Alibaba Cloud OSS
Casdoor supports Alibaba Cloud OSS (Object Storage Service) for file storage, offering two authentication methods: static credentials and RRSA (RAM Roles for Service Accounts).
Authentication Methods
Using Static Credentials
The traditional approach uses an AccessKey to authenticate with the Alibaba Cloud API. This requires full account permissions and is suitable for most deployment scenarios.
To create an AccessKey, follow the instructions in the Alibaba Cloud workbench.
Create the OSS service:

Fill in the necessary information in Casdoor and save:

Using RRSA (RAM Roles for Service Accounts)
RRSA enables zero-credential authentication by exchanging OIDC tokens for temporary STS credentials. This is particularly useful in Kubernetes environments where managing static credentials becomes cumbersome.
When running Casdoor in an environment that provides OIDC tokens (like Alibaba Cloud ACK with RRSA enabled), you can authenticate without storing long-term credentials. Configure these environment variables with values from your Alibaba Cloud RAM console:
ALIBABA_CLOUD_ROLE_ARN=acs:ram::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME
ALIBABA_CLOUD_OIDC_PROVIDER_ARN=acs:ram::YOUR_ACCOUNT_ID:oidc-provider/YOUR_PROVIDER_NAME
ALIBABA_CLOUD_OIDC_TOKEN_FILE=/var/run/secrets/tokens/oidc-token
Replace YOUR_ACCOUNT_ID, YOUR_ROLE_NAME, and YOUR_PROVIDER_NAME with your actual values from the RAM console. The token file path is typically mounted automatically by the Kubernetes service account system.
In the Casdoor storage provider configuration, leave the Client ID and Client Secret fields empty. Casdoor will automatically detect the RRSA environment and handle authentication using the OIDC token.
If RRSA credentials cannot be obtained, Casdoor gracefully falls back to static credentials, ensuring your application continues to work even during configuration changes.
For production deployments in Alibaba Cloud ACK, RRSA is the recommended approach as it eliminates credential management overhead and enhances security through short-lived tokens.
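A preflight check for the three RRSA variables above, as an added example that is not part of Casdoor or of the original page: it validates the ARN shapes shown here, catches placeholders left unreplaced, and confirms the token file holds a JWT that has not expired. The function names are hypothetical, the token signature is not verified, and reading `exp` assumes the mounted OIDC token is a standard JWT, as Kubernetes service account tokens are.

```python
# Added example: names are hypothetical; the JWT signature is NOT verified here.
import base64, json, os, re, time

# ARN shapes as shown on this page (account ID, then role or oidc-provider name).
ARN_SHAPES = {
    "ALIBABA_CLOUD_ROLE_ARN": re.compile(r"^acs:ram::([^:/]+):role/(.+)$"),
    "ALIBABA_CLOUD_OIDC_PROVIDER_ARN": re.compile(r"^acs:ram::([^:/]+):oidc-provider/(.+)$"),
}
TOKEN_VAR = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"


def token_expiry(jwt_text):
    """Return the exp claim (epoch seconds) of a JWT without verifying its signature."""
    parts = jwt_text.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"])


def check_rrsa_env(env=os.environ, now=None):
    """Return a list of problems; an empty list means the RRSA inputs look usable."""
    now = time.time() if now is None else now
    problems = []
    for var, shape in ARN_SHAPES.items():
        value = env.get(var, "")
        if not value:
            problems.append(f"{var} is not set")
        elif not shape.match(value):
            problems.append(f"{var} does not match the expected ARN shape")
        elif "YOUR_" in value:  # template value from the docs copied verbatim
            problems.append(f"{var} still contains a placeholder")
    path = env.get(TOKEN_VAR, "")
    if not path:
        return problems + [f"{TOKEN_VAR} is not set"]
    try:
        with open(path, encoding="ascii") as fh:
            exp = token_expiry(fh.read())
    except (OSError, ValueError, KeyError, TypeError) as err:
        return problems + [f"{TOKEN_VAR}: cannot read a JWT with an exp claim ({err})"]
    if exp <= now:
        problems.append(f"{TOKEN_VAR}: token expired {int(now - exp)}s ago")
    return problems


if __name__ == "__main__":
    for line in check_rrsa_env() or ["RRSA environment looks usable"]:
        print(line)
```

Run it inside the Casdoor pod before relying on RRSA; because Casdoor falls back to static credentials when RRSA credentials cannot be obtained, checking these inputs directly shows which path is actually available.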
You can now use Alibaba Cloud storage services in your application with improved security and flexibility.