Outbound
Agent Identity features are categorized as inbound or outbound based on the workflow direction. Outbound is the process where an agent, after completing inbound authentication and authorization, uses a Workload Access Token to call Agent Identity service APIs and obtain credentials to access downstream Alibaba Cloud services or third-party resources.
Choose an outbound credential
Agent Identity lets you obtain three types of outbound credentials: STS Token, OAuth Access Token, and API Key. You can choose the most suitable credential based on the type and authentication method of the downstream resource.
|
Scenario |
Outbound credential |
Method |
|
Access Alibaba Cloud services |
OAuth Access Token |
Register an OAuth credential provider. Call the |
|
STS Token |
The agent calls the |
|
|
Access an LLM or third-party resources |
API Key |
Register an API Key credential provider. Call the |
|
OAuth Access Token |
Register an OAuth credential provider. Call the |
For more information, see Obtain credentials.
Outbound authorization
Outbound authorization is required to call Agent Identity APIs and obtain outbound credentials, such as GetReourceOAuth2Token.
You can grant the required permissions by creating a custom policy for the RAM role that is associated with the workload identity used to obtain outbound credentials.
Policy example:
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"agentidentitydata:GetResourceOAuth2Token",
"agentidentitydata:GetResourceAPIKey",
],
"Resource": "*"
}
],
"Version": "1"
}
Credential provider management
Agent Identity lets you configure two types of credential providers: OAuth and API Key. For information about how to configure and manage them, see:
To simplify the configuration process, Agent Identity provides pre-configurations for common OAuth credential providers, such as Alibaba Cloud. For more information, see Tutorials: Set up typical OAuth credential providers.