DocsICP FilingConsole
官方文档
首页

Endpoints and access credentials

更新时间:
复制 MD 格式
产品详情
我的收藏

To send Simple Message Queue (SMQ) requests using the Java SDK, you must configure endpoints and access credentials. Alibaba Cloud services use access credentials to verify your identity and access permissions. You can select different types of access credentials depending on the authentication and authorization requirements of your use case. This topic describes how to configure endpoints, temporary access credentials, and long-term access credentials.

Configure endpoints

Configure the public or internal endpoint for ApsaraMQ in the aliyun-mns.properties file. This file is typically at ${user.home}/.aliyun-mns.properties.

On Linux and macOS, the aliyun-mns.properties file is at ~/.aliyun-mns.properties.

On Windows, the aliyun-mns.properties file is at %USERPROFILE%\.aliyun-mns.properties.

Configure the aliyun-mns.properties file as follows:

mns.accountendpoint=http://120228xxxxxxx.mns.cn-xxxxxx.aliyuncs.com

You can find the endpoint for ApsaraMQ in the Endpoint section on the Queue Details or Topic Details page in the console.

Access credentials

You can use the following types of access credentials.

  • Long-term access credentials: For best security, use temporary access credentials instead of long-term access credentials. Long-term access credentials are convenient because they do not require frequent refreshing. Rotate your long-term access credentials every three months to enhance account security. If a long-term access credential is compromised or no longer in use, delete or disable it immediately to prevent security risks.

  • Temporary access credentials: For high-security use cases, such as temporarily authorizing an application to access SMQ, use temporary access credentials. These credentials are valid only for a limited time, which reduces the risk of credential compromise. Additionally, they support fine-grained access control, which helps avoid the security risks associated with excessive permissions.

Long-term access credentials

When you are ready to use the SDK for Java in your application or service for long-term access to ApsaraMQ, configure a long-term access credential using the following methods.

Configure the AccessKey pair for a RAM user: If you need long-term access to your SMQ, you can access your SMQ by using an AccessKey pair for a RAM user.

  1. Obtain an AccessKey pair for a RAM user.

    For instructions on how to obtain an AccessKey pair for a RAM user, see Create an AccessKey pair for a RAM user.

    Important

    As a security best practice, rotate your AccessKey pair if it has been used for more than three months. If an AccessKey pair is not used for a long period, disable or delete it to reduce the risk of leaks.

  2. Configure the RAM user's AccessKey pair.

    Environment variables

    1. Configure the environment variables.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile

      3. Add the following lines to the end of the file:

        export ALIBABA_CLOUD_ACCESS_KEY_ID=LTA****
export ALIBABA_CLOUD_ACCESS_KEY_SECRET=moiEs****

      4. Press Ctrl+X, press Y to confirm, and then press Enter to save and exit.

      5. Run the following command to apply the changes:

        source ~/.bash_profile

      6. Run the following commands to verify the configuration:

        echo $ALIBABA_CLOUD_ACCESS_KEY_ID
echo $ALIBABA_CLOUD_ACCESS_KEY_SECRET

        The following output indicates a successful configuration:

        LTA****
moiEs****

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile

      3. Add the following lines to the end of the file:

        export ALIBABA_CLOUD_ACCESS_KEY_ID=LTA****
export ALIBABA_CLOUD_ACCESS_KEY_SECRET=moiEs****

      4. Press Esc to exit edit mode, enter :wq, and then press Enter to save and exit.

      5. Run the following command to apply the changes:

        source /etc/profile

      6. Run the following commands to verify the configuration:

        echo $ALIBABA_CLOUD_ACCESS_KEY_ID
echo $ALIBABA_CLOUD_ACCESS_KEY_SECRET

        The following output indicates a successful configuration:

        LTA****
moiEs****

      Windows

      GUI

      The following steps show how to set the AccessKey pair as environment variables by using the GUI in Windows 10.

      1. On your desktop, right-click This PC and select Properties. Navigate to Advanced system settings > Environment Variables. In the System variables or User variables section, click New.

      2. Add the following environment variables.

        Parameter

        Value

        ALIBABA_CLOUD_ACCESS_KEY_ID

        LTA****

        ALIBABA_CLOUD_ACCESS_KEY_SECRET

        moiEs****

      3. To verify the configuration, open a new Command Prompt window and run the following commands:

        echo %ALIBABA_CLOUD_ACCESS_KEY_ID%
echo %ALIBABA_CLOUD_ACCESS_KEY_SECRET%

        The following output indicates a successful configuration:

        LTA****
moiEs****

      Command Prompt (CMD)

      1. Open Command Prompt.

      2. Run the following commands to configure the RAM user's AccessKey pair.

        set ALIBABA_CLOUD_ACCESS_KEY_ID=LTA****
set ALIBABA_CLOUD_ACCESS_KEY_SECRET=moiEs****

      3. To make these variables persistent across sessions, run the following commands:

        setx ALIBABA_CLOUD_ACCESS_KEY_ID "%ALIBABA_CLOUD_ACCESS_KEY_ID%"
setx ALIBABA_CLOUD_ACCESS_KEY_SECRET "%ALIBABA_CLOUD_ACCESS_KEY_SECRET%"

      4. Run the following commands to verify that the environment variables are configured.

        echo %ALIBABA_CLOUD_ACCESS_KEY_ID%
echo %ALIBABA_CLOUD_ACCESS_KEY_SECRET%

        The following output indicates a successful configuration:

        LTA****
moiEs****

      Windows PowerShell

      1. Press Win+X.

      2. Choose one of the following methods to set the AccessKey pair:

        Current session

        1. From the menu that appears, select Windows PowerShell.

        2. Add the following environment variables for the current session.

          $env:ALIBABA_CLOUD_ACCESS_KEY_ID = "LTA****"
$env:ALIBABA_CLOUD_ACCESS_KEY_SECRET = "moiEs****"
        New sessions

        1. From the menu that appears, select Windows PowerShell.

        2. Add the following environment variables for all new sessions.

          [System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_ID', 'LTA****', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_SECRET', 'moiEs****', [System.EnvironmentVariableTarget]::User)
        All users

        1. From the menu that appears, select Windows PowerShell (Administrator).

        2. Add the following environment variables for all users.

          [System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_ID', 'LTA****', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('ALIBABA_CLOUD_ACCESS_KEY_SECRET', 'moiEs****', [System.EnvironmentVariableTarget]::Machine)

      3. To verify the configuration, run the following commands in a new PowerShell window:

        echo $env:ALIBABA_CLOUD_ACCESS_KEY_ID
echo $env:ALIBABA_CLOUD_ACCESS_KEY_SECRET

        The following output indicates a successful configuration:

        LTA****
moiEs****

    2. Your application can then obtain the AccessKey pair from the environment variables. The following Java code shows an example of creating a client that implicitly uses these variables:

      // The SDK client implicitly uses environment variables for authentication
// when no explicit credentials are provided.
CloudAccount account = new CloudAccount(ServiceSettings.getMNSAccountEndpoint());

    Embed in code

    Warning

    Embedding access credentials in your code poses a security risk. If your access credentials are leaked, attackers can use them to access your SMQ resources. For enhanced security, we recommend using a more secure method, such as obtaining access credentials from environment variables.

    CloudAccount account = new CloudAccount("LTA****", "moiEs****", ServiceSettings.getMNSAccountEndpoint());

Temporary access credentials

To use the Java SDK to temporarily access ApsaraMQ for Kafka, use one of the following methods to configure temporary access credentials:

  • Configure STS temporary access credentials: To access SMQ for a limited time, use STS to issue a temporary access credential. This credential allows secure access to SMQ without exposing your RAM user's AccessKey pair.

  • Configure a RAM role: To grant access to SMQ within your account or across accounts, use a RAM role. A RAM user can then assume the role to access SMQ.

  • Configure a RAM role for an ECS instance: If you need to access your SMQ from an Alibaba Cloud ECS instance, you can use an ECS instance RAM role to access SMQ. An instance RAM role allows you to associate a role with an ECS instance and access SMQ from within the instance by using STS temporary credentials. The STS temporary credentials are automatically generated and updated by the system, and your application can use a specified instance metadata URL to obtain the temporary credentials without requiring any manual management.

STS temporary access credentials

  1. Create a RAM user.

    For more information, see Create a RAM user.

  2. Attach the AliyunSTSAssumeRoleAccess policy to the RAM user.

    For more information, see Manage RAM user permissions.

  3. Use the RAM user to call the AssumeRole operation of STS to obtain STS temporary access credentials.

    For more information, see AssumeRole.

  4. Configure the STS temporary access credentials.

    Environment variables

    1. Set the environment variables using the obtained STS temporary access credentials.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile

      3. Add the temporary access credentials (AccessKey ID, AccessKey Secret, and security token) to the end of the file.

        export MNS_ACCESS_KEY_ID=LTA****
export MNS_ACCESS_KEY_SECRET=moiEs****
export MNS_SESSION_TOKEN=CAES****

      4. Press Ctrl+X, press Y to save the changes, and then press Enter to exit.

      5. Run the following command to apply the changes:

        source ~/.bash_profile

      6. Run the following commands to verify the environment variables:

        echo $MNS_ACCESS_KEY_ID
echo $MNS_ACCESS_KEY_SECRET
echo $MNS_SESSION_TOKEN

        The following is a sample output:

        LTA****
moiEs**** 
CAES****

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile

      3. Add the temporary access credentials (AccessKey ID, AccessKey Secret, and security token) to the end of the file.

        export MNS_ACCESS_KEY_ID=LTA****
export MNS_ACCESS_KEY_SECRET=moiEs****
export MNS_SESSION_TOKEN=CAES****

      4. Press ESC to exit the editing mode, enter :wq, and then press Enter to save and exit the file.

      5. Run the following command to apply the changes:

        source /etc/profile

      6. Run the following commands to verify the environment variables:

        echo $MNS_ACCESS_KEY_ID
echo $MNS_ACCESS_KEY_SECRET
echo $MNS_SESSION_TOKEN

        The following is a sample output:

        LTA****
moiEs**** 
CAES****

      Windows

      GUI

      This section shows how to set STS temporary access credentials as environment variables by using the GUI in Windows 10.

      1. On your desktop, right-click This PC and select Properties > Advanced system settings > Environment Variables. In the User variables or System variables section, click New.

      2. Add the following environment variables:

        Parameter

        Value

        MNS_ACCESS_KEY_ID

        LTA****

        MNS_ACCESS_KEY_SECRET

        moiEs****

        MNS_SESSION_TOKEN

        CAES****

      3. Run the following commands to verify the environment variables:

        echo %MNS_ACCESS_KEY_ID%
echo %MNS_ACCESS_KEY_SECRET%
echo %MNS_SESSION_TOKEN%

        The following is a sample output:

        LTA****
moiEs**** 
CAES****

      Command Prompt

      1. Open Command Prompt.

      2. Run the following commands to set the temporary access credentials (AccessKey ID, AccessKey Secret, and security token).

        set MNS_ACCESS_KEY_ID=LTA****
set MNS_ACCESS_KEY_SECRET=moiEs**** 
set MNS_SESSION_TOKEN=CAES****

      3. Run the following commands to apply the changes:

        setx MNS_ACCESS_KEY_ID "%MNS_ACCESS_KEY_ID%"
setx MNS_ACCESS_KEY_SECRET "%MNS_ACCESS_KEY_SECRET%"
setx MNS_SESSION_TOKEN "%MNS_SESSION_TOKEN%"

      4. Run the following commands to verify the environment variables:

        echo %MNS_ACCESS_KEY_ID%
echo %MNS_ACCESS_KEY_SECRET%
echo %MNS_SESSION_TOKEN%

        The following is a sample output:

        LTA****
moiEs**** 
CAES****

      Windows PowerShell

      1. Press Win + X.

      2. Set the STS temporary access credentials.

        Current session

        1. From the menu that appears, select Windows PowerShell.

        2. Set the following environment variables for the current session:

          $env:MNS_ACCESS_KEY_ID = "LTA****"
$env:MNS_ACCESS_KEY_SECRET = "moiEs****"
$env:MNS_SESSION_TOKEN = "CAE****"
        New sessions

        1. From the menu that appears, select Windows PowerShell.

        2. Set the following environment variables for all new sessions:

          [System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_ID', 'LTA****', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_SECRET', 'moiEs****', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('MNS_SESSION_TOKEN', 'CAES****', [System.EnvironmentVariableTarget]::User)
        All users

        1. From the menu that appears, select Windows PowerShell (Administrator).

        2. Set the following environment variables for all users:

          [System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_ID', 'LTA****', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_SECRET', 'moiEs****', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('MNS_SESSION_TOKEN', 'CAES****', [System.EnvironmentVariableTarget]::Machine)

      3. Run the following commands to verify the environment variables:

        Get-ChildItem env:MNS_ACCESS_KEY_ID
Get-ChildItem env:MNS_ACCESS_KEY_SECRET
Get-ChildItem env:MNS_SESSION_TOKEN

        The following is a sample output:

        LTA****
moiEs**** 
CAES****

    2. Obtain the STS temporary access credentials from the environment variables.

      // Obtain the STS temporary access credentials from environment variables. 
String accessKeyId = System.getenv("MNS_ACCESS_KEY_ID"); 
String accessKeySecret = System.getenv("MNS_ACCESS_KEY_SECRET");
String sessionToken = System.getenv("MNS_SESSION_TOKEN"); 
AlibabaCloudCredentials credentials = new BasicSessionCredentials(accessKeyId,accessKeySecret,sessionToken); 
AlibabaCloudCredentialsProvider provider = new StaticCredentialsProvider(credentials);

    Embed in code

    Warning

    Embedding access credentials in your code poses a security risk. If leaked, these credentials can be used by attackers to access your MNS resources. For enhanced security, we recommend using a more secure method, such as obtaining access credentials from environment variables.

    // WARNING: Hardcoding credentials is a security risk.
String accessKeyId = "LTAI************"; // Replace with your AccessKey ID.
String accessKeySecret = "K_VTN*******************"; // Replace with your AccessKey Secret.
String sessionToken = "CAES********************"; // Replace with your security token.
AlibabaCloudCredentials credentials = new BasicSessionCredentials(accessKeyId,accessKeySecret,sessionToken);
AlibabaCloudCredentialsProvider provider = new StaticCredentialsProvider(credentials);
String endpoint = ServiceSettings.getMNSAccountEndpoint();
CloudAccount account = new CloudAccount(endpoint, provider);

RAM role

  1. Obtain the AccessKey pair of the RAM user.

    For more information, see Create an AccessKey pair for a RAM user.

    Important

    To reduce the risk of an AccessKey pair leak, we recommend that you rotate an AccessKey pair if it has been used for more than three months. If an AccessKey pair is no longer needed, disable and delete it promptly.

  2. Obtain the RAM Role ARN of the target RAM role.

    Note

    A RAM Role ARN is the Alibaba Cloud Resource Name (ARN) of a RAM role, which identifies the role to assume. It follows the format: acs:ram::$accountID:role/$roleName, where $accountID is the ID of your Alibaba Cloud account and $roleName is the name of the RAM role.

    For more information, see View a RAM role.

  3. Configure the AccessKey pair of the RAM user and the RAM Role ARN of the target RAM role as the access credentials.

    Environment variables

    1. Set environment variables using the RAM user's AccessKey pair and the target RAM Role ARN.

      macOS

      1. Open the terminal.

      2. Run the following command:

        nano ~/.bash_profile

      3. Add the RAM user's AccessKey pair and the RAM Role ARN to the end of the file.

        export MNS_ACCESS_KEY_ID=LTAI****
export MNS_ACCESS_KEY_SECRET=IrVTNZNy****  
export MNS_STS_ROLE_ARN=acs:ram::17464958********:role/mnsststest

      4. Press Ctrl+X, press Y to save the changes, and then press Enter to exit.

      5. Run the following command to apply the changes:

        source ~/.bash_profile

      6. Run the following commands to verify the environment variables:

        echo $MNS_ACCESS_KEY_ID
echo $MNS_ACCESS_KEY_SECRET
echo $MNS_STS_ROLE_ARN

        The following is a sample output:

        LTAI****
IrVTNZNy****  
acs:ram::17464958********:role/mnsststest

      Linux

      1. Open the terminal.

      2. Run the following command:

        sudo vim /etc/profile

      3. Add the RAM user's AccessKey pair and the RAM Role ARN to the end of the file.

        export MNS_ACCESS_KEY_ID=LTAI****
export MNS_ACCESS_KEY_SECRET=IrVTNZNy****  
export MNS_STS_ROLE_ARN=acs:ram::17464958********:role/mnsststest

      4. Press ESC to exit the editing mode, enter :wq, and then press Enter to save and exit the file.

      5. Run the following command to apply the changes:

        source /etc/profile

      6. Run the following commands to verify the environment variables:

        echo $MNS_ACCESS_KEY_ID
echo $MNS_ACCESS_KEY_SECRET
echo $MNS_STS_ROLE_ARN

        The following is a sample output:

        LTAI****
IrVTNZNy****  
acs:ram::17464958********:role/mnsststest

      Windows

      GUI

      This section shows how to use the GUI in Windows 10 to set environment variables for the RAM user's AccessKey pair and the target RAM Role ARN.

      1. On your desktop, right-click This PC and select Properties > Advanced system settings > Environment Variables. In the User variables or System variables section, click New.

      2. Add the following environment variables:

        Parameter

        Value

        MNS_ACCESS_KEY_ID

        LTAI****

        MNS_ACCESS_KEY_SECRET

        IrVTNZNy****

        MNS_STS_ROLE_ARN

        acs:ram::17464958********:role/mnsststest

      3. Run the following commands to verify the environment variables:

        echo %MNS_ACCESS_KEY_ID%
echo %MNS_ACCESS_KEY_SECRET%
echo %MNS_STS_ROLE_ARN%

        The following is a sample output:

        LTAI****
IrVTNZNy**** 
acs:ram::17464958********:role/mnsststest

      Command Prompt

      1. Open Command Prompt.

      2. Run the following commands to set the AccessKey pair of the RAM user and the RAM Role ARN:

        set MNS_ACCESS_KEY_ID=LTAI****
set MNS_ACCESS_KEY_SECRET=IrVTNZNy****  
set MNS_STS_ROLE_ARN=acs:ram::17464958********:role/mnsststest

      3. Run the following commands to apply the changes:

        setx MNS_ACCESS_KEY_ID "%MNS_ACCESS_KEY_ID%"
setx MNS_ACCESS_KEY_SECRET "%MNS_ACCESS_KEY_SECRET%"
setx MNS_STS_ROLE_ARN "%MNS_STS_ROLE_ARN%"

      4. Run the following commands to verify the environment variables:

        echo %MNS_ACCESS_KEY_ID%
echo %MNS_ACCESS_KEY_SECRET%
echo %MNS_STS_ROLE_ARN%

        The following is a sample output:

        LTAI****
IrVTNZNy****  
acs:ram::17464958********:role/mnsststest

      Windows PowerShell

      1. Press Win + X.

      2. Set the AccessKey pair of the RAM user and the RAM Role ARN of the target RAM role.

        Current session

        1. From the menu that appears, select Windows PowerShell.

        2. Set the following environment variables for the current session:

          $env:MNS_ACCESS_KEY_ID = "LTAI****"
$env:MNS_ACCESS_KEY_SECRET = "IrVTNZNy****"
$env:MNS_STS_ROLE_ARN = "acs:ram::17464958********:role/mnsststest"

        New sessions

        1. From the menu that appears, select Windows PowerShell.

        2. Set the following environment variables for all new sessions:

          [System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_ID', 'LTAI****', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable('MNS_STS_ROLE_ARN', 'acs:ram::17464958********:role/mnsststest', [System.EnvironmentVariableTarget]::User)

        All users

        1. From the menu that appears, select Windows PowerShell (Administrator).

        2. Set the following environment variables for all users:

          [System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_ID', 'LTAI****', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('MNS_ACCESS_KEY_SECRET', 'IrVTNZNy****', [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable('MNS_STS_ROLE_ARN', 'acs:ram::17464958********:role/mnsststest', [System.EnvironmentVariableTarget]::Machine)

      3. Run the following commands to verify the environment variables:

        Get-ChildItem env:MNS_ACCESS_KEY_ID
Get-ChildItem env:MNS_ACCESS_KEY_SECRET
Get-ChildItem env:MNS_STS_ROLE_ARN

        The following is a sample output:

        LTAI****
IrVTNZNy**** 
acs:ram::17464958********:role/mnsststest

    2. Obtain the AccessKey pair of the RAM user and the RAM Role ARN from the environment variables.

      // The region where STSAssumeRole is authorized. This example uses China (Hangzhou).
String region = "cn-hangzhou";
// Obtain the AccessKey pair (AccessKey ID and AccessKey Secret) of the RAM user from the environment variables.
String accessKeyId = System.getenv("MNS_ACCESS_KEY_ID");
String accessKeySecret = System.getenv("MNS_ACCESS_KEY_SECRET");
// Obtain the RAM Role ARN from the environment variable.
String roleArn = System.getenv("MNS_STS_ROLE_ARN");
// Configure the access credentials by using the AccessKey pair of the RAM user and the RAM Role ARN obtained from the environment variables.
STSAssumeRoleSessionCredentialsProvider credentialsProvider = CredentialsProviderFactory
        .newSTSAssumeRoleSessionCredentialsProvider(
                region, 
                accessKeyId, 
                accessKeySecret, 
                roleArn
        );

    Embed in code

    Warning

    Embedding access credentials in your code poses a security risk. If leaked, these credentials can be used by attackers to access your MNS resources. For enhanced security, we recommend using a more secure method, such as obtaining access credentials from environment variables.

    // WARNING: Hardcoding credentials is a security risk.
// The region ID must match the MNS endpoint.
String regionId = "cn-hangzhou";
// Replace the following with your RAM user's AccessKey pair and the target RAM Role ARN.
String accessKeyId = "LTAI************"; // The AccessKey ID of the RAM user.
String accessKeySecret = "K_VTN*******************"; // The AccessKey Secret of the RAM user.
String roleArn = "acs:ram::17464958********:role/mnsststest"; // The ARN of the RAM role to assume.
DefaultProfile profile = DefaultProfile.getProfile(regionId);
AlibabaCloudCredentialsProvider provider = new STSAssumeRoleSessionCredentialsProvider(
    new BasicCredentials(accessKeyId, accessKeySecret),
    roleArn,
    profile
);
String endpoint = ServiceSettings.getMNSAccountEndpoint();
CloudAccount account = new CloudAccount(endpoint, provider);

ECS RAM role

  1. Assign a RAM role to an ECS instance.

    For more information, see Attach an instance RAM role.

  2. Configure the ECS instance RAM role as the access credentials.

    // Obtain access credentials from the 'ecs-ram-role' ECS instance RAM role.
CredentialsProvider provider = new InstanceProfileCredentialsProvider("ecs-ram-role");
Previous:Install SMQ SDK for JavaNext:Use queues