docs: update README
yndu13 committed Oct 28, 2024
1 parent a2579d9 commit 462c949
Showing 2 changed files with 46 additions and 10 deletions.
28 changes: 23 additions & 5 deletions README-zh-CN.md
@@ -132,7 +132,15 @@ $credential->getSecurityToken();

#### EcsRamRole

Credentials工具会自动获取ECS实例绑定的RAM角色,调用ECS的元数据服务(Meta Data Server)换取STS Token,完成凭据客户端初始化。ECI实例,容器服务 Kubernetes 版的Worker节点均支持绑定实例RAM角色。
ECS和ECI实例均支持绑定实例RAM角色,当在实例中使用Credentials工具时,将自动获取实例绑定的RAM角色,并通过访问元数据服务获取RAM角色的STS Token,以完成凭据客户端的初始化。

实例元数据服务器支持加固模式和普通模式两种访问方式,Credentials工具默认使用加固模式(IMDSv2)获取访问凭据。若使用加固模式时发生异常,您可以通过设置disableIMDSv1来执行不同的异常处理逻辑:

- 当值为false(默认值)时,会使用普通模式继续获取访问凭据。

- 当值为true时,表示只能使用加固模式获取访问凭据,会抛出异常。

服务端是否支持IMDSv2,取决于您在服务器的配置。

```php
<?php
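Review bot: the replacement paragraph drops the statement, present in the removed line, that worker nodes of Container Service for Kubernetes also support binding an instance RAM role; the new text names only ECS and ECI. If ACK worker nodes are still supported, keep that sentence so users running the tool on ACK know this credential type applies to them; if support was withdrawn, say so rather than silently omitting it.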
@@ -141,9 +149,11 @@ use AlibabaCloud\Credentials\Credential;
use AlibabaCloud\Credentials\Credential\Config;

$config = new Config([
'type' => 'ecs_ram_role',
'type' => 'ecs_ram_role',
// 选填,该ECS角色的角色名称,不填会自动获取,但是建议加上以减少请求次数,可以通过环境变量ALIBABA_CLOUD_ECS_METADATA设置role_name
'roleName' => '<role_name>',
'roleName' => '<role_name>',
// 选填,是否强制关闭IMDSv1,即必须使用IMDSv2加固模式,可以通过环境变量ALIBABA_CLOUD_IMDSV1_DISABLED设置
'disableIMDSv1' => true,
]);
$client = new Credential($config);

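Review bot: the new `disableIMDSv1` comment says the same setting can come from the environment variable ALIBABA_CLOUD_IMDSV1_DISABLED, but neither the comment nor the prose above says which value wins when both the config key and the variable are set; add one sentence stating the precedence (config key over environment, or the reverse), and do the same for `roleName` versus ALIBABA_CLOUD_ECS_METADATA, so a reader can tell whether an environment variable injected into the process can silently re-enable the IMDSv1 fallback that the code sets `'disableIMDSv1' => true` to forbid.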
@@ -204,7 +214,9 @@ $config = new Config([
$client = new Credential($config);

$credential = $client->getCredential();
$credential->getBearerToken();
$credential->getAccessKeyId();
$credential->getAccessKeySecret();
$credential->getSecurityToken();
```

#### Bearer Token
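Review bot: the three getter calls that replace `$credential->getBearerToken();` are bare statements whose return values are discarded, so the example never shows the credential being used; bind them, e.g. `$accessKeyId = $credential->getAccessKeyId();`, or pass them to a client constructor, and if the snippet is meant to print something for demonstration, print only the access key ID, not the secret or the security token.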
@@ -349,7 +361,13 @@ role_session_name=session_name

### 5. 使用 ECS 实例RAM角色

如果定义了环境变量 `ALIBABA_CLOUD_ECS_METADATA` 且不为空,程序会将该环境变量的值作为角色名称,请求 `http://100.100.100.200/latest/meta-data/ram/security-credentials/` 获取临时安全凭证作为默认凭证。
若不存在优先级更高的凭据信息,Credentials工具将通过环境变量获取ALIBABA_CLOUD_ECS_METADATA(ECS实例RAM角色名称)的值。若该变量的值存在,程序将采用加固模式(IMDSv2)访问ECS的元数据服务(Meta Data Server),以获取ECS实例RAM角色的STS Token作为默认凭据信息。在使用加固模式时若发生异常,将使用普通模式兜底来获取访问凭据。您也可以通过设置环境变量ALIBABA_CLOUD_IMDSV1_DISABLED,执行不同的异常处理逻辑:

- 当值为false时,会使用普通模式继续获取访问凭据。

- 当值为true时,表示只能使用加固模式获取访问凭据,会抛出异常。

服务端是否支持IMDSv2,取决于您在服务器的配置。

### 6. 使用外部服务 Credentials URI

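Review bot: the rewritten paragraph removes the concrete metadata endpoint `http://100.100.100.200/latest/meta-data/ram/security-credentials/` that the old line documented and refers only to "the metadata service"; that address is what operators put in egress allowlists and network policies and what they search for when hunting SSRF attempts against the metadata service, so keep it in the new text alongside the IMDSv2 description.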
28 changes: 23 additions & 5 deletions README.md
@@ -134,7 +134,15 @@ $credential->getSecurityToken();

#### EcsRamRole

The Credentials tool automatically obtains the RAM role attached to an ECS instance and uses the metadata server of ECS to obtain an STS token. The STS token is then used to initialize a Credentials client. You can also attach a RAM role to an elastic container instance or a worker node in an Alibaba Cloud Container Service for Kubernetes (ACK) cluster.
Both ECS and ECI instances support binding instance RAM roles. When the Credentials tool is used in an instance, the RAM role bound to the instance will be automatically obtained, and the STS Token of the RAM role will be obtained by accessing the metadata service to complete the initialization of the credential client.

The instance metadata server supports two access modes: hardened mode and normal mode. The Credentials tool uses hardened mode (IMDSv2) by default to obtain access credentials. If an exception occurs when using hardened mode, you can set disableIMDSv1 to perform different exception handling logic:

- When the value is false (default value), the normal mode will continue to be used to obtain access credentials.

- When the value is true, it means that only hardened mode can be used to obtain access credentials, and an exception will be thrown.

Whether the server supports IMDSv2 depends on your configuration on the server.

```php
<?php
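Review bot: the default described in the first bullet (`disableIMDSv1` false) means any exception in hardened mode silently falls back to normal mode, which undoes the IMDSv2 hardening without any signal to the caller; the paragraph should say that plainly and recommend setting the option to true on instances whose metadata service is configured for IMDSv2 only, a decision the last sentence currently leaves entirely to the reader. The phrase "you can set disableIMDSv1 to perform different exception handling logic" also reads awkwardly; suggest "disableIMDSv1 controls what happens when hardened mode fails: false (default) falls back to normal mode, true throws an exception."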
@@ -143,9 +151,11 @@ use AlibabaCloud\Credentials\Credential;
use AlibabaCloud\Credentials\Credential\Config;

$config = new Config([
'type' => 'ecs_ram_role',
'type' => 'ecs_ram_role',
// Optional. Specify the name of the RAM role of the ECS instance. If you do not specify this parameter, its value is automatically obtained. To reduce the number of requests, we recommend that you specify this parameter.
'roleName' => '<role_name>',
'roleName' => '<role_name>',
//Optional, whether to forcibly disable IMDSv1, that is, to use IMDSv2 hardening mode, which can be set by the environment variable ALIBABA_CLOUD_IMDSV1_DISABLED
'disableIMDSv1' => true,
]);
$client = new Credential($config);

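Review bot: the added comment `//Optional, whether to forcibly disable IMDSv1, that is, to use IMDSv2 hardening mode, ...` is missing the space after `//` that the other comments in this block use and calls the mode "hardening mode" where the prose above says "hardened mode"; make both consistent. The example also sets `'disableIMDSv1' => true` while the text states the default is false, so say in the comment that true is the recommended value when the server enforces IMDSv2; otherwise readers will assume the example shows the default behaviour.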
@@ -206,7 +216,9 @@ $config = new Config([
$client = new Credential($config);

$credential = $client->getCredential();
$credential->getBearerToken();
$credential->getAccessKeyId();
$credential->getAccessKeySecret();
$credential->getSecurityToken();
```

#### Bearer Token
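Review bot: the three getter calls that replace `$credential->getBearerToken();` still discard their results, so the snippet does not show what to do with the access key ID, secret and security token; assign them to variables or feed them to a client object, and if the example is meant to echo a value for demonstration, echo only the access key ID rather than the secret or token.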
@@ -348,7 +360,13 @@ role_session_name=session_name

### 5. Instance RAM role

If the environment variable `ALIBABA_CLOUD_ECS_METADATA` is defined and not empty, the program will take the value of the environment variable as the role name and request `http://100.100.100.200/latest/meta-data/ram/security-credentials/` to get the temporary Security credentials are used as default credentials.
If there is no credential information with a higher priority, the Credentials tool will obtain the value of ALIBABA_CLOUD_ECS_METADATA (ECS instance RAM role name) through the environment variable. If the value of this variable exists, the program will use the hardened mode (IMDSv2) to access the metadata service (Meta Data Server) of ECS to obtain the STS Token of the ECS instance RAM role as the default credential information. If an exception occurs when using the hardened mode, the normal mode will be used as a fallback to obtain access credentials. You can also set the environment variable ALIBABA_CLOUD_IMDSV1_DISABLED to perform different exception handling logic:

- When the value is false, the normal mode will continue to obtain access credentials.

- When the value is true, it means that only the hardened mode can be used to obtain access credentials, and an exception will be thrown.

Whether the server supports IMDSv2 depends on your configuration on the server.

### 6. Using External Service Credentials URI

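Review bot: the bullets for ALIBABA_CLOUD_IMDSV1_DISABLED do not state the default, although the preceding sentence implies it (normal mode is used as a fallback) and the EcsRamRole section above says false is the default for the equivalent `disableIMDSv1` option; write "false (default)" here too and say how the variable is parsed (whether `1`, `TRUE` or only the literal `true` count), since a misspelt value that is read as false leaves the IMDSv1 fallback enabled on an instance the operator believes is hardened.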