Alibaba Cloud Credentials for Java
English | 简体中文
Alibaba Cloud Credentials for Java is a tool for Java developers to manage credentials.
This document introduces how to obtain and use Credentials for Java.
<dependency><groupId>com.aliyun</groupId><artifactId>credentials-java</artifactId><version>Use the version shown in the maven badge</version></dependency>
Before you begin, you need to sign up for an Alibaba Cloud account and retrieve your Credentials.
Setup access_key credential through User Information Management, it have full authority over the account, please keep it safe. Sometimes for security reasons, you cannot hand over a primary account AccessKey with full access to the developer of a project. You may create a sub-account RAM Sub-account , grant its authorization,and use the AccessKey of RAM Sub-account.
import com.aliyun.credentials.Client;import com.aliyun.credentials.models.Config;public class DemoTest {public static void main(String[] args) throws Exception{Config config = new Config();// Which type of credential you wantconfig.setType("access_key");// AccessKeyId of your accountconfig.setAccessKeyId("AccessKeyId");// AccessKeySecret of your accountconfig.setAccessKeySecret("AccessKeySecret");Client client = new Client(config);}}
Create a temporary security credential by applying Temporary Security Credentials (TSC) through the Security Token Service (STS).
import com.aliyun.credentials.Client;import com.aliyun.credentials.models.Config;public class DemoTest {public static void main(String[] args) throws Exception{Config config = new Config();// Which type of credential you wantconfig.setType("sts");// AccessKeyId of your accountconfig.setAccessKeyId("AccessKeyId");// AccessKeySecret of your accountconfig.setAccessKeySecret("AccessKeySecret");// Temporary Security Tokenconfig.setSecurityToken("SecurityToken");Client client = new Client(config);}}
By specifying RAM Role, the credential will be able to automatically request maintenance of STS Token. If you want to limit the permissions(How to make a policy) of STS Token, you can assign value for Policy.
import com.aliyun.credentials.Client;import com.aliyun.credentials.models.Config;public class DemoTest {public static void main(String[] args) throws Exception{Config config = new Config();// Which type of credential you wantconfig.setType("ram_role_arn");// AccessKeyId of your accountconfig.setAccessKeyId("AccessKeyId");// AccessKeySecret of your accountconfig.setAccessKeySecret("AccessKeySecret");// Format: acs:ram::USER_Id:role/ROLE_NAME// roleArn can be replaced by setting environment variable: ALIBABA_CLOUD_ROLE_ARNconfig.setRoleArn("RoleArn");// Role Session Nameconfig.setRoleSessionName("RoleSessionName");// Not required, limit the permissions of STS Tokenconfig.setPolicy("policy");// Not required, the external ID of the RAM role// This parameter is provided by an external party and is used to prevent the confused deputy problem.config.setExternalId("externalId");// Not required, limit the Valid time of STS Tokenconfig.setRoleSessionExpiration(3600);Client client = new Client(config);}}
By specifying OIDC Role, the credential will be able to automatically request maintenance of STS Token. If you want to limit the permissions(How to make a policy) of STS Token, you can assign value for Policy.
import com.aliyun.credentials.Client;import com.aliyun.credentials.models.Config;public class DemoTest {public static void main(String[] args) throws Exception{Config config = new Config();// Which type of credential you wantconfig.setType("oidc_role_arn");// Format: acs:ram::USER_Id:role/ROLE_NAME// roleArn can be replaced by setting environment variable: ALIBABA_CLOUD_ROLE_ARNconfig.setRoleArn("RoleArn");// Format: acs:ram::USER_Id:oidc-provider/OIDC Providers// oidcProviderArn can be replaced by setting environment variable: ALIBABA_CLOUD_OIDC_PROVIDER_ARNconfig.setOidcProviderArn("OIDCProviderArn");// Format: path// OIDCTokenFilePath can be replaced by setting environment variable: ALIBABA_CLOUD_OIDC_TOKEN_FILEconfig.setOidcTokenFilePath("/Users/xxx/xxx");// Role Session Nameconfig.setRoleSessionName("RoleSessionName");// Not required, limit the permissions of STS Tokenconfig.setPolicy("policy");// Not required, limit the Valid time of STS Tokenconfig.setRoleSessionExpiration(3600);Client client = new Client(config);}}
By specifying the role name, the credential will be able to automatically request maintenance of STS Token.
import com.aliyun.credentials.Client;import com.aliyun.credentials.models.Config;public class DemoTest {public static void main(String[] args) throws Exception {Config config = new Config();// Which type of credential you wantconfig.setType("ecs_ram_role");// `roleName` is optional. It will be retrieved automatically if not set. It is highly recommended to set it up to reduce requestsconfig.setRoleName("RoleName");// `disableIMDSv1` is optional and is recommended to be turned on. It can be replaced by setting environment variable: ALIBABA_CLOUD_IMDSV1_DISABLEDconfig.setDisableIMDSv1(true);Client client = new Client(config);}}
By specifying the url, the credential will be able to automatically request maintenance of STS Token.
import com.aliyun.credentials.Client;import com.aliyun.credentials.models.Config;public class DemoTest {public static void main(String[] args) throws Exception {Config config = new Config();// Which type of credential you wantconfig.setType("credentials_uri");// Format: http url. `credentialsURI` can be replaced by setting environment variable: ALIBABA_CLOUD_CREDENTIALS_URIconfig.setCredentialsUri("http://xxx");Client client = new Client(config);}}
If credential is required by the Cloud Call Centre (CCC), please apply for Bearer Token maintenance by yourself.
import com.aliyun.credentials.Client;import com.aliyun.credentials.models.Config;public class DemoTest {public static void main(String[] args) throws Exception {Config config = new Config();// Which type of credential you wantconfig.setType("bearer");// BearerToken of your accountconfig.setBearerToken("BearerToken");Client client = new Client(config);}}
If you call Client client = new Client(), it will use provider chain to get credential for you.
The default credential provider chain looks for available credentials, with following order:
System Properties
Look for environment credentials in system properties. If the alibabacloud.accessKeyId and alibabacloud.accessKeySecret system properties are defined and not empty, the program will use them to create default credentials. If the alibabacloud.accessKeyId, alibabacloud.accessKeySecret and alibabacloud.sessionToken environment variables are defined and are not empty, the program will use them to create temporary security credentials(STS). Note: This token has an expiration time, it is recommended to use it in a temporary environment.
Environment Credentials
Look for environment credentials in environment variable. If the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables are defined and are not empty, the program will use them to create default credentials. If the ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET and ALIBABA_CLOUD_SECURITY_TOKEN environment variables are defined and are not empty, the program will use them to create temporary security credentials(STS). Note: This token has an expiration time, it is recommended to use it in a temporary environment.
Credentials File
If there is ~/.alibabacloud/credentials default file (Windows shows C:\Users\USER_NAME\.alibabacloud\credentials), the program automatically creates credentials with the specified type and name. The default file is not necessarily exist, but a parse error will throw an exception. The name of configuration item is lowercase.This configuration file can be shared between different projects and between different tools. Because it is outside of the project and will not be accidentally committed to the version control. The path to the default file can be modified by defining the ALIBABA_CLOUD_CREDENTIALS_FILE environment variable. If not configured, use the default configuration default. You can also set the environment variables ALIBABA_CLOUD_PROFILE to use the configuration.
[default] # default settingenable = true # Enable,Enabled by default if this option is not presenttype = access_key # Certification type: access_keyaccess_key_id = foo # Keyaccess_key_secret = bar # Secret[client1] # configuration that is named as `client1`type = ecs_ram_role # Certification type: ecs_ram_rolerole_name = EcsRamRoleTest # Role Name[client2] # configuration that is named as `client2`enable = false # Disabletype = ram_role_arn # Certification type: ram_role_arnregion_id = cn-testpolicy = test # optional Specify permissionsaccess_key_id = fooaccess_key_secret = barrole_arn = role_arn # can be replaced by setting environment variable: ALIBABA_CLOUD_ROLE_ARNrole_session_name = session_name # optional[client3] # configuration that is named as `client3`enable = false # Disabletype = oidc_role_arn # Certification type: oidc_role_arnregion_id = cn-testpolicy = test # optional Specify permissionsrole_arn = role_arn # can be replaced by setting environment variable: ALIBABA_CLOUD_ROLE_ARNoidc_provider_arn = oidc_provider_arn # can be replaced by setting environment variable: ALIBABA_CLOUD_OIDC_PROVIDER_ARNoidc_token_file_path = /xxx/xxx # can be replaced by setting environment variable: ALIBABA_CLOUD_OIDC_TOKEN_FILErole_session_name = session_name # optional
Opening an Issue, Issues not conforming to the guidelines may be closed immediately.
Detailed changes for each release are documented in the release notes.
Please make sure to read the Contributing Guide before making a pull request.
Copyright 2009-present Alibaba Cloud All rights reserved.