aliyun / alibaba-cloud-sdk-go

Alibaba Cloud SDK for Go
Apache License 2.0

feat: support `sts` type in profile provider #642

Closed maros7 closed 1 month ago

maros7 commented 1 month ago

Fixes https://github.com/aliyun/alibaba-cloud-sdk-go/issues/641.

CLAassistant commented 1 month ago

CLA assistant check
All committers have signed the CLA.

JacksonTian commented 1 month ago

The credentials profile is static, but the STS token is dynamic. It needs to be refreshed automatically before its expiration time. So I think supporting a dynamic STS token in a static configuration file is not a good idea.

JacksonTian commented 1 month ago

Actually, if we don't consider the temporary token refresh problem, we can pass the STS with environment variables. It's more lightweight.
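The concern raised above is that a static profile file cannot refresh a temporary token on its own, so the one thing such a provider can do safely is check the recorded expiry and fail closed instead of sending a dead token. The following is an added, self-contained Go example written for this thread; it is not code from alibaba-cloud-sdk-go or credentials-go. It parses a minimal ini-style profile with constructed placeholder values, assumes the key names `type`, `access_key_id`, `access_key_secret` and `security_token` (credentials-go style) plus an assumed extra `expiration` key written by the SSO tool, and refuses the credentials once they are inside a refresh window before expiry.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
	"time"
)

// StsCredentials is the triple a temporary STS token consists of, plus the
// expiry the issuing tool recorded next to it (assumed field, see lead-in).
type StsCredentials struct {
	AccessKeyID     string
	AccessKeySecret string
	SecurityToken   string
	Expiration      time.Time
}

// parseProfile reads a minimal ini-style file ([section] headers, key = value
// lines, '#' or ';' comments) and returns the requested section's pairs.
func parseProfile(content, profile string) (map[string]string, error) {
	section, found := "", false
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			if section == profile {
				found = true
			}
			continue
		}
		if section != profile {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed line in profile %q: %q", profile, line)
		}
		out[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	if !found {
		return nil, fmt.Errorf("profile %q not found", profile)
	}
	return out, nil
}

// loadStsProfile builds StsCredentials from a profile whose type is "sts".
// "expiration" is an assumed extra key (RFC 3339) written by the SSO tool.
func loadStsProfile(content, profile string) (*StsCredentials, error) {
	kv, err := parseProfile(content, profile)
	if err != nil {
		return nil, err
	}
	if kv["type"] != "sts" {
		return nil, fmt.Errorf("profile %q has type %q, want sts", profile, kv["type"])
	}
	for _, k := range []string{"access_key_id", "access_key_secret", "security_token", "expiration"} {
		if kv[k] == "" {
			return nil, fmt.Errorf("profile %q is missing %s", profile, k)
		}
	}
	exp, err := time.Parse(time.RFC3339, kv["expiration"])
	if err != nil {
		return nil, fmt.Errorf("profile %q: bad expiration: %w", profile, err)
	}
	return &StsCredentials{kv["access_key_id"], kv["access_key_secret"], kv["security_token"], exp}, nil
}

// ErrStsExpired is returned when the file holds a token that must not be used.
var ErrStsExpired = errors.New("sts token in profile has expired; re-run the SSO tool")

// needsRefresh reports whether the token is past, or within skew of, its expiry.
func needsRefresh(c *StsCredentials, now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(c.Expiration)
}

// credentialsFromProfile is the fail-closed read a static provider can do:
// it returns the triple only while the recorded expiry says it is still valid.
func credentialsFromProfile(content, profile string, now time.Time) (*StsCredentials, error) {
	c, err := loadStsProfile(content, profile)
	if err != nil {
		return nil, err
	}
	if needsRefresh(c, now, 5*time.Minute) {
		return nil, ErrStsExpired
	}
	return c, nil
}

// sampleProfile is a constructed credentials file; every value is a placeholder.
const sampleProfile = `
[default]
type = access_key
access_key_id = AKID-PLACEHOLDER
access_key_secret = SECRET-PLACEHOLDER

[sso]
type = sts
access_key_id = STS.PLACEHOLDER-ID
access_key_secret = STS-PLACEHOLDER-SECRET
security_token = STS-PLACEHOLDER-TOKEN
expiration = 2024-01-01T12:00:00Z
`

func main() {
	for _, now := range []time.Time{
		time.Date(2024, 1, 1, 11, 0, 0, 0, time.UTC),  // an hour before expiry: usable
		time.Date(2024, 1, 1, 11, 57, 0, 0, time.UTC), // inside the 5 min window: refused
	} {
		c, err := credentialsFromProfile(sampleProfile, "sso", now)
		if err != nil {
			fmt.Println(now.Format(time.RFC3339), "->", err)
			continue
		}
		fmt.Println(now.Format(time.RFC3339), "-> token valid until", c.Expiration.Format(time.RFC3339))
	}
}
```

The refresh window is deliberately generous: a token that is about to expire mid-request produces the same failure as one that already has, so refusing it early turns a confusing API error into a clear "re-run the SSO tool" message.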

maros7 commented 1 month ago

So, our use-case is that we use role-based OIDC SSO when doing local development. We use a bespoke tool for that, similar to https://github.com/aliyun/saml2alibabacloud. The tool persists the sts credentials to the ini file. This is less awkward compared to env variables. You do support this in https://github.com/aliyun/credentials-go/blob/master/credentials/profile_provider.go. But that lib is not possible to use with GitHub Actions since the env provider doesn't support any other type but access_key: https://github.com/aliyun/credentials-go/blob/master/credentials/env_provider.go.

Some more background:

  1. We don't want to use static AK credentials from a security perspective.
  2. We want to be able to use the SDK out-of-the-box w/o any need for our own code. Right now we need to do quite a bit of work to support local development (requires our tool to get STS credentials), GitHub Actions using https://github.com/aliyun/configure-aliyun-credentials-action and when actually running in AliCloud.

JacksonTian commented 1 month ago

> So, our use-case is that we use role-based OIDC SSO when doing local development. We use a bespoke tool for that, similar to https://github.com/aliyun/saml2alibabacloud. The tool persists the sts credentials to the ini file. This is less awkward compared to env variables. You do support this in https://github.com/aliyun/credentials-go/blob/master/credentials/profile_provider.go. But that lib is not possible to use with GitHub Actions since the env provider doesn't support any other type but access_key: https://github.com/aliyun/credentials-go/blob/master/credentials/env_provider.go.
>
> Some more background:
>
>   1. We don't want to use static AK credentials from a security perspective.
>   2. We want to be able to use the SDK out-of-the-box w/o any need for our own code. Right now we need to do quite a bit of work to support local development (requires our tool to get STS credentials), GitHub Actions using https://github.com/aliyun/configure-aliyun-credentials-action and when actually running in AliCloud.

I am supporting the OIDC credentials provider, see https://github.com/aliyun/alibaba-cloud-sdk-go/pull/634 . Could you wait a moment to use the new credentials provider?

JacksonTian commented 1 month ago

Hi @maros7 ,

Two things:

  1. You can use OIDC provider credentials like this:

```go
package main

import (
	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
)

func main() {
	// read oidc token from env ALIBABA_CLOUD_OIDC_TOKEN_FILE
	// read oidc provider arn from env ALIBABA_CLOUD_OIDC_PROVIDER_ARN
	// read role arn from env ALIBABA_CLOUD_ROLE_ARN
	provider, err := credentials.NewOIDCCredentialsProviderBuilder().Build()
	if err != nil {
		panic(err)
	}
	// the original snippet left config undefined; a default SDK config is assumed here
	config := sdk.NewConfig()
	client, err := sdk.NewClientWithOptions("cn-shanghai", config, provider)
	if err != nil {
		panic(err)
	}
	_ = client
}
```

  2. I supported the sts in credentials-go. See https://github.com/aliyun/credentials-go/pull/90 .

I recommend you use credentials-go.