Closed maros7 closed 1 month ago
The credentials profile is static, but the STS token is dynamic. It needs to be refreshed automatically before its expiration time. So I think supporting a dynamic STS token in a static configuration file is not a good idea.
Actually, if we don't consider the temporary token refresh problem, we can pass the STS with environment variables. It's more lightweight.
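The refresh problem raised above, as an added example that is not part of the original thread or of either SDK: a small Go provider that reads an STS triple plus its expiry from an ini profile, caches it, and re-reads the profile only when the cached token is within a skew of expiring, so a static file can carry a rotating token as long as the SSO helper keeps rewriting it. The profile key names (`access_key_id`, `access_key_secret`, `security_token`, `expiration`) and the `ProfileSTSProvider` type are assumptions for this example; the sample profile is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// StsCredential models what an SSO helper writes into a profile section: a
// short-lived STS triple and the expiry STS returned. The key names read
// below are assumed for this example, not taken from the SDK.
type StsCredential struct {
	AccessKeyID, AccessKeySecret, SecurityToken string
	Expiration                                   time.Time
}

// Expired is true once the token is within skew of its expiry.
func (c StsCredential) Expired(now time.Time, skew time.Duration) bool {
	return !now.Add(skew).Before(c.Expiration)
}

// parseProfile reads one [section] of ini text into an StsCredential.
func parseProfile(iniText, section string) (StsCredential, error) {
	var cred StsCredential
	in := false
	sc := bufio.NewScanner(strings.NewReader(iniText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			in = strings.Trim(line, "[]") == section
			continue
		}
		if !in || line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return cred, fmt.Errorf("malformed line %q in profile %q", line, section)
		}
		switch k, v = strings.TrimSpace(k), strings.TrimSpace(v); k {
		case "access_key_id":
			cred.AccessKeyID = v
		case "access_key_secret":
			cred.AccessKeySecret = v
		case "security_token":
			cred.SecurityToken = v
		case "expiration": // RFC 3339 UTC, the format STS reports
			t, err := time.Parse(time.RFC3339, v)
			if err != nil {
				return cred, fmt.Errorf("bad expiration %q: %w", v, err)
			}
			cred.Expiration = t
		}
	}
	if cred.AccessKeyID == "" || cred.AccessKeySecret == "" || cred.SecurityToken == "" || cred.Expiration.IsZero() {
		return cred, fmt.Errorf("profile %q is missing an STS field", section)
	}
	return cred, nil
}

// ProfileSTSProvider caches a profile's token and re-reads the source only
// when that token is about to expire (assumed type, not an SDK one).
type ProfileSTSProvider struct {
	Source  func() ([]byte, error) // e.g. func() ([]byte, error) { return os.ReadFile(path) }
	Section string
	Skew    time.Duration // refresh this long before expiry
	cached  *StsCredential
}

// Get returns a usable credential and never an expired one; the error tells the caller to re-run the SSO tool.
func (p *ProfileSTSProvider) Get() (StsCredential, error) {
	now := time.Now()
	if p.cached != nil && !p.cached.Expired(now, p.Skew) {
		return *p.cached, nil
	}
	data, err := p.Source()
	if err != nil {
		return StsCredential{}, err
	}
	cred, err := parseProfile(string(data), p.Section)
	if err != nil {
		return StsCredential{}, err
	}
	if cred.Expired(now, p.Skew) {
		return StsCredential{}, fmt.Errorf("profile %q: STS token expires %s; re-run the SSO tool", p.Section, cred.Expiration.Format(time.RFC3339))
	}
	p.cached = &cred
	return cred, nil
}

func main() {
	// Constructed sample profile that is valid for one hour from now.
	sample := "[default]\naccess_key_id = STS.constructed\naccess_key_secret = s3cret\nsecurity_token = constructed-token\nexpiration = " + time.Now().Add(time.Hour).UTC().Format(time.RFC3339) + "\n"
	p := &ProfileSTSProvider{Source: func() ([]byte, error) { return []byte(sample), nil }, Section: "default", Skew: 5 * time.Minute}
	c, err := p.Get()
	if err != nil {
		panic(err)
	}
	fmt.Println("using", c.SecurityToken, "until", c.Expiration.Format(time.RFC3339))
}
```

The skew is what keeps the provider from handing out a token that dies mid-request; wiring `Source` to `os.ReadFile` on the real profile path is all that is needed to sit this beside a tool that rewrites the file.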
So, our use-case is that we use role-based OIDC SSO when doing local development. We use a bespoke tool for that, similar to https://github.com/aliyun/saml2alibabacloud. The tool persists the STS credentials to the ini file. This is less awkward compared to env variables. You do support this in https://github.com/aliyun/credentials-go/blob/master/credentials/profile_provider.go. But that lib is not possible to use with Github Actions since the env provider doesn't support any other type but access_key: https://github.com/aliyun/credentials-go/blob/master/credentials/env_provider.go.
Some more background:
- We don't want to use static AK credentials from a security perspective.
- We want to be able to use the SDK out-of-the-box w/o any need for our own code. Right now we need to do quite a bit of work to support local development (requires our tool to get STS credentials), Github Actions using https://github.com/aliyun/configure-aliyun-credentials-action and when actually running in AliCloud.
I am supporting the OIDC credentials provider, see https://github.com/aliyun/alibaba-cloud-sdk-go/pull/634. Could you wait a moment to use the new credentials provider?
Hi @maros7,
Two things:

```go
package main

import (
	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials" // import path assumed from the snippet's package name
)

func main() {
	// read oidc token from env ALIBABA_CLOUD_OIDC_TOKEN_FILE
	// read oidc provider arn from env ALIBABA_CLOUD_OIDC_PROVIDER_ARN
	// read role arn from env ALIBABA_CLOUD_ROLE_ARN
	provider, err := credentials.NewOIDCCredentialsProviderBuilder().Build()
	if err != nil {
		panic(err)
	}
	config := sdk.NewConfig() // default client config; the original snippet left it undefined
	client, err := sdk.NewClientWithOptions("cn-shanghai", config, provider)
	if err != nil {
		panic(err)
	}
	_ = client
}
```

I recommend you use credentials-go.
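A preflight for the three environment variables the snippet above says the OIDC provider reads, as an added example that is not part of the original thread or of either SDK: it checks that each variable is set, that the two ARNs carry the `acs:ram::` prefix (assumed from the RAM ARN convention), and that the token file holds a JWT whose `exp` claim has not passed, so a CI job fails with a clear message instead of an opaque STS error. It deliberately does not verify the signature; STS does that. `checkOIDCEnv` and `jwtExpiry` are names chosen here, and the token in the test is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// The three variables the thread's snippet says the provider reads.
const (
	envTokenFile   = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"
	envProviderARN = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN"
	envRoleARN     = "ALIBABA_CLOUD_ROLE_ARN"
)

// jwtExpiry returns the exp claim of a compact JWT. It does NOT verify the
// signature (STS does); it only lets us fail fast on a stale token.
func jwtExpiry(token string) (time.Time, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decoding JWT payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parsing JWT claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("JWT has no exp claim")
	}
	return time.Unix(claims.Exp, 0).UTC(), nil
}

// checkOIDCEnv validates the environment the provider will consume. getenv
// and readFile are injected so the check runs without touching the real
// process environment; the ARN prefix is an assumed RAM convention.
func checkOIDCEnv(getenv func(string) string, readFile func(string) ([]byte, error), now time.Time) error {
	for _, name := range []string{envTokenFile, envProviderARN, envRoleARN} {
		if getenv(name) == "" {
			return fmt.Errorf("%s is not set", name)
		}
	}
	for _, name := range []string{envProviderARN, envRoleARN} {
		if !strings.HasPrefix(getenv(name), "acs:ram::") {
			return fmt.Errorf("%s does not look like a RAM ARN", name)
		}
	}
	data, err := readFile(getenv(envTokenFile))
	if err != nil {
		return fmt.Errorf("reading %s: %w", envTokenFile, err)
	}
	exp, err := jwtExpiry(string(data))
	if err != nil {
		return err
	}
	if !now.Before(exp) {
		return fmt.Errorf("OIDC token expired at %s", exp.Format(time.RFC3339))
	}
	return nil
}

func main() {
	if err := checkOIDCEnv(os.Getenv, os.ReadFile, time.Now()); err != nil {
		fmt.Fprintln(os.Stderr, "OIDC preflight failed:", err)
		os.Exit(1)
	}
	fmt.Println("OIDC environment looks usable")
}
```

Run it as the first step of the job, before the SDK client is built; in GitHub Actions the token file is typically minted per job, so an expired `exp` here usually means the file is stale rather than the workflow misconfigured.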
Fixes https://github.com/aliyun/alibaba-cloud-sdk-go/issues/641.