1[← Installation](1-Installation-EN.md) | Client[(中文)](2-Client-CN.md) | [SSL Verify →](3-Verify-EN.md) 2*** 3 4# Client 5You may create multiple different clients simultaneously. Each client can have its own configuration, and each request can be sent by specified client. Use the Default Client if it is not specified. The client can be created by auto-loading of the configuration files, or created and managed manually. Different types of clients require different `Credential`,and different `Signature` algorithms that are selected. You may also customize the client: that is, pass in custom credentials and signatures. 6 7## Client Type 8 9### AccessKey Client 10Setup AccessKey through [User Information Management][ak], they have full authority over the account, please keep them safe. Sometimes for security reasons, you cannot hand over a primary account AccessKey with full access to the developer of a project. You may create a sub-account [RAM Sub-account][ram] , grant its [authorization][permissions],and use the AccessKey of RAM Sub-account to make API calls. 11> Sample Code: Create a client with a certification type AccessKey. 12 13```go 14client, err := sdk.NewClientWithAccessKey("regionId", "accessKeyId", "accessKeySecret") 15 16``` 17 18 19### STS Client 20Create a temporary security client by applying Temporary Security Credentials (TSC) through the Security Token Service (STS). 21> Sample Code: Create a client with a certification type StsToken. 22 23```go 24client, err := sdk.NewClientWithStsToken("regionId", "subaccessKeyId", "subaccessKeySecret", "stsToken") 25``` 26 27 28### RamRoleArn Client 29By specifying [RAM Role][RAM Role], the client will be able to automatically request maintenance of STS Token before making a request, and be automatically converted to a time-limited STS client. You may also apply for Token maintenance by yourself before creating `STS Client`. 30> Sample Code: Create a client with a certification type RamRoleArn. 31 32```go 33client, err := sdk.NewClientWithRamRoleArn("regionId", "subaccessKeyId", "subaccessKeySecret", "roleArn", "roleSession") 34``` 35 36If you want to limit the policy([How to make a policy][policy]) of STS Token, you can create a client as following: 37```go 38client, err := sdk.NewClientWithRamRoleArnAndPolicy("regionId", "subaccessKeyId", "subaccessKeySecret", "roleArn", "roleSession", "policy") 39``` 40 41### EcsRamRole Client 42By specifying the role name, the client will be able to automatically request maintenance of STS Token before making a request, and be automatically converted to a time-limited STS client. You may also apply for Token maintenance by yourself before creating `STS Client`. 43> Sample Code: Create a client with a certification type EcsRamRole. 44 45```go 46client, err := NewClientWithEcsRamRole("regionid", "roleName") 47``` 48 49 50### Bearer Token Client 51If clients with this certification type are required by the Cloud Call Centre (CCC), please apply for Bearer Token maintenance by yourself. 52> Sample Code: Create a client with a certification type Bearer Token. 53 54```go 55client, err := NewClientWithBearerToken("regionId", "bearerToken") 56``` 57 58 59### RsaKeyPair Client 60By specifying the public key ID and the private key file, the client will be able to automatically request maintenance of the AccessKey before sending the request, and be automatically converted to a time-limited AccessKey client. Only Japan station is supported. 61> Sample Code: Create a client with a certification type RsaKeyPair. 62 63```go 64client, err := NewClientWithRsaKeyPair("regionid", "publicKey", "privateKey", 3600) 65``` 66 67## Create the client automatically 68If no client is created before the request is sent, the client will be created using the default credential provider chain, or the program chain can be customized. 69 70### Default Credential Provider Chain 71The default credential provider chain looks for available clients, looking in the following order: 72 73#### 1. Environment Credentials 74The program first looks for environment credentials in the environment variable. If the `ALIBABA_CLOUD_ACCESS_KEY_ID` and `ALIBABA_CLOUD_ACCESS_KEY_SECRET` environment variables are defined and are not empty, the program will use them to create the default client. If the client specified by the request is not the default client, the program loads and looks for the client in the configuration file. 75 76#### 2. Credentials File 77> If there is `~/.alibabacloud/credentials` default file (Windows shows `C:\Users\USER_NAME\.alibabacloud\credentials`), the program will automatically create clients with the specified type and name. The default file may not exist, but a parse error throws an exception. The client name is case-insensitive, and if the clients have the same name, the latter will override the former. The specified files can also be loaded indefinitely: `AlibabaCloud::load('/data/credentials', 'vfs://AlibabaCloud/credentials', ...);` This configuration file can be shared between different projects and between different tools. Because it is outside the project and will not be accidentally committed to the version control. Environment variables can be used on Windows to refer to the home directory %UserProfile%. Unix-like systems can use the environment variable $HOME or ~ (tilde). The path to the default file can be modified by defining the `ALIBABA_CLOUD_CREDENTIALS_FILE` environment variable. 78 79```ini 80[default] # Default client 81type = access_key # Certification type: access_key 82access_key_id = foo # Key 83access_key_secret = bar # Secret 84 85[client1] # Client that is named as `client1` 86type = ecs_ram_role # Certification type: ecs_ram_role 87role_name = EcsRamRoleTest # Role Name 88 89[client2] # Client that is named as `client2` 90type = ram_role_arn # Certification type: ram_role_arn 91access_key_id = foo 92access_key_secret = bar 93role_arn = role_arn 94role_session_name = session_name 95 96 97[client3] # Client that is named as `client3` 98type = rsa_key_pair # Certification type: rsa_key_pair 99public_key_id = publicKeyId # Public Key ID 100private_key_file = /your/pk.pem # Private Key file 101 102``` 103 104#### 3. Instance RAM Role 105If the environment variable `ALIBABA_CLOUD_ECS_METADATA` is defined and not empty, the program will take the value of the environment variable as the role name and request `http://100.100.100.200/latest/meta-data/ram/security-credentials/` to get the temporary Security credentials, then create a default client. 106 107### Custom Credential Provider Chain 108You can replace the default order of the program chain by customizing the program chain, or you can write the closure to the provider. 109```go 110client, err := sdk.NewClientWithProvider("regionId", ProviderInstance, ProviderProfile, ProviderEnv) 111``` 112 113*** 114[← Installation](1-Installation-EN.md) | Client[(中文)](2-Client-CN.md) | [SSL Verify →](3-Verify-EN.md) 115 116[ak]: https://usercenter.console.aliyun.com/#/manage/ak 117[ram]: https://ram.console.aliyun.com/users 118[policy]: https://www.alibabacloud.com/help/doc-detail/28664.htm?spm=a2c63.p38356.a3.3.27a63b01khWgdh 119[permissions]: https://ram.console.aliyun.com/permissions 120[RAM Role]: https://ram.console.aliyun.com/#/role/list