feat: expose internal providers && support init client with provider

credentials/credential.go

@@ -12,8 +12,8 @@ import (
 
 	"github.com/alibabacloud-go/debug/debug"
 	"github.com/alibabacloud-go/tea/tea"
-	"github.com/aliyun/credentials-go/credentials/internal/providers"
 	"github.com/aliyun/credentials-go/credentials/internal/utils"
+	"github.com/aliyun/credentials-go/credentials/providers"
 	"github.com/aliyun/credentials-go/credentials/request"
 	"github.com/aliyun/credentials-go/credentials/response"
 )
@@ -209,7 +209,7 @@ func (s *Config) SetExternalId(v string) *Config {
 func NewCredential(config *Config) (credential Credential, err error) {
 	if config == nil {
 		provider := providers.NewDefaultCredentialsProvider()
-		credential = fromCredentialsProvider("default", provider)
+		credential = FromCredentialsProvider("default", provider)
 		return
 	}
 	switch tea.StringValue(config.Type) {
@@ -234,7 +234,7 @@ func NewCredential(config *Config) (credential Credential, err error) {
 		if err != nil {
 			return nil, err
 		}
-		credential = fromCredentialsProvider("oidc_role_arn", provider)
+		credential = FromCredentialsProvider("oidc_role_arn", provider)
 	case "access_key":
 		provider, err := providers.NewStaticAKCredentialsProviderBuilder().
 			WithAccessKeyId(tea.StringValue(config.AccessKeyId)).
@@ -244,7 +244,7 @@ func NewCredential(config *Config) (credential Credential, err error) {
 			return nil, err
 		}
 
-		credential = fromCredentialsProvider("access_key", provider)
+		credential = FromCredentialsProvider("access_key", provider)
 	case "sts":
 		provider, err := providers.NewStaticSTSCredentialsProviderBuilder().
 			WithAccessKeyId(tea.StringValue(config.AccessKeyId)).
@@ -255,7 +255,7 @@ func NewCredential(config *Config) (credential Credential, err error) {
 			return nil, err
 		}
 
-		credential = fromCredentialsProvider("sts", provider)
+		credential = FromCredentialsProvider("sts", provider)
 	case "ecs_ram_role":
 		provider, err := providers.NewECSRAMRoleCredentialsProviderBuilder().
 			WithRoleName(tea.StringValue(config.RoleName)).
@@ -266,7 +266,7 @@ func NewCredential(config *Config) (credential Credential, err error) {
 			return nil, err
 		}
 
-		credential = fromCredentialsProvider("ecs_ram_role", provider)
+		credential = FromCredentialsProvider("ecs_ram_role", provider)
 	case "ram_role_arn":
 		var credentialsProvider providers.CredentialsProvider
 		if config.SecurityToken != nil && *config.SecurityToken != "" {
@@ -304,7 +304,7 @@ func NewCredential(config *Config) (credential Credential, err error) {
 			return nil, err
 		}
 
-		credential = fromCredentialsProvider("ram_role_arn", provider)
+		credential = FromCredentialsProvider("ram_role_arn", provider)
 	case "rsa_key_pair":
 		err = checkRSAKeyPair(config)
 		if err != nil {
@@ -479,7 +479,7 @@ func (cp *credentialsProviderWrap) GetType() *string {
 	return &cp.typeName
 }
 
-func fromCredentialsProvider(typeName string, cp providers.CredentialsProvider) Credential {
+func FromCredentialsProvider(typeName string, cp providers.CredentialsProvider) Credential {
 	return &credentialsProviderWrap{
 		typeName: typeName,
 		provider: cp,

credentials/internal/providers/cli_profile.go → credentials/providers/cli_profile.go

@@ -59,10 +59,13 @@ type profile struct {
 	RoleSessionName string `json:"ram_session_name"`
 	DurationSeconds int    `json:"expired_seconds"`
 	StsRegion       string `json:"sts_region"`
+	EnableVpc       bool   `json:"enable_vpc"`
 	SourceProfile   string `json:"source_profile"`
 	RoleName        string `json:"ram_role_name"`
 	OIDCTokenFile   string `json:"oidc_token_file"`
 	OIDCProviderARN string `json:"oidc_provider_arn"`
+	Policy          string `json:"policy"`
+	ExternalId      string `json:"external_id"`
 }
 
 type configuration struct {
@@ -132,6 +135,9 @@ func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *conf
 			WithRoleSessionName(p.RoleSessionName).
 			WithDurationSeconds(p.DurationSeconds).
 			WithStsRegionId(p.StsRegion).
+			WithEnableVpc(p.EnableVpc).
+			WithPolicy(p.Policy).
+			WithExternalId(p.ExternalId).
 			Build()
 	case "EcsRamRole":
 		credentialsProvider, err = NewECSRAMRoleCredentialsProviderBuilder().WithRoleName(p.RoleName).Build()
@@ -141,8 +147,10 @@ func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *conf
 			WithOIDCProviderARN(p.OIDCProviderARN).
 			WithRoleArn(p.RoleArn).
 			WithStsRegionId(p.StsRegion).
+			WithEnableVpc(p.EnableVpc).
 			WithDurationSeconds(p.DurationSeconds).
 			WithRoleSessionName(p.RoleSessionName).
+			WithPolicy(p.Policy).
 			Build()
 	case "ChainableRamRoleArn":
 		previousProvider, err1 := provider.getCredentialsProvider(conf, p.SourceProfile)
@@ -156,6 +164,9 @@ func (provider *CLIProfileCredentialsProvider) getCredentialsProvider(conf *conf
 			WithRoleSessionName(p.RoleSessionName).
 			WithDurationSeconds(p.DurationSeconds).
 			WithStsRegionId(p.StsRegion).
+			WithEnableVpc(p.EnableVpc).
+			WithPolicy(p.Policy).
+			WithExternalId(p.ExternalId).
 			Build()
 	default:
 		err = fmt.Errorf("unsupported profile mode '%s'", p.Mode)

credentials/internal/providers/cli_profile_test.go → credentials/providers/cli_profile_test.go

@@ -91,6 +91,10 @@ func TestCLIProfileCredentialsProvider_getCredentialsProvider(t *testing.T) {
 				AccessKeyID:     "akid",
 				AccessKeySecret: "secret",
 				RoleArn:         "arn",
+				StsRegion:       "cn-hangzhou",
+				EnableVpc:       true,
+				Policy:          "policy",
+				ExternalId:      "externalId",
 			},
 			{
 				Mode: "RamRoleArn",
@@ -107,6 +111,9 @@ func TestCLIProfileCredentialsProvider_getCredentialsProvider(t *testing.T) {
 				RoleArn:         "role_arn",
 				OIDCTokenFile:   "path/to/oidc/file",
 				OIDCProviderARN: "provider_arn",
+				StsRegion:       "cn-hangzhou",
+				EnableVpc:       true,
+				Policy:          "policy",
 			},
 			{
 				Mode:          "ChainableRamRoleArn",

credentials/internal/providers/ecs_ram_role.go → credentials/providers/ecs_ram_role.go

@@ -49,7 +49,7 @@ func (builder *ECSRAMRoleCredentialsProviderBuilder) Build() (provider *ECSRAMRo
 	}
 
 	if !builder.provider.disableIMDSv1 {
-		builder.provider.disableIMDSv1 = os.Getenv("ALIBABA_CLOUD_IMDSV1_DISABLED") == "true"
+		builder.provider.disableIMDSv1 = strings.ToLower(os.Getenv("ALIBABA_CLOUD_IMDSV1_DISABLED")) == "true"
 	}
 
 	provider = builder.provider

credentials/internal/providers/fixtures/.aliyun/config.json → credentials/providers/fixtures/.aliyun/config.json

@@ -12,7 +12,11 @@
             "mode": "RamRoleArn",
             "access_key_id": "akid",
             "access_key_secret": "secret",
-            "ram_role_arn": "arn"
+            "ram_role_arn": "arn",
+            "sts_region": "cn-hangzhou",
+            "enable_vpc": true,
+            "policy": "policy",
+            "external_id": "id"
         },
         {
             "name": "EcsRamRole",
@@ -24,12 +28,15 @@
             "mode": "OIDC",
             "ram_role_arn": "role_arn",
             "oidc_token_file": "path/to/oidc/file",
-            "oidc_provider_arn": "provider_arn"
+            "oidc_provider_arn": "provider_arn",
+            "sts_region": "cn-hangzhou",
+            "enable_vpc": true,
+            "policy": "policy"
         },
         {
             "name": "ChainableRamRoleArn",
             "mode": "ChainableRamRoleArn",
-            "source_profile": "AK"
+            "source_profile": "ChainableRamRoleArn"
         },
         {
             "name": "ChainableRamRoleArn2",

credentials/internal/providers/oidc.go → credentials/providers/oidc.go

@@ -8,21 +8,25 @@ import (
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	httputil "github.com/aliyun/credentials-go/credentials/internal/http"
 	"github.com/aliyun/credentials-go/credentials/internal/utils"
 )
 
 type OIDCCredentialsProvider struct {
-	oidcProviderARN     string
-	oidcTokenFilePath   string
-	roleArn             string
-	roleSessionName     string
-	durationSeconds     int
-	policy              string
-	stsRegionId         string
-	stsEndpoint         string
+	oidcProviderARN   string
+	oidcTokenFilePath string
+	roleArn           string
+	roleSessionName   string
+	durationSeconds   int
+	policy            string
+	// for sts endpoint
+	stsRegionId string
+	enableVpc   bool
+	stsEndpoint string
+
 	lastUpdateTimestamp int64
 	expirationTimestamp int64
 	sessionCredentials  *sessionCredentials
@@ -70,6 +74,11 @@ func (b *OIDCCredentialsProviderBuilder) WithStsRegionId(regionId string) *OIDCC
 	return b
 }
 
+func (b *OIDCCredentialsProviderBuilder) WithEnableVpc(enableVpc bool) *OIDCCredentialsProviderBuilder {
+	b.provider.enableVpc = enableVpc
+	return b
+}
+
 func (b *OIDCCredentialsProviderBuilder) WithPolicy(policy string) *OIDCCredentialsProviderBuilder {
 	b.provider.policy = policy
 	return b
@@ -126,10 +135,17 @@ func (b *OIDCCredentialsProviderBuilder) Build() (provider *OIDCCredentialsProvi
 	}
 
 	if b.provider.stsEndpoint == "" {
+		if !b.provider.enableVpc {
+			b.provider.enableVpc = strings.ToLower(os.Getenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED")) == "true"
+		}
+		prefix := "sts"
+		if b.provider.enableVpc {
+			prefix = "sts-vpc"
+		}
 		if b.provider.stsRegionId != "" {
-			b.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", b.provider.stsRegionId)
+			b.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, b.provider.stsRegionId)
 		} else if region := os.Getenv("ALIBABA_CLOUD_STS_REGION"); region != "" {
-			b.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", region)
+			b.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, region)
 		} else {
 			b.provider.stsEndpoint = "sts.aliyuncs.com"
 		}

credentials/internal/providers/profile.go → credentials/providers/profile.go

@@ -100,11 +100,17 @@ func (provider *ProfileCredentialsProvider) getCredentialsProvider(ini *ini.File
 			err = errors.New("get previous credentials provider failed")
 			return
 		}
+		rawPolicy, _ := section.GetKey("policy")
+		policy := ""
+		if rawPolicy != nil {
+			policy = rawPolicy.String()
+		}
 
 		credentialsProvider, err = NewRAMRoleARNCredentialsProviderBuilder().
 			WithCredentialsProvider(previous).
 			WithRoleArn(value3.String()).
 			WithRoleSessionName(value4.String()).
+			WithPolicy(policy).
 			WithDurationSeconds(3600).
 			Build()
 	default:

credentials/internal/providers/profile_test.go → credentials/providers/profile_test.go

@@ -47,6 +47,7 @@ access_key_id = foo
 access_key_secret = bar
 role_arn = role_arn
 role_session_name = session_name
+policy = {"Statement": [{"Action": ["*"],"Effect": "Allow","Resource": ["*"]}],"Version":"1"}
 
 [noram]
 type = ram_role_arn

credentials/internal/providers/ram_role_arn.go → credentials/providers/ram_role_arn.go

@@ -45,14 +45,20 @@ type HttpOptions struct {
 }
 
 type RAMRoleARNCredentialsProvider struct {
+	// for previous credentials
+	accessKeyId         string
+	accessKeySecret     string
+	securityToken       string
 	credentialsProvider CredentialsProvider
-	roleArn             string
-	roleSessionName     string
-	durationSeconds     int
-	policy              string
-	externalId          string
+
+	roleArn         string
+	roleSessionName string
+	durationSeconds int
+	policy          string
+	externalId      string
 	// for sts endpoint
 	stsRegionId string
+	enableVpc   bool
 	stsEndpoint string
 	// for http options
 	httpOptions *HttpOptions
@@ -72,6 +78,21 @@ func NewRAMRoleARNCredentialsProviderBuilder() *RAMRoleARNCredentialsProviderBui
 	}
 }
 
+func (builder *RAMRoleARNCredentialsProviderBuilder) WithAccessKeyId(accessKeyId string) *RAMRoleARNCredentialsProviderBuilder {
+	builder.provider.accessKeyId = accessKeyId
+	return builder
+}
+
+func (builder *RAMRoleARNCredentialsProviderBuilder) WithAccessKeySecret(accessKeySecret string) *RAMRoleARNCredentialsProviderBuilder {
+	builder.provider.accessKeySecret = accessKeySecret
+	return builder
+}
+
+func (builder *RAMRoleARNCredentialsProviderBuilder) WithSecurityToken(securityToken string) *RAMRoleARNCredentialsProviderBuilder {
+	builder.provider.securityToken = securityToken
+	return builder
+}
+
 func (builder *RAMRoleARNCredentialsProviderBuilder) WithCredentialsProvider(credentialsProvider CredentialsProvider) *RAMRoleARNCredentialsProviderBuilder {
 	builder.provider.credentialsProvider = credentialsProvider
 	return builder
@@ -87,6 +108,11 @@ func (builder *RAMRoleARNCredentialsProviderBuilder) WithStsRegionId(regionId st
 	return builder
 }
 
+func (builder *RAMRoleARNCredentialsProviderBuilder) WithEnableVpc(enableVpc bool) *RAMRoleARNCredentialsProviderBuilder {
+	builder.provider.enableVpc = enableVpc
+	return builder
+}
+
 func (builder *RAMRoleARNCredentialsProviderBuilder) WithStsEndpoint(endpoint string) *RAMRoleARNCredentialsProviderBuilder {
 	builder.provider.stsEndpoint = endpoint
 	return builder
@@ -119,17 +145,44 @@ func (builder *RAMRoleARNCredentialsProviderBuilder) WithHttpOptions(httpOptions
 
 func (builder *RAMRoleARNCredentialsProviderBuilder) Build() (provider *RAMRoleARNCredentialsProvider, err error) {
 	if builder.provider.credentialsProvider == nil {
-		err = errors.New("must specify a previous credentials provider to asssume role")
+		if builder.provider.accessKeyId != "" && builder.provider.accessKeySecret != "" && builder.provider.securityToken != "" {
+			builder.provider.credentialsProvider, err = NewStaticSTSCredentialsProviderBuilder().
+				WithAccessKeyId(builder.provider.accessKeyId).
+				WithAccessKeySecret(builder.provider.accessKeySecret).
+				WithSecurityToken(builder.provider.securityToken).
+				Build()
+			if err != nil {
+				return
+			}
+		} else if builder.provider.accessKeyId != "" && builder.provider.accessKeySecret != "" {
+			builder.provider.credentialsProvider, err = NewStaticAKCredentialsProviderBuilder().
+				WithAccessKeyId(builder.provider.accessKeyId).
+				WithAccessKeySecret(builder.provider.accessKeySecret).
+				Build()
+			if err != nil {
+				return
+			}
+		} else {
+			err = errors.New("must specify a previous credentials provider to assume role")
+		}
 		return
 	}
 
 	if builder.provider.roleArn == "" {
-		err = errors.New("the RoleArn is empty")
-		return
+		if roleArn := os.Getenv("ALIBABA_CLOUD_ROLE_ARN"); roleArn != "" {
+			builder.provider.roleArn = roleArn
+		} else {
+			err = errors.New("the RoleArn is empty")
+			return
+		}
 	}
 
 	if builder.provider.roleSessionName == "" {
-		builder.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10)
+		if roleSessionName := os.Getenv("ALIBABA_CLOUD_ROLE_SESSION_NAME"); roleSessionName != "" {
+			builder.provider.roleSessionName = roleSessionName
+		} else {
+			builder.provider.roleSessionName = "credentials-go-" + strconv.FormatInt(time.Now().UnixNano()/1000, 10)
+		}
 	}
 
 	// duration seconds
@@ -145,10 +198,17 @@ func (builder *RAMRoleARNCredentialsProviderBuilder) Build() (provider *RAMRoleA
 
 	// sts endpoint
 	if builder.provider.stsEndpoint == "" {
+		if !builder.provider.enableVpc {
+			builder.provider.enableVpc = strings.ToLower(os.Getenv("ALIBABA_CLOUD_VPC_ENDPOINT_ENABLED")) == "true"
+		}
+		prefix := "sts"
+		if builder.provider.enableVpc {
+			prefix = "sts-vpc"
+		}
 		if builder.provider.stsRegionId != "" {
-			builder.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", builder.provider.stsRegionId)
+			builder.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, builder.provider.stsRegionId)
 		} else if region := os.Getenv("ALIBABA_CLOUD_STS_REGION"); region != "" {
-			builder.provider.stsEndpoint = fmt.Sprintf("sts.%s.aliyuncs.com", region)
+			builder.provider.stsEndpoint = fmt.Sprintf("%s.%s.aliyuncs.com", prefix, region)
 		} else {
 			builder.provider.stsEndpoint = "sts.aliyuncs.com"
 		}