diff --git a/credentials/credential.go b/credentials/credential.go index f561ca9..a9563aa 100644 --- a/credentials/credential.go +++ b/credentials/credential.go @@ -12,8 +12,8 @@ import ( "github.com/alibabacloud-go/debug/debug" "github.com/alibabacloud-go/tea/tea" - "github.com/aliyun/credentials-go/credentials/internal/providers" "github.com/aliyun/credentials-go/credentials/internal/utils" + "github.com/aliyun/credentials-go/credentials/providers" "github.com/aliyun/credentials-go/credentials/request" "github.com/aliyun/credentials-go/credentials/response" ) @@ -209,7 +209,7 @@ func (s *Config) SetExternalId(v string) *Config { func NewCredential(config *Config) (credential Credential, err error) { if config == nil { provider := providers.NewDefaultCredentialsProvider() - credential = fromCredentialsProvider("default", provider) + credential = FromCredentialsProvider("default", provider) return } switch tea.StringValue(config.Type) { @@ -234,7 +234,7 @@ func NewCredential(config *Config) (credential Credential, err error) { if err != nil { return nil, err } - credential = fromCredentialsProvider("oidc_role_arn", provider) + credential = FromCredentialsProvider("oidc_role_arn", provider) case "access_key": provider, err := providers.NewStaticAKCredentialsProviderBuilder(). WithAccessKeyId(tea.StringValue(config.AccessKeyId)). @@ -244,7 +244,7 @@ func NewCredential(config *Config) (credential Credential, err error) { return nil, err } - credential = fromCredentialsProvider("access_key", provider) + credential = FromCredentialsProvider("access_key", provider) case "sts": provider, err := providers.NewStaticSTSCredentialsProviderBuilder(). WithAccessKeyId(tea.StringValue(config.AccessKeyId)). 
@@ -255,7 +255,7 @@ func NewCredential(config *Config) (credential Credential, err error) { return nil, err } - credential = fromCredentialsProvider("sts", provider) + credential = FromCredentialsProvider("sts", provider) case "ecs_ram_role": provider, err := providers.NewECSRAMRoleCredentialsProviderBuilder(). WithRoleName(tea.StringValue(config.RoleName)). @@ -266,7 +266,7 @@ func NewCredential(config *Config) (credential Credential, err error) { return nil, err } - credential = fromCredentialsProvider("ecs_ram_role", provider) + credential = FromCredentialsProvider("ecs_ram_role", provider) case "ram_role_arn": var credentialsProvider providers.CredentialsProvider if config.SecurityToken != nil && *config.SecurityToken != "" { @@ -304,7 +304,7 @@ func NewCredential(config *Config) (credential Credential, err error) { return nil, err } - credential = fromCredentialsProvider("ram_role_arn", provider) + credential = FromCredentialsProvider("ram_role_arn", provider) case "rsa_key_pair": err = checkRSAKeyPair(config) if err != nil { @@ -479,7 +479,7 @@ func (cp *credentialsProviderWrap) GetType() *string { return &cp.typeName } -func fromCredentialsProvider(typeName string, cp providers.CredentialsProvider) Credential { +func FromCredentialsProvider(typeName string, cp providers.CredentialsProvider) Credential { return &credentialsProviderWrap{ typeName: typeName, provider: cp, diff --git a/credentials/internal/providers/cli_profile.go b/credentials/providers/cli_profile.go similarity index 94% rename from credentials/internal/providers/cli_profile.go rename to credentials/providers/cli_profile.go index 0bef5b1..6a9463e 100644 --- a/credentials/internal/providers/cli_profile.go +++ b/credentials/providers/cli_profile.go 
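Review bot: `FromCredentialsProvider` becomes part of the public API in the last credential.go hunk but has no doc comment, and nothing tells callers what `typeName` is for. The context just above it shows `GetType` returning `&cp.typeName`, so a comment such as `// FromCredentialsProvider wraps cp as a Credential; typeName is returned unchanged by GetType and is not validated.` would record the contract. Because any caller can now pass its own provider implementation, the comment should also say whether a nil `cp` is accepted. The wrapper's other methods are outside this hunk, so that could not be checked here.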
@@ -59,10 +59,13 @@ type profile struct { RoleSessionName string `json:"ram_session_name"` DurationSeconds int `json:"expired_seconds"` StsRegion string `json:"sts_region"` + EnableVpc bool `json:"enable_vpc"` SourceProfile string `json:"source_profile"` RoleName string `json:"ram_role_name"` OIDCTokenFile string `json:"oidc_token_file"` OIDCProviderARN string `json:"oidc_provider_arn"` + Policy string `json:"policy"` + ExternalId string `json:"external_id"` } type configuration struct { @@ -132,6 +135,9 @@ func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *conf WithRoleSessionName(p.RoleSessionName). WithDurationSeconds(p.DurationSeconds). WithStsRegionId(p.StsRegion). + WithEnableVpc(p.EnableVpc). + WithPolicy(p.Policy). + WithExternalId(p.ExternalId). Build() case "EcsRamRole": credentialsProvider, err = NewECSRAMRoleCredentialsProviderBuilder().WithRoleName(p.RoleName).Build() @@ -141,8 +147,10 @@ func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *conf WithOIDCProviderARN(p.OIDCProviderARN). WithRoleArn(p.RoleArn). WithStsRegionId(p.StsRegion). + WithEnableVpc(p.EnableVpc). WithDurationSeconds(p.DurationSeconds). WithRoleSessionName(p.RoleSessionName). + WithPolicy(p.Policy). Build() case "ChainableRamRoleArn": previousProvider, err1 := provider.getCredentialsProvider(conf, p.SourceProfile) @@ -156,6 +164,9 @@ func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *conf WithRoleSessionName(p.RoleSessionName). WithDurationSeconds(p.DurationSeconds). WithStsRegionId(p.StsRegion). + WithEnableVpc(p.EnableVpc). + WithPolicy(p.Policy). + WithExternalId(p.ExternalId). Build() default: err = fmt.Errorf("unsupported profile mode '%s'", p.Mode) 
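Review bot: The `ChainableRamRoleArn` case resolves `p.SourceProfile` by calling `getCredentialsProvider` recursively and no cycle check is visible in these hunks, while this commit's change to `fixtures/.aliyun/config.json` sets that profile's `source_profile` to its own name. If there is no guard elsewhere in the function (its body starts outside the hunk), a config file with a self-referencing or mutually referencing profile would recurse until the stack is exhausted instead of returning an error. Rejecting the direct case before the recursive call, for example `if p.SourceProfile == profileName { err = fmt.Errorf("profile '%s' uses itself as source_profile", profileName); return }`, and carrying a visited set or depth limit for longer chains would make this fail cleanly. `profileName` stands for the second parameter, whose name is cut off in the hunk header.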
diff --git a/credentials/internal/providers/cli_profile_test.go b/credentials/providers/cli_profile_test.go similarity index 96% rename from credentials/internal/providers/cli_profile_test.go rename to credentials/providers/cli_profile_test.go index fd4d846..2f17b18 100644 --- a/credentials/internal/providers/cli_profile_test.go +++ b/credentials/providers/cli_profile_test.go @@ -91,6 +91,10 @@ func TestCLIProfileCredentialsProvider_getCredentialsProvider(t *testing.T) { AccessKeyID: "akid", AccessKeySecret: "secret", RoleArn: "arn", + StsRegion: "cn-hangzhou", + EnableVpc: true, + Policy: "policy", + ExternalId: "externalId", }, { Mode: "RamRoleArn", @@ -107,6 +111,9 @@ func TestCLIProfileCredentialsProvider_getCredentialsProvider(t *testing.T) { RoleArn: "role_arn", OIDCTokenFile: "path/to/oidc/file", OIDCProviderARN: "provider_arn", + StsRegion: "cn-hangzhou", + EnableVpc: true, + Policy: "policy", }, { Mode: "ChainableRamRoleArn", diff --git a/credentials/internal/providers/credentials.go b/credentials/providers/credentials.go similarity index 100% rename from credentials/internal/providers/credentials.go rename to credentials/providers/credentials.go diff --git a/credentials/internal/providers/default.go b/credentials/providers/default.go similarity index 100% rename from credentials/internal/providers/default.go rename to credentials/providers/default.go diff --git a/credentials/internal/providers/default_test.go b/credentials/providers/default_test.go similarity index 100% rename from credentials/internal/providers/default_test.go rename to credentials/providers/default_test.go diff --git a/credentials/internal/providers/ecs_ram_role.go b/credentials/providers/ecs_ram_role.go similarity index 98% rename from credentials/internal/providers/ecs_ram_role.go rename to credentials/providers/ecs_ram_role.go index 223666a..89be5eb 100644 --- a/credentials/internal/providers/ecs_ram_role.go +++ b/credentials/providers/ecs_ram_role.go 
@@ -49,7 +49,7 @@ func (builder *ECSRAMRoleCredentialsProviderBuilder) Build() (provider *ECSRAMRo } if !builder.provider.disableIMDSv1 { - builder.provider.disableIMDSv1 = os.Getenv("ALIBABA_CLOUD_IMDSV1_DISABLED") == "true" + builder.provider.disableIMDSv1 = strings.ToLower(os.Getenv("ALIBABA_CLOUD_IMDSV1_DISABLED")) == "true" } provider = builder.provider diff --git a/credentials/internal/providers/ecs_ram_role_test.go b/credentials/providers/ecs_ram_role_test.go similarity index 100% rename from credentials/internal/providers/ecs_ram_role_test.go rename to credentials/providers/ecs_ram_role_test.go diff --git a/credentials/internal/providers/env.go b/credentials/providers/env.go similarity index 100% rename from credentials/internal/providers/env.go rename to credentials/providers/env.go diff --git a/credentials/internal/providers/env_test.go b/credentials/providers/env_test.go similarity index 100% rename from credentials/internal/providers/env_test.go rename to credentials/providers/env_test.go diff --git a/credentials/internal/providers/fixtures/.alibabacloud/credentials b/credentials/providers/fixtures/.alibabacloud/credentials similarity index 100% rename from credentials/internal/providers/fixtures/.alibabacloud/credentials rename to credentials/providers/fixtures/.alibabacloud/credentials diff --git a/credentials/internal/providers/fixtures/.aliyun/config.json b/credentials/providers/fixtures/.aliyun/config.json similarity index 76% rename from credentials/internal/providers/fixtures/.aliyun/config.json rename to credentials/providers/fixtures/.aliyun/config.json index 94d17a5..e0ea4c8 100644 --- a/credentials/internal/providers/fixtures/.aliyun/config.json +++ b/credentials/providers/fixtures/.aliyun/config.json 
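Review bot: Only the literal `true` (in any case) disables the IMDSv1 fallback in `Build`; `ALIBABA_CLOUD_IMDSV1_DISABLED=1` or `yes` is silently read as not disabled, so an operator who believes the hardening is on keeps the v1 path. `strconv.ParseBool` accepts `1`, `t`, `TRUE` and similar, and lets an unrecognised value be reported rather than ignored: `if v, perr := strconv.ParseBool(os.Getenv("ALIBABA_CLOUD_IMDSV1_DISABLED")); perr == nil { builder.provider.disableIMDSv1 = v }`. If the strict comparison stays, `strings.EqualFold(os.Getenv("ALIBABA_CLOUD_IMDSV1_DISABLED"), "true")` says the same thing without the intermediate string. The same comparison is added for `ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED` in oidc.go and ram_role_arn.go. `Build` continues outside this hunk.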
@@ -12,7 +12,11 @@ "mode": "RamRoleArn", "access_key_id": "akid", "access_key_secret": "secret", - "ram_role_arn": "arn" + "ram_role_arn": "arn", + "sts_region": "cn-hangzhou", + "enable_vpc": true, + "policy": "policy", + "external_id": "id" }, { "name": "EcsRamRole", @@ -24,12 +28,15 @@ "mode": "OIDC", "ram_role_arn": "role_arn", "oidc_token_file": "path/to/oidc/file", - "oidc_provider_arn": "provider_arn" + "oidc_provider_arn": "provider_arn", + "sts_region": "cn-hangzhou", + "enable_vpc": true, + "policy": "policy" }, { "name": "ChainableRamRoleArn", "mode": "ChainableRamRoleArn", - "source_profile": "AK" + "source_profile": "ChainableRamRoleArn" }, { "name": "ChainableRamRoleArn2", diff --git a/credentials/internal/providers/fixtures/invalid_cli_config.json b/credentials/providers/fixtures/invalid_cli_config.json similarity index 100% rename from credentials/internal/providers/fixtures/invalid_cli_config.json rename to credentials/providers/fixtures/invalid_cli_config.json diff --git a/credentials/internal/providers/fixtures/mock_cli_config.json b/credentials/providers/fixtures/mock_cli_config.json similarity index 100% rename from credentials/internal/providers/fixtures/mock_cli_config.json rename to credentials/providers/fixtures/mock_cli_config.json diff --git a/credentials/internal/providers/fixtures/mock_empty_cli_config.json b/credentials/providers/fixtures/mock_empty_cli_config.json similarity index 100% rename from credentials/internal/providers/fixtures/mock_empty_cli_config.json rename to credentials/providers/fixtures/mock_empty_cli_config.json diff --git a/credentials/internal/providers/fixtures/mock_oidctoken b/credentials/providers/fixtures/mock_oidctoken similarity index 100% rename from credentials/internal/providers/fixtures/mock_oidctoken rename to credentials/providers/fixtures/mock_oidctoken 
diff --git a/credentials/internal/providers/hook.go b/credentials/providers/hook.go similarity index 100% rename from credentials/internal/providers/hook.go rename to credentials/providers/hook.go diff --git a/credentials/internal/providers/oidc.go b/credentials/providers/oidc.go similarity index 89% rename from credentials/internal/providers/oidc.go rename to credentials/providers/oidc.go index f140c25..c7a3a48 100644 --- a/credentials/internal/providers/oidc.go +++ b/credentials/providers/oidc.go @@ -8,6 +8,7 @@ import ( "net/http" "os" "strconv" + "strings" "time" httputil "github.com/aliyun/credentials-go/credentials/internal/http" @@ -15,14 +16,17 @@ import ( ) type OIDCCredentialsProvider struct { - oidcProviderARN string - oidcTokenFilePath string - roleArn string - roleSessionName string - durationSeconds int - policy string - stsRegionId string - stsEndpoint string + oidcProviderARN string + oidcTokenFilePath string + roleArn string + roleSessionName string + durationSeconds int + policy string + // for sts endpoint + stsRegionId string + enableVpc bool + stsEndpoint string + lastUpdateTimestamp int64 expirationTimestamp int64 sessionCredentials *sessionCredentials @@ -70,6 +74,11 @@ func (b *OIDCCredentialsProviderBuilder) WithStsRegionId(regionId string) *OIDCC return b } +func (b *OIDCCredentialsProviderBuilder) WithEnableVpc(enableVpc bool) *OIDCCredentialsProviderBuilder { + b.provider.enableVpc = enableVpc + return b +} + func (b *OIDCCredentialsProviderBuilder) WithPolicy(policy string) *OIDCCredentialsProviderBuilder { b.provider.policy = policy return b 
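Review bot: `WithEnableVpc` is added as an exported method in a package that this commit moves out of `internal/`, yet it has no doc comment and its precedence rules are not obvious from the signature. According to the `Build` hunk of the same file, the flag is only consulted when no STS endpoint has been set explicitly, and passing `false` does not override `ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED=true`. A comment such as `// WithEnableVpc selects the sts-vpc.<region> endpoint; it is ignored when an explicit STS endpoint is set, and false defers to ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED.` would document that. The same applies to `WithEnableVpc` on `RAMRoleARNCredentialsProviderBuilder` in ram_role_arn.go.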
@@ -126,10 +135,17 @@ func (b *OIDCCredentialsProviderBuilder) Build() (provider *OIDCCredentialsProvi } if b.provider.stsEndpoint == "" { + if !b.provider.enableVpc { + b.provider.enableVpc = strings.ToLower(os.Getenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED")) == "true" + } + prefix := "sts" + if b.provider.enableVpc { + prefix = "sts-vpc" + } if b.provider.stsRegionId != "" { - b.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", b.provider.stsRegionId) + b.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, b.provider.stsRegionId) } else if region := os.Getenv("ALIBABA_CLOUD_STS_REGION"); region != "" { - b.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", region) + b.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, region) } else { b.provider.stsEndpoint = "sts.aliyuncs.com" } diff --git a/credentials/internal/providers/oidc_test.go b/credentials/providers/oidc_test.go similarity index 96% rename from credentials/internal/providers/oidc_test.go rename to credentials/providers/oidc_test.go index a247d04..204039f 100644 --- a/credentials/internal/providers/oidc_test.go +++ b/credentials/providers/oidc_test.go @@ -36,7 +36,7 @@ func TestOIDCCredentialsProviderGetCredentialsWithError(t *testing.T) { } func TestNewOIDCCredentialsProvider(t *testing.T) { - rollback := utils.Memory("ALIBABA_CLOUD_OIDC_TOKEN_FILE", "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", "ALIBABA_CLOUD_ROLE_ARN", "ALIBABA_CLOUD_STS_REGION") + rollback := utils.Memory("ALIBABA_CLOUD_OIDC_TOKEN_FILE", "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", "ALIBABA_CLOUD_ROLE_ARN", "ALIBABA_CLOUD_STS_REGION", "ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED") defer func() { rollback() }() 
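Review bot: When VPC mode is enabled but no region is available, the final `else` branch in `Build` still assigns `sts.aliyuncs.com`, so a caller who asked for the VPC endpoint is silently sent to the public one. In a network that only allows VPC egress this surfaces as an unexplained timeout, and elsewhere the token exchange leaves the private path with no signal. Returning an error would fail closed, for example `if b.provider.enableVpc { err = errors.New("enableVpc requires an STS region"); return }` placed before the fallback assignment. The identical block added to `RAMRoleARNCredentialsProviderBuilder.Build` in ram_role_arn.go has the same gap. `Build` starts and ends outside this hunk.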
@@ -92,10 +92,11 @@ func TestNewOIDCCredentialsProvider(t *testing.T) { // sts endpoint: with sts endpoint env os.Setenv("ALIBABA_CLOUD_STS_REGION", "cn-hangzhou") + os.Setenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED", "true") p, err = NewOIDCCredentialsProviderBuilder(). Build() assert.Nil(t, err) - assert.Equal(t, "sts.cn-hangzhou.aliyuncs.com", p.stsEndpoint) + assert.Equal(t, "sts-vpc.cn-hangzhou.aliyuncs.com", p.stsEndpoint) // sts endpoint: with sts endpoint p, err = NewOIDCCredentialsProviderBuilder(). @@ -107,10 +108,12 @@ func TestNewOIDCCredentialsProvider(t *testing.T) { // sts endpoint: with sts regionId p, err = NewOIDCCredentialsProviderBuilder(). WithStsRegionId("cn-beijing"). + WithEnableVpc(true). Build() assert.Nil(t, err) - assert.Equal(t, "sts.cn-beijing.aliyuncs.com", p.stsEndpoint) + assert.Equal(t, "sts-vpc.cn-beijing.aliyuncs.com", p.stsEndpoint) + os.Setenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED", "false") p, err = NewOIDCCredentialsProviderBuilder(). WithOIDCTokenFilePath("/path/to/invalid/oidc.token"). WithOIDCProviderARN("provider-arn"). diff --git a/credentials/internal/providers/profile.go b/credentials/providers/profile.go similarity index 96% rename from credentials/internal/providers/profile.go rename to credentials/providers/profile.go index ccc79db..36cef69 100644 --- a/credentials/internal/providers/profile.go +++ b/credentials/providers/profile.go @@ -100,11 +100,17 @@ func (provider *ProfileCredentialsProvider) getCredentialsProvider(ini *ini.File err = errors.New("get previous credentials provider failed") return } + rawPolicy, _ := section.GetKey("policy") + policy := "" + if rawPolicy != nil { + policy = rawPolicy.String() + } credentialsProvider, err = NewRAMRoleARNCredentialsProviderBuilder(). WithCredentialsProvider(previous). WithRoleArn(value3.String()). WithRoleSessionName(value4.String()). + WithPolicy(policy). WithDurationSeconds(3600). Build() default: 
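Review bot: In the profile.go hunk the error from `section.GetKey("policy")` is discarded with `_` and nothing says why. If the intent is that `policy` is optional, a comment such as `// policy is optional; a missing key leaves it empty` above the lookup makes that explicit. This path also forwards `policy` but not `external_id`, unlike the CLI-profile provider changed in the same commit; if that is deliberate, it deserves a line in the comment as well. `getCredentialsProvider` starts and ends outside the hunk.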
diff --git a/credentials/internal/providers/profile_test.go b/credentials/providers/profile_test.go similarity index 98% rename from credentials/internal/providers/profile_test.go rename to credentials/providers/profile_test.go index 154545d..66b5f21 100644 --- a/credentials/internal/providers/profile_test.go +++ b/credentials/providers/profile_test.go @@ -47,6 +47,7 @@ access_key_id = foo access_key_secret = bar role_arn = role_arn role_session_name = session_name +policy = {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"} [noram] type = ram_role_arn diff --git a/credentials/internal/providers/ram_role_arn.go b/credentials/providers/ram_role_arn.go similarity index 75% rename from credentials/internal/providers/ram_role_arn.go rename to credentials/providers/ram_role_arn.go index ada9910..da4ffb2 100644 --- a/credentials/internal/providers/ram_role_arn.go +++ b/credentials/providers/ram_role_arn.go @@ -45,14 +45,20 @@ type HttpOptions struct { } type RAMRoleARNCredentialsProvider struct { + // for previous credentials + accessKeyId string + accessKeySecret string + securityToken string credentialsProvider CredentialsProvider - roleArn string - roleSessionName string - durationSeconds int - policy string - externalId string + + roleArn string + roleSessionName string + durationSeconds int + policy string + externalId string // for sts endpoint stsRegionId string + enableVpc bool stsEndpoint string // for http options httpOptions *HttpOptions 
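Review bot: The new `accessKeyId`, `accessKeySecret` and `securityToken` fields keep a second copy of the caller's key material on `RAMRoleARNCredentialsProvider` for its whole lifetime, although the `Build` hunk reads them only once to construct a static provider. Holding them on the builder instead, or clearing them once `credentialsProvider` is set, keeps the secret in one place and out of any `%+v` dump of the provider. At minimum the field comment could read `// static credentials, used only by Build to create credentialsProvider when none is supplied` instead of `// for previous credentials`.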
@@ -72,6 +78,21 @@ func NewRAMRoleARNCredentialsProviderBuilder() *RAMRoleARNCredentialsProviderBui } } +func (builder *RAMRoleARNCredentialsProviderBuilder) WithAccessKeyId(accessKeyId string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.accessKeyId = accessKeyId + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithAccessKeySecret(accessKeySecret string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.accessKeySecret = accessKeySecret + return builder +} + +func (builder *RAMRoleARNCredentialsProviderBuilder) WithSecurityToken(securityToken string) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.securityToken = securityToken + return builder +} + func (builder *RAMRoleARNCredentialsProviderBuilder) WithCredentialsProvider(credentialsProvider CredentialsProvider) *RAMRoleARNCredentialsProviderBuilder { builder.provider.credentialsProvider = credentialsProvider return builder @@ -87,6 +108,11 @@ func (builder *RAMRoleARNCredentialsProviderBuilder) WithStsRegionId(regionId st return builder } +func (builder *RAMRoleARNCredentialsProviderBuilder) WithEnableVpc(enableVpc bool) *RAMRoleARNCredentialsProviderBuilder { + builder.provider.enableVpc = enableVpc + return builder +} + func (builder *RAMRoleARNCredentialsProviderBuilder) WithStsEndpoint(endpoint string) *RAMRoleARNCredentialsProviderBuilder { builder.provider.stsEndpoint = endpoint return builder 
@@ -119,17 +145,44 @@ func (builder *RAMRoleARNCredentialsProviderBuilder) WithHttpOptions(httpOptions func (builder *RAMRoleARNCredentialsProviderBuilder) Build() (provider *RAMRoleARNCredentialsProvider, err error) { if builder.provider.credentialsProvider == nil { - err = errors.New("must specify a previous credentials provider to asssume role") + if builder.provider.accessKeyId != "" && builder.provider.accessKeySecret != "" && builder.provider.securityToken != "" { + builder.provider.credentialsProvider, err = NewStaticSTSCredentialsProviderBuilder(). + WithAccessKeyId(builder.provider.accessKeyId). + WithAccessKeySecret(builder.provider.accessKeySecret). + WithSecurityToken(builder.provider.securityToken). + Build() + if err != nil { + return + } + } else if builder.provider.accessKeyId != "" && builder.provider.accessKeySecret != "" { + builder.provider.credentialsProvider, err = NewStaticAKCredentialsProviderBuilder(). + WithAccessKeyId(builder.provider.accessKeyId). + WithAccessKeySecret(builder.provider.accessKeySecret). + Build() + if err != nil { + return + } + } else { + err = errors.New("must specify a previous credentials provider to assume role") + } return } if builder.provider.roleArn == "" { - err = errors.New("the RoleArn is empty") - return + if roleArn := os.Getenv("ALIBABA_CLOUD_ROLE_ARN"); roleArn != "" { + builder.provider.roleArn = roleArn + } else { + err = errors.New("the RoleArn is empty") + return + } } if builder.provider.roleSessionName == "" { - builder.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10) + if roleSessionName := os.Getenv("ALIBABA_CLOUD_ROLE_SESSION_NAME"); roleSessionName != "" { + builder.provider.roleSessionName = roleSessionName + } else { + builder.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10) + } } // duration seconds 
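Review bot: As the hunk reads, the unconditional `return` that used to follow the error assignment is still the last statement of the `credentialsProvider == nil` block, so after the new static AK or STS provider is built successfully `Build` returns with `provider == nil` and `err == nil`. Callers that check only `err` would then dereference a nil provider, and the role ARN, session name and endpoint defaults further down are never applied on this path. Moving the return into the error branch fixes it: `} else { err = errors.New("must specify a previous credentials provider to assume role"); return }`, with no `return` after the closing brace. None of the visible test hunks builds through `WithAccessKeyId`, so a test for that path would catch this. The diff lines are collapsed on this page, so the exact position of that `return` should be confirmed against the file.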
@@ -145,10 +198,17 @@ func (builder *RAMRoleARNCredentialsProviderBuilder) Build() (provider *RAMRoleA // sts endpoint if builder.provider.stsEndpoint == "" { + if !builder.provider.enableVpc { + builder.provider.enableVpc = strings.ToLower(os.Getenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED")) == "true" + } + prefix := "sts" + if builder.provider.enableVpc { + prefix = "sts-vpc" + } if builder.provider.stsRegionId != "" { - builder.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", builder.provider.stsRegionId) + builder.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, builder.provider.stsRegionId) } else if region := os.Getenv("ALIBABA_CLOUD_STS_REGION"); region != "" { - builder.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", region) + builder.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, region) } else { builder.provider.stsEndpoint = "sts.aliyuncs.com" } diff --git a/credentials/internal/providers/ram_role_arn_test.go b/credentials/providers/ram_role_arn_test.go similarity index 96% rename from credentials/internal/providers/ram_role_arn_test.go rename to credentials/providers/ram_role_arn_test.go index bc87224..77886ca 100644 --- a/credentials/internal/providers/ram_role_arn_test.go +++ b/credentials/providers/ram_role_arn_test.go @@ -13,14 +13,14 @@ import ( ) func TestNewRAMRoleARNCredentialsProvider(t *testing.T) { - rollback := utils.Memory("ALIBABA_CLOUD_STS_REGION") + rollback := utils.Memory("ALIBABA_CLOUD_STS_REGION", "ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED") defer func() { rollback() }() // case 1: no credentials provider _, err := NewRAMRoleARNCredentialsProviderBuilder(). Build() - assert.EqualError(t, err, "must specify a previous credentials provider to asssume role") + assert.EqualError(t, err, "must specify a previous credentials provider to assume role") // case 2: no role arn akProvider, err := NewStaticAKCredentialsProviderBuilder(). 
@@ -61,6 +61,7 @@ func TestNewRAMRoleARNCredentialsProvider(t *testing.T) { WithCredentialsProvider(akProvider). WithRoleArn("roleArn"). WithStsRegionId("cn-hangzhou"). + WithEnableVpc(true). WithPolicy("policy"). WithExternalId("externalId"). WithRoleSessionName("rsn"). @@ -74,9 +75,10 @@ func TestNewRAMRoleARNCredentialsProvider(t *testing.T) { assert.Equal(t, "cn-hangzhou", p.stsRegionId) assert.Equal(t, 1000, p.durationSeconds) // sts endpoint with sts region - assert.Equal(t, "sts.cn-hangzhou.aliyuncs.com", p.stsEndpoint) + assert.Equal(t, "sts-vpc.cn-hangzhou.aliyuncs.com", p.stsEndpoint) // default sts endpoint + os.Setenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED", "1") p, err = NewRAMRoleARNCredentialsProviderBuilder(). WithCredentialsProvider(akProvider). WithRoleArn("roleArn"). @@ -96,6 +98,7 @@ func TestNewRAMRoleARNCredentialsProvider(t *testing.T) { // sts endpoint with env os.Setenv("ALIBABA_CLOUD_STS_REGION", "cn-hangzhou") + os.Setenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED", "True") p, err = NewRAMRoleARNCredentialsProviderBuilder(). WithCredentialsProvider(akProvider). WithRoleArn("roleArn"). @@ -105,7 +108,7 @@ func TestNewRAMRoleARNCredentialsProvider(t *testing.T) { WithDurationSeconds(1000). Build() assert.Nil(t, err) - assert.Equal(t, "sts.cn-hangzhou.aliyuncs.com", p.stsEndpoint) + assert.Equal(t, "sts-vpc.cn-hangzhou.aliyuncs.com", p.stsEndpoint) // sts endpoint with sts endpoint p, err = NewRAMRoleARNCredentialsProviderBuilder(). diff --git a/credentials/internal/providers/static_ak.go b/credentials/providers/static_ak.go similarity index 100% rename from credentials/internal/providers/static_ak.go rename to credentials/providers/static_ak.go diff --git a/credentials/internal/providers/static_ak_test.go b/credentials/providers/static_ak_test.go similarity index 100% rename from credentials/internal/providers/static_ak_test.go rename to credentials/providers/static_ak_test.go 
diff --git a/credentials/internal/providers/static_sts.go b/credentials/providers/static_sts.go similarity index 100% rename from credentials/internal/providers/static_sts.go rename to credentials/providers/static_sts.go diff --git a/credentials/internal/providers/static_sts_test.go b/credentials/providers/static_sts_test.go similarity index 100% rename from credentials/internal/providers/static_sts_test.go rename to credentials/providers/static_sts_test.go