aliyun / alibabacloud-python-sdk-v2

Alibaba Cloud Python SDK 2.0
Apache License 2.0

STS Support in Python SDK #20

Open rachari opened 5 years ago

rachari commented 5 years ago

I was checking for cross account / STS usage with Alibaba cloud, but couldn't find a relevant module / method in the Python SDK to use this.

I noticed that there are STS implementations in Go / NodeJS.

Is there an implementation in Python too? If there is an implementation, which module is it, and can the authors please share the documentation for the same?

suvieyan commented 5 years ago

Yes, this version supports STS Token Credentials. But it is a developing version. Maybe you can reference https://github.com/aliyun/alibabacloud-python-sdk-v2/blob/master/alibabacloud/credentials/provider.py

rachari commented 5 years ago

Are you referring to the methods that are present in https://github.com/aliyun/alibabacloud-python-sdk-v2/blob/master/alibabacloud/credentials/assume_role_caller.py?

The Linux instance from where we plan on making this call is a role-based instance and we don't have access to an access key / secret key.

Are there any examples of this present in the repo? If not, can you please provide one?

suvieyan commented 5 years ago

I'd like to confirm that you want to use this way: https://www.alibabacloud.com/help/doc-detail/67120.htm?

rachari commented 5 years ago

It's more for cross account access / resource creation, as mentioned here - https://www.alibabacloud.com/help/doc-detail/93745.htm

Idea is to have the roles generated as mentioned in the above docs so that an instance present in account A can assume the role for account B and create / access a resource in account B

suvieyan commented 5 years ago

Can you post the relevant code about Go? So that I can give you the Python related code.

rachari commented 5 years ago

I'm assuming that this is the STS implementation in Go - https://github.com/aliyun/aliyun-sts-go-sdk

Not sure if it supports cross account access though

suvieyan commented 5 years ago

Hi, it is supported in every language of the SDK. And in Python: https://github.com/aliyun/alibabacloud-python-sdk-v2/blob/906760f2f735971277c2355e3f73a82f9565d097/alibabacloud/credentials/provider.py#L163

rachari commented 5 years ago

I was checking the docs, and based on what you've mentioned so far, this STS example should work for an instance with a RAM role for cross account access:

https://www.alibabacloud.com/help/doc-detail/28798.htm?spm=a2c63.p38356.b99.170.5af86ff8Thsqlz

Can you please confirm if this is correct or if there are other examples related to this?

suvieyan commented 5 years ago

There are only three kinds of Alibaba Cloud Credentials. But Credentials Providers are more than 6. As your title, I think you are talking about STS Token; and as you mentioned 'cross account', I think you are talking about RamRoleArn. I can't understand what you need. Can you handle the work order?

rachari commented 5 years ago

This is what I'm trying to do:

  1. Account A is given access to account B via a RAM role.
  2. Instance in account A assumes the role for account B to create resources in account B.

The credentials required for the Acs client in account A need to come from STS after the role has been assumed.

Once the client has the correct credentials, it should be able to access / create resources in account B, based on the permissions assigned for the role.

Please let me know which components / modules from the SDK would be required for this.

suvieyan commented 5 years ago

After discussion, we think you are talking about something about assumerole, which can get STS Token.

alibabacloud-python-sdk-v2 is a developing/big changes/instability version, and it is not recommended to use directly.

In alibabacloud-python-sdk-v2, Assumerole has a layer of encapsulation.

But no matter which version, we all use https://www.alibabacloud.com/help/doc-detail/28763.html

Hope to help you.
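
The flow discussed in this thread (an instance in account A uses its instance-role credentials to call AssumeRole for a role in account B), as an added example that is not code from the SDK or from anyone in the thread. It uses only the standard library and follows the public AssumeRole API and Alibaba Cloud's RPC request-signing scheme; the credential JSON, role ARN, session name and the function names are constructed placeholders, and the request is built but not sent.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed sample of the JSON an ECS instance with a RAM role reads from
# its metadata service. All values are placeholders, not real credentials.
SAMPLE_INSTANCE_CREDS = json.dumps({
    "AccessKeyId": "STS.EXAMPLEKEYID",
    "AccessKeySecret": "exampleSecret",
    "SecurityToken": "exampleToken==",
    "Expiration": "2030-01-01T00:00:00Z",
    "Code": "Success",
})

def pct(value):
    # RFC 3986 encoding: only letters, digits, '-', '_', '.', '~' stay literal.
    return quote(str(value), safe="~")

def build_assume_role_query(creds_json, role_arn, session_name,
                            timestamp, nonce, duration=900):
    # Hypothetical helper: returns the signed query string for STS AssumeRole.
    creds = json.loads(creds_json)
    if creds.get("Code") != "Success":
        raise ValueError("instance role credentials unavailable")
    params = {
        "Action": "AssumeRole",
        "Version": "2015-04-01",
        "Format": "JSON",
        "RoleArn": role_arn,                 # role defined in account B
        "RoleSessionName": session_name,     # shows up in account B's audit trail
        "DurationSeconds": duration,         # keep the session short-lived
        "AccessKeyId": creds["AccessKeyId"],
        "SecurityToken": creds["SecurityToken"],  # required with temporary keys
        "SignatureMethod": "HMAC-SHA1",
        "SignatureVersion": "1.0",
        "SignatureNonce": nonce,             # unique per request (replay guard)
        "Timestamp": timestamp,              # UTC, ISO 8601
    }
    # Canonical query: parameters sorted by name, each side percent-encoded.
    canonical = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    string_to_sign = "GET&%2F&" + pct(canonical)
    key = (creds["AccessKeySecret"] + "&").encode()
    digest = hmac.new(key, string_to_sign.encode(), hashlib.sha1).digest()
    return canonical + "&Signature=" + pct(base64.b64encode(digest).decode())
```

The role in account B still has to trust account A before this call succeeds, and the credentials in the response are what the client for account B is then constructed with.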