-go/credentials"
)

func main() {
	config := new(credentials.Config).
		SetType("bearer").
		// Enter the bearer token.
		SetBearerToken("<BearerToken>")
	bearerCredential, err := credentials.NewCredential(config)
	if err != nil {
		return
	}
	bearerToken := bearerCredential.GetBearerToken()
	credentialType := bearerCredential.GetType()
	fmt.Println(bearerToken, credentialType)
}

    Example

    The following sample code provides an example on how to call the GetInstance operation of Cloud Call Center. Before you call this operation, you must install Cloud Call Center SDK for Go. 

    package main

import (
	ccc20200701 "github.com/alibabacloud-go/ccc-20200701/v2/client"
	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
	util "github.com/alibabacloud-go/tea-utils/v2/service"
	"github.com/alibabacloud-go/tea/tea"
	credentials "github.com/aliyun/credentials-go/credentials"
)

func _main() (_err error) {
	// Use a bearer token to initialize a Credentials client. 
	credentialsConfig := new(credentials.Config).
		// Specify the credential type. 
		SetType("bearer").
		SetBearerToken("<BearerToken>")
	credentialClient, _err := credentials.NewCredential(credentialsConfig)
	if _err != nil {
		return _err
	}

	// Use the Credentials client to initialize the Cloud Call Center SDK client. 
	config := &openapi.Config{}
	config.Endpoint = tea.String("ccc.cn-shanghai.aliyuncs.com") // Specify the endpoint of Cloud Call Center. 
	config.Credential = credentialClient                         // Use the SDK Credentials package to configure a credential. 
	cccClient, _err := ccc20200701.NewClient(config)
	if _err != nil {
		return _err
	}
	getInstanceRequest := &ccc20200701.GetInstanceRequest{
		InstanceId: tea.String("ccc-test"),
	}
	runtime := &util.RuntimeOptions{}
	response, _err := cccClient.GetInstanceWithOptions(getInstanceRequest, runtime)
	if _err != nil {
		return _err
	}
	panic(response.Body.String())
}

func main() {
	err := _main()
	if err != nil {
		panic(err)
	}
}

    Default credential provider chain

    If you want to use different types of credentials in the development and production environments, you generally need to obtain the environment information from the code and write code branches to obtain different credentials for the development and production environments. The default credential provider chain of the Credentials tool allows you to use the same code to obtain credentials for different environments based on configurations independent of the application. If you use NewCredential() to initialize a Credentials client without specifying an initialization method, the Credentials tool obtains the credential information in the following order:

    1. Obtain the credential information from environment variables

    If no credential information is found in the system attributes, the Credentials continues to check the environment variables.

    • If both the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are specified, they are used as the default credential.

    • If ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN are specified, the STS token is used as the default credential.

    2. Obtain the credential information by using the RAM role of an OIDC IdP

    If no credentials with a higher priority are found, the Credentials tool checks the following environment variables that are related to the RAM role of the OIDC IdP:

    • ALIBABA_CLOUD_ROLE_ARN: the ARN of the RAM role.

    • ALIBABA_CLOUD_OIDC_PROVIDER_ARN: the ARN of the OIDC IdP.

    • ALIBABA_CLOUD_OIDC_TOKEN_FILE: the file path of the OIDC token.

    If the preceding three environment variables are specified and valid, the Credentials tool uses the environment variables to call the AssumeRoleWithOIDC operation of STS to obtain an STS token as the default credential.

    3. Obtain the credential information from the config.json file

    If no credentials with a higher priority are found, the Credentials tool attempts to load the config.json file. Default file path:

    • Linux: ~/.aliyun/config.json

    • Windows: C:\Users\USER_NAME\.aliyun\config.json

    If the config.json file exists, the Credentials tool initializes a Credentials client by using the credential information that is specified by the current parameter in the config.json file. You can also specify the ALIBABA_CLOUD_PROFILE environment variable to specify the credential information. For example, you can set the ALIBABA_CLOUD_PROFILE environment variable to client1.

    The mode parameter in the config.json file specifies the method that is used to obtain the credential information. Valid values:

    • AK: uses the AccessKey pair of a RAM user to obtain the credential information.

    • RamRoleArn: uses the ARN of a RAM role to obtain the credential information.

    • EcsRamRole: uses the RAM role attached to an ECS instance to obtain the credential information.

    • OIDC: uses the ARN of an OIDC IdP and the OIDC token file to obtain the credential information.

    • ChainableRamRoleArn: uses a role chain and specifies an access credential in another JSON file to obtain the credential information.

    Configuration example:

    {
	"current": "default",
	"profiles": [
		{
			"name": "default",
			"mode": "AK",
			"access_key_id": "<ALIBABA_CLOUD_ACCESS_KEY_ID>",
			"access_key_secret": "<ALIBABA_CLOUD_ACCESS_KEY_SECRET>"
		},
		{
			"name":"client1",
			"mode":"RamRoleArn",
			"access_key_id":"<ALIBABA_CLOUD_ACCESS_KEY_ID>",
			"access_key_secret":"<ALIBABA_CLOUD_ACCESS_KEY_SECRET>",
			"ram_role_arn":"<ROLE_ARN>",
			"ram_session_name":"<ROLE_SESSION_NAME>",
			"expired_seconds":3600
		},
		{
			"name":"client2",
			"mode":"EcsRamRole",
			"ram_role_name":"<RAM_ROLE_ARN>"
		},
		{
			"name":"client3",
			"mode":"OIDC",
			"oidc_provider_arn":"<OIDC_PROVIDER_ARN>",
			"oidc_token_file":"<OIDC_TOKEN_FILE>",
			"ram_role_arn":"<ROLE_ARN>",
			"ram_session_name":"<ROLE_SESSION_NAME>",
			"expired_seconds":3600
		},
		{
			"name":"client4",
			"mode":"ChainableRamRoleArn",
			"source_profile":"<PROFILE_NAME>",
			"ram_role_arn":"<ROLE_ARN>",
			"ram_session_name":"<ROLE_SESSION_NAME>",
			"expired_seconds":3600
		}
	]
}

    4. Obtain the credential information by using the RAM role of an ECS instance

    If no credentials with a higher priority are found, the Credentials tool attempts to use the RAM role assigned to the ECS instance to obtain a credential. By default, the Credentials tool accesses the metadata server of ECS in security hardening mode (IMDSv2) to obtain the STS token of the RAM role used by the ECS instance and uses the STS token as the default credential. The Credentials tool automatically accesses the metadata server of ECS to obtain the name of the RAM role (RoleName) and then obtains the credential. Two requests are sent in this process. If you want to send only one request, add the ALIBABA_CLOUD_ECS_METADATA environment variable to specify the name of the RAM role. If an exception occurs in the security hardening mode (IMDSv2), the Credentials tool obtains the access credential in normal mode (IMDSv1). You can also configure the ALIBABA_CLOUD_IMDSV1_DISABLE environment variable to specify an exception handling logic. Valid values:

    1. false: The Credentials tool continues to obtain the access credential in normal mode (IMDSv1).

    2. true: The exception is thrown and the Credentials tool continues to obtain the access credential in security hardening mode (IMDSv2).

    The configurations for the metadata server determine whether the server supports the security hardening mode (IMDSv2).

    In addition, you can set the ALIBABA_CLOUD_ECS_METADATA_DISABLED=true environment variable to disable access from the Credentials tool to the metadata server of ECS.

    Note

    • For more information about ECS instance metadata, see Obtain instance metadata.

    • For more information about how to attach a RAM role to an ECS instance, see the "Create an instance RAM role and attach the instance RAM role to an ECS instance" section of the Instance RAM roles topic. For more information about how to attach a RAM role to an elastic container instance, see the "Assign the instance RAM role to an elastic container instance" section of the Use an instance RAM role by calling API operations topic.

    5. Obtain the credential information based on a URI

    If no valid credential is obtained by using the preceding methods, the Credentials tool checks the ALIBABA_CLOUD_CREDENTIALS_URI environment variable. If this environment variable exists and specifies a valid URI, the Credentials tool initiates an HTTP requests to obtain an STS token as the default credential.

    Switch between credentials

    You can use the following method to use different credentials to call different API operations in your application:

    Use multiple Credentials clients

    Initialize multiple Credentials clients to pass different credentials to different request clients. 

    package main

import (
	credentials "github.com/aliyun/credentials-go/credentials"
	"os"
)

func main() {
	config1 := new(credentials.Config).
		SetType("access_key").
		SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
		SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET"))
	akCredential, err1 := credentials.NewCredential(config1)

	config2 := new(credentials.Config).
		SetType("sts").
		SetAccessKeyId(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_ID")).
		SetAccessKeySecret(os.Getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET")).
		SetSecurityToken(os.Getenv("ALIBABA_CLOUD_SECURITY_TOKEN"))

	akCredential, err2 := credentials.NewCredential(config2)
}

    Related operations