in config/profile.go [294:566]
func (cp *Profile) GetCredential(ctx *cli.Context, proxyHost *string) (cred credentialsv2.Credential, err error) {
config := new(credentialsv2.Config)
// The AK, StsToken are direct credential
// Others are indirect credential
cp.Validate()
switch cp.Mode {
case AK:
if cp.AccessKeyId == "" || cp.AccessKeySecret == "" {
err = fmt.Errorf("AccessKeyId/AccessKeySecret is empty! run `aliyun configure` first")
return
}
if cp.RegionId == "" {
err = fmt.Errorf("default RegionId is empty! run `aliyun configure` first")
return
}
config.SetType("access_key").
SetAccessKeyId(cp.AccessKeyId).
SetAccessKeySecret(cp.AccessKeySecret)
case StsToken:
config.SetType("sts").
SetAccessKeyId(cp.AccessKeyId).
SetAccessKeySecret(cp.AccessKeySecret).
SetSecurityToken(cp.StsToken)
case RamRoleArn:
config.SetType("ram_role_arn").
SetAccessKeyId(cp.AccessKeyId).
SetAccessKeySecret(cp.AccessKeySecret).
SetRoleArn(cp.RamRoleArn).
SetRoleSessionName(cp.RoleSessionName).
SetRoleSessionExpiration(cp.ExpiredSeconds).
SetExternalId(cp.ExternalId).
SetSTSEndpoint(getSTSEndpoint(cp.StsRegion))
if cp.StsToken != "" {
config.SetSecurityToken(cp.StsToken)
}
case EcsRamRole:
config.SetType("ecs_ram_role").
SetRoleName(cp.RamRoleName)
case RsaKeyPair:
config.SetType("rsa_key_pair").
SetPrivateKeyFile(cp.PrivateKey).
SetPublicKeyId(cp.KeyPairName).
SetSessionExpiration(cp.ExpiredSeconds).
SetSTSEndpoint(getSTSEndpoint(cp.StsRegion))
case RamRoleArnWithEcs:
config.SetType("ecs_ram_role").
SetRoleName(cp.RamRoleName)
client, err := credentialsv2.NewCredential(config)
if err != nil {
return nil, err
}
// 从 ECS RAM Role 获取中间 STS
model, err := client.GetCredential()
if err != nil {
return nil, err
}
// 扮演最终角色
config.SetType("ram_role_arn").
SetAccessKeyId(*model.AccessKeyId).
SetAccessKeySecret(*model.AccessKeySecret).
SetSecurityToken(*model.SecurityToken).
SetRoleArn(cp.RamRoleArn).
SetRoleSessionName(cp.RoleSessionName).
SetRoleSessionExpiration(cp.ExpiredSeconds).
SetSTSEndpoint(getSTSEndpoint(cp.StsRegion))
case ChainableRamRoleArn:
profileName := cp.SourceProfile
// 从 configuration 中重新获取 source profile
source, loaded := cp.parent.GetProfile(profileName)
if !loaded {
err = fmt.Errorf("can not load the source profile: " + profileName)
return
}
source.parent = cp.parent
source.parent.CurrentProfile = profileName
middle, err2 := source.GetCredential(ctx, proxyHost)
if err2 != nil {
err = err2
return
}
// 从上游处获得中间 AK/STS
model, err3 := middle.GetCredential()
if err3 != nil {
err = err3
return
}
// 扮演最终角色
config.SetType("ram_role_arn").
SetAccessKeyId(*model.AccessKeyId).
SetAccessKeySecret(*model.AccessKeySecret).
SetRoleArn(cp.RamRoleArn).
SetRoleSessionName(cp.RoleSessionName).
SetRoleSessionExpiration(cp.ExpiredSeconds).
SetExternalId(cp.ExternalId).
SetSTSEndpoint(getSTSEndpoint(cp.StsRegion))
if model.SecurityToken != nil {
config.SetSecurityToken(*model.SecurityToken)
}
case External:
args := strings.Fields(cp.ProcessCommand)
cmd := exec.Command(args[0], args[1:]...)
// 创建一个buffer来捕获标准输出
var stdoutBuf bytes.Buffer
cmd.Stdout = &stdoutBuf
// 将标准错误输出直接传递到终端
cmd.Stderr = os.Stderr
cmd.Stdin = os.Stdin
// 执行命令
err = cmd.Run()
if err != nil {
return nil, err
}
// 只解析标准输出
buf := stdoutBuf.Bytes()
// 解析得到新的 profile 配置
err = json.Unmarshal(buf, cp)
if err != nil {
fmt.Println(cp.ProcessCommand)
fmt.Println(string(buf))
return nil, err
}
return cp.GetCredential(ctx, proxyHost)
case CredentialsURI:
uri := cp.CredentialsURI
if uri == "" {
uri = os.Getenv("ALIBABA_CLOUD_CREDENTIALS_URI")
}
if uri == "" {
return nil, fmt.Errorf("invalid credentials uri")
}
res, err := http.Get(uri)
if err != nil {
return nil, err
}
if res.StatusCode != 200 {
return nil, fmt.Errorf("get credentials from %s failed, status code %d", uri, res.StatusCode)
}
body, err := io.ReadAll(res.Body)
res.Body.Close()
if err != nil {
return nil, err
}
type Response struct {
Code string
AccessKeyId string
AccessKeySecret string
SecurityToken string
Expiration string
}
var response Response
err = json.Unmarshal(body, &response)
if err != nil {
return nil, fmt.Errorf("unmarshal credentials failed, the body %s", string(body))
}
if response.Code != "Success" {
return nil, fmt.Errorf("get sts token err, Code is not Success")
}
config.SetType("sts").
SetAccessKeyId(response.AccessKeyId).
SetAccessKeySecret(response.AccessKeySecret).
SetSecurityToken(response.SecurityToken)
case OIDC:
config.SetType("oidc_role_arn").
SetOIDCProviderArn(cp.OIDCProviderARN).
SetOIDCTokenFilePath(cp.OIDCTokenFile).
SetRoleArn(cp.RamRoleArn).
SetRoleSessionName(cp.RoleSessionName).
SetSTSEndpoint(getSTSEndpoint(cp.StsRegion)).
SetSessionExpiration(3600)
case CloudSSO:
// check sts expiration
stsExpiration := cp.StsExpiration
currentUnixTime := util.GetCurrentUnixTime()
httpClient := util.NewHttpClient()
// check access token expiration
if cp.CloudSSOSignInUrl == "" || cp.CloudSSOAccountId == "" || cp.CloudSSOAccessConfig == "" {
reLoginCommand := fmt.Sprintf("aliyun configure --profile %s --mode CloudSSO", cp.Name)
return nil, fmt.Errorf(i18n.T(
"CloudSSO sign in url or account id or access config is empty, please configure with command: %s",
"CloudSSO登录链接或账号ID或访问配置无效,请通过命令:%s 重新完成配置").GetMessage(), reLoginCommand)
}
if cp.CloudSSOAccessTokenExpire == 0 || cp.CloudSSOAccessTokenExpire <= currentUnixTime {
// not support refresh access token yet, need to re-login
var reLoginCommand string
reLoginCommand = fmt.Sprintf("aliyun configure --profile %s", cp.Name)
return nil, fmt.Errorf(i18n.T(
"CloudSSO access token is expired, please re-login with command: %s",
"CloudSSO访问令牌已过期,请通过命令:%s 重新登录").GetMessage(), reLoginCommand)
}
if stsExpiration == 0 || stsExpiration <= currentUnixTime ||
cp.AccessKeyId == "" || cp.AccessKeySecret == "" || cp.StsToken == "" {
token, err := tryRefreshStsTokenFunc(&cp.CloudSSOSignInUrl,
&cp.AccessToken, &cp.CloudSSOAccessConfig, &cp.CloudSSOAccountId, httpClient)
if err != nil {
println(i18n.T("Create STS from CloudSSO failed", "从 CloudSSO 接口创建STS凭证失败,请重试或检查配置是否错误").GetMessage())
return nil, err
}
// update
cp.AccessKeyId = token.AccessKeyId
cp.AccessKeySecret = token.AccessKeySecret
cp.StsToken = token.SecurityToken
// update expiration
cp.StsExpiration = token.ExpirationInt64 - 5
// flush back
conf, err := loadConfiguration()
if err != nil {
return nil, err
}
for i, profile := range conf.Profiles {
if profile.Name == cp.Name {
conf.Profiles[i] = *cp
break
}
}
err = saveConfigurationFunc(conf)
if err != nil {
return nil, err
}
}
config.SetType("sts").
SetAccessKeyId(cp.AccessKeyId).
SetAccessKeySecret(cp.AccessKeySecret).
SetSecurityToken(cp.StsToken)
default:
return nil, fmt.Errorf("unexcepted certificate mode: %s", cp.Mode)
}
if proxyHost != nil {
config.SetProxy(*proxyHost)
} else {
proxy := util.GetFromEnv("HTTPS_PROXY", "https_proxy")
if proxy != "" {
config.SetProxy(proxy)
}
}
return credentialsv2.NewCredential(config)
}