Alibaba Cloud OSS
Use Alibaba Cloud OSS as a Hanzo IAM storage provider (static credentials or RRSA).
Hanzo IAM supports Alibaba Cloud OSS with two auth options: static credentials (AccessKey) or RRSA (RAM Roles for Service Accounts) for environments that provide OIDC tokens (e.g. Alibaba Cloud ACK).
Static credentials
- Create an AccessKey in the Alibaba Cloud console.
- In Hanzo IAM, create a Storage provider, set Type to Alibaba Cloud OSS, and fill Client ID (AccessKey ID), Client secret (AccessKey Secret), Endpoint, Bucket, and Region as needed.

RRSA (no long-term credentials)
In environments that provide OIDC tokens (e.g. ACK with RRSA), set these environment variables, taking the role and OIDC provider ARNs from your RAM console:

```
ALIBABA_CLOUD_ROLE_ARN=acs:ram::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME
ALIBABA_CLOUD_OIDC_PROVIDER_ARN=acs:ram::YOUR_ACCOUNT_ID:oidc-provider/YOUR_PROVIDER_NAME
ALIBABA_CLOUD_OIDC_TOKEN_FILE=/var/run/secrets/tokens/oidc-token
```
In the Hanzo IAM storage provider, leave **Client ID** and **Client secret** empty. Hanzo IAM will use the OIDC token to obtain temporary credentials. If RRSA is unavailable, it falls back to static credentials.
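A preflight check for the three RRSA variables, written as an added example and not part of Hanzo IAM. The function name `check_rrsa_env` is hypothetical, and the code assumes the token file holds a JWT whose `exp` claim can be read without verifying the signature.

```python
import base64, json, os, re, time

# Shapes taken from the variables shown above: numeric account ID, non-empty name.
ROLE_RE = re.compile(r"^acs:ram::\d+:role/[^/\s]+$")
PROVIDER_RE = re.compile(r"^acs:ram::\d+:oidc-provider/[^/\s]+$")

def _jwt_exp(token):
    """Return the exp claim of a JWT (signature NOT verified), or None."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (ValueError, AttributeError):
        return None

def check_rrsa_env(env, now=None):
    """Return a list of problems with the RRSA variables; empty means ready."""
    now = time.time() if now is None else now
    problems = []
    for name, pattern in (("ALIBABA_CLOUD_ROLE_ARN", ROLE_RE),
                          ("ALIBABA_CLOUD_OIDC_PROVIDER_ARN", PROVIDER_RE)):
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif "YOUR_" in value:  # template value copied without editing
            problems.append(f"{name} still contains a placeholder")
        elif not pattern.match(value):
            problems.append(f"{name} does not match the expected ARN shape")
    path = env.get("ALIBABA_CLOUD_OIDC_TOKEN_FILE", "")
    if not path:
        problems.append("ALIBABA_CLOUD_OIDC_TOKEN_FILE is not set")
    elif not os.path.isfile(path):
        problems.append(f"token file {path} does not exist")
    else:
        with open(path) as fh:
            exp = _jwt_exp(fh.read())
        if not isinstance(exp, (int, float)):
            problems.append("token file does not contain a JWT with an exp claim")
        elif exp <= now:
            problems.append("OIDC token has expired")
    return problems

if __name__ == "__main__":
    for problem in check_rrsa_env(os.environ):
        print("RRSA preflight:", problem)
```

Running it inside the pod before starting Hanzo IAM makes a misconfigured RRSA setup visible instead of letting it pass unnoticed into the static-credential fallback.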
:::tip
For production on Alibaba Cloud ACK, RRSA is recommended: no stored secrets and short-lived tokens.
:::