Using Bearer Tokens
Some cloud services may require you to have permission to obtain STS bearer tokens before you can programmatically access their resources. These services support a protocol that requires STS bearer tokens instead of standard temporary security credentials. When you call a cloud service API to obtain an STS bearer token, the cloud service requests a bearer token from the STS service and returns it to you. An STS bearer token contains your identity and permission information, such as identity policies, tags, session tags, and session policies attached to the principal.
An STS bearer token can be used only with the service that generates it. You cannot use it to access other services.
Currently, only SWR supports STS bearer tokens. When uploading an image using a client, you must use the POST /v2/manage/utils/authorizationToken API of SWR to obtain the temporary login instruction containing the bearer token. Then, you can log in to the machine where the container engine is installed.
To allow a cloud service to request an STS bearer token, you must add the following permission to the identity policy:
{
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "sts::createServiceBearerToken"
        ]
    }]
}
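To review which identity policies hand out this permission, the following added example (not part of the original page and not the vendor's tooling) reports whether a policy document allows or denies sts::createServiceBearerToken. It assumes that "*" in an action pattern matches any run of characters and that an explicit Deny overrides an Allow; the sample policies and the action name exampleservice::listThings are constructed for illustration.

```python
import json
import re

TARGET = "sts::createServiceBearerToken"  # action name from the policy above

def _as_list(value):
    """Normalize a field that may be absent, one item, or a list of items."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _matches(pattern, action):
    # Assumption: "*" matches any run of characters. Comparison ignores case
    # so that the audit errs on the side of reporting a grant.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def bearer_token_grant(policy_text):
    """Return 'allow', 'deny' or 'none' for TARGET in one identity policy.

    Conditions and resources are ignored, so 'allow' means the policy can
    grant the action, not that every request will be authorized.
    """
    verdict = "none"
    for stmt in _as_list(json.loads(policy_text).get("Statement")):
        if not any(_matches(p, TARGET) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # assumption: explicit Deny overrides any Allow
        if stmt.get("Effect") == "Allow":
            verdict = "allow"
    return verdict

# Constructed sample policies; only the first one appears on this page.
SAMPLES = {
    "page-policy": '{"Version":"5.0","Statement":[{"Effect":"Allow","Action":["sts::createServiceBearerToken"]}]}',
    "wildcard": '{"Version":"5.0","Statement":{"Effect":"Allow","Action":"sts::*"}}',
    "unrelated": '{"Version":"5.0","Statement":[{"Effect":"Allow","Action":["exampleservice::listThings"]}]}',
    "allow-then-deny": '{"Version":"5.0","Statement":[{"Effect":"Allow","Action":"*"},'
                       '{"Effect":"Deny","Action":["sts::createServiceBearerToken"]}]}',
}

def audit(samples=SAMPLES):
    """Map each policy name to its verdict for TARGET."""
    return {name: bearer_token_grant(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```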