
Alibaba Cloud CLI: Configure identity credentials in Cloud Assistant CLI

Last Updated: Sep 10, 2025

Before you use Cloud Assistant CLI, you must configure your credentials, region, and language. This information is required to make calls to Alibaba Cloud resources.

Note

Ensure that your credential information is accurate during configuration. This helps prevent unnecessary losses from misoperations or failed API calls.

Identity credential configuration methods

Cloud Assistant CLI provides two configuration methods: interactive and non-interactive. The interactive method offers a guided process that helps you quickly configure identity credentials in Cloud Assistant CLI with a low learning curve.

Interactive configuration

General syntax

To configure credentials interactively, run the aliyun configure command. The command syntax is as follows:

aliyun configure [--profile <PROFILE_NAME>] [--mode <AUTHENTICATE_MODE>]

Parameters:

  • PROFILE_NAME: The name of the configuration.

    • If the specified configuration exists, it is modified. If it does not exist, a new configuration is created.

    • If you do not specify this option, the current configuration is modified. For more information, see Credential management.

  • AUTHENTICATE_MODE: The type of identity credential. The default is the AK type.

The following is a sample response for a successful configuration:

Configure Done!!!
(ASCII-art banner: "Welcome to use Alibaba Cloud ... Command Line Interface(Reloaded)")

Non-interactive configuration

General syntax

You can use the aliyun configure set command to configure credentials in non-interactive mode. Syntax:

aliyun configure set [--profile <PROFILE_NAME>] [--mode <AUTHENTICATE_MODE>] [--settingName <SETTING_VALUE>...]

Options:

  • PROFILE_NAME: Specifies the name of the configuration. If a configuration with the specified name exists, it is modified. Otherwise, a new configuration is created.

  • AUTHENTICATE_MODE: Specifies the credential type for the configuration. The AccessKey (AK) type is used by default. For more information about the supported types, see Identity credential types.

  • SETTING_VALUE: The required information varies depending on the credential type. For more information, see Identity credential types and Create or modify a configuration in non-interactive mode.

After you configure credentials in non-interactive mode, you can use the aliyun configure list or aliyun configure get command to verify that the configuration was created successfully.

Identity credential types

Cloud Assistant CLI provides the following credential types. You can configure them as needed.

| Credential type | Credential refresh policy | Key-free access |
| --- | --- | --- |
| AK | Manual refresh | Not supported |
| StsToken | Manual refresh | Not supported |
| RamRoleArn | Auto-refresh | Not supported |
| EcsRamRole | Auto-refresh | Supported |
| External | Refreshed by an external system | Supported |
| ChainableRamRoleArn | Follows the refresh policy of the preceding credential | Supported |
| CredentialsURI | Refreshed by an external system | Supported |
| OIDC | Auto-refresh | Supported |
| CloudSSO | Requires browser logon | Supported |
| OAuth | Requires browser interaction for initial authorization. Can be auto-refreshed later. | Supported |

AK

Description

Important

To ensure account security, create a Resource Access Management (RAM) user dedicated to API access and create a corresponding AccessKey. For more information, see Secure use of credentials.

  • The AK credential is the default credential type and uses an AccessKey as the identity credential. When you configure an AK credential, you can ignore the --mode option.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | AccessKey Id | Your AccessKey ID. For more information about how to obtain an AccessKey ID, see Create an AccessKey pair for a RAM user. | yourAccessKeyID |
    | AccessKey Secret | Your AccessKey secret. For more information about how to obtain an AccessKey secret, see Create an AccessKey pair for a RAM user. | yourAccessKeySecret |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

Examples

The following examples show how to configure an AK credential named AkProfile.

  • Interactive configuration

    Command:

    aliyun configure --profile AkProfile

    Example of the interactive process:

    Configuring profile 'AkProfile' in 'AK' authenticate mode...
    Access Key Id []: <yourAccessKeyID>
    Access Key Secret []: <yourAccessKeySecret>
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[AkProfile] ...Done.

  • Non-interactive configuration

    Command (Bash):

    aliyun configure set \
      --profile AkProfile \
      --mode AK \
      --access-key-id <yourAccessKeyID> \
      --access-key-secret <yourAccessKeySecret> \
      --region "cn-hangzhou"

    Command (PowerShell):

    aliyun configure set `
      --profile AkProfile `
      --mode AK `
      --access-key-id <yourAccessKeyID> `
      --access-key-secret <yourAccessKeySecret> `
      --region "cn-hangzhou"

StsToken

Description

  • Alibaba Cloud Security Token Service (STS) is a service that provides temporary access permission management. For more information, see What is STS?.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | AccessKey Id | Your temporary AccessKey ID. | STS.L4aBSCSJVMuKg5U1**** |
    | AccessKey Secret | Your temporary AccessKey secret. | yourAccessKeySecret |
    | STS Token | Your Security Token Service token. | yourSecurityToken |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

Examples

The following examples show how to configure an StsToken credential named StsProfile.

  • Interactive configuration

    Command:

    aliyun configure --profile StsProfile --mode StsToken

    Example of the interactive process:

    Configuring profile 'StsProfile' in 'StsToken' authenticate mode...
    Access Key Id []: STS.L4aBSCSJVMuKg5U1****
    Access Key Secret []: <yourAccessKeySecret>
    Sts Token []: <yourSecurityToken>
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[StsProfile] ...Done.

  • Non-interactive configuration

    Command (Bash):

    aliyun configure set \
      --profile StsProfile \
      --mode StsToken \
      --access-key-id "STS.L4aBSCSJVMuKg5U1****" \
      --access-key-secret <yourAccessKeySecret> \
      --sts-token <yourSecurityToken> \
      --region "cn-hangzhou"

    Command (PowerShell):

    aliyun configure set `
      --profile StsProfile `
      --mode StsToken `
      --access-key-id "STS.L4aBSCSJVMuKg5U1****" `
      --access-key-secret <yourAccessKeySecret> `
      --sts-token <yourSecurityToken> `
      --region "cn-hangzhou"

RamRoleArn

Description

Note

Starting from version v3.0.276, Cloud Assistant CLI supports External Id in RamRoleArn-type credentials. For more information, see the following table.

  • A RamRoleArn-type credential allows a RAM user to call the AssumeRole API operation of the Security Token Service (STS) to obtain temporary identity credentials (STS tokens).

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | AccessKey Id | Your AccessKey ID. For more information about how to obtain an AccessKey ID, see Create an AccessKey pair for a RAM user. | yourAccessKeyID |
    | AccessKey Secret | Your AccessKey secret. For more information about how to obtain an AccessKey secret, see Create an AccessKey pair for a RAM user. | yourAccessKeySecret |
    | STS Region | The region where the call is initiated to obtain an STS token. For more information about the regions supported by STS, see Endpoints. | cn-hangzhou |
    | Ram Role Arn | The Alibaba Cloud Resource Name (ARN) of the RAM role to assume. This role is a RAM role whose trusted entity is an Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account or CreateRole. You can view the ARN of the role in the RAM console or by calling an API. | acs:ram::012345678910****:role/Alice |
    | Role Session Name | The name of the role session. This is a custom parameter. It is usually set to the identity of the user who calls this API, such as a username. In audit logs, even if the same RAM role performs operations, you can distinguish the actual operator based on different RoleSessionName values to implement user-level access auditing. The value must be 2 to 64 characters in length and can contain letters, digits, and the special characters .@-_. | alice |
    | External Id | The external ID of the role. This parameter is provided by an external party to represent the role. It is mainly used to prevent the confused deputy problem. For more information, see Use an external ID to prevent the confused deputy problem. The value must be 2 to 1,224 characters in length and can contain letters, digits, and the special characters =,.@:/-_. The regular expression is [\w+=,.@:\/-]*. | abcd1234 |
    | Expired Seconds | The expiration time of the credential, in seconds. The default value is 900. The maximum value is the MaxSessionDuration of the role to be assumed. | 900 |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

Examples

The following examples show how to configure a RamRoleArn credential named RamRoleArnProfile.

  • Interactive configuration

    Command:

    aliyun configure --profile RamRoleArnProfile --mode RamRoleArn

    Example of the interactive process:

    Configuring profile 'RamRoleArnProfile' in 'RamRoleArn' authenticate mode...
    Access Key Id []: <yourAccessKeyID>
    Access Key Secret []: <yourAccessKeySecret>
    Sts Region []: cn-hangzhou
    Ram Role Arn []: acs:ram::012345678910****:role/Alice
    Role Session Name []: alice
    External ID []: abcd1234
    Expired Seconds [900]: 900
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[RamRoleArnProfile] ...Done.

  • Non-interactive configuration

    Command (Bash):

    aliyun configure set \
      --profile RamRoleArnProfile \
      --mode RamRoleArn \
      --access-key-id <yourAccessKeyID> \
      --access-key-secret <yourAccessKeySecret> \
      --sts-region "cn-hangzhou" \
      --ram-role-arn "acs:ram::012345678910****:role/Alice" \
      --role-session-name "alice" \
      --external-id "abcd1234" \
      --expired-seconds 900 \
      --region "cn-hangzhou"

    Command (PowerShell):

    aliyun configure set `
      --profile RamRoleArnProfile `
      --mode RamRoleArn `
      --access-key-id <yourAccessKeyID> `
      --access-key-secret <yourAccessKeySecret> `
      --sts-region "cn-hangzhou" `
      --ram-role-arn "acs:ram::012345678910****:role/Alice" `
      --role-session-name "alice" `
      --external-id "abcd1234" `
      --expired-seconds 900 `
      --region "cn-hangzhou"

EcsRamRole

Description

Note
  • You do not need to configure an AccessKey for an EcsRamRole credential. When you use Cloud Assistant CLI within an ECS or ECI instance, you can access the Meta Data Service to obtain a temporary identity credential (STS token) for a RAM role to call OpenAPI operations. This method reduces the risk of AccessKey leaks.

  • The instance metadata server supports secure mode and normal mode. Cloud Assistant CLI uses the secure mode (IMDSv2) by default to obtain access credentials. If an exception occurs in secure mode, you can set the ALIBABA_CLOUD_IMDSV1_DISABLED environment variable to specify the exception handling logic. The valid values are:

    • If the value is false (default), Cloud Assistant CLI falls back to normal mode to obtain the access credentials.

    • If the value is true, Cloud Assistant CLI uses only the secure mode to obtain access credentials and throws an exception if it fails.

    Whether the server supports IMDSv2 depends on your server configuration.

    For more information, see Configure environment variables in Linux, macOS, and Windows.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Ecs Ram Role | The name of the RAM role granted to the ECS instance. If you do not specify this parameter, the program automatically accesses the metadata service of the ECS instance to obtain the RoleName information, and then obtains the credential based on the RoleName. This process requires two requests. | ECSAdmin |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

Examples

The following examples show how to configure an EcsRamRole credential named EcsProfile.

  • Interactive configuration

    Command:

    aliyun configure --profile EcsProfile --mode EcsRamRole

    Example of the interactive process:

    Configuring profile 'EcsProfile' in 'EcsRamRole' authenticate mode...
    Ecs Ram Role []: ECSAdmin
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[EcsProfile] ...Done.

  • Non-interactive configuration

    Command (Bash):

    aliyun configure set \
      --profile EcsProfile \
      --mode EcsRamRole \
      --ram-role-name "ECSAdmin" \
      --region "cn-hangzhou"

    Command (PowerShell):

    aliyun configure set `
      --profile EcsProfile `
      --mode EcsRamRole `
      --ram-role-name "ECSAdmin" `
      --region "cn-hangzhou"

External

Description

  • An External credential obtains credential data from an external program. When Cloud Assistant CLI uses this credential, it executes the specified program command and uses the output as the credential.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Process Command | The external program command. The external program can return two types of static credentials: AccessKey and STS Token. | acs-sso login --profile sso |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

  • Sample credential returned by an external program:

    AccessKey

    {
      "mode": "AK",
      "access_key_id": "<yourAccessKeyID>",
      "access_key_secret": "<yourAccessKeySecret>"
    }

    STS Token

    {
      "mode": "StsToken",
      "access_key_id": "<yourAccessKeyID>",
      "access_key_secret": "<yourAccessKeySecret>",
      "sts_token": "<yourSecurityToken>"
    }

Examples

The following examples show how to configure an External credential named ExternalProfile.

  • Interactive configuration

    Command:

    aliyun configure --profile ExternalProfile --mode External

    Example of the interactive process:

    Configuring profile 'ExternalProfile' in 'External' authenticate mode...
    Process Command []: acs-sso login --profile sso
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[ExternalProfile] ...Done.

  • Non-interactive configuration

    Command (Bash):

    aliyun configure set \
      --profile ExternalProfile \
      --mode External \
      --process-command "acs-sso login --profile sso" \
      --region "cn-hangzhou"

    Command (PowerShell):

    aliyun configure set `
      --profile ExternalProfile `
      --mode External `
      --process-command "acs-sso login --profile sso" `
      --region "cn-hangzhou"
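
The output contract described in this section, as an added example that is not part of the original page or of the Alibaba Cloud CLI project: a small Python program that could be used as the Process Command. The DEMO_* environment variable names are hypothetical stand-ins for your own secret store, and the example assumes the CLI reads the credential from the program's standard output.

```python
#!/usr/bin/env python3
"""Added example: a program for the External credential type.

Prints one JSON object in the AccessKey or STS Token shape shown above.
DEMO_AK_ID, DEMO_AK_SECRET and DEMO_STS_TOKEN are hypothetical names.
"""
import json
import os
import sys


class CredentialError(Exception):
    """Raised when the source record cannot be turned into a credential."""


def build_credential(source):
    """Map a source mapping to the documented External output object."""
    key_id = (source.get("DEMO_AK_ID") or "").strip()
    secret = (source.get("DEMO_AK_SECRET") or "").strip()
    token = (source.get("DEMO_STS_TOKEN") or "").strip()

    # Name the missing field, never echo a value: this text ends up in logs.
    missing = [name for name, value in
               (("DEMO_AK_ID", key_id), ("DEMO_AK_SECRET", secret)) if not value]
    if missing:
        raise CredentialError("missing " + ", ".join(missing))

    # Heuristic based on the page's StsToken example, where the temporary
    # AccessKey ID starts with "STS.": such a key is unusable without its token.
    if key_id.startswith("STS.") and not token:
        raise CredentialError("temporary AccessKey ID without DEMO_STS_TOKEN")

    credential = {
        "mode": "AK",
        "access_key_id": key_id,
        "access_key_secret": secret,
    }
    if token:
        credential["mode"] = "StsToken"
        credential["sts_token"] = token
    return credential


def main(environ=os.environ, out=sys.stdout, err=sys.stderr):
    try:
        credential = build_credential(environ)
    except CredentialError as exc:
        # Diagnostics go to stderr so stdout carries only the credential
        # JSON; a non-zero exit signals failure to the caller.
        print("credential helper: %s" % exc, file=err)
        return 1
    json.dump(credential, out)
    out.write("\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```
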

ChainableRamRoleArn

Description

Note

Starting from version v3.0.276, Cloud Assistant CLI supports External Id in ChainableRamRoleArn-type credentials. For more information, see the credential parameters in the following table.

  • A ChainableRamRoleArn credential uses a source identity credential configuration to obtain an intermediate credential, such as an AccessKey or an STS token. Then, Cloud Assistant CLI assumes a role using the intermediate credential to obtain the final temporary identity credential, which is an STS token.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | Source Profile | The name of the source configuration. Before you configure a ChainableRamRoleArn credential, you must create a preceding credential as the source configuration. For more information, see Examples. | RamRoleArnProfile |
    | STS Region | The region where the call is initiated to obtain an STS token. For more information about the regions supported by STS, see Endpoints. | cn-hangzhou |
    | Ram Role Arn | The ARN of the RAM role to assume. This role is a RAM role whose trusted entity is an Alibaba Cloud account. For more information, see Create a RAM role for a trusted Alibaba Cloud account or CreateRole. You can view the ARN of the role in the RAM console or by calling an API. | acs:ram::012345678910****:role/Alice |
    | Role Session Name | The name of the role session. This is a custom parameter. It is usually set to the identity of the user who calls this API, such as a username. In audit logs, even if the same RAM role performs operations, you can distinguish the actual operator based on different RoleSessionName values to implement user-level access auditing. The value must be 2 to 64 characters in length and can contain letters, digits, and the special characters .@-_. | alice |
    | External Id | The external ID of the role. This parameter is provided by an external party to represent the role. It is mainly used to prevent the confused deputy problem. For more information, see Use an external ID to prevent the confused deputy problem. The value must be 2 to 1,224 characters in length and can contain letters, digits, and the special characters =,.@:/-_. The regular expression is [\w+=,.@:\/-]*. | abcd1234 |
    | Expired Seconds | The expiration time of the credential, in seconds. The default value is 900. The maximum value is the MaxSessionDuration of the role to be assumed. | 900 |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

Examples

Note

Before you configure a ChainableRamRoleArn credential, you must grant the AliyunSTSAssumeRoleAccess system policy to the RAM identity that corresponds to the source identity credential.

The following examples show how to configure a ChainableRamRoleArn credential named ChainableProfile that uses a RamRoleArn credential named RamRoleArnProfile as the source identity credential.

  • Interactive configuration

    1. Configure the source identity credential RamRoleArnProfile. For more information about the configuration process, see the examples in the RamRoleArn section.

    2. Run the following command to configure the ChainableRamRoleArn credential ChainableProfile.

      aliyun configure --profile ChainableProfile --mode ChainableRamRoleArn

      In the following interactive example, enter RamRoleArnProfile as the configuration name for the Source Profile option to use the previously configured credential:

      Configuring profile 'ChainableProfile' in 'ChainableRamRoleArn' authenticate mode...
      Source Profile []: RamRoleArnProfile
      Sts Region []: cn-hangzhou
      Ram Role Arn []: acs:ram::012345678910****:role/Alice
      Role Session Name []: alice
      External ID []: abcd1234
      Expired Seconds [900]: 900
      Default Region Id []: cn-hangzhou
      Default Output Format [json]: json (Only support json)
      Default Language [zh|en] en: en
      Saving profile[ChainableProfile] ...Done.

  • Non-interactive configuration

    Alibaba Cloud CLI version v3.0.298 and later lets you configure ChainableRamRoleArn-type credentials non-interactively by running the aliyun configure set command. The following is a sample command:

    Command (Bash):

    aliyun configure set \
      --profile ChainableProfile \
      --mode ChainableRamRoleArn \
      --source-profile RamRoleArnProfile \
      --sts-region "cn-hangzhou" \
      --ram-role-arn "acs:ram::012345678910****:role/Alice" \
      --role-session-name "alice" \
      --external-id "abcd1234" \
      --expired-seconds 900 \
      --region "cn-hangzhou"

    Command (PowerShell):

    aliyun configure set `
      --profile ChainableProfile `
      --mode ChainableRamRoleArn `
      --source-profile RamRoleArnProfile `
      --sts-region "cn-hangzhou" `
      --ram-role-arn "acs:ram::012345678910****:role/Alice" `
      --role-session-name "alice" `
      --external-id "abcd1234" `
      --expired-seconds 900 `
      --region "cn-hangzhou"

CredentialsURI

Description

  • A CredentialsURI credential obtains a temporary identity credential (STS token) to call OpenAPI operations by accessing a URI that you provide.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | CredentialsURI | A local or remote URI. If the specified URI does not return an HTTP 200 status code, or if its response content does not match the expected format, Cloud Assistant CLI treats the request as failed. | http://credentials.uri/ |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

  • Sample URI response structure:

    {
      "Code": "Success",
      "AccessKeyId": "<yourAccessKeyID>",
      "AccessKeySecret": "<yourAccessKeySecret>",
      "SecurityToken": "<yourSecurityToken>",
      "Expiration": "2006-01-02T15:04:05Z" // utc time
    }

Examples

The following examples show how to configure a CredentialsURI credential named URIProfile.

  • Interactive configuration

    Command:

    aliyun configure --profile URIProfile --mode CredentialsURI

    Example of the interactive process:

    Configuring profile 'URIProfile' in 'CredentialsURI' authenticate mode...
    Credentials URI []: http://credentials.uri/
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[URIProfile] ...Done.

  • You cannot configure a CredentialsURI credential non-interactively.
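
An added example (not from the original page or the CLI's own code) that checks a CredentialsURI endpoint's response against the structure and failure conditions documented in this section before a profile is pointed at it. The five-minute expiry margin and the flagging of plain http to a non-loopback host are assumptions of this example, not CLI behavior.

```python
"""Added example: vet a CredentialsURI endpoint before a profile uses it."""
import ipaddress
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

REQUIRED = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")


def check_response(status, body, now=None, min_remaining=timedelta(minutes=5)):
    """Return a list of problems for an (HTTP status, body) pair; [] means usable.

    Messages name fields only and never include credential values.
    `now` must be timezone-aware. `min_remaining` is a margin assumed by
    this example, not a CLI setting.
    """
    now = now or datetime.now(timezone.utc)
    if status != 200:
        return ["HTTP status %d, expected 200" % status]
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]

    problems = []
    if doc.get("Code") != "Success":
        problems.append("Code is not 'Success'")
    for field in REQUIRED:
        value = doc.get(field)
        if not isinstance(value, str) or not value.strip():
            problems.append("%s missing or empty" % field)

    expiration = doc.get("Expiration")
    if isinstance(expiration, str) and expiration.strip():
        try:
            expires = datetime.strptime(expiration, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("Expiration is not in 2006-01-02T15:04:05Z form")
        else:
            # The documented timestamp is UTC.
            if expires.replace(tzinfo=timezone.utc) - now < min_remaining:
                problems.append("credential is expired or about to expire")
    return problems


def check_uri(uri):
    """Return transport-level concerns about the URI itself."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    try:
        loopback = host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = False  # a DNS name other than localhost
    problems = []
    if parts.scheme == "http" and not loopback:
        problems.append(
            "plain http to a non-loopback host exposes the STS token in transit")
    if parts.username or parts.password:
        problems.append("URI embeds a username or password")
    return problems


if __name__ == "__main__":
    # Constructed sample response; the values are placeholders, not real keys.
    sample = json.dumps({
        "Code": "Success",
        "AccessKeyId": "STS.constructedKeyId",
        "AccessKeySecret": "constructedSecret",
        "SecurityToken": "constructedToken",
        "Expiration": "2006-01-02T15:04:05Z",
    })
    print(check_uri("http://credentials.uri/"))
    print(check_response(200, sample))
```
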

OIDC

Description

  • An OIDC credential obtains a temporary identity credential (STS token) for an attached role by calling the AssumeRoleWithOIDC API operation of STS. For more information, see Use RRSA to configure RAM permissions for a service account and implement pod-level permission isolation.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | OIDCProviderARN | The ARN of the OIDC IdP. You can view the ARN of the OIDC IdP in the RAM console or by calling an API. | acs:ram::012345678910****:oidc-provider/TestOidcIdp |
    | OIDCTokenFile | The path to the OIDC token file. The OIDC token is issued by an external IdP. | /path/to/oidctoken |
    | Ram Role Arn | The ARN of the RAM role to assume. You can view the ARN of the role in the RAM console or by calling an API. | acs:ram::012345678910****:role/Alice |
    | Role Session Name | The name of the role session. This is a custom parameter. It is usually set to the identity of the user who calls this API, such as a username. In audit logs, even if the same RAM role performs operations, you can distinguish the actual operator based on different RoleSessionName values to implement user-level access auditing. The value must be 2 to 64 characters in length and can contain letters, digits, and the special characters .@-_. | alice |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

Examples

The following examples show how to configure an OIDC credential named OIDC_Profile.

  • Interactive configuration

    Command:

    aliyun configure --profile OIDC_Profile --mode OIDC

    Example of the interactive process:

    Configuring profile 'OIDC_Profile' in 'OIDC' authenticate mode...
    OIDC Provider ARN []: acs:ram::012345678910****:oidc-provider/TestOidcIdp
    OIDC Token File []: /path/to/oidctoken
    RAM Role ARN []: acs:ram::012345678910****:role/Alice
    Role Session Name []: alice
    Default Region Id []: cn-hangzhou
    Default Output Format [json]: json (Only support json)
    Default Language [zh|en] en: en
    Saving profile[OIDC_Profile] ...Done.

  • Non-interactive configuration

    Command (Bash):

    aliyun configure set \
      --profile OIDC_Profile \
      --mode OIDC \
      --oidc-provider-arn "acs:ram::012345678910****:oidc-provider/TestOidcIdp" \
      --oidc-token-file "/path/to/oidctoken" \
      --ram-role-arn "acs:ram::012345678910****:role/Alice" \
      --role-session-name "alice" \
      --region "cn-hangzhou"

    Command (PowerShell):

    aliyun configure set `
      --profile OIDC_Profile `
      --mode OIDC `
      --oidc-provider-arn "acs:ram::012345678910****:oidc-provider/TestOidcIdp" `
      --oidc-token-file "/path/to/oidctoken" `
      --ram-role-arn "acs:ram::012345678910****:role/Alice" `
      --role-session-name "alice" `
      --region "cn-hangzhou"

CloudSSO

Description

Note

Starting from v3.0.271, Cloud Assistant CLI introduces the CloudSSO credential type to simplify the CloudSSO logon process. The method for earlier versions is still available.

  • CloudSSO provides unified identity management and access control based on Alibaba Cloud Resource Directory. When you grant an access configuration for an account in a resource directory to a CloudSSO user or group, a RAM role is deployed in the account. CloudSSO assumes this RAM role to obtain a temporary identity credential (STS token) to call OpenAPI operations. This method reduces the risk of AccessKey leaks.

  • CloudSSO credentials require browser-based logon and user interaction for identity authentication.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | SignIn Url | The user logon URL. To obtain the URL, log on to the CloudSSO console. On the Overview page, find the user logon URL on the right. | https://signin-******.alibabacloudsso.com/device/login |
    | Account | The account in the resource directory. In interactive configuration, select the account by entering the ordinal number before the account name. In non-interactive configuration, specify the account by passing its ID. To obtain the ID, log on to the CloudSSO console. On the Multi-account Permission Management page, find the UID of the account on the right. | 012345678910**** |
    | Access Configuration | The access configuration. In interactive configuration, select the configuration by entering the ordinal number before the configuration name. In non-interactive configuration, specify the configuration by passing its ID. To obtain the ID, log on to the CloudSSO console. On the Access Configurations page, find the access configuration ID. | ac-012345678910abcde**** |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

Examples

The following examples show how to configure a CloudSSO credential named SSOProfile.

Interactive configuration

  1. Run the following command to start the configuration of CloudSSO logon information. You can set multiple profiles and quickly switch between logon accounts and access configurations by specifying a profile.

    aliyun configure --profile SSOProfile --mode CloudSSO
  2. Enter the user logon URL (SignIn Url) as prompted.

    aliyun configure --profile SSOProfile --mode CloudSSO
    CloudSSO Sign In Url []: https://signin-******.alibabacloudsso.com/device/login
  3. In the browser window that appears, follow the on-screen instructions to complete the CloudSSO user logon. After you log on, close the browser window.

    Note

    If the browser window does not appear, you can manually copy the logon URL (SignIn url) and user code (User code) from the CLI prompt to complete the logon.

    Sample prompt:

    If the browser does not open automatically, use the following URL to complete the login process:
    SignIn url: https://signin-****.alibabacloudsso.com/device/code
    User code: *********
  4. The CLI returns a success message and lists the accounts in the resource directory that you can access. Enter the number that corresponds to the account that you want to access.

    Now you can login to your account with SSO configuration in the browser.
    You have successfully logged in.
    Please choose an account:
    1. <RD Management Account>
    2. AccountName
    Please input the account number: 1
  5. The CLI lists the access configurations you can use. Enter the number that corresponds to the access configuration that you want to use.

    Please choose an access configuration:
    1. AccessConfiguration1
    2. AccessConfiguration2
    Please input the access configuration number: 2
  6. Specify the default region.

    Default Region Id []: cn-hangzhou
  7. After the configuration is successful, `Configure Done` and a welcome message are displayed.

Non-interactive configuration

Note

After you configure a CloudSSO credential in non-interactive mode, you must run the aliyun configure --profile <PROFILE_NAME> command to log on when you use the credential for the first time.

You can use the aliyun configure set command to perform non-interactive configuration. The following is the command:

Command (Bash):

aliyun configure set \
  --profile SSOProfile \
  --mode CloudSSO \
  --cloud-sso-sign-in-url "https://signin-******.alibabacloudsso.com/device/login" \
  --cloud-sso-access-config "ac-012345678910abcde****" \
  --cloud-sso-account-id "012345678910****" \
  --region "cn-hangzhou"

Command (PowerShell):

aliyun configure set `
  --profile SSOProfile `
  --mode CloudSSO `
  --cloud-sso-sign-in-url "https://signin-******.alibabacloudsso.com/device/login" `
  --cloud-sso-access-config "ac-012345678910abcde****" `
  --cloud-sso-account-id "012345678910****" `
  --region "cn-hangzhou"

OAuth

Description

Note

Alibaba Cloud CLI supports the OAuth credential type in versions v3.0.299 and later. We recommend that you install the latest version of the Alibaba Cloud CLI tool before you configure this credential type.

  • When you configure an OAuth credential for the first time, Cloud Assistant CLI creates a third-party OAuth application in Resource Access Management. After authorization, Cloud Assistant CLI can use this application to obtain a token that represents the user identity to access cloud resources.

  • OAuth credentials require a browser to complete the authorization flow. The browser used for interaction and Cloud Assistant CLI must run on the same device.

  • Credential parameters:

    | Parameter | Description | Example |
    | --- | --- | --- |
    | OAuth Site Type | The logon site. Default value: CN. China site (aliyun.com): 0 or CN. International site (alibabacloud.com): 1 or INTL. | CN |
    | Region Id | Default region. Some Alibaba Cloud services do not support cross-region access. Set the default region to the region where your purchased resources are located. | cn-hangzhou |

  • OAuth scopes:

    | OAuth scope | OAuth scope description |
    | --- | --- |
    | openid | Obtains the OpenID of a RAM user. An OpenID is a string that uniquely represents a user, but it does not contain information such as the Alibaba Cloud UID or username. |
    | /internal/ram/usersts | Used to obtain an STS credential to call Alibaba Cloud service APIs. |

Examples

The following examples show how to configure an OAuth credential named OAuthProfile.

Interactive configuration

  1. Run the following command to start configuring OAuth logon information.

    aliyun configure --profile OAuthProfile --mode OAuth
  2. Enter the logon site (OAuth Site Type) as prompted.

    aliyun configure --profile OAuthProfile --mode OAuth
    Configuring profile 'OAuthProfile' in 'OAuth' authenticate mode...
    OAuth Site Type (CN: 0 or INTL: 1, default: CN): 
    • Enter 0 or CN to set the logon site to the Alibaba Cloud China site (aliyun.com).

    • Enter 1 or INTL to set the logon site to the Alibaba Cloud international site (alibabacloud.com).

    • Press Enter to accept the default, CN (China site, aliyun.com).

  3. In the browser window that appears, perform the authorization.

    Note

    This authorization must be performed by an administrator with the AliyunRAMFullAccess permission. If you do not have the permission, contact an administrator.

    If the browser window does not appear, you can manually copy the SignIn Url to your browser to complete the logon and authorization.

    Sample prompt:

    If the browser does not open automatically, use the following URL to complete the login process:
    SignIn url: https://signin.aliyun.com/oauth2/v1/auth?response_type=code&client_id=403818195455774****&redirect_uri=http%3A%2F%2F127.0.0.1%3A12345%2Fcli%2Fcallback&state=EKumS4qOPm11yRx7&code_challenge=BxR9DHWIdKBypPb089N0ekP-C-SAYwLj_jbLU-N****&code_challenge_method=S256

    1. When you configure an OAuth credential for the first time, on the Third-party Application Authorization page, click Authorize. Cloud Assistant CLI creates a third-party OAuth application in Resource Access Management.

    2. After you complete the authorization, you must assign RAM users to this application. Click Go To Assign to go to the Resource Access Management Console > OAuth Applications page.

    3. On the OAuth Applications > Third-party Applications tab, click the name of the official-cli application.

    4. On the Assignments tab, click Create Assignment and select the RAM users that you want to log on. Click OK to complete the assignment.

  4. After the assignment is complete, you must start the authorization process again. Access the SignIn URL again and click Authorize.

  5. After the authorization is successful, specify the default region for Cloud Assistant CLI.

    Default Region Id []: cn-hangzhou
  6. After the configuration is successful, `Configure Done` and a welcome message are displayed.
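
A sanity check for a sign-in URL that you are about to paste into a browser manually, as in step 3 above. This is an added example, not part of the Alibaba Cloud documentation or the CLI: `check_signin_url` and its `expected_host` parameter are hypothetical names, and the checks are derived only from the parameters visible in the sample prompt.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# The sample sign-in URL from step 3, masked values ("****") kept as printed.
SAMPLE_URL = (
    "https://signin.aliyun.com/oauth2/v1/auth?response_type=code"
    "&client_id=403818195455774****"
    "&redirect_uri=http%3A%2F%2F127.0.0.1%3A12345%2Fcli%2Fcallback"
    "&state=EKumS4qOPm11yRx7"
    "&code_challenge=BxR9DHWIdKBypPb089N0ekP-C-SAYwLj_jbLU-N****"
    "&code_challenge_method=S256"
)


def check_signin_url(url, expected_host="signin.aliyun.com"):
    """Return a list of problems; an empty list means the URL has the expected shape."""
    problems = []
    parts = urlsplit(url)
    query = {key: values[0] for key, values in parse_qs(parts.query).items()}
    if parts.scheme != "https":
        problems.append("sign-in URL is not https")
    # expected_host is an assumption: pass the sign-in host of the site you chose.
    if parts.hostname != expected_host:
        problems.append(f"unexpected sign-in host {parts.hostname}")
    if query.get("response_type") != "code":
        problems.append("response_type is not 'code'")
    if query.get("code_challenge_method") != "S256" or not query.get("code_challenge"):
        problems.append("S256 code challenge missing")
    if not query.get("state"):
        problems.append("state parameter missing")
    # The sample redirects to 127.0.0.1, which matches the requirement that the
    # browser and the CLI run on the same device; any other target is flagged.
    redirect = urlsplit(query.get("redirect_uri", ""))
    try:
        loopback = ipaddress.ip_address(redirect.hostname or "").is_loopback
    except ValueError:
        loopback = False
    if not loopback:
        problems.append(f"redirect_uri host {redirect.hostname} is not loopback")
    return problems


if __name__ == "__main__":
    print(check_signin_url(SAMPLE_URL) or "sign-in URL has the expected shape")
```

Only literal loopback IP addresses pass the redirect check; a hostname such as `localhost` is reported so that it gets a second look.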

Non-interactive configuration

Note
  • After you configure an OAuth credential in non-interactive mode, you must run the aliyun configure --profile <PROFILE_NAME> command to perform the authorization operation when you use the credential for the first time.

  • When you configure a credential in non-interactive mode, only CN (China site, aliyun.com) or INTL (international site, alibabacloud.com) are valid values for the logon site type.

You can use the aliyun configure set command to perform non-interactive configuration. The following is the command:

Bash:

aliyun configure set \
  --profile OAuthProfile \
  --mode OAuth \
  --oauth-site-type "CN" \
  --region "cn-hangzhou"

PowerShell:

aliyun configure set `
  --profile OAuthProfile `
  --mode OAuth `
  --oauth-site-type "CN" `
  --region "cn-hangzhou"

Credential management

Cloud Assistant CLI lets you configure and manage multiple identity credentials. You can switch between or specify credential configurations as needed.

Set the current configuration

Run the following command to set a specified configuration as the current configuration:

aliyun configure switch --profile <PROFILE_NAME>

After the switch is successful, Cloud Assistant CLI uses the settings and credentials in this configuration by default until you make another change.

In addition, when the aliyun configure set command runs successfully, the modified configuration automatically becomes the current configuration.

Specify a configuration in the command line

When you run a command in the command-line interface (CLI), you can use the --profile option to explicitly specify the configuration to use. This option has the highest priority and overrides any other default configuration.

Example: Use the specified configuration exampleProfile to call the Elastic Compute Service DescribeInstances operation and retrieve Elastic Compute Service instance information.

aliyun ecs DescribeInstances --profile exampleProfile

More credential management commands

The Cloud Assistant CLI provides the configure command and its subcommands to manage multiple identity credentials. You can use these commands to add, delete, modify, and view credentials. For more information, see Manage multiple credentials.

Credential configuration storage location

A credential profile, also known as a profile, is a named set of settings. All credential information and settings are stored in the config.json file in JSON format. This file is located in the .aliyun folder in your home directory. The location of the home directory depends on the operating system.

  • Windows: C:\Users\<USER_NAME>\.aliyun

  • Linux/macOS: /home/<USER_NAME>/.aliyun
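
Because config.json holds the credential information of every profile, its permissions and contents are worth auditing. The following is an added example, not Alibaba Cloud's code: the `profiles` list and the key names in the constructed sample, as well as the name-based secret heuristic, are assumptions that this page does not specify. The permission check reads POSIX mode bits, so it applies to Linux and macOS.

```python
import json
import os
import stat
import tempfile

# Heuristic, not the CLI's schema: any non-empty field whose name contains one
# of these words is treated as secret material.
SECRET_HINTS = ("secret", "token", "private_key", "password")


def audit_cli_config(path):
    """Return findings for the config.json at `path` (POSIX permission bits)."""
    findings = []
    # Whoever can read the file, or swap it inside its folder, gets the credentials.
    for target in (os.path.dirname(path), path):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        if mode & 0o077:
            findings.append(f"{os.path.basename(target)}: mode {mode:o} is open to group/other")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    for profile in config.get("profiles", []):
        stored = sorted(key for key, value in profile.items()
                        if value and any(hint in key.lower() for hint in SECRET_HINTS))
        if stored:
            findings.append(f"profile {profile.get('name')}: plaintext {', '.join(stored)}")
    return findings


def write_constructed_config(home, dir_mode, file_mode):
    """Build a constructed <home>/.aliyun/config.json; layout and keys are assumed."""
    folder = os.path.join(home, ".aliyun")
    os.mkdir(folder)
    path = os.path.join(folder, "config.json")
    sample = {"current": "exampleProfile", "profiles": [
        {"name": "exampleProfile", "mode": "AK", "region_id": "cn-hangzhou",
         "access_key_id": "CONSTRUCTED-ID", "access_key_secret": "CONSTRUCTED-SECRET"},
        {"name": "roleProfile", "mode": "EcsRamRole", "region_id": "cn-hangzhou",
         "ram_role_name": "constructed-role"},
    ]}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(folder, dir_mode)
    os.chmod(path, file_mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        for line in audit_cli_config(write_constructed_config(home, 0o755, 0o644)):
            print(line)
```

To audit a real installation, call `audit_cli_config` with the path to config.json in the .aliyun folder of your home directory.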

References