An API Key, also known as a Service Credential in OpenAPI (ServiceCredential), is a type of credential issued by Resource Access Management (RAM) for accessing a specific cloud service. It is used exclusively for making API calls to that service. This topic describes API Keys and how to manage their lifecycle.
When making programmatic calls to a specific cloud service's OpenAPI, you can use an API Key for authentication. Each API Key is bound to a single cloud service upon creation and can only be used to call the APIs of that service. This design narrows the security scope, making it a more secure alternative to an AccessKey.
Key features
Service-level isolation: Each API Key is bound to a single cloud service (specified by its
ServiceName) at creation. It can only be used to call the APIs of that service and cannot be used for cross-service calls. You cannot expand its scope with permission policies.Minimized permission scope: The effective permissions of an API Key are the intersection of the associated RAM user's permissions and the scope of the bound cloud service. Even if the RAM user has permissions for multiple services, the API Key remains restricted to its designated service.
Restricted to RAM users: Only RAM users can create API Keys. Alibaba Cloud accounts (root accounts) cannot create them. This practice helps reduce the potential impact of a credential leak.
Naming conventions:
ServiceCredentialis the term used in OpenAPI and SDKs, while the console uses the more user-friendly term API Key. Both terms refer to the same resource.
API Keys vs. AccessKeys
Both API Keys and AccessKeys are long-term credentials for RAM users. However, they differ in service scope, issuance methods, and use cases.
Feature | API Key | AccessKey |
Service scope | Bound to a single cloud service upon creation and can only call that service's OpenAPI. | Unrestricted by service. Can call any cloud service the RAM user is authorized to access. |
Permission model | Effective permissions are the intersection of the RAM user's permissions and the bound cloud service's scope. | Fully inherits all permissions granted to the RAM user. |
Supported identities | Only RAM users can create them. Alibaba Cloud accounts (root accounts) are not supported. | Both Alibaba Cloud accounts and RAM users can create them. |
Quota | Two per RAM user per cloud service. This quota is fixed. | Two per identity. |
Expiration period | Expiration can be set from 1 to 36,600 days or to never expire. Expired keys are permanently deactivated and cannot be recovered. | Long-term validity with no built-in expiration mechanism. |
Typical use cases | Calling AI models, integrating with third-party platforms or developer tools, and scenarios that require service-level credential isolation. | General OpenAPI/SDK calls, cross-service orchestration, and CI/CD automation. |
Lifecycle states
An API Key can be in one of the following three states during its lifecycle:
Active: The credential can be used to call the OpenAPI of the bound cloud service. This is the default state upon creation.
Inactive: The credential is temporarily disabled. You can reactivate it to the
Activestate. A key must be inactive before you can delete it.Expired: The system automatically changes the key's status to Expired when its expiration time is reached. The credential becomes permanently invalid and cannot be recovered. You must create a new key.
Quotas and expiration
Quota: Each RAM user can create a maximum of two API Keys per cloud service, including both
ActiveandInactivekeys. This quota is fixed. Expired keys count toward this quota; deleted keys do not.Expiration period unit: Days.
Value range: The console provides presets for 1, 7, 30, and 90 days, or you can set a key to never expire. Custom values are also supported.
OpenAPI default: If you omit the
CredentialAgeDaysparameter when calling theCreateServiceCredentialoperation, the key is set to never expire.Expiration is final: When a key expires, its status changes to
Expired, and it becomes permanently invalid. It cannot be reactivated. You must delete the expired key and create a new one.
As a security best practice, set a reasonable expiration period for API Keys based on your application's lifecycle instead of creating keys that never expire. Rotate the credentials in your application before they expire to avoid business interruptions.
Supported cloud services
In the RAM console, go to the User Details page > Credential Management tab > API Keys section and click Create API Key. The Cloud Service dropdown list lists the services available to your account. Refer to the specific service's documentation for a list of supported APIs.
Self-management for RAM users
An Alibaba Cloud account or a RAM administrator with sufficient permissions can use the AllowUserToManageServiceCredential setting in the RAM security settings to control whether RAM users can manage their own API Keys. This setting has the following two states:
Allow self-management: A RAM user can log on to the console or call OpenAPI to create, update, or delete their own API Keys, provided that these actions are not explicitly denied by an administrator in a permission policy (that is, no explicit Deny policy exists).
Self-management not allowed: RAM users cannot manage their own API Keys. The keys must be created and maintained by an administrator who has permissions such as
ram:CreateServiceCredential.
Authorization methods
You can choose one of the following three methods to grant permissions based on your security and governance requirements:
Grant a system policy to RAM administrators (Centralized Management): Attach the
AliyunRAMFullAccesssystem policy to your administrators, allowing them to create and maintain API Keys for all users. This policy provides full administrative access to RAM and is suitable for environments where a dedicated team manages all RAM user credentials.Enable the global self-management setting (Not Recommended for Production): After you enable
AllowUserToManageServiceCredentialin the RAM security settings, all RAM users can manage their own API Keys unless explicitly restricted by aDenypolicy. This option offers flexibility for teams but grants broad permissions. We recommend using it only in controlled test or sandbox environments.Attach a custom policy (Recommended): Keep the global self-management setting disabled and attach a custom policy only to specific RAM users who need to manage their own API Keys. Restrict the
Resourceto the user's own identity. If needed, you can add aram:ServiceCredentialServiceNamecondition to further restrict permissions to a specific cloud service. This method allows you to grant precise permissions to individual users without enabling self-management for the entire account.
When the global AllowUserToManageServiceCredential setting is enabled, all RAM users can manage their own API Keys (including create, enable, disable, and delete operations) unless an administrator attaches a permission policy that denies these actions. For production environments, we strongly recommend keeping this setting disabled and using custom policies to grant permissions on a case-by-case basis.
Custom policy examples
The following example policies restrict the Resource to the RAM user's own identity. Once attached to a RAM user, the policy allows them to perform the specified actions on their own account. Before using a policy, replace ACCOUNT_ID with your account ID (which you can find in the Alibaba Cloud Account Center) and replace USER_NAME with the logon name of the target RAM user (without the @ suffix).
Create API keys
This policy allows a user to create and list their own API Keys but does not allow them to modify or delete keys. This is suitable for granting minimal permissions according to the principle of least privilege.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceCredential",
"ram:ListServiceCredentials"
],
"Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
}
]
}Full lifecycle management
This policy allows a user to perform all management operations for their own API Keys, including creating, listing, renaming, enabling, disabling, and deleting them.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceCredential",
"ram:ListServiceCredentials",
"ram:GetServiceCredential",
"ram:UpdateServiceCredential",
"ram:DeleteServiceCredential"
],
"Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
}
]
}Service-specific management
This policy builds on the full management permissions by adding a ram:ServiceCredentialServiceName condition. It only allows the user to manage API Keys for a specific cloud service (in this example, ak.aliyuncs.com). This is useful for granular authorization scenarios where credential management is delegated based on cloud service.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceCredential",
"ram:ListServiceCredentials",
"ram:GetServiceCredential",
"ram:UpdateServiceCredential",
"ram:DeleteServiceCredential"
],
"Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME",
"Condition": {
"StringEquals": {
"ram:ServiceCredentialServiceName": "ak.aliyuncs.com"
}
}
}
]
}API Key data structure
Each API Key consists of the following core fields. The field names returned by OpenAPI are prefixed with ServiceCredential, while the field names in the console are more user-friendly.
OpenAPI field | Console field | Description |
ServiceCredentialId | ID | A system-generated unique ID, prefixed with |
ServiceCredentialName | Name | A user-friendly name to identify the key's purpose. The console automatically populates this with a name like |
ServiceName | Cloud Service | The identifier of the bound cloud service, such as |
ServiceCredentialSecret | API Key | The credential's secret. It is displayed only once upon creation and is not retrievable afterward through the API or console. |
CreateTime | Creation Time | The creation time in UTC, formatted in ISO-8601. The console displays this value in your local time. |
ExpirationTime | Expiration Time | The time when the credential expires and its status changes to |
Status | Status | The credential status. Valid values are |
UserPrincipalName | User | The logon name of the RAM user (User Principal Name), such as |
Security recommendations
Set an expiration period for API Keys. Avoid setting short-term test keys to never expire. For other use cases, set an appropriate expiration period, such as 30 or 90 days, based on the service's usage cycle and rotate the key before it expires.
Immediately copy the API Key secret or download the CSV file after creating a key. Once you close the pop-up window, you cannot retrieve the secret again. If you lose the secret, you must delete the key and create a new one.
Treat API Keys as highly sensitive credentials. Do not commit them in plaintext to code repositories, configuration files, or logs. We recommend using a secrets management service or encrypting them with KMS before storage.