Manage service credentials (API keys)

更新时间:
复制 MD 格式

An API Key, also known as a Service Credential in OpenAPI (ServiceCredential), is a type of credential issued by Resource Access Management (RAM) for accessing a specific cloud service. It is used exclusively for making API calls to that service. This topic describes API Keys and how to manage their lifecycle.

When making programmatic calls to a specific cloud service's OpenAPI, you can use an API Key for authentication. Each API Key is bound to a single cloud service upon creation and can only be used to call the APIs of that service. This design narrows the security scope, making it a more secure alternative to an AccessKey.

Key features

  • Service-level isolation: Each API Key is bound to a single cloud service (specified by its ServiceName) at creation. It can only be used to call the APIs of that service and cannot be used for cross-service calls. You cannot expand its scope with permission policies.

  • Minimized permission scope: The effective permissions of an API Key are the intersection of the associated RAM user's permissions and the scope of the bound cloud service. Even if the RAM user has permissions for multiple services, the API Key remains restricted to its designated service.

  • Restricted to RAM users: Only RAM users can create API Keys. Alibaba Cloud accounts (root accounts) cannot create them. This practice helps reduce the potential impact of a credential leak.

  • Naming conventions: ServiceCredential is the term used in OpenAPI and SDKs, while the console uses the more user-friendly term API Key. Both terms refer to the same resource.

API Keys vs. AccessKeys

Both API Keys and AccessKeys are long-term credentials for RAM users. However, they differ in service scope, issuance methods, and use cases.

Feature

API Key

AccessKey

Service scope

Bound to a single cloud service upon creation and can only call that service's OpenAPI.

Unrestricted by service. Can call any cloud service the RAM user is authorized to access.

Permission model

Effective permissions are the intersection of the RAM user's permissions and the bound cloud service's scope.

Fully inherits all permissions granted to the RAM user.

Supported identities

Only RAM users can create them. Alibaba Cloud accounts (root accounts) are not supported.

Both Alibaba Cloud accounts and RAM users can create them.

Quota

Two per RAM user per cloud service. This quota is fixed.

Two per identity.

Expiration period

Expiration can be set from 1 to 36,600 days or to never expire. Expired keys are permanently deactivated and cannot be recovered.

Long-term validity with no built-in expiration mechanism.

Typical use cases

Calling AI models, integrating with third-party platforms or developer tools, and scenarios that require service-level credential isolation.

General OpenAPI/SDK calls, cross-service orchestration, and CI/CD automation.

Lifecycle states

An API Key can be in one of the following three states during its lifecycle:

  • Active: The credential can be used to call the OpenAPI of the bound cloud service. This is the default state upon creation.

  • Inactive: The credential is temporarily disabled. You can reactivate it to the Active state. A key must be inactive before you can delete it.

  • Expired: The system automatically changes the key's status to Expired when its expiration time is reached. The credential becomes permanently invalid and cannot be recovered. You must create a new key.

Quotas and expiration

  • Quota: Each RAM user can create a maximum of two API Keys per cloud service, including both Active and Inactive keys. This quota is fixed. Expired keys count toward this quota; deleted keys do not.

  • Expiration period unit: Days.

  • Value range: The console provides presets for 1, 7, 30, and 90 days, or you can set a key to never expire. Custom values are also supported.

  • OpenAPI default: If you omit the CredentialAgeDays parameter when calling the CreateServiceCredential operation, the key is set to never expire.

  • Expiration is final: When a key expires, its status changes to Expired, and it becomes permanently invalid. It cannot be reactivated. You must delete the expired key and create a new one.

Important

As a security best practice, set a reasonable expiration period for API Keys based on your application's lifecycle instead of creating keys that never expire. Rotate the credentials in your application before they expire to avoid business interruptions.

Supported cloud services

In the RAM console, go to the User Details page > Credential Management tab > API Keys section and click Create API Key. The Cloud Service dropdown list lists the services available to your account. Refer to the specific service's documentation for a list of supported APIs.

Self-management for RAM users

An Alibaba Cloud account or a RAM administrator with sufficient permissions can use the AllowUserToManageServiceCredential setting in the RAM security settings to control whether RAM users can manage their own API Keys. This setting has the following two states:

  • Allow self-management: A RAM user can log on to the console or call OpenAPI to create, update, or delete their own API Keys, provided that these actions are not explicitly denied by an administrator in a permission policy (that is, no explicit Deny policy exists).

  • Self-management not allowed: RAM users cannot manage their own API Keys. The keys must be created and maintained by an administrator who has permissions such as ram:CreateServiceCredential.

Authorization methods

You can choose one of the following three methods to grant permissions based on your security and governance requirements:

  • Grant a system policy to RAM administrators (Centralized Management): Attach the AliyunRAMFullAccess system policy to your administrators, allowing them to create and maintain API Keys for all users. This policy provides full administrative access to RAM and is suitable for environments where a dedicated team manages all RAM user credentials.

  • Enable the global self-management setting (Not Recommended for Production): After you enable AllowUserToManageServiceCredential in the RAM security settings, all RAM users can manage their own API Keys unless explicitly restricted by a Deny policy. This option offers flexibility for teams but grants broad permissions. We recommend using it only in controlled test or sandbox environments.

  • Attach a custom policy (Recommended): Keep the global self-management setting disabled and attach a custom policy only to specific RAM users who need to manage their own API Keys. Restrict the Resource to the user's own identity. If needed, you can add a ram:ServiceCredentialServiceName condition to further restrict permissions to a specific cloud service. This method allows you to grant precise permissions to individual users without enabling self-management for the entire account.

Warning

When the global AllowUserToManageServiceCredential setting is enabled, all RAM users can manage their own API Keys (including create, enable, disable, and delete operations) unless an administrator attaches a permission policy that denies these actions. For production environments, we strongly recommend keeping this setting disabled and using custom policies to grant permissions on a case-by-case basis.

Custom policy examples

The following example policies restrict the Resource to the RAM user's own identity. Once attached to a RAM user, the policy allows them to perform the specified actions on their own account. Before using a policy, replace ACCOUNT_ID with your account ID (which you can find in the Alibaba Cloud Account Center) and replace USER_NAME with the logon name of the target RAM user (without the @ suffix).

Create API keys

This policy allows a user to create and list their own API Keys but does not allow them to modify or delete keys. This is suitable for granting minimal permissions according to the principle of least privilege.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateServiceCredential",
        "ram:ListServiceCredentials"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
    }
  ]
}

Full lifecycle management

This policy allows a user to perform all management operations for their own API Keys, including creating, listing, renaming, enabling, disabling, and deleting them.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateServiceCredential",
        "ram:ListServiceCredentials",
        "ram:GetServiceCredential",
        "ram:UpdateServiceCredential",
        "ram:DeleteServiceCredential"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME"
    }
  ]
}

Service-specific management

This policy builds on the full management permissions by adding a ram:ServiceCredentialServiceName condition. It only allows the user to manage API Keys for a specific cloud service (in this example, ak.aliyuncs.com). This is useful for granular authorization scenarios where credential management is delegated based on cloud service.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateServiceCredential",
        "ram:ListServiceCredentials",
        "ram:GetServiceCredential",
        "ram:UpdateServiceCredential",
        "ram:DeleteServiceCredential"
      ],
      "Resource": "acs:ram:*:ACCOUNT_ID:user/USER_NAME",
      "Condition": {
        "StringEquals": {
          "ram:ServiceCredentialServiceName": "ak.aliyuncs.com"
        }
      }
    }
  ]
}

API Key data structure

Each API Key consists of the following core fields. The field names returned by OpenAPI are prefixed with ServiceCredential, while the field names in the console are more user-friendly.

OpenAPI field

Console field

Description

ServiceCredentialId

ID

A system-generated unique ID, prefixed with SC. Use this ID to reference the key in management operations like enabling, disabling, and deleting.

ServiceCredentialName

Name

A user-friendly name to identify the key's purpose. The console automatically populates this with a name like {CloudServiceName}_apikey_{RandomCharacters}. You can change this name after creation.

ServiceName

Cloud Service

The identifier of the bound cloud service, such as ak.aliyuncs.com. This is set at creation and cannot be changed.

ServiceCredentialSecret

API Key

The credential's secret. It is displayed only once upon creation and is not retrievable afterward through the API or console.

CreateTime

Creation Time

The creation time in UTC, formatted in ISO-8601. The console displays this value in your local time.

ExpirationTime

Expiration Time

The time when the credential expires and its status changes to Expired. The value is null for keys that never expire, which is shown as "Never expires" in the console.

Status

Status

The credential status. Valid values are Active, Inactive, and Expired.

UserPrincipalName

User

The logon name of the RAM user (User Principal Name), such as us**@account.onaliyun.com.

Security recommendations

  • Set an expiration period for API Keys. Avoid setting short-term test keys to never expire. For other use cases, set an appropriate expiration period, such as 30 or 90 days, based on the service's usage cycle and rotate the key before it expires.

  • Immediately copy the API Key secret or download the CSV file after creating a key. Once you close the pop-up window, you cannot retrieve the secret again. If you lose the secret, you must delete the key and create a new one.

  • Treat API Keys as highly sensitive credentials. Do not commit them in plaintext to code repositories, configuration files, or logs. We recommend using a secrets management service or encrypting them with KMS before storage.