1[← Installation](1-Installation-EN.md) | Client[(中文)](2-Client-CN.md) | [SSL Verify →](3-Verify-EN.md)
2***
3
4# Client
5You may create multiple different clients simultaneously. Each client can have its own configuration, and each request can be sent by specified client. Use the Default Client if it is not specified. The client can be created by auto-loading of the configuration files, or created and managed manually. Different types of clients require different `Credential`,and different `Signature` algorithms that are selected. You may also customize the client: that is, pass in custom credentials and signatures.
6
7## Client Type
8
9### AccessKey Client
10Setup AccessKey through [User Information Management][ak], they have full authority over the account, please keep them safe. Sometimes for security reasons, you cannot hand over a primary account AccessKey with full access to the developer of a project. You may create a sub-account [RAM Sub-account][ram] , grant its [authorization][permissions],and use the AccessKey of RAM Sub-account to make API calls.
11> Sample Code: Create a client with a certification type AccessKey.
12
13```go
14client, err := sdk.NewClientWithAccessKey("regionId", "accessKeyId", "accessKeySecret")
15
16```
17
18
19### STS Client
20Create a temporary security client by applying Temporary Security Credentials (TSC) through the Security Token Service (STS).
21> Sample Code: Create a client with a certification type StsToken.
22
23```go
24client, err := sdk.NewClientWithStsToken("regionId", "subaccessKeyId", "subaccessKeySecret", "stsToken")
25```
26
27
28### RamRoleArn Client
29By specifying [RAM Role][RAM Role], the client will be able to automatically request maintenance of STS Token before making a request, and be automatically converted to a time-limited STS client. You may also apply for Token maintenance by yourself before creating `STS Client`.
30> Sample Code: Create a client with a certification type RamRoleArn.
31
32```go
33client, err := sdk.NewClientWithRamRoleArn("regionId", "subaccessKeyId", "subaccessKeySecret", "roleArn", "roleSession")
34```
35
36If you want to limit the policy([How to make a policy][policy]) of STS Token, you can create a client as following:
37```go
38client, err := sdk.NewClientWithRamRoleArnAndPolicy("regionId", "subaccessKeyId", "subaccessKeySecret", "roleArn", "roleSession", "policy")
39```
40
41### EcsRamRole Client
42By specifying the role name, the client will be able to automatically request maintenance of STS Token before making a request, and be automatically converted to a time-limited STS client. You may also apply for Token maintenance by yourself before creating `STS Client`.
43> Sample Code: Create a client with a certification type EcsRamRole.
44
45```go
46client, err := NewClientWithEcsRamRole("regionid", "roleName")
47```
48
49
50### Bearer Token Client
51If clients with this certification type are required by the Cloud Call Centre (CCC), please apply for Bearer Token maintenance by yourself.
52> Sample Code: Create a client with a certification type Bearer Token.
53
54```go
55client, err := NewClientWithBearerToken("regionId", "bearerToken")
56```
57
58
59### RsaKeyPair Client
60By specifying the public key ID and the private key file, the client will be able to automatically request maintenance of the AccessKey before sending the request, and be automatically converted to a time-limited AccessKey client. Only Japan station is supported.
61> Sample Code: Create a client with a certification type RsaKeyPair.
62
63```go
64client, err := NewClientWithRsaKeyPair("regionid", "publicKey", "privateKey", 3600)
65```
66
67## Create the client automatically
68If no client is created before the request is sent, the client will be created using the default credential provider chain, or the program chain can be customized.
69
70### Default Credential Provider Chain
71The default credential provider chain looks for available clients, looking in the following order:
72
73#### 1. Environment Credentials
74The program first looks for environment credentials in the environment variable. If the `ALIBABA_CLOUD_ACCESS_KEY_ID` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` environment variables are defined and are not empty, the program will use them to create the default client. If the client specified by the request is not the default client, the program loads and looks for the client in the configuration file.
75
76#### 2. Credentials File
77> If there is `~/.alibabacloud/credentials` default file (Windows shows `C:\Users\USER_NAME\.alibabacloud\credentials`), the program will automatically create clients with the specified type and name. The default file may not exist, but a parse error throws an exception. The client name is case-insensitive, and if the clients have the same name, the latter will override the former. The specified files can also be loaded indefinitely: `AlibabaCloud::load('/data/credentials', 'vfs://AlibabaCloud/credentials', ...);` This configuration file can be shared between different projects and between different tools.  Because it is outside the project and will not be accidentally committed to the version control. Environment variables can be used on Windows to refer to the home directory %UserProfile%. Unix-like systems can use the environment variable $HOME or ~ (tilde). The path to the default file can be modified by defining the `ALIBABA_CLOUD_CREDENTIALS_FILE` environment variable.
78
79```ini
80[default]                          # Default client
81type = access_key                  # Certification type: access_key
82access_key_id = foo                # Key
83access_key_secret = bar            # Secret
84
85[client1]                          # Client that is named as `client1`
86type = ecs_ram_role                # Certification type: ecs_ram_role
87role_name = EcsRamRoleTest         # Role Name
88
89[client2]                          # Client that is named as `client2`
90type = ram_role_arn                # Certification type: ram_role_arn
91access_key_id = foo
92access_key_secret = bar
93role_arn = role_arn
94role_session_name = session_name
95
96
97[client3]                          # Client that is named as `client3`
98type = rsa_key_pair                # Certification type: rsa_key_pair
99public_key_id = publicKeyId        # Public Key ID
100private_key_file = /your/pk.pem    # Private Key file
101
102```
103
104#### 3. Instance RAM Role
105If the environment variable `ALIBABA_CLOUD_ECS_METADATA` is defined and not empty, the program will take the value of the environment variable as the role name and request `http://100.100.100.200/latest/meta-data/ram/security-credentials/` to get the temporary Security credentials, then create a default client.
106
107### Custom Credential Provider Chain
108You can replace the default order of the program chain by customizing the program chain, or you can write the closure to the provider.
109```go
110client, err := sdk.NewClientWithProvider("regionId", ProviderInstance, ProviderProfile, ProviderEnv)
111```
112
113***
114[← Installation](1-Installation-EN.md) | Client[(中文)](2-Client-CN.md) | [SSL Verify →](3-Verify-EN.md)
115
116[ak]: https://usercenter.console.aliyun.com/#/manage/ak
117[ram]: https://ram.console.aliyun.com/users
118[policy]: https://www.alibabacloud.com/help/doc-detail/28664.htm?spm=a2c63.p38356.a3.3.27a63b01khWgdh
119[permissions]: https://ram.console.aliyun.com/permissions
120[RAM Role]: https://ram.console.aliyun.com/#/role/list