Skip to main content
Prowler supports multiple Alibaba Cloud authentication flows. If more than one is configured at the same time, the provider resolves them in this order:
  1. Credentials URI
  2. OIDC Role Authentication
  3. ECS RAM Role
  4. RAM Role Assumption
  5. STS Temporary Credentials
  6. Permanent Access Keys
  7. Default Credential Chain
Do not use the AccessKey pair of the main Alibaba Cloud account for Prowler. Use a RAM user, a RAM role, or another temporary credential flow instead.

Choose The Right Method

RAM User And AccessKey

This is the simplest setup for a workstation or a basic CI runner.

Create The RAM User

  1. Open the RAM console.
  2. Go to Identities > Users.
  3. Click Create User.
  4. Enter a logon name and display name.
  5. In Access Configuration, select Permanent AccessKey.
Create a RAM user and enable Permanent AccessKey
  1. Save the generated AccessKey ID and AccessKey Secret immediately. Alibaba Cloud only shows the secret once.
  2. Grant the user the read permissions required for the Alibaba Cloud services you want Prowler to scan.
Grant permissions to the RAM user Alibaba Cloud walkthroughs with current console screenshots:

Use The AccessKey With Prowler

Prowler also accepts ALIYUN_ACCESS_KEY_ID and ALIYUN_ACCESS_KEY_SECRET for compatibility, but ALIBABA_CLOUD_* is the preferred naming.

Use The Default Credential Chain

If you prefer not to export credentials in every shell, you can store them with the Alibaba Cloud CLI and let Prowler reuse the default credential chain from ~/.aliyun/config.json.
For profile management details, see Alibaba Cloud’s CLI credential management guide. Use this when:
  • you want short-lived credentials instead of long-lived AccessKeys in Prowler,
  • you are scanning another Alibaba Cloud account, or
  • you are configuring Alibaba Cloud in Prowler Cloud and want to provide a Role ARN.
This flow has two parts:
  1. A source identity that can call sts:AssumeRole.
  2. A target RAM role that has the scan permissions.

Create The Source Identity

Create a RAM user with an AccessKey pair by following the steps in RAM User And AccessKey, or reuse an existing automation identity.

Create The Target Role

  1. Open the RAM console.
  2. Go to Identities > Roles.
  3. Click Create Role.
  4. Set Principal Type to Cloud Account.
  5. Choose:
    • Current Account if the RAM user and the role are in the same account.
    • Other Account if the RAM user belongs to a different Alibaba Cloud account.
  6. Give the role a name such as ProwlerAuditRole.
  7. Attach the scan permissions to the role.
  8. Copy the role ARN in the format acs:ram::<account-id>:role/<role-name>.
If you want to restrict the role so that only one RAM user or one RAM role can assume it, edit the trust policy accordingly. Helpful references:

Allow The Source Identity To Assume The Role

The source RAM user must be able to call sts:AssumeRole. The easiest starting point is to attach Alibaba Cloud’s AliyunSTSAssumeRoleAccess policy to that RAM user. If you want tighter scope, attach a custom policy limited to the target role ARN.

Run Prowler

You can also set the role ARN with ALIBABA_CLOUD_ROLE_ARN, but the source AccessKey pair is still required for this flow.

STS Temporary Credentials

Use this if another tool already gives you a temporary AccessKey ID, AccessKey Secret, and SecurityToken. This is common when:
  • a CI platform brokers Alibaba credentials for the job,
  • your internal tooling already calls AssumeRole, or
  • you want to test with a short-lived session before switching to a RAM role flow.
You can also store the session in the Alibaba CLI configuration:
Prowler does not mint standalone STS sessions for you. If you use this method, you must provide all three STS values from your external workflow.

ECS RAM Role

Use this when Prowler runs on an ECS instance and you do not want to store any AccessKeys on disk.

Create And Attach The Role

  1. Open the RAM console.
  2. Go to Identities > Roles.
  3. Click Create Role.
  4. Set the trusted entity to Alibaba Cloud Service.
  5. Select ECS as the trusted service.
  6. Attach the read permissions required for the scan.
  7. Attach that RAM role to the ECS instance that runs Prowler.
Alibaba Cloud guide:

Run Prowler

Or:

OIDC Role Authentication

Use this when Prowler runs in ACK or another Kubernetes environment that provides an OIDC token file.

Create The OIDC Identity Provider

  1. Open the RAM console.
  2. Go to Integrations > SSO.
  3. Select Role-based SSO, then the OIDC tab.
  4. Click Create IdP.
  5. Fill in:
    • IdP Name
    • Issuer URL
    • Fingerprint
    • Client ID
  6. Create the IdP and note its ARN.
Alibaba Cloud guides:

Create The RAM Role Trusted By That IdP

Create a RAM role whose trusted entity is the OIDC IdP, then attach the scan permissions to that role. If you are running in ACK with RRSA, this is typically the role bound to the service account that runs Prowler.

Provide The OIDC Variables To Prowler

Prowler currently expects:
  • --oidc-role-arn for the RAM role ARN,
  • ALIBABA_CLOUD_OIDC_PROVIDER_ARN for the OIDC provider ARN,
  • ALIBABA_CLOUD_OIDC_TOKEN_FILE for the token file path.
Example:
If you use ACK RRSA, Alibaba’s ack-pod-identity-webhook can inject the three required environment variables and mount the token file into the pod automatically:
Even if your pod already exposes ALIBABA_CLOUD_ROLE_ARN, use --oidc-role-arn with Prowler. The provider currently reads the role ARN for OIDC from the CLI argument.

Credentials URI

Use this only if you already operate an internal credential broker that returns temporary Alibaba Cloud credentials over HTTP. The endpoint must return a JSON body with this structure:
Run Prowler with:
Or:
For the expected response format, see Alibaba Cloud’s SDK guide for URI credentials.

Permissions Guidance

The exact minimum policy depends on the checks and services you enable. If you are using the RAM console’s Grant Permission screen, search for the system policy names below. Alibaba Cloud often uses product policy names that differ from the service name shown in Prowler.

System Policies In The RAM Console

For a broad Alibaba Cloud scan, the identity used by Prowler usually needs read access to the services Prowler currently audits, including:
  • RAM
  • ECS
  • VPC
  • OSS
  • ActionTrail
  • Simple Log Service (SLS)
  • RDS
  • Container Service / ACK
  • Security Center
Use the following setup as a practical starting point:
  • If you use static AccessKeys, attach the read-only policies above directly to the RAM user used by Prowler.
  • If you use RAM role assumption, attach AliyunSTSAssumeRoleAccess to the source RAM user and attach the read-only policies above to the target scan role.
  • If you use ECS RAM role or OIDC/RRSA, attach the read-only policies above to the role assumed by Prowler.
If you prefer a tighter custom policy instead of system policies, the current provider relies on read APIs such as:
  • ram:Get*, ram:List*
  • ecs:Describe*
  • vpc:Describe*
  • oss:Get*, oss:List*
  • actiontrail:Describe*
  • log:Get*, log:List*, log:Query*
  • rds:Describe*
  • cs:Get*, cs:List*, cs:Describe*
  • yundun-sas:Get*, yundun-sas:Describe*, yundun-sas:List*
If a service is denied, Prowler can still start, but checks for that service may fail or return incomplete results.