An AccessKey pair is a security credential for accessing Alibaba Cloud resources through API operations. Use it to sign API requests for authentication.
What is an AccessKey?
An AccessKey pair is a long-term security credential that Alibaba Cloud issues for programmatic access. It consists of an AccessKey ID and an AccessKey secret.
- AccessKey ID: The public, unique identifier for an AccessKey pair.
- AccessKey secret: The private key used to sign programmatic requests. This signature verifies the authenticity and integrity of the request. You must keep your AccessKey secret strictly confidential.
To reduce the risk of compromise, the AccessKey secret is displayed only when you create it. You cannot retrieve it later. Be sure to store it securely.
How to use an AccessKey
AccessKey pairs authenticate programmatic calls to Alibaba Cloud APIs through the CLI, SDKs, or Terraform. They cannot be used to sign in to the console.
Avoid using AccessKey pairs directly in applications. Alibaba Cloud provides AccessKey-free solutions that use temporary security credentials (STS tokens) instead. For details, see Application development scenarios.
If you must use an AccessKey pair, follow the guidance in Properly store and use unavoidable AccessKey pairs.
How an AccessKey works
RAM generates the AccessKey ID and AccessKey secret using a cryptographic algorithm. Alibaba Cloud encrypts them during storage and transmission.
When an application sends a request, it includes the AccessKey ID and a signature derived from the AccessKey secret. Alibaba Cloud uses these to verify the sender's identity and request integrity. For details, see V3 request body & signature mechanism.
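The sign-and-verify flow described above, as an added Python sketch that is not Alibaba Cloud's code and does not reproduce the V3 wire format. The canonical string layout is a simplified, hypothetical one, and the AccessKey ID, secret, and request values are constructed samples.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credential store; the ID and secret are made-up values.
SECRETS = {"EXAMPLE-ACCESS-KEY-ID": b"example-access-key-secret"}


def canonical_request(method, path, query, body, timestamp):
    """Serialize every part of the request that the signature must cover."""
    # Hypothetical layout: sorted, percent-encoded query plus a body hash.
    pairs = sorted((quote(k, safe=""), quote(str(v), safe="")) for k, v in query.items())
    query_string = "&".join(f"{k}={v}" for k, v in pairs)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query_string, timestamp, body_hash])


def sign(secret, method, path, query, body, timestamp):
    """Client side: HMAC-SHA256 over the canonical request, keyed by the secret."""
    message = canonical_request(method, path, query, body, timestamp).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_request(access_key_id, secret, method, path, query, body, timestamp):
    """Only the AccessKey ID and the signature travel with the request."""
    return {
        "access_key_id": access_key_id,
        "method": method, "path": path, "query": dict(query),
        "body": body, "timestamp": timestamp,
        "signature": sign(secret, method, path, query, body, timestamp),
    }


def verify(request):
    """Server side: look up the secret by ID, recompute, compare in constant time."""
    secret = SECRETS.get(request["access_key_id"])
    if secret is None:
        return False  # unknown AccessKey ID
    expected = sign(secret, request["method"], request["path"],
                    request["query"], request["body"], request["timestamp"])
    return hmac.compare_digest(expected, request["signature"])


def demo():
    """Return (genuine request verifies, request altered in transit verifies)."""
    key_id = "EXAMPLE-ACCESS-KEY-ID"
    req = build_request(key_id, SECRETS[key_id], "POST", "/",
                        {"Action": "ListUsers", "MaxItems": "10"}, b"{}",
                        "2024-01-01T00:00:00Z")
    tampered = dict(req, query={"Action": "ListUsers", "MaxItems": "100"})
    return verify(req), verify(tampered)
```

The sketch does not check timestamp freshness or nonces, so it shows identity and integrity verification only, not replay protection.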
Create a RAM user AccessKey
Complete these steps as a RAM administrator (with the AliyunRAMFullAccess policy). If you do not have a RAM user, create one first.
A RAM user can follow the steps in Create an Alibaba Cloud account AccessKey (Not recommended) to create their own AccessKey pair.
Console
- Sign in to the RAM console. In the left-side navigation pane, choose .
- On the user list, find the target RAM user and click their username.
- On the AccessKey tab, click Create AccessKey.
  Note: Each RAM user can have a maximum of two AccessKey pairs. One is for active use, and the other can be created for rotation to replace the old one.
- In the dialog box, review the use cases and recommendations. If you must create an AccessKey pair, select a use case, select I confirm that it is necessary to create an AccessKey, and then click Continue. The selected use case does not affect the created AccessKey pair.
- Complete the security verification as prompted.
- In the Create AccessKey dialog box, save the AccessKey ID and AccessKey secret, and then click OK.
  Configure a network access control policy for the AccessKey pair (Optional): Restrict source IP addresses for OpenAPI requests to confine calls to trusted networks. Click Configure network access policy to set up restrictions. For details, see Configure an AccessKey-level network access control policy for a RAM user.
  Important: To reduce the risk of compromise, the AccessKey secret is displayed only when you create it. You cannot retrieve it later. Be sure to store it securely.
OpenAPI
Call the CreateAccessKey operation and specify the following parameter:
- UserPrincipalName: The logon name of the user who owns the AccessKey pair, in the format test@example.onaliyun.com. You can view the logon name of the user in the RAM console.
To reduce the risk of compromise, the AccessKey secret is returned only in the response of the CreateAccessKey operation. You cannot retrieve it later. Be sure to store it securely.