Alicloud Provider: Installation & Configuration
Installation
The alicloud provider is available as a package in all Pulumi languages:
- JavaScript/TypeScript:
@pulumi/alicloud
- Python:
pulumi-alicloud
- Go:
github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud
- .NET:
Pulumi.Alicloud
- Java:
com.pulumi/alicloud
The Alibaba Cloud provider is used to interact with the many resources supported by Alibaba Cloud. The provider needs to be configured with the proper credentials before it can be used.
Use the navigation on the left to read about the available resources.
Example Usage
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
import * as pulumi from "@pulumi/pulumi";
import * as alicloud from "@pulumi/alicloud";
const config = new pulumi.Config();
const name = config.get("name") || "pulumi-example";
const default = alicloud.getZones({
availableDiskCategory: "cloud_efficiency",
availableResourceCreation: "VSwitch",
});
// Create a new ECS instance for VPC
const vpc = new alicloud.vpc.Network("vpc", {
vpcName: name,
cidrBlock: "172.16.0.0/16",
});
const vswitch = new alicloud.vpc.Switch("vswitch", {
vpcId: vpc.id,
cidrBlock: "172.16.0.0/24",
zoneId: _default.then(_default => _default.zones?.[0]?.id),
vswitchName: name,
});
// Create a new Security in a VPC
const group = new alicloud.ecs.SecurityGroup("group", {
name: name,
description: "foo",
vpcId: vpc.id,
});
// Create a kms to encrypt the disk
const key = new alicloud.kms.Key("key", {
description: "Hello KMS",
pendingWindowInDays: 7,
status: "Enabled",
});
const instance = new alicloud.ecs.Instance("instance", {
availabilityZone: _default.then(_default => _default.zones?.[0]?.id),
securityGroups: [group].map(__item => __item.id),
instanceType: "ecs.n4.large",
systemDiskCategory: "cloud_efficiency",
systemDiskName: name,
systemDiskDescription: "system_disk_description",
imageId: "ubuntu_18_04_64_20G_alibase_20190624.vhd",
instanceName: name,
vswitchId: vswitch.id,
internetMaxBandwidthOut: 10,
dataDisks: [{
name: "data-disk",
size: 20,
category: "cloud_efficiency",
description: "disk-description",
encrypted: true,
kmsKeyId: key.id,
}],
});
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
import pulumi
import pulumi_alicloud as alicloud
config = pulumi.Config()
name = config.get("name")
if name is None:
name = "pulumi-example"
default = alicloud.get_zones(available_disk_category="cloud_efficiency",
available_resource_creation="VSwitch")
# Create a new ECS instance for VPC
vpc = alicloud.vpc.Network("vpc",
vpc_name=name,
cidr_block="172.16.0.0/16")
vswitch = alicloud.vpc.Switch("vswitch",
vpc_id=vpc.id,
cidr_block="172.16.0.0/24",
zone_id=default.zones[0].id,
vswitch_name=name)
# Create a new Security in a VPC
group = alicloud.ecs.SecurityGroup("group",
name=name,
description="foo",
vpc_id=vpc.id)
# Create a kms to encrypt the disk
key = alicloud.kms.Key("key",
description="Hello KMS",
pending_window_in_days=7,
status="Enabled")
instance = alicloud.ecs.Instance("instance",
availability_zone=default.zones[0].id,
security_groups=[__item.id for __item in [group]],
instance_type="ecs.n4.large",
system_disk_category="cloud_efficiency",
system_disk_name=name,
system_disk_description="system_disk_description",
image_id="ubuntu_18_04_64_20G_alibase_20190624.vhd",
instance_name=name,
vswitch_id=vswitch.id,
internet_max_bandwidth_out=10,
data_disks=[{
"name": "data-disk",
"size": 20,
"category": "cloud_efficiency",
"description": "disk-description",
"encrypted": True,
"kms_key_id": key.id,
}])
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AliCloud = Pulumi.AliCloud;
return await Deployment.RunAsync(() =>
{
var config = new Config();
var name = config.Get("name") ?? "pulumi-example";
var @default = AliCloud.GetZones.Invoke(new()
{
AvailableDiskCategory = "cloud_efficiency",
AvailableResourceCreation = "VSwitch",
});
// Create a new ECS instance for VPC
var vpc = new AliCloud.Vpc.Network("vpc", new()
{
VpcName = name,
CidrBlock = "172.16.0.0/16",
});
var vswitch = new AliCloud.Vpc.Switch("vswitch", new()
{
VpcId = vpc.Id,
CidrBlock = "172.16.0.0/24",
ZoneId = @default.Apply(@default => @default.Apply(getZonesResult => getZonesResult.Zones[0]?.Id)),
VswitchName = name,
});
// Create a new Security in a VPC
var @group = new AliCloud.Ecs.SecurityGroup("group", new()
{
Name = name,
Description = "foo",
VpcId = vpc.Id,
});
// Create a kms to encrypt the disk
var key = new AliCloud.Kms.Key("key", new()
{
Description = "Hello KMS",
PendingWindowInDays = 7,
Status = "Enabled",
});
var instance = new AliCloud.Ecs.Instance("instance", new()
{
AvailabilityZone = @default.Apply(@default => @default.Apply(getZonesResult => getZonesResult.Zones[0]?.Id)),
SecurityGroups = new[]
{
@group,
}.Select(__item => __item.Id).ToList(),
InstanceType = "ecs.n4.large",
SystemDiskCategory = "cloud_efficiency",
SystemDiskName = name,
SystemDiskDescription = "system_disk_description",
ImageId = "ubuntu_18_04_64_20G_alibase_20190624.vhd",
InstanceName = name,
VswitchId = vswitch.Id,
InternetMaxBandwidthOut = 10,
DataDisks = new[]
{
new AliCloud.Ecs.Inputs.InstanceDataDiskArgs
{
Name = "data-disk",
Size = 20,
Category = "cloud_efficiency",
Description = "disk-description",
Encrypted = true,
KmsKeyId = key.Id,
},
},
});
});
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
package main
import (
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud"
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/ecs"
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/kms"
"github.com/pulumi/pulumi-alicloud/sdk/v3/go/alicloud/vpc"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cfg := config.New(ctx, "")
name := "pulumi-example";
if param := cfg.Get("name"); param != ""{
name = param
}
_default, err := alicloud.GetZones(ctx, &alicloud.GetZonesArgs{
AvailableDiskCategory: pulumi.StringRef("cloud_efficiency"),
AvailableResourceCreation: pulumi.StringRef("VSwitch"),
}, nil);
if err != nil {
return err
}
// Create a new ECS instance for VPC
vpc, err := vpc.NewNetwork(ctx, "vpc", &vpc.NetworkArgs{
VpcName: pulumi.String(name),
CidrBlock: pulumi.String("172.16.0.0/16"),
})
if err != nil {
return err
}
vswitch, err := vpc.NewSwitch(ctx, "vswitch", &vpc.SwitchArgs{
VpcId: vpc.ID(),
CidrBlock: pulumi.String("172.16.0.0/24"),
ZoneId: pulumi.String(_default.Zones[0].Id),
VswitchName: pulumi.String(name),
})
if err != nil {
return err
}
// Create a new Security in a VPC
group, err := ecs.NewSecurityGroup(ctx, "group", &ecs.SecurityGroupArgs{
Name: pulumi.String(name),
Description: pulumi.String("foo"),
VpcId: vpc.ID(),
})
if err != nil {
return err
}
// Create a kms to encrypt the disk
key, err := kms.NewKey(ctx, "key", &kms.KeyArgs{
Description: pulumi.String("Hello KMS"),
PendingWindowInDays: pulumi.Int(7),
Status: pulumi.String("Enabled"),
})
if err != nil {
return err
}
var splat0 pulumi.StringArray
for _, val0 := range %!v(PANIC=Format method: fatal: An assertion has failed: tok: ) {
splat0 = append(splat0, val0.ID())
}
_, err = ecs.NewInstance(ctx, "instance", &ecs.InstanceArgs{
AvailabilityZone: pulumi.String(_default.Zones[0].Id),
SecurityGroups: splat0,
InstanceType: pulumi.String("ecs.n4.large"),
SystemDiskCategory: pulumi.String("cloud_efficiency"),
SystemDiskName: pulumi.String(name),
SystemDiskDescription: pulumi.String("system_disk_description"),
ImageId: pulumi.String("ubuntu_18_04_64_20G_alibase_20190624.vhd"),
InstanceName: pulumi.String(name),
VswitchId: vswitch.ID(),
InternetMaxBandwidthOut: pulumi.Int(10),
DataDisks: ecs.InstanceDataDiskArray{
&ecs.InstanceDataDiskArgs{
Name: pulumi.String("data-disk"),
Size: pulumi.Int(20),
Category: pulumi.String("cloud_efficiency"),
Description: pulumi.String("disk-description"),
Encrypted: pulumi.Bool(true),
KmsKeyId: key.ID(),
},
},
})
if err != nil {
return err
}
return nil
})
}
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
Example unavailable in this language
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.alicloud.AlicloudFunctions;
import com.pulumi.alicloud.inputs.GetZonesArgs;
import com.pulumi.alicloud.vpc.Network;
import com.pulumi.alicloud.vpc.NetworkArgs;
import com.pulumi.alicloud.vpc.Switch;
import com.pulumi.alicloud.vpc.SwitchArgs;
import com.pulumi.alicloud.ecs.SecurityGroup;
import com.pulumi.alicloud.ecs.SecurityGroupArgs;
import com.pulumi.alicloud.kms.Key;
import com.pulumi.alicloud.kms.KeyArgs;
import com.pulumi.alicloud.ecs.Instance;
import com.pulumi.alicloud.ecs.InstanceArgs;
import com.pulumi.alicloud.ecs.inputs.InstanceDataDiskArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
final var name = config.get("name").orElse("pulumi-example");
final var default = AlicloudFunctions.getZones(GetZonesArgs.builder()
.availableDiskCategory("cloud_efficiency")
.availableResourceCreation("VSwitch")
.build());
// Create a new ECS instance for VPC
var vpc = new Network("vpc", NetworkArgs.builder()
.vpcName(name)
.cidrBlock("172.16.0.0/16")
.build());
var vswitch = new Switch("vswitch", SwitchArgs.builder()
.vpcId(vpc.id())
.cidrBlock("172.16.0.0/24")
.zoneId(default_.zones()[0].id())
.vswitchName(name)
.build());
// Create a new Security in a VPC
var group = new SecurityGroup("group", SecurityGroupArgs.builder()
.name(name)
.description("foo")
.vpcId(vpc.id())
.build());
// Create a kms to encrypt the disk
var key = new Key("key", KeyArgs.builder()
.description("Hello KMS")
.pendingWindowInDays("7")
.status("Enabled")
.build());
var instance = new Instance("instance", InstanceArgs.builder()
.availabilityZone(default_.zones()[0].id())
.securityGroups(group.stream().map(element -> element.id()).collect(toList()))
.instanceType("ecs.n4.large")
.systemDiskCategory("cloud_efficiency")
.systemDiskName(name)
.systemDiskDescription("system_disk_description")
.imageId("ubuntu_18_04_64_20G_alibase_20190624.vhd")
.instanceName(name)
.vswitchId(vswitch.id())
.internetMaxBandwidthOut(10)
.dataDisks(InstanceDataDiskArgs.builder()
.name("data-disk")
.size(20)
.category("cloud_efficiency")
.description("disk-description")
.encrypted(true)
.kmsKeyId(key.id())
.build())
.build());
}
}
Authentication
The Alicloud provider accepts several ways to enter credentials for authentication. The following methods are supported, in this order, and explained below:
- Static credentials
- Environment variables
- Shared credentials/configuration file
- ECS Instance Role
- Assuming A RAM Role
- Assuming A RAM Role With OIDC
- Sidecar Credentials
Static credentials
Static credentials can be provided by adding accessKey
, secretKey
and region
in-line in the
alicloud provider block:
Usage:
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
config:
alicloud:accessKey:
value: 'TODO: var.access_key'
alicloud:region:
value: 'TODO: var.region'
alicloud:secretKey:
value: 'TODO: var.secret_key'
Environment variables
You can provide your credentials via ALIBABA_CLOUD_ACCESS_KEY_ID
, ALIBABA_CLOUD_ACCESS_KEY_SECRET
and optionally
ALIBABA_CLOUD_SECURITY_TOKEN
environment variables. The Region can be set using the ALIBABA_CLOUD_REGION
environment variables.
Usage:
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
$ export ALIBABA_CLOUD_ACCESS_KEY_ID="<Your-Access-Key-ID>"
$ export ALIBABA_CLOUD_ACCESS_KEY_SECRET="<Your-Access-Key-Secret>"
$ export ALIBABA_CLOUD_REGION="cn-beijing"
$ pulumi preview
Shared Credentials File
You can use an Alibaba Cloud credentials or configuration file to specify your credentials.
The default location is $HOME/.aliyun/config.json
on Linux and macOS, or "%USERPROFILE%\.aliyun/config.json"
on Windows.
You can optionally specify a different location in the Pulumi configuration by providing the sharedCredentialsFile
argument
or using the ALIBABA_CLOUD_CREDENTIALS_FILE
environment variable.
This method also supports a profile
configuration and matching ALIBABA_CLOUD_PROFILE
environment variable:
Usage:
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
config:
alicloud:profile:
value: customprofile
alicloud:region:
value: cn-hangzhou
alicloud:sharedCredentialsFile:
value: /Users/tf_user/.aliyun/creds
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
config:
alicloud:profile:
value: customprofile
alicloud:region:
value: cn-hangzhou
alicloud:sharedCredentialsFile:
value: /Users/tf_user/.aliyun/creds
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
config:
alicloud:profile:
value: customprofile
alicloud:region:
value: cn-hangzhou
alicloud:sharedCredentialsFile:
value: /Users/tf_user/.aliyun/creds
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
config:
alicloud:profile:
value: customprofile
alicloud:region:
value: cn-hangzhou
alicloud:sharedCredentialsFile:
value: /Users/tf_user/.aliyun/creds
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
config:
alicloud:profile:
value: customprofile
alicloud:region:
value: cn-hangzhou
alicloud:sharedCredentialsFile:
value: /Users/tf_user/.aliyun/creds
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
config:
alicloud:profile:
value: customprofile
alicloud:region:
value: cn-hangzhou
alicloud:sharedCredentialsFile:
value: /Users/tf_user/.aliyun/creds
ECS Instance Role
If you’re running Pulumi from an ECS instance with RAM Instance using RAM Role,
Pulumi will just access
the metadata URL: http://100.100.100.200/latest/meta-data/ram/security-credentials/<ecs_role_name>
to obtain the STS credential.
Refer to details Access other Cloud Product APIs by the Instance RAM Role.
This is a preferred approach over any other when running in ECS as you can avoid hard coding credentials. Instead, these are leased on-the-fly by Pulumi which reduces the chance of leakage.
The ECS Instance Role can be set using the ALIBABA_CLOUD_ECS_METADATA
environment variables.
Usage:
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
config:
alicloud:ecsRoleName:
value: pulumi-provider-alicloud
alicloud:region:
value: 'TODO: var.region'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
config:
alicloud:ecsRoleName:
value: pulumi-provider-alicloud
alicloud:region:
value: 'TODO: var.region'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
config:
alicloud:ecsRoleName:
value: pulumi-provider-alicloud
alicloud:region:
value: 'TODO: var.region'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
config:
alicloud:ecsRoleName:
value: pulumi-provider-alicloud
alicloud:region:
value: 'TODO: var.region'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
config:
alicloud:ecsRoleName:
value: pulumi-provider-alicloud
alicloud:region:
value: 'TODO: var.region'
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
config:
alicloud:ecsRoleName:
value: pulumi-provider-alicloud
alicloud:region:
value: 'TODO: var.region'
Assuming A RAM Role
If provided with a role ARN, Pulumi will attempt to assume this role using the supplied credentials.
The role arn can be set using the ALIBABA_CLOUD_ROLE_ARN
environment variables,
and the role session name using the ALIBABA_CLOUD_ROLE_SESSION_NAME
environment variables.
Usage:
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
config:
alicloud:accessKey:
value: <One-AccessKeyId-With-AssumeRole-Policy>
alicloud:secretKey:
value: <One-AccessKeySecret-With-AssumeRole-Policy>
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
config:
alicloud:accessKey:
value: <One-AccessKeyId-With-AssumeRole-Policy>
alicloud:secretKey:
value: <One-AccessKeySecret-With-AssumeRole-Policy>
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
config:
alicloud:accessKey:
value: <One-AccessKeyId-With-AssumeRole-Policy>
alicloud:secretKey:
value: <One-AccessKeySecret-With-AssumeRole-Policy>
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
config:
alicloud:accessKey:
value: <One-AccessKeyId-With-AssumeRole-Policy>
alicloud:secretKey:
value: <One-AccessKeySecret-With-AssumeRole-Policy>
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
config:
alicloud:accessKey:
value: <One-AccessKeyId-With-AssumeRole-Policy>
alicloud:secretKey:
value: <One-AccessKeySecret-With-AssumeRole-Policy>
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
config:
alicloud:accessKey:
value: <One-AccessKeyId-With-AssumeRole-Policy>
alicloud:secretKey:
value: <One-AccessKeySecret-With-AssumeRole-Policy>
Assuming A RAM Role With OIDC
If provided with a role ARN and a token from a service account OpenID Connect (OIDC), the Alibaba CLoud Provider will attempt to assume this role using the supplied credentials.
NOTE: Assuming-Role-With-OIDC is a no-AK auth type, and there is no need setting accessKey and secretKey while using it.
Usage:
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
Sidecar Credentials
You can deploy a sidecar to storage alibaba cloud credentials.
Then, you can optionally specify a credentials URI in the Pulumi configuration by providing the credentialsUri
argument
or using the ALIBABA_CLOUD_CREDENTIALS_URI
environment variable to get the credentials automatically.
The Sidecar Credentials is available since v1.141.0.
Usage:
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: nodejs
config:
alicloud:credentialsUri:
value: <Your-Credential-URI>
alicloud:region:
value: cn-hangzhou
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: python
config:
alicloud:credentialsUri:
value: <Your-Credential-URI>
alicloud:region:
value: cn-hangzhou
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: dotnet
config:
alicloud:credentialsUri:
value: <Your-Credential-URI>
alicloud:region:
value: cn-hangzhou
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: go
config:
alicloud:credentialsUri:
value: <Your-Credential-URI>
alicloud:region:
value: cn-hangzhou
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: yaml
config:
alicloud:credentialsUri:
value: <Your-Credential-URI>
alicloud:region:
value: cn-hangzhou
# Pulumi.yaml provider configuration file
name: configuration-example
runtime: java
config:
alicloud:credentialsUri:
value: <Your-Credential-URI>
alicloud:region:
value: cn-hangzhou
Configuration Reference
In addition to generic provider
arguments
(e.g. alias
and version
), the following arguments are supported in the Alibaba Cloud
provider
block:
accessKey
- Alibaba Cloud access key. It is required for the provider. Can also be set with theALIBABA_CLOUD_ACCESS_KEY_ID
environment variable since v1.228.0, or via a shared credentials file if profile is specified. See alsosecretKey
. Environment variableALICLOUD_ACCESS_KEY
andALIBABACLOUD_ACCESS_KEY_ID
have been deprecated since v1.228.0.secretKey
- Alibaba Cloud secret key. It is required for the provider. Can also be set with theALIBABA_CLOUD_ACCESS_KEY_SECRET
environment variable since v1.228.0, or via a shared credentials file if profile is specified. See alsoaccessKey
. Environment variableALICLOUD_SECRET_KEY
andALIBABACLOUD_ACCESS_KEY_SECRET
have been deprecated since v1.228.0.securityToken
- Alibaba Cloud Security Token Service. Can also be set with theALIBABA_CLOUD_SECURITY_TOKEN
environment variable since v1.228.0, or via a shared credentials file if profile is specified. See alsoaccessKey
. Environment variableALICLOUD_SECURITY_TOKEN
andALIBABACLOUD_SECURITY_TOKEN
have been deprecated since v1.228.0.ecsRoleName
- The RAM Role Name attached on a ECS instance for API operations. Can also be set with theALIBABA_CLOUD_ECS_METADATA
environment variable since v1.228.0. Environment variableALICLOUD_ECS_ROLE_NAME
has been deprecated since v1.228.0.region
- Alibaba Cloud region. Default tocn-beijing
. Can also be set with theALIBABA_CLOUD_REGION
environment variable since v1.228.0. Environment variableALICLOUD_REGION
has been deprecated since v1.228.0.accountId
- (Optional) Alibaba Cloud Account ID. It is used by the Function Compute service and to connect router interfaces. If not provided, the provider will attempt to retrieve it automatically with STS GetCallerIdentity. Can also be set with theALIBABA_CLOUD_ACCOUNT_ID
environment variable since v1.228.0. Environment variableALICLOUD_ACCOUNT_ID
has been deprecated since v1.228.0.sharedCredentialsFile
- (Optional, Available since 1.49.0) This is the path to the shared credentials file. Can also be set with theALIBABA_CLOUD_CREDENTIALS_FILE
environment variable since v1.228.0. Environment variableALICLOUD_SHARED_CREDENTIALS_FILE
has been deprecated since v1.228.0. If this is not set andprofile
is specified, “~/.aliyun/config.json” will be used.profile
- (Optional, Available since 1.49.0) This is the Alibaba Cloud profile name as set in the shared credentials file. Can also be set with theALIBABA_CLOUD_PROFILE
environment variable since v1.228.0. Environment variableALICLOUD_PROFILE
has been deprecated since v1.228.0.assumeRole
- (Optional) AnassumeRole
Configuration Block block. Only oneassumeRole
block may be in the configuration.assumeRoleWithOidc
- (Optional, Available since v1.220.0) Configuration block for assuming an RAM role using an OIDC. See theassumeRoleWithOidc
Configuration Block section below. Only oneassumeRoleWithOidc
block may be in the configuration.credentialsUri
- (Optional, Available since 1.141.0) The URI of sidecar credentials service. Can also be set with theALIBABA_CLOUD_CREDENTIALS_URI
environment variable since v1.228.0. Environment variableALICLOUD_CREDENTIALS_URI
has been deprecated since v1.228.0.endpoints
- (Optional) Anendpoints
block to support custom endpoints.skipRegionValidation
- (Optional, Available since 1.52.0) Skip static validation of region ID. Used by users of alternative AlibabaCloud-like APIs or users w/ access to regions that are not public (yet).protocol
- (Optional, Available since 1.72.0) The Protocol of used by API request. Valid values:HTTP
andHTTPS
. Default toHTTPS
.clientReadTimeout
- (Optional, Available since 1.125.0) The maximum timeout in millisecond second of the client read request. Default to 60000.clientConnectTimeout
- (Optional, Available since 1.125.0) The maximum timeout in millisecond second of the client connection server. Default to 60000.maxRetryTimeout
- (Optional, Available since 1.183.0) The maximum retry timeout in second of the request. Default to0
.
assumeRole
Configuration Block
roleArn
- (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. Can also be set with theALIBABA_CLOUD_ROLE_ARN
environment variable since v1.228.0. Environment variableALICLOUD_ASSUME_ROLE_ARN
has been deprecated since v1.228.0. Pulumi executes configuration on account with provided credentials.policy
- (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed.sessionName
- (Optional) The session name to use when assuming the role. If omitted, ‘pulumi’ is passed to the AssumeRole call as session name. Can also be set with theALIBABA_CLOUD_ROLE_SESSION_NAME
environment variable since v1.228.0. Environment variableALICLOUD_ASSUME_ROLE_SESSION_NAME
has been deprecated since v1.228.0.sessionExpiration
- (Optional) The time after which the established session for assuming role expires. Valid value range: [900-43200] seconds. Default to 3600 (in this case Alicloud use own default value). It supports environment variableALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION
.externalId
- (Optional, Available since 1.207.1) The external ID of the RAM role. This parameter is provided by an external party and is used to prevent the confused deputy problem. The value must be 2 to 1,224 characters in length and can contain letters, digits, and the following special characters:= , . @ : / - _
.
assumeRoleWithOidc Configuration Block
The assumeRoleWithOidc
configuration block supports the following arguments:
oidcProviderArn
- (Required) ARN of the OIDC IdP. Can also be set with theALIBABA_CLOUD_OIDC_PROVIDER_ARN
environment variable.roleArn
- (Required) ARN of the RAM Role to assume. Can also be set with theALIBABA_CLOUD_ROLE_ARN
environment variable.oidcToken
- (Optional) Value of a RRSA security token from an OIDC Idp. One ofoidcToken
oroidcTokenFile
is required.oidcTokenFile
- (Optional) File containing a RRSA security token from an OIDC. One ofoidcTokenFile
oroidcToken
is required. Can also be set with theALIBABA_CLOUD_OIDC_TOKEN_FILE
environment variable.roleSessionName
- (Optional) The session name to use when assuming the role. If omitted, ‘pulumi’ is passed to the AssumeRoleWithOIDC call as session name. Can also be set with theALIBABA_CLOUD_ROLE_SESSION_NAME
environment variable.sessionExpiration
- (Optional) The validity period of the STS token. Unit: seconds. Default value: 3600. Minimum value: 900. Maximum value: the value of the MaxSessionDuration parameter when creating a ram role.policy
- (Optional) The policy that specifies the permissions of the returned STS token. You can use this parameter to grant the STS token fewer permissions than the permissions granted to the RAM role.
endpoints
NOTE: Due to certain API restrictions, the endpoints pointing to the area should be consistent with the regionId
.
ecs
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom ECS endpoints.rds
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom RDS endpoints.slb
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom SLB endpoints.vpc
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom VPC and VPN endpoints.cbn
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom CEN endpoints.ess
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Autoscaling endpoints.oss
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom OSS endpoints.dns
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom DNS endpoints.ram
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom RAM endpoints.cs
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Container Service endpoints.cr
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Container Registry endpoints.cdn
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom CDN endpoints.kms
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom KMS endpoints.ots
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Table Store endpoints.cms
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Cloud Monitor endpoints.pvtz
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Private Zone endpoints.sts
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom STS endpoints.log
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Log Service endpoints.drds
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom DRDS endpoints.dds
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom MongoDB endpoints.gpdb
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom GPDB endpoints.kvstore
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom R-KVStore endpoints.fc
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Function Computing endpoints.apigateway
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Api Gateway endpoints.datahub
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Datahub endpoints.mns
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom MNS endpoints.location
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Location Service endpoints.",nas
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom nas Service endpoints.",actiontrail
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom actiontrail Service endpoints.",cas
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom CAS endpoints.bssopenapi
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom BSSOPENAPI endpoints.ddoscoo
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom BGP-Line Anti-DDoS Pro endpoints.market
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Market endpoints.cddc
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom ApsaraDB for MyBase endpoints.ehpc
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Elastic High Performance Computing endpoints.mscsub
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Message Center endpoints.hitsdb
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Lindorm endpoints.sddp
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Data Security Center endpoints.sas
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Security Center endpoints.dts
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Data Transmission endpoints.ens
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom ens endpoints.alidfs
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Apsara File Storage for HDFS endpoints.arms
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Application Real-Time Monitoring Service endpoints.bastionhost
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Bastion Host endpoints.waf
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Web Application Firewall endpoints.alb
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Application Load Balancer endpoints.hbr
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Hybrid Backup Recovery endpoints.dataworkspublic
- - (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Data Works endpoints.cloudfw
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Cloud Firewall endpoints.dm
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Direct Mail endpoints.eais
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Elastic Accelerated Computing Instances endpoints.dg
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Database Gateway endpoints.imm
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Intelligent Media Management endpoints.iot
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Internet of Things endpoints.vod
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom VOD endpoints.gds
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Graph Database endpoints.swas
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Simple Application Server endpoints.opensearch
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Open Search endpoints.clickhouse
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Click House endpoints.vs
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Video Surveillance System endpoints.quickbi
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Quick BI endpoints.cloudsso
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom Cloud SSO endpoints.edas
- (Optional) Use this to override the default endpoint URL constructed from theregion
. It’s typically used to connect to custom EDAS endpoints.