From ebcda2e628180b4df235b46a86e1d014c561f5d9 Mon Sep 17 00:00:00 2001 From: yndu13 Date: Wed, 16 Oct 2024 20:36:39 +0800 Subject: [PATCH] docs: update README --- README-zh-CN.md | 307 ++++++++++++++++++++++++++++++++++++++---------- README.md | 282 +++++++++++++++++++++++++++++++++++--------- 2 files changed, 473 insertions(+), 116 deletions(-) diff --git a/README-zh-CN.md b/README-zh-CN.md index a0ffe53..d9bd593 100644 --- a/README-zh-CN.md +++ b/README-zh-CN.md @@ -35,9 +35,8 @@ composer require alibabacloud/credentials ### 凭证类型 -#### AccessKey - -通过[用户信息管理][ak]设置 access_key,它们具有该账户完全的权限,请妥善保管。有时出于安全考虑,您不能把具有完全访问权限的主账户 AccessKey 交于一个项目的开发者使用,您可以[创建RAM子账户][ram]并为子账户[授权][permissions],使用RAM子用户的 AccessKey 来进行API调用。 +#### 使用默认凭据链 +当您在初始化凭据客户端不传入任何参数时,Credentials工具会使用默认凭据链方式初始化客户端。默认凭据的读取逻辑请参见[默认凭据链](#默认凭证提供程序链)。 ```php getCredential(); $credential->getAccessKeyId(); $credential->getAccessKeySecret(); +$credential->getSecurityToken(); +``` + +#### AccessKey + +通过[用户信息管理][ak]设置 access_key,它们具有该账户完全的权限,请妥善保管。有时出于安全考虑,您不能把具有完全访问权限的主账户 AccessKey 交于一个项目的开发者使用,您可以[创建RAM子账户][ram]并为子账户[授权][permissions],使用RAM子用户的 AccessKey 来进行API调用。 + +```php + 'access_key', - 'access_key_id' => '', - 'access_key_secret' => '', +$config = new Config([ + 'type' => 'access_key', + 'accessKeyId' => '', + 'accessKeySecret' => '', ]); -$ak->getAccessKeyId(); -$ak->getAccessKeySecret(); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); ``` #### STS @@ -67,86 +83,244 @@ $ak->getAccessKeySecret(); 'sts', - 'access_key_id' => '', - 'accessKey_secret' => '', - 'security_token' => '', +$config = new Config([ + 'type' => 'sts', + 'accessKeyId' => '', + 'accessKeySecret' => '', + 'securityToken' => '', ]); -$sts->getAccessKeyId(); -$sts->getAccessKeySecret(); -$sts->getSecurityToken(); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); ``` #### RamRoleArn -通过指定[RAM角色][RAM Role],让凭证自动申请维护 STS Token。你可以通过为 `Policy` 赋值来限制获取到的 STS Token 的权限。 +通过指定RAM角色的ARN(Alibabacloud Resource Name),Credentials工具可以帮助开发者前往STS换取STS Token。您也可以通过为 `Policy` 赋值来限制RAM角色到一个更小的权限集合。 ```php 'ram_role_arn', - 'access_key_id' => '', - 'access_key_secret' => '', - 'role_arn' => '', - 'role_session_name' => '', - 'policy' => '', +namespace AlibabaCloud\Credentials\Credential\Config; + +$config = new Config([ + 'type' => 'ram_role_arn', + 'accessKeyId' => '', + 'accessKeySecret' => '', + // 要扮演的RAM角色ARN,示例值:acs:ram::123456789012****:role/adminrole,可以通过环境变量ALIBABA_CLOUD_ROLE_ARN设置role_arn + 'roleArn' => '', + // 角色会话名称,可以通过环境变量ALIBABA_CLOUD_ROLE_SESSION_NAME设置role_session_name + 'roleSessionName' => '', + // 设置更小的权限策略,非必填。示例值:{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} + 'policy' => '', + # 设置session过期时间 + 'roleSessionExpiration' => 3600, ]); -$ramRoleArn->getAccessKeyId(); -$ramRoleArn->getAccessKeySecret(); -$ramRoleArn->getRoleArn(); -$ramRoleArn->getRoleSessionName(); -$ramRoleArn->getPolicy(); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); ``` #### EcsRamRole -通过指定角色名称,让凭证自动申请维护 STS Token +Credentials工具会自动获取ECS实例绑定的RAM角色,调用ECS的元数据服务(Meta Data Server)换取STS Token,完成凭据客户端初始化。ECI实例,容器服务 Kubernetes 版的Worker节点均支持绑定实例RAM角色。 ```php 'ecs_ram_role', - 'role_name' => '', +$config = new Config([ + 'type' => 'ecs_ram_role', + // 选填,该ECS角色的角色名称,不填会自动获取,但是建议加上以减少请求次数,可以通过环境变量ALIBABA_CLOUD_ECS_METADATA设置role_name + 'roleName' => '', ]); -$ecsRamRole->getRoleName(); -// Note: `role_name` is optional. It will be retrieved automatically if not set. It is highly recommended to set it up to reduce requests. +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); ``` -#### Bearer Token +#### OIDCRoleArn -如呼叫中心(CCC)需用此凭证,请自行申请维护 Bearer Token。 +在容器服务 Kubernetes 版中设置了Worker节点RAM角色后,对应节点内的Pod中的应用也就可以像ECS上部署的应用一样,通过元数据服务(Meta Data Server)获取关联角色的STS Token。但如果容器集群上部署的是不可信的应用(比如部署您的客户提交的应用,代码也没有对您开放),您可能并不希望它们能通过元数据服务获取Worker节点关联实例RAM角色的STS Token。为了避免影响云上资源的安全,同时又能让这些不可信的应用安全地获取所需的 STS Token,实现应用级别的权限最小化,您可以使用RRSA(RAM Roles for Service Account)功能。阿里云容器集群会为不同的应用Pod创建和挂载相应的服务账户OIDC Token文件,并将相关配置信息注入到环境变量中,Credentials工具通过获取环境变量的配置信息,调用STS服务的AssumeRoleWithOIDC - OIDC角色SSO时获取扮演角色的临时身份凭证接口换取绑定角色的STS Token。详情请参见[通过RRSA配置ServiceAccount的RAM权限实现Pod权限隔离](https://help.aliyun.com/zh/ack/ack-managed-and-ack-dedicated/user-guide/use-rrsa-to-authorize-pods-to-access-different-cloud-services#task-2142941)。 ```php 'oidc_role_arn', + // OIDC提供商ARN,可以通过环境变量ALIBABA_CLOUD_OIDC_PROVIDER_ARN设置oidc_provider_arn + 'oidcProviderArn' => '', + // OIDC Token文件路径,可以通过环境变量ALIBABA_CLOUD_OIDC_TOKEN_FILE设置oidc_token_file_path + 'oidcTokenFilePath' => '', + // 要扮演的RAM角色ARN,示例值:acs:ram::123456789012****:role/adminrole,可以通过环境变量ALIBABA_CLOUD_ROLE_ARN设置role_arn + 'roleArn' => '', + // 角色会话名称,可以通过环境变量ALIBABA_CLOUD_ROLE_SESSION_NAME设置role_session_name + 'roleSessionName' => '', + // 设置更小的权限策略,非必填。示例值:{"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} + 'policy' => '', + # 设置session过期时间 + 'roleSessionExpiration' => 3600, +]); +$client = new Credential($config); -$bearerToken = new Credential([ - 'type' => 'bearer', - 'bearer_token' => '', +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); +``` + +#### Credentials URI + +通过指定提供凭证的自定义网络服务地址,让凭证自动申请维护 STS Token。 + +```php + 'credentials_uri', + // 凭证的 URI,格式为http://local_or_remote_uri/,可以通过环境变量ALIBABA_CLOUD_CREDENTIALS_URI设置credentials_uri + 'credentialsURI' => '', ]); -$bearerToken->getBearerToken(); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getBearerToken(); ``` -## 默认凭证提供程序链 +#### Bearer Token -默认凭证提供程序链查找可用的凭证,寻找顺序如下: +目前只有云呼叫中心 CCC 这款产品支持 Bearer Token 的凭据初始化方式。 -### 1. 环境凭证 +```php + 'bearer', + // 填入您的Bearer Token + 'bearerToken' => '', +]); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getBearerToken(); +``` + +## 默认凭证提供程序链 -### 2. 配置文件 +当您的程序开发环境和生产环境采用不同的凭据类型,常见做法是在代码中获取当前环境信息,编写获取不同凭据的分支代码。借助Credentials工具的默认凭据链,您可以用同一套代码,通过程序之外的配置来控制不同环境下的凭据获取方式。当您在不传入参数的情况下,直接使用$credential = new Credential();初始化凭据客户端时,阿里云SDK将会尝试按照如下顺序查找相关凭据信息。 + +### 1. 使用环境变量 + +Credentials工具会优先在环境变量中获取凭据信息。 + +- 如果系统环境变量 `ALIBABA_CLOUD_ACCESS_KEY_ID`(密钥Key) 和 `ALIBABA_CLOUD_ACCESS_KEY_SECRET`(密钥Value) 不为空,Credentials工具会优先使用它们作为默认凭据。 + +- 如果系统环境变量 `ALIBABA_CLOUD_ACCESS_KEY_ID`(密钥Key)、`ALIBABA_CLOUD_ACCESS_KEY_SECRET`(密钥Value)、`ALIBABA_CLOUD_SECURITY_TOKEN`(Token)均不为空,Credentials工具会优先使用STS Token作为默认凭据。 + +### 2. 使用OIDC RAM角色 +若不存在优先级更高的凭据信息,Credentials工具会在环境变量中获取如下内容: + +`ALIBABA_CLOUD_ROLE_ARN`:RAM角色名称ARN; + +`ALIBABA_CLOUD_OIDC_PROVIDER_ARN`:OIDC提供商ARN; + +`ALIBABA_CLOUD_OIDC_TOKEN_FILE`:OIDC Token文件路径; + +若以上三个环境变量都已设置内容,Credentials将会使用变量内容调用STS服务的[AssumeRoleWithOIDC - OIDC角色SSO时获取扮演角色的临时身份凭证](https://help.aliyun.com/zh/ram/developer-reference/api-sts-2015-04-01-assumerolewithoidc)接口换取STS Token作为默认凭据。 + +### 3. 使用 Aliyun CLI 工具的 config.json 配置文件 + +若不存在优先级更高的凭据信息,Credentials工具会优先在如下位置查找 `config.json` 文件是否存在: +Linux系统:`~/.aliyun/config.json` +Windows系统: `C:\Users\USER_NAME\.aliyun\config.json` +如果文件存在,程序将会使用配置文件中 `current` 指定的凭据信息初始化凭据客户端。当然,您也可以通过环境变量 `ALIBABA_CLOUD_PROFILE` 来指定凭据信息,例如设置 `ALIBABA_CLOUD_PROFILE` 的值为 `AK`。 + +在config.json配置文件中每个module的值代表了不同的凭据信息获取方式: + +- AK:使用用户的Access Key作为凭据信息; +- RamRoleArn:使用RAM角色的ARN来获取凭据信息; +- EcsRamRole:利用ECS绑定的RAM角色来获取凭据信息; +- OIDC:通过OIDC ARN和OIDC Token来获取凭据信息; +- ChainableRamRoleArn:采用角色链的方式,通过指定JSON文件中的其他凭据,以重新获取新的凭据信息。 + +配置示例信息如下: + +```json +{ + "current": "AK", + "profiles": [ + { + "name": "AK", + "mode": "AK", + "access_key_id": "access_key_id", + "access_key_secret": "access_key_secret" + }, + { + "name": "RamRoleArn", + "mode": "RamRoleArn", + "access_key_id": "access_key_id", + "access_key_secret": "access_key_secret", + "ram_role_arn": "ram_role_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + }, + { + "name": "EcsRamRole", + "mode": "EcsRamRole", + "ram_role_name": "ram_role_name" + }, + { + "name": "OIDC", + "mode": "OIDC", + "ram_role_arn": "ram_role_arn", + "oidc_token_file": "path/to/oidc/file", + "oidc_provider_arn": "oidc_provider_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + }, + { + "name": "ChainableRamRoleArn", + "mode": "ChainableRamRoleArn", + "source_profile": "AK", + "ram_role_arn": "ram_role_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + } + ] +} +``` + +### 4. 使用配置文件 > -> 如果用户主目录存在默认文件 `~/.alibabacloud/credentials` (Windows 为 `C:\Users\USER_NAME\.alibabacloud\credentials`),程序会自动创建指定类型和名称的凭证。默认文件可以不存在,但解析错误会抛出异常。 凭证名称不分大小写,若凭证同名,后者会覆盖前者。不同的项目、工具之间可以共用这个配置文件,因为超出项目之外,也不会被意外提交到版本控制。Windows 上可以使用环境变量引用到主目录 %UserProfile%。类 Unix 的系统可以使用环境变量 $HOME 或 ~ (tilde)。 可以通过定义 `ALIBABA_CLOUD_CREDENTIALS_FILE` 环境变量修改默认文件的路径。 +> 如果用户主目录存在默认文件 `~/.alibabacloud/credentials` (Windows 为 `C:\Users\USER_NAME\.alibabacloud\credentials`),程序会自动创建指定类型和名称的凭证。您也可通过环境变量 `ALIBABA_CLOUD_CREDENTIALS_FILE` 指定配置文件路径。如果文件存在,程序将会使用配置文件中 default 指定的凭据信息初始化凭据客户端。当然,您也可以通过环境变量 `ALIBABA_CLOUD_PROFILE` 来指定凭据信息,例如设置 `ALIBABA_CLOUD_PROFILE` 的值为 `client1`。 + +配置示例信息如下: ```ini [default] @@ -164,26 +338,33 @@ access_key_id = foo access_key_secret = bar role_arn = role_arn role_session_name = session_name + +[project3] +type=oidc_role_arn # 认证方式为 oidc_role_arn +oidc_provider_arn=oidc_provider_arn +oidc_token_file_path=oidc_token_file_path +role_arn=role_arn +role_session_name=session_name ``` -### 3. 实例 RAM 角色 +### 5. 使用 ECS 实例RAM角色 如果定义了环境变量 `ALIBABA_CLOUD_ECS_METADATA` 且不为空,程序会将该环境变量的值作为角色名称,请求 `http://100.100.100.200/latest/meta-data/ram/security-credentials/` 获取临时安全凭证作为默认凭证。 -### 自定义凭证提供程序链 +### 6. 使用外部服务 Credentials URI -可通过自定义程序链代替默认程序链的寻找顺序,也可以自行编写闭包传入提供者。 - -```php -getCredential(); $credential->getAccessKeyId(); $credential->getAccessKeySecret(); +$credential->getSecurityToken(); +``` + +#### AccessKey + +Setup access_key credential through [User Information Management][ak], it have full authority over the account, please keep it safe. Sometimes for security reasons, you cannot hand over a primary account AccessKey with full access to the developer of a project. You may create a sub-account [RAM Sub-account][ram] , grant its [authorization][permissions],and use the AccessKey of RAM Sub-account. + +```php + 'access_key', - 'access_key_id' => '', - 'access_key_secret' => '', +$config = new Config([ + 'type' => 'access_key', + 'accessKeyId' => '', + 'accessKeySecret' => '', ]); -$ak->getAccessKeyId(); -$ak->getAccessKeySecret(); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); ``` #### STS @@ -67,16 +85,20 @@ Create a temporary security credential by applying Temporary Security Credential 'sts', - 'access_key_id' => '', - 'accessKey_secret' => '', - 'security_token' => '', +$config = new Config([ + 'type' => 'sts', + 'accessKeyId' => '', + 'accessKeySecret' => '', + 'securityToken' => '', ]); -$sts->getAccessKeyId(); -$sts->getAccessKeySecret(); -$sts->getSecurityToken(); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); ``` #### RamRoleArn @@ -87,37 +109,104 @@ By specifying [RAM Role][RAM Role], the credential will be able to automatically 'ram_role_arn', - 'access_key_id' => '', - 'access_key_secret' => '', - 'role_arn' => '', - 'role_session_name' => '', - 'policy' => '', +namespace AlibabaCloud\Credentials\Credential\Config; + +$config = new Config([ + 'type' => 'ram_role_arn', + 'accessKeyId' => '', + 'accessKeySecret' => '', + // Specify the ARN of the RAM role to be assumed. Example: acs:ram::123456789012****:role/adminrole. + 'roleArn' => '', + // Specify the name of the role session. + 'roleSessionName' => '', + // Optional. Specify limited permissions for the RAM role. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}. + 'policy' => '', + # Specify the expiration of the session + 'roleSessionExpiration' => 3600, ]); -$ramRoleArn->getAccessKeyId(); -$ramRoleArn->getAccessKeySecret(); -$ramRoleArn->getRoleArn(); -$ramRoleArn->getRoleSessionName(); -$ramRoleArn->getPolicy(); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); ``` #### EcsRamRole -By specifying the role name, the credential will be able to automatically request maintenance of STS Token. +The Credentials tool automatically obtains the RAM role attached to an ECS instance and uses the metadata server of ECS to obtain an STS token. The STS token is then used to initialize a Credentials client. You can also attach a RAM role to an elastic container instance or a worker node in an Alibaba Cloud Container Service for Kubernetes (ACK) cluster. + +```php + 'ecs_ram_role', + // Optional. Specify the name of the RAM role of the ECS instance. If you do not specify this parameter, its value is automatically obtained. To reduce the number of requests, we recommend that you specify this parameter. + 'roleName' => '', +]); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); +``` + +#### OIDCRoleArn + +After you attach a RAM role to a worker node in an Container Service for Kubernetes, applications in the pods on the worker node can use the metadata server to obtain an STS token the same way in which applications on ECS instances do. However, if an untrusted application is deployed on the worker node, such as an application that is submitted by your customer and whose code is unavailable to you, you may not want the application to use the metadata server to obtain an STS token of the RAM role attached to the worker node. To ensure the security of cloud resources and enable untrusted applications to securely obtain required STS tokens, you can use the RAM Roles for Service Accounts (RRSA) feature to grant minimum necessary permissions to an application. In this case, the ACK cluster creates a service account OpenID Connect (OIDC) token file, associates the token file with a pod, and then injects relevant environment variables into the pod. Then, the Credentials tool uses the environment variables to call the AssumeRoleWithOIDC operation of STS and obtains an STS token of the RAM role. For more information about the RRSA feature, see [Use RRSA to authorize different pods to access different cloud services](https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/user-guide/use-rrsa-to-authorize-pods-to-access-different-cloud-services#task-2142941). ```php 'oidc_role_arn', + // Specify the ARN of the OIDC IdP by specifying the ALIBABA_CLOUD_OIDC_PROVIDER_ARN environment variable. + 'oidcProviderArn' => '', + // Specify the path of the OIDC token file by specifying the ALIBABA_CLOUD_OIDC_TOKEN_FILE environment variable. + 'oidcTokenFilePath' => '', + // Specify the ARN of the RAM role by specifying the ALIBABA_CLOUD_ROLE_ARN environment variable. + 'roleArn' => '', + // Specify the role session name by specifying the ALIBABA_CLOUD_ROLE_SESSION_NAME environment variable. + 'roleSessionName' => '', + // Optional. Specify limited permissions for the RAM role. Example: {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}. + 'policy' => '', + // Optional. Specify the validity period of the session. + 'roleSessionExpiration' => 3600, +]); +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getAccessKeyId(); +$credential->getAccessKeySecret(); +$credential->getSecurityToken(); +``` -$ecsRamRole = new Credential([ - 'type' => 'ecs_ram_role', - 'role_name' => '', +#### Credentials URI + +By specifying the url, the credential will be able to automatically request maintenance of STS Token. + +```php + 'credentials_uri', + // Format: http url. `credentialsURI` can be replaced by setting environment variable: ALIBABA_CLOUD_CREDENTIALS_URI + 'credentialsURI' => '', ]); -$ecsRamRole->getRoleName(); -// Note: `role_name` is optional. It will be retrieved automatically if not set. It is highly recommended to set it up to reduce requests. +$client = new Credential($config); + +$credential = $client->getCredential(); +$credential->getBearerToken(); ``` #### Bearer Token @@ -138,16 +227,96 @@ $bearerToken->getBearerToken(); ## Default credential provider chain -The default credential provider chain looks for available credentials, looking in the following order: +If you want to use different types of credentials in the development and production environments of your application, you generally need to obtain the environment information from the code and write code branches to obtain different credentials for the development and production environments. The default credential provider chain of the Credentials tool allows you to use the same code to obtain credentials for different environments based on configurations independent of the application. If you use $credential = new Credential(); to initialize a Credentials client without specifying an initialization method, the Credentials tool obtains the credential information in the following order: ### 1. Environmental certificate -The program first looks for environment credentials in the environment variable. If the `ALIBABA_CLOUD_ACCESS_KEY_ID` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` environment variables are defined and not empty, the program will use them to create default credentials. +Look for environment credentials in environment variable. +- If the `ALIBABA_CLOUD_ACCESS_KEY_ID` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` environment variables are defined and are not empty, the program will use them to create default credentials. +- If the `ALIBABA_CLOUD_ACCESS_KEY_ID`, `ALIBABA_CLOUD_ACCESS_KEY_SECRET` and `ALIBABA_CLOUD_SECURITY_TOKEN` environment variables are defined and are not empty, the program will use them to create temporary security credentials(STS). Note: This token has an expiration time, it is recommended to use it in a temporary environment. + +### 2. The RAM role of an OIDC IdP + +If no credentials are found in the previous step, the Credentials tool obtains the values of the following environment variables: + +`ALIBABA_CLOUD_ROLE_ARN`: the ARN of the RAM role. + +`ALIBABA_CLOUD_OIDC_PROVIDER_ARN`: the ARN of the OIDC IdP. + +`ALIBABA_CLOUD_OIDC_TOKEN_FILE`: the path of the OIDC token file. + +If the preceding three environment variables are specified, the Credentials tool uses the environment variables to call the [AssumeRoleWithOIDC](https://www.alibabacloud.com/help/en/ram/developer-reference/api-sts-2015-04-01-assumerolewithoidc) operation of STS to obtain an STS token as the default credential. + +### 3. Using the config.json Configuration File of Aliyun CLI Tool +If there is no higher-priority credential information, the Credentials tool will first check the following locations to see if the config.json file exists: + +Linux system: `~/.aliyun/config.json` +Windows system: `C:\Users\USER_NAME\.aliyun\config.json` +If the file exists, the program will use the credential information specified by `current` in the configuration file to initialize the credentials client. Of course, you can also use the environment variable `ALIBABA_CLOUD_PROFILE` to specify the credential information, for example by setting the value of `ALIBABA_CLOUD_PROFILE` to `AK`. + +In the config.json configuration file, the value of each module represents different ways to obtain credential information: + +- AK: Use the Access Key of the user as credential information; +- RamRoleArn: Use the ARN of the RAM role to obtain credential information; +- EcsRamRole: Use the RAM role bound to the ECS to obtain credential information; +- OIDC: Obtain credential information through OIDC ARN and OIDC Token; +- ChainableRamRoleArn: Use the role chaining method to obtain new credential information by specifying other credentials in the JSON file. + +The configuration example information is as follows: + +```json +{ + "current": "AK", + "profiles": [ + { + "name": "AK", + "mode": "AK", + "access_key_id": "access_key_id", + "access_key_secret": "access_key_secret" + }, + { + "name": "RamRoleArn", + "mode": "RamRoleArn", + "access_key_id": "access_key_id", + "access_key_secret": "access_key_secret", + "ram_role_arn": "ram_role_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + }, + { + "name": "EcsRamRole", + "mode": "EcsRamRole", + "ram_role_name": "ram_role_name" + }, + { + "name": "OIDC", + "mode": "OIDC", + "ram_role_arn": "ram_role_arn", + "oidc_token_file": "path/to/oidc/file", + "oidc_provider_arn": "oidc_provider_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + }, + { + "name": "ChainableRamRoleArn", + "mode": "ChainableRamRoleArn", + "source_profile": "AK", + "ram_role_arn": "ram_role_arn", + "ram_session_name": "ram_session_name", + "expired_seconds": 3600, + "sts_region": "cn-hangzhou" + } + ] +} +``` -### 2. Configuration file +### 4. Configuration file > -> If the user's home directory has the default file `~/.alibabacloud/credentials` (Windows is `C:\Users\USER_NAME\.alibabacloud\credentials`), the program will automatically create credentials with the specified type and name. The default file may not exist, but parsing errors will throw an exception. The voucher name is not case sensitive. If the voucher has the same name, the latter will overwrite the former. This configuration file can be shared between different projects and tools, and it will not be accidentally submitted to version control because it is outside the project. Environment variables can be referenced to the home directory %UserProfile% on Windows. Unix-like systems can use the environment variable $HOME or ~ (tilde). The path to the default file can be modified by defining the `ALIBABA_CLOUD_CREDENTIALS_FILE` environment variable. +> If the user's home directory has the default file `~/.alibabacloud/credentials` (Windows is `C:\Users\USER_NAME\.alibabacloud\credentials`), the program will automatically create credentials with the specified type and name. You can also specify the configuration file path by configuring the `ALIBABA_CLOUD_CREDENTIALS_FILE` environment variable. If the configuration file exists, the application initializes a Credentials client by using the credential information that is specified by default in the configuration file. You can also configure the `ALIBABA_CLOUD_PROFILE` environment variable to modify the default credential information that is read. +Configuration example: ```ini [default] type = access_key # Authentication method is access_key @@ -164,26 +333,33 @@ access_key_id = foo access_key_secret = bar role_arn = role_arn role_session_name = session_name + +[project3] +type=oidc_role_arn # Authentication method is oidc_role_arn +oidc_provider_arn=oidc_provider_arn +oidc_token_file_path=oidc_token_file_path +role_arn=role_arn +role_session_name=session_name ``` -### 3. Instance RAM role +### 5. Instance RAM role If the environment variable `ALIBABA_CLOUD_ECS_METADATA` is defined and not empty, the program will take the value of the environment variable as the role name and request `http://100.100.100.200/latest/meta-data/ram/security-credentials/` to get the temporary Security credentials are used as default credentials. -### Custom credential provider chain +### 6. Using External Service Credentials URI -You can replace the default order of the program chain by customizing the program chain, or you can write the closure to the provider. - -```php -