Prowler requires Alibaba Cloud credentials to perform security checks. Several authentication methods are supported; when more than one is configured, the first match in the following order wins:
  1. Credentials URI
  2. OIDC Role Authentication
  3. ECS RAM Role
  4. RAM Role Assumption
  5. STS Temporary Credentials
  6. Permanent Access Keys
  7. Default Credential Chain
If none of the explicit methods below is configured, Prowler falls back to the Alibaba Cloud SDK default credential chain.

Authentication Methods

Credentials URI

Prowler can fetch credentials from an HTTP endpoint. Provide the URI via the --credentials-uri flag or the ALIBABA_CLOUD_CREDENTIALS_URI environment variable. The endpoint must return credentials as the JSON document used by the Alibaba Cloud credentials SDK (the same shape the ECS metadata service returns): Code, AccessKeyId, AccessKeySecret, SecurityToken and Expiration. Anything that can reach that endpoint can read the credentials, so bind it to the loopback interface (as in the localhost example below) or put it behind authentication, and have it hand out short-lived STS credentials rather than permanent keys.
# Using CLI flag
prowler alibabacloud --credentials-uri http://localhost:8080/credentials

# Or using environment variable
export ALIBABA_CLOUD_CREDENTIALS_URI="http://localhost:8080/credentials"
prowler alibabacloud

OIDC Role Authentication

OIDC authentication assumes the specified RAM role by presenting an OIDC token. This is the preferred method for containerized workloads running in ACK (Alibaba Cloud Container Service for Kubernetes) with RRSA (RAM Roles for Service Accounts) enabled: the pod presents a short-lived projected service-account token, and no long-lived access key is stored in the image, the environment or a secret. The role ARN can be provided via the --oidc-role-arn flag or the ALIBABA_CLOUD_ROLE_ARN environment variable. The OIDC provider ARN and the path of the token file must be set via environment variables:
  • ALIBABA_CLOUD_OIDC_PROVIDER_ARN
  • ALIBABA_CLOUD_OIDC_TOKEN_FILE
# Using CLI flag for role ARN
export ALIBABA_CLOUD_OIDC_PROVIDER_ARN="acs:ram::123456789012:oidc-provider/ack-rrsa-provider"
export ALIBABA_CLOUD_OIDC_TOKEN_FILE="/var/run/secrets/tokens/oidc-token"
prowler alibabacloud --oidc-role-arn acs:ram::123456789012:role/YourRole

# Or using all environment variables
export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/YourRole"
export ALIBABA_CLOUD_OIDC_PROVIDER_ARN="acs:ram::123456789012:oidc-provider/ack-rrsa-provider"
export ALIBABA_CLOUD_OIDC_TOKEN_FILE="/var/run/secrets/tokens/oidc-token"
prowler alibabacloud

ECS RAM Role

When running on an ECS instance with an attached RAM role, Prowler obtains short-lived credentials for that role from the ECS instance metadata service. Pass the role name (not its ARN) via the --ecs-ram-role flag or the ALIBABA_CLOUD_ECS_METADATA environment variable.
# Using CLI argument
prowler alibabacloud --ecs-ram-role RoleName

# Or using environment variable
export ALIBABA_CLOUD_ECS_METADATA="RoleName"
prowler alibabacloud

RAM Role Assumption

For cross-account access, use RAM role assumption. Provide the initial credentials (access keys) via environment variables and the target role ARN via the --role-arn flag or the ALIBABA_CLOUD_ROLE_ARN environment variable. The --role-session-name flag customizes the session identifier (defaults to ProwlerAssessmentSession); it is recorded with the assumed-role identity in the target account's ActionTrail events, so pick a name that identifies the scan. The initial credentials need sts:AssumeRole on the target role, and the role's trust policy must list the calling account or RAM user as a trusted principal.
# Using CLI flags
export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
prowler alibabacloud --role-arn acs:ram::123456789012:role/ProwlerAuditRole --role-session-name MyAuditSession

# Or using all environment variables
export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/ProwlerAuditRole"
prowler alibabacloud

STS Temporary Credentials

If you already hold temporary STS credentials (for example from an AssumeRole call you made yourself), provide all three values via environment variables. They stop working at the Expiration returned by STS, so request a DurationSeconds that covers the whole scan.
export ALIBABA_CLOUD_ACCESS_KEY_ID="your-sts-access-key-id"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-sts-access-key-secret"
export ALIBABA_CLOUD_SECURITY_TOKEN="your-sts-security-token"
prowler alibabacloud
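The Credentials URI method above depends on the endpoint returning the SDK's JSON shape, and the STS method depends on mapping an AssumeRole result onto three environment variables. The following added example (not Prowler's or the Alibaba Cloud SDK's code) ties the two together: it validates a credentials-URI payload before trusting it, converts a constructed AssumeRole response into the ALIBABA_CLOUD_* variables, and serves that payload from a loopback-only HTTP endpoint so the key material never has to be exported into a shell. The sample credential values, the 5-minute minimum TTL and the port number are this example's assumptions.

```python
"""Credential payload helpers for Prowler's Credentials URI and STS methods.

Added example; not Prowler's or the Alibaba Cloud SDK's code. Assumes the URI
endpoint returns the JSON shape used by the Alibaba Cloud credentials SDK
(Code, AccessKeyId, AccessKeySecret, SecurityToken, Expiration) and that an STS
AssumeRole response carries a top-level "Credentials" object.
"""
import json
from datetime import datetime, timedelta, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

REQUIRED_FIELDS = ("AccessKeyId", "AccessKeySecret", "SecurityToken", "Expiration")


def parse_expiration(value: str) -> datetime:
    """Parse the RFC 3339 UTC timestamp STS uses, e.g. 2030-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_credentials_payload(payload: dict, now: datetime,
                                 min_ttl: timedelta = timedelta(minutes=5)) -> list:
    """Return a list of problems; an empty list means a client may use the payload."""
    problems = []
    if payload.get("Code") != "Success":
        problems.append("Code is not Success")
    for field in REQUIRED_FIELDS:
        if not payload.get(field):
            problems.append(f"missing {field}")
    if payload.get("Expiration"):
        try:
            expires = parse_expiration(payload["Expiration"])
        except ValueError:
            problems.append("Expiration is not RFC 3339 UTC")
        else:
            # Reject credentials that would expire mid-scan (threshold is an assumption).
            if expires - now < min_ttl:
                problems.append("credentials expire too soon")
    return problems


def assume_role_to_env(response: dict) -> dict:
    """Map an STS AssumeRole response onto the variables Prowler reads for STS credentials."""
    creds = response["Credentials"]
    return {
        "ALIBABA_CLOUD_ACCESS_KEY_ID": creds["AccessKeyId"],
        "ALIBABA_CLOUD_ACCESS_KEY_SECRET": creds["AccessKeySecret"],
        "ALIBABA_CLOUD_SECURITY_TOKEN": creds["SecurityToken"],
    }


def uri_payload_from_assume_role(response: dict) -> dict:
    """Repackage AssumeRole output into the document served at the credentials URI."""
    creds = response["Credentials"]
    return {"Code": "Success", **{k: creds[k] for k in REQUIRED_FIELDS}}


class LoopbackCredentialsHandler(BaseHTTPRequestHandler):
    """Serve `payload` as JSON. Whoever can reach this socket gets the credentials,
    so the server below binds to 127.0.0.1 only."""
    payload = {}

    def do_GET(self):
        body = json.dumps(self.payload).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep request lines (and any secrets) out of stderr
        pass


# Constructed sample AssumeRole response with placeholder values (not real credentials);
# the real response carries more fields, which are irrelevant here.
SAMPLE_ASSUME_ROLE = {
    "Credentials": {
        "AccessKeyId": "STS.EXAMPLEKEYID",
        "AccessKeySecret": "EXAMPLESECRET",
        "SecurityToken": "EXAMPLETOKEN",
        "Expiration": "2030-01-01T00:00:00Z",
    }
}

if __name__ == "__main__":
    LoopbackCredentialsHandler.payload = uri_payload_from_assume_role(SAMPLE_ASSUME_ROLE)
    # Then: export ALIBABA_CLOUD_CREDENTIALS_URI=http://127.0.0.1:8080/credentials
    HTTPServer(("127.0.0.1", 8080), LoopbackCredentialsHandler).serve_forever()
```

In practice the broker would call AssumeRole itself (or read fresh credentials from a vault) on each request, so Prowler always receives a token with enough remaining lifetime, and the `validate_credentials_payload` check is what you run against a third-party endpoint before pointing --credentials-uri at it.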

Permanent Access Keys

You can use a RAM user's permanent access keys via environment variables. This is the least preferred method because the keys never expire on their own: if you must use them, create a dedicated RAM user that holds only the permissions listed under Required Permissions, and rotate the keys regularly.
export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
prowler alibabacloud

Required Permissions

The identity Prowler runs as (RAM user or role) should hold only the read permissions needed to audit the resources. At a minimum, the following actions are recommended:
  • ram:GetUser
  • ram:ListUsers
  • ram:GetPasswordPolicy
  • ram:GetAccountSummary
  • ram:ListVirtualMFADevices
  • ram:ListGroups
  • ram:ListPolicies
  • ram:ListAccessKeys
  • ram:GetLoginProfile
  • ram:ListPoliciesForUser
  • ram:ListGroupsForUser
  • actiontrail:DescribeTrails
  • oss:GetBucketLogging
  • oss:GetBucketAcl
  • rds:DescribeDBInstances
  • rds:DescribeDBInstanceAttribute
  • ecs:DescribeInstances
  • vpc:DescribeVpcs
  • sls:ListProject
  • sls:ListAlerts
  • sls:ListLogStores
  • sls:GetLogStore
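To turn the list above into an attachable RAM custom policy, and to check later that the policy attached to the audit identity has not drifted (an action dropped, or a wildcard added), here is an added example that is not Prowler's own code. The action list is the one from this page; the policy name in the comment, the use of Resource "*" and the rule that any "*" in an allowed action counts as over-broad are this example's assumptions.

```python
"""Least-privilege RAM policy for Prowler's Alibaba Cloud checks (added example).

Not Prowler's code. Assumes the RAM custom-policy document format ("Version": "1")
and treats any '*' inside an allowed action as an over-broad grant.
"""
import fnmatch
import json

# Actions from the Required Permissions list on this page.
PROWLER_READ_ACTIONS = [
    "ram:GetUser", "ram:ListUsers", "ram:GetPasswordPolicy", "ram:GetAccountSummary",
    "ram:ListVirtualMFADevices", "ram:ListGroups", "ram:ListPolicies", "ram:ListAccessKeys",
    "ram:GetLoginProfile", "ram:ListPoliciesForUser", "ram:ListGroupsForUser",
    "actiontrail:DescribeTrails",
    "oss:GetBucketLogging", "oss:GetBucketAcl",
    "rds:DescribeDBInstances", "rds:DescribeDBInstanceAttribute",
    "ecs:DescribeInstances",
    "vpc:DescribeVpcs",
    "sls:ListProject", "sls:ListAlerts", "sls:ListLogStores", "sls:GetLogStore",
]


def build_policy(actions) -> dict:
    """RAM custom policy document allowing exactly the given actions.

    Resource is "*" because these are account-wide list/describe calls; narrow it
    per statement if a service supports resource-level scoping for that action."""
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": sorted(set(actions)), "Resource": "*"}],
    }


def policy_json(actions) -> str:
    """Pretty-printed document, ready to paste into the RAM console or a CLI call."""
    return json.dumps(build_policy(actions), indent=2)


def allowed_actions(policy: dict) -> set:
    """Collect every action granted by Allow statements (Action may be str or list)."""
    out = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        action = statement.get("Action", [])
        out.update([action] if isinstance(action, str) else action)
    return out


def action_matches(pattern: str, action: str) -> bool:
    """RAM-style '*' glob on an action string, e.g. 'ram:List*' covers 'ram:ListUsers'."""
    return fnmatch.fnmatchcase(action, pattern)


def audit_policy(policy: dict, required=PROWLER_READ_ACTIONS) -> dict:
    """Report required actions the policy does not grant, and wildcard grants it does."""
    allowed = allowed_actions(policy)
    missing = [a for a in required if not any(action_matches(p, a) for p in allowed)]
    overbroad = sorted(p for p in allowed if "*" in p)
    return {"missing": missing, "overbroad": overbroad}


if __name__ == "__main__":
    # Example policy name "ProwlerAuditReadOnly" is an assumption; attach the created
    # policy to the RAM user or role that Prowler authenticates as.
    print(policy_json(PROWLER_READ_ACTIONS))
```

Run `audit_policy` against the document you get back from RAM (GetPolicyVersion returns it as a string; json.loads it first) as part of the same pipeline that runs Prowler, so a broadened or trimmed audit policy fails the job before the scan starts.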