Manage access credentials
Configure the authentication credentials for the Alibaba Cloud Python SDK V1.0 client to make API requests.
The SDK supports five credential types. Choose the one that matches your deployment environment:
| Credential type | Use when |
|---|---|
| AccessKey pair | Local development and testing with a RAM user account |
| STS credentials | Short-lived access is required, or you need to grant temporary permissions to other services |
| RAM role credentials | Your application assumes a RAM role and needs automatic STS token refresh |
| ECS RAM role credentials | Your code runs on an ECS instance with an attached RAM role |
| Default credentials | You want the SDK to discover credentials automatically from environment variables |
Never hardcode credentials in source code or commit them to version control. Store credentials in environment variables or a secrets manager.
Use an AccessKey pair
Use this method for local development and testing when authenticating as a RAM user. Store the AccessKey ID and AccessKey secret in environment variables, then pass them to AcsClient.
import os
from aliyunsdkcore.client import AcsClient
from aliyunsdkecs.request.v20140526.DescribeRegionsRequest import DescribeRegionsRequest
# Initialize the client.
client = AcsClient(
    os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),  # Get the AccessKey ID of the RAM user from an environment variable.
    os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET'),  # Get the AccessKey secret of the RAM user from an environment variable.
    '<region_id>'  # The region ID.
)
# Create an API request and set parameters.
request = DescribeRegionsRequest()
# Send the request.
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
Use STS credentials
Use this method when you need short-lived access. Security Token Service (STS) issues temporary security credentials — an AccessKey ID, AccessKey secret, and security token — that expire automatically.
import os
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.auth.credentials import StsTokenCredential
from aliyunsdkecs.request.v20140526.AcceptInquiredSystemEventRequest import AcceptInquiredSystemEventRequest
cred = StsTokenCredential(
    sts_access_key_id=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),  # Obtain the AccessKey ID provided by STS from environment variables.
    sts_access_key_secret=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET'),  # Obtain the AccessKey secret provided by STS from environment variables.
    sts_token=os.environ.get('ALIBABA_CLOUD_SECURITY_TOKEN')  # Obtain the STS token provided by STS from environment variables.
)
client = AcsClient(
    region_id='<region_id>',
    credential=cred
)
request = AcceptInquiredSystemEventRequest()
request.set_accept_format('json')
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
Use RAM role credentials
Use this method when your application needs to assume a RAM role. The client automatically requests and refreshes STS tokens before each API call. You can also manually request STS tokens and create an STS client.
import os
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.auth.credentials import RamRoleArnCredential
from aliyunsdkecs.request.v20140526.DescribeRegionsRequest import DescribeRegionsRequest
cred = RamRoleArnCredential(
    sts_access_key_id=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),  # Get the AccessKey ID of the RAM user from an environment variable.
    sts_access_key_secret=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET'),  # Get the AccessKey secret of the RAM user from an environment variable.
    role_arn='<ram_role_arn>',
    session_role_name='<session_role_name>'
)
client = AcsClient(
    region_id='<region_id>',
    credential=cred
)
request = DescribeRegionsRequest()
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
Use ECS RAM role credentials
Use this method when your code runs on an ECS instance with an attached RAM role. The SDK retrieves temporary security credentials automatically from the instance metadata endpoint at http://100.100.100.200/latest/meta-data/ram/security-credentials/<role_name>. Your code requires no credential configuration.
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.auth.credentials import EcsRamRoleCredential
from aliyunsdkecs.request.v20140526.AcceptInquiredSystemEventRequest import AcceptInquiredSystemEventRequest
cred = EcsRamRoleCredential(
    role_name='<ram_role_name>'
)
client = AcsClient(
    region_id='<region_id>',
    credential=cred
)
request = AcceptInquiredSystemEventRequest()
request.set_accept_format('json')
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
Use the default credential
Use this method when you want the SDK to discover credentials automatically. The SDK checks the ALIYUN_ACCESS_KEY_ID and ALIYUN_ACCESS_KEY_SECRET environment variables. If both are set and non-empty, the SDK uses them to create a default credential.
from aliyunsdkcore.client import AcsClient
from aliyunsdkecs.request.v20140526.DescribeRegionsRequest import DescribeRegionsRequest
# Initialize the client.
client = AcsClient(
    region_id='<region_id>'  # The region ID.
)
# Create an API request and set parameters.
request = DescribeRegionsRequest()
# Send the request.
response = client.do_action_with_exception(request)
print(str(response, encoding='utf-8'))
Security best practices
Use environment variables or a secrets manager. Never hardcode credentials in source code or commit them to a repository.
Follow least privilege. Grant RAM users and RAM roles only the permissions they need.
Prefer RAM role or ECS RAM role credentials in production. Both credential types issue short-lived STS tokens and rotate them automatically, reducing the risk of credential exposure.
Rotate AccessKey pairs regularly. Revoke any AccessKey pairs that are no longer in use.
Use STS credentials for temporary access. When granting access to a third party or a short-lived process, issue STS credentials with an appropriate expiration time instead of sharing a long-lived AccessKey pair.
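A pre-commit style check for the first practice above, as an added example that is not part of the original page or the SDK: it parses Python source with ast and reports string literals passed as credentials to the constructors shown on this page, including a literal fallback given to os.environ.get. The function names and the sample source are constructed for illustration, and AcsClient's keyword names ak and secret are assumed from the SDK's constructor signature.

```python
import ast

# Constructor name -> (secret positional indexes, secret keyword names).
# AcsClient's `ak`/`secret` keywords are assumed; the rest appear in this page's examples.
SECRET_ARGS = {
    "AcsClient": ({0, 1}, {"ak", "secret"}),
    "StsTokenCredential": ({0, 1, 2}, {"sts_access_key_id", "sts_access_key_secret", "sts_token"}),
    "RamRoleArnCredential": ({0, 1}, {"sts_access_key_id", "sts_access_key_secret"}),
}

def is_literal_secret(node):
    """True for a string literal, or an env lookup with a literal fallback value."""
    if isinstance(node, ast.Call) and len(node.args) == 2:  # os.environ.get(NAME, 'fallback')
        node = node.args[1]
    if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
        return False
    value = node.value.strip()
    # Ignore empty strings and documentation placeholders such as '<region_id>'.
    return bool(value) and not (value.startswith("<") and value.endswith(">"))

def find_hardcoded_credentials(source):
    """Return sorted (line, constructor, argument) tuples for literal credentials."""
    findings = []
    calls = [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.Call)]
    for node in calls:
        name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
        positions, keywords = SECRET_ARGS.get(name, (set(), set()))
        for index, arg in enumerate(node.args):
            if index in positions and is_literal_secret(arg):
                findings.append((arg.lineno, name, f"arg{index}"))
        for kw in node.keywords:
            if kw.arg in keywords and is_literal_secret(kw.value):
                findings.append((kw.value.lineno, name, kw.arg))
    return sorted(findings)

# Constructed sample input; the credential strings are dummy values.
SAMPLE = '''\
import os
ok = AcsClient(os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),
               os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), '<region_id>')
bad = AcsClient('EXAMPLE-KEY-ID', 'EXAMPLE-KEY-SECRET', 'cn-hangzhou')
cred = StsTokenCredential(
    sts_access_key_id=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),
    sts_access_key_secret=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET', 'EXAMPLE-FALLBACK'),
    sts_token='EXAMPLE-TOKEN')
'''

if __name__ == "__main__":
    print(find_hardcoded_credentials(SAMPLE))
```

The check only sees literals written directly in the call; a credential assigned to a variable first, or loaded from a checked-in config file, needs a repository-wide secret scanner as well.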