---
Title: Secure access
URL Source: https://company-skill.com/p/idaas/idaas-secure-access
Language: en
Description: You want to enable one service (like ECS, ACK, or an AI model endpoint) to securely call another Alibaba Cloud service without embedding long-lived AccessKeys (AKs). Instead, you’ll use short-lived…
---

# Secure access

Part of **IDaaS (Identity as a Service)**. Route queries via `POST https://company-skill.com/api/route`.

## What You Want to Do

You want to enable one service (like ECS, ACK, or an AI model endpoint) to securely call another Alibaba Cloud service without embedding long-lived AccessKeys (AKs). Instead, you’ll use short-lived tokens like STS tokens or JWTs issued by IDaaS.

**Typical User Questions**:
- How to use IDaaS M2M for keyless access to Model Studio?
- Can I authenticate API Gateway calls using IDaaS tokens?

## Decision Tree

Pick the best path for your situation:

- **If** your goal is to let **ECS or ACK services access other Alibaba Cloud resources** (e.g., OSS, RDS) → Use AK-free (go to *idaas/idaas-access*)
- **If** you need **secure, keyless access specifically to Model Studio AI services via AI Gateway** → Use AIM2M (go to *idaas/idaas-model*)
- **If** you need to **programmatically fetch or manage M2M tokens in code or CI/CD pipelines** → Use APIM2M (go to *idaas/idaas-access*)
- **Otherwise (default)** → Start with **AK-free** if you’re working with general Alibaba Cloud infrastructure and want console-based, no-code setup with temporary credentials via RAM roles.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| AK-free | ECS, ACK, OIDC, AK | medium | No | No | Uses OIDC identity provider in RAM to exchange tokens for STS credentials | `idaas/guide/idaas-access` |
| AIM2M | Model Studio, AI Gateway | medium | No | No | Requires syncing JWKS endpoint and setting Scope Value for JWT validation | `idaas/guide/idaas-model` |
| APIM2M | M2M | high | Yes | Yes | Uses Bearer Token auth with DASHSCOPE_API_KEY; billed per API request | `idaas/api/idaas-access` |

## Path Details

### Path 1: AK-free

**Best For**: ECS, ACK, OIDC, AK

**Brief Description**: This path configures an **OIDC identity provider** in RAM that trusts your **M2M application**, allowing compute services like ECS or ACK to obtain an **STS token** by presenting an OIDC token. The STS token is then used to assume a **RAM role** with least-privilege permissions. Setup uses the **Console > RAM > Identity Providers > OIDC** workflow, requiring correct **Issuer URL** and **Client ID** values.

**Key technical facts**:
- Billing: Access control features are included at no additional cost with IDaaS service plans. STS credentials used with OIDC are temporary and billed based on usage, but OIDC setup itself has no direct cost.

**When to Use**:
- User needs to enable ECS or ACK services to access other Alibaba Cloud resources without embedding AccessKeys
- Organization requires strict adherence to principle of least privilege with temporary credentials
- Integration with existing RAM role-based permission policies is needed

**When NOT to Use**:
- Application requires programmatic token management rather than console configuration
- Need to integrate with AI/ML services like Model Studio specifically
- Automation or CI/CD pipeline integration is required (this path is not automation-friendly)

**Known Limitations**:
- Requires creating an OIDC identity provider in RAM console with specific parameters matching the M2M application
- Network Zones Type set to 'All' allows access from any IP address, posing security risks in production
- Limited to 50 client IDs per OIDC identity provider

### Path 2: AIM2M

**Best For**: Model Studio, AI Gateway

**Brief Description**: This path enables **keyless access** to **Model Studio** by configuring **M2M authentication** in IDaaS and integrating with **AI Gateway**. You must sync the **JWKS endpoint** from IDaaS into AI Gateway and define a **Resource Server Identifier** and **Scope Value**. The resulting **JWT token** is validated by AI Gateway using the public keys from the **JWKS endpoint**.

**Key technical facts**:
- Billing: Per-request pricing based on Model Studio usage. The integration itself does not incur additional costs beyond standard Model Studio API usage. AI Gateway instance pricing depends on the selected specification and region.

**When to Use**:
- User needs secure, keyless access specifically to Alibaba Cloud Model Studio AI services
- Integration with AI Gateway for JWT-based authentication is preferred
- Testing environment setup with default AI Gateway domain is sufficient for initial validation

**When NOT to Use**:
- Need to access general Alibaba Cloud services beyond Model Studio
- Programmatic token management via API is required
- Production deployment requiring custom domains and higher call limits

**Known Limitations**:
- Default AI Gateway domain has a daily call limit of 1,000 and is intended for testing only
- Scope Value is required when creating permissions; leaving it empty prevents successful token validation
- Requires administrative access to both IDaaS console and AI Gateway console

### Path 3: APIM2M

**Best For**: M2M

**Brief Description**: This path uses the IDaaS Access Control API to programmatically manage **M2M Client Tokens** via the **client_credentials** flow. Authentication requires a **Bearer Token** derived from **DASHSCOPE_API_KEY**, and each call must include **InstanceId** and **ApplicationId**. Proper **`eiam:*` permissions** must be granted to the calling RAM user or role.

**Key technical facts**:
- Billing: Per-request billing model where each API call counts as one request regardless of success or failure. Monthly free quotas range from 1,000 to 10,000 calls depending on the specific API operation.
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing

**When to Use**:
- User needs to programmatically manage M2M tokens in automation scripts or CI/CD pipelines
- Integration with custom applications requiring dynamic token management
- Bulk operations on multiple applications or tokens are needed

**When NOT to Use**:
- User prefers console-based configuration without coding
- Simple one-time setup for AK-free access to Alibaba Cloud services is sufficient
- Specific integration with Model Studio AI services is required (use idaas-model path instead)

**Known Limitations**:
- Requires Bearer Token authentication with proper RAM permissions for each API operation
- Common rate limits include 100 QPS per account, with some APIs having lower limits of 10 QPS
- Each API operation requires specific parameters like InstanceId and ApplicationId that must be correctly formatted
- Failed requests may still be counted toward quotas and billing depending on the specific API

## FAQ

Q: Which path should I start with?
A: If you're running workloads on ECS or ACK and need to call other Alibaba Cloud APIs securely, start with **AK-free**—it’s the standard for infrastructure-level AK-free access using RAM roles and STS tokens.

Q: What if I need to call Model Studio but chose the OIDC/STS path?
A: You’ll hit a dead end—Model Studio doesn’t accept STS tokens from RAM roles. It requires **JWT tokens** validated through **AI Gateway** with a properly configured **JWKS endpoint** and **Scope Value**, which only the idaas-model path provides.

Q: What if I try to automate M2M token issuance using the console-based paths?
A: You’ll fail—the **AK-free** and **AIM2M** paths require manual console steps and aren’t automation-friendly. Only the **APIM2M** path supports programmatic control via **DASHSCOPE_API_KEY** and **`eiam:*` permissions**.

Q: Can I use the API path to access Model Studio?
A: Not directly—the API path issues generic **M2M Client Tokens**, but Model Studio requires integration with **AI Gateway** and JWT validation using a **Resource Server Identifier**. Use the idaas-model path instead.

Q: What happens if I leave Scope Value empty in the AI Gateway setup?
A: Token validation will fail—even if the JWT is otherwise valid, **Scope Value is required** when creating permissions in IDaaS for Model Studio access.

Q: Is there a cost difference between these paths?
A: The OIDC path has no direct cost (only indirect STS usage fees). The AI path incurs **Model Studio per-request charges** and **AI Gateway instance fees**. The API path uses **per-request billing** with monthly free tiers.

## Related queries

secure m2m access, machine to machine auth, m2m authentication, keyless access, ak free access, oidc for ecs, oidc for ack, jwt for model studio, api gateway auth with idaas, m2m token for microservices, configure oidc identity provider, get sts token from oidc, ram role for m2m, client id issuer ur

---
Part of [IDaaS (Identity as a Service)](https://company-skill.com/p/idaas.md) · https://company-skill.com/llms.txt
