or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

client-foundation.mdconfiguration-profiles.mdcredential-management.mdhttp-infrastructure.mdindex.mdresilience-reliability.mdsecurity-authentication.md

credential-management.mddocs/

0
# Credential Management
1


2
Multiple credential providers supporting various authentication methods including static credentials, environment variables, configuration files, instance roles, STS temporary credentials, and OIDC tokens. The credential chain automatically tries different providers in order for flexible deployment scenarios.
3


4
## Capabilities
5


6
### Basic Credentials
7


8
Static credential management with secret ID and secret key, optionally including temporary session tokens for enhanced security.
9


10
```python { .api }
11
class Credential:
12
    def __init__(self, secret_id: str, secret_key: str, token: str = None):
13
        """
14
        Create basic credentials.
15
        
16
        Args:
17
            secret_id (str): The secret ID of your credential
18
            secret_key (str): The secret key of your credential  
19
            token (str, optional): Federation token for temporary credentials
20
            
21
        Raises:
22
            TencentCloudSDKException: If secret_id or secret_key is empty or contains spaces
23
        """
24
        
25
    @property
26
    def secretId(self) -> str: ...
27
    
28
    @property
29
    def secretKey(self) -> str: ...
30
    
31
    @property
32
    def secret_id(self) -> str: ...
33
    
34
    @property
35
    def secret_key(self) -> str: ...
36
    
37
    def get_credential_info(self) -> tuple[str, str, str]:
38
        """
39
        Get credential information.
40
        
41
        Returns:
42
            tuple: (secret_id, secret_key, token)
43
        """
44
```
45


46
### CVM Instance Role Credentials
47


48
Automatic credential management via CVM instance roles, retrieving temporary credentials from the instance metadata service.
49


50
```python { .api }
51
class CVMRoleCredential:
52
    def __init__(self, role_name: str = None):
53
        """
54
        Create CVM role credentials.
55
        
56
        Args:
57
            role_name (str, optional): Role name, auto-discovered if not provided
58
        """
59
        
60
    @property
61
    def secretId(self) -> str: ...
62
    
63
    @property
64
    def secretKey(self) -> str: ...
65
    
66
    @property
67
    def secret_id(self) -> str: ...
68
    
69
    @property
70
    def secret_key(self) -> str: ...
71
    
72
    @property
73
    def token(self) -> str: ...
74
    
75
    def get_role_name(self) -> str:
76
        """
77
        Get the role name, auto-discovering if not set.
78
        
79
        Returns:
80
            str: The role name
81
            
82
        Raises:
83
            TencentCloudSDKException: If role discovery fails
84
        """
85
        
86
    def update_credential(self) -> None:
87
        """Update credentials from metadata service."""
88
        
89
    def get_credential(self):
90
        """
91
        Get credential object if valid.
92
        
93
        Returns:
94
            CVMRoleCredential or None: Self if credentials are valid, None otherwise
95
        """
96
        
97
    def get_credential_info(self) -> tuple[str, str, str]:
98
        """
99
        Get credential information with automatic refresh.
100
        
101
        Returns:
102
            tuple: (secret_id, secret_key, token)
103
        """
104
```
105


106
### STS Assume Role Credentials
107


108
STS temporary credential management for role assumption with configurable duration and automatic renewal.
109


110
```python { .api }
111
class STSAssumeRoleCredential:
112
    def __init__(self, secret_id: str, secret_key: str, role_arn: str, 
113
                 role_session_name: str, duration_seconds: int = 7200, 
114
                 endpoint: str = None):
115
        """
116
        Create STS assume role credentials.
117
        
118
        Args:
119
            secret_id (str): Long-term secret ID
120
            secret_key (str): Long-term secret key
121
            role_arn (str): Role ARN to assume
122
            role_session_name (str): Session name for the role
123
            duration_seconds (int): Credential validity period (default: 7200, max: 43200)
124
            endpoint (str, optional): Custom STS endpoint
125
        """
126
        
127
    @property
128
    def secretId(self) -> str: ...
129
    
130
    @property
131
    def secretKey(self) -> str: ...
132
    
133
    @property
134
    def secret_id(self) -> str: ...
135
    
136
    @property
137
    def secret_key(self) -> str: ...
138
    
139
    @property
140
    def token(self) -> str: ...
141
    
142
    def get_credential_info(self) -> tuple[str, str, str]:
143
        """
144
        Get credential information with automatic refresh.
145
        
146
        Returns:
147
            tuple: (secret_id, secret_key, token)
148
        """
149
        
150
    def get_sts_tmp_role_arn(self) -> None:
151
        """Request new temporary credentials from STS."""
152
```
153


154
### Environment Variable Credentials
155


156
Credential provider that reads from environment variables `TENCENTCLOUD_SECRET_ID` and `TENCENTCLOUD_SECRET_KEY`.
157


158
```python { .api }
159
class EnvironmentVariableCredential:
160
    def get_credential(self):
161
        """
162
        Get credentials from environment variables.
163
        
164
        Returns:
165
            Credential or None: Credential object if environment variables are set, None otherwise
166
        """
167
```
168


169
### Profile Credentials
170


171
Credential provider that reads from configuration files at `~/.tencentcloud/credentials` or `/etc/tencentcloud/credentials`.
172


173
```python { .api }
174
class ProfileCredential:
175
    def get_credential(self):
176
        """
177
        Get credentials from configuration file.
178
        
179
        Returns:
180
            Credential or None: Credential object if config file exists and is valid, None otherwise
181
        """
182
```
183


184
### Default Credential Provider
185


186
Chain credential provider that tries multiple credential sources in order: environment variables, configuration files, CVM roles, and TKE OIDC roles.
187


188
```python { .api }
189
class DefaultCredentialProvider:
190
    def __init__(self):
191
        """Create default credential provider chain."""
192
        
193
    def get_credential(self):
194
        """
195
        Get credentials using provider chain.
196
        
197
        Returns:
198
            Credential: First valid credential found
199
            
200
        Raises:
201
            TencentCloudSDKException: If no valid credentials found
202
        """
203
        
204
    def get_credentials(self):
205
        """Alias for get_credential()."""
206
```
207


208
### OIDC Role ARN Credentials
209


210
OIDC role-based credential management for identity provider integration with automatic token refresh.
211


212
```python { .api }
213
class OIDCRoleArnCredential:
214
    def __init__(self, region: str, provider_id: str, web_identity_token: str,
215
                 role_arn: str, role_session_name: str, duration_seconds: int = 7200,
216
                 endpoint: str = None):
217
        """
218
        Create OIDC role credentials.
219
        
220
        Args:
221
            region (str): Region for AssumeRoleWithWebIdentity call
222
            provider_id (str): Identity provider name
223
            web_identity_token (str): OIDC token from IdP
224
            role_arn (str): Role ARN to assume
225
            role_session_name (str): Session name
226
            duration_seconds (int): Credential validity period (default: 7200, max: 43200)
227
            endpoint (str, optional): Custom STS endpoint
228
        """
229
        
230
    @property
231
    def secretId(self) -> str: ...
232
    
233
    @property
234
    def secretKey(self) -> str: ...
235
    
236
    @property
237
    def secret_id(self) -> str: ...
238
    
239
    @property
240
    def secret_key(self) -> str: ...
241
    
242
    @property
243
    def token(self) -> str: ...
244
    
245
    @property
246
    def endpoint(self) -> str: ...
247
    
248
    @endpoint.setter
249
    def endpoint(self, endpoint: str) -> None: ...
250
    
251
    def get_credential_info(self) -> tuple[str, str, str]:
252
        """
253
        Get credential information with automatic refresh.
254
        
255
        Returns:
256
            tuple: (secret_id, secret_key, token)
257
        """
258
        
259
    def refresh(self) -> None:
260
        """Refresh credentials from OIDC provider."""
261
```
262


263
### TKE OIDC Provider
264


265
Specialized OIDC provider for Tencent Kubernetes Engine (TKE) environments that automatically configures from environment variables.
266


267
```python { .api }
268
class DefaultTkeOIDCRoleArnProvider:
269
    def get_credential(self):
270
        """
271
        Get TKE OIDC credentials from environment.
272
        
273
        Returns:
274
            OIDCRoleArnCredential: Configured OIDC credential
275
            
276
        Raises:
277
            EnvironmentError: If required TKE environment variables are missing
278
        """
279
        
280
    def get_credentials(self):
281
        """Alias for get_credential()."""
282
```
283


284
## Usage Examples
285


286
### Basic Credentials
287


288
```python
289
from tencentcloud.common.credential import Credential
290


291
# Create basic credentials
292
cred = Credential("your-secret-id", "your-secret-key")
293


294
# With temporary token
295
cred_with_token = Credential("secret-id", "secret-key", "session-token")
296
```
297


298
### Automatic Credential Chain
299


300
```python
301
from tencentcloud.common.credential import DefaultCredentialProvider
302


303
# Use automatic credential discovery
304
provider = DefaultCredentialProvider()
305
try:
306
    cred = provider.get_credentials()
307
    print("Found credentials")
308
except Exception as e:
309
    print(f"No credentials found: {e}")
310
```
311


312
### CVM Instance Roles
313


314
```python
315
from tencentcloud.common.credential import CVMRoleCredential
316


317
# Use CVM instance role (auto-discover role name)
318
cred = CVMRoleCredential()
319


320
# Use specific role name
321
cred = CVMRoleCredential("MyInstanceRole")
322
```
323


324
### STS Temporary Credentials
325


326
```python
327
from tencentcloud.common.credential import STSAssumeRoleCredential
328


329
# Create STS credentials
330
cred = STSAssumeRoleCredential(
331
    secret_id="long-term-secret-id",
332
    secret_key="long-term-secret-key", 
333
    role_arn="qcs::cam::uin/123456789:role/MyRole",
334
    role_session_name="MySession",
335
    duration_seconds=3600  # 1 hour
336
)
337
```