diff --git a/examples/rrsa/README.md b/examples/rrsa/README.md
index 480235dd..6e0e8e18 100644
--- a/examples/rrsa/README.md
+++ b/examples/rrsa/README.md
@@ -3,39 +3,17 @@
Examples for RRSA Usage.
-| | |
-|-------------------|---------------------------------------------------------------------------------------------------------------------|
-| go-sdk | Using Alibaba Could Go SDK with RRSA Auth |
-| java-sdk | Using Alibaba Could Java SDK with RRSA Auth |
-| python3-sdk | Using Alibaba Could Python 3 SDK with RRSA Auth |
-| nodejs-sdk | Using Alibaba Could Node.js/TypeScript SDK with RRSA Auth |
-| kaniko-in-ack | Building docker image with [Kaniko](https://github.com/GoogleContainerTools/kaniko) then push to ACR with RRSA Auth |
-| aliyuncli-demo | Using [aliyun-cli](https://github.com/aliyun/aliyun-cli) with RRSA Auth |
-| aliyunlogcli-demo | Using [aliyun-log-cli](https://github.com/aliyun/aliyun-log-cli) with RRSA Auth |
-| ossutil-demo | Using [ossutil](https://github.com/aliyun/ossutil) with RRSA Auth |
-| cpp-demo | Using C++ SDK with RRSA Auth (experimental) |
+| sub-directory | description |
+|-------------------|---------------------------------------------------------------------------------------------------------------------------|
+| go-sdk | Using [Alibaba Could Go SDK](https://github.com/aliyun/alibabacloud-go-sdk) with RRSA Auth |
+| oss-go-sdk | Using [aliyun-oss-go-sdk](https://github.com/aliyun/aliyun-oss-go-sdk) with RRSA Auth |
+| java-sdk | Using [Alibaba Could Java SDK](https://github.com/aliyun/alibabacloud-java-sdk) with RRSA Auth |
+| oss-java-sdk | Using [aliyun-oss-java-sdk](https://github.com/aliyun/aliyun-oss-java-sdk) with RRSA Auth |
+| python3-sdk | Using [Alibaba Could Python 3 SDK](https://github.com/aliyun/alibabacloud-python-sdk) with RRSA Auth |
+| nodejs-sdk | Using [Alibaba Could Node.js/TypeScript SDK](https://github.com/aliyun/alibabacloud-typescript-sdk) with RRSA Auth |
+| kaniko-in-ack | Building docker image with [Kaniko](https://github.com/GoogleContainerTools/kaniko) then push image to ACR with RRSA Auth |
+| aliyuncli-demo | Using [aliyun-cli](https://github.com/aliyun/aliyun-cli) with RRSA Auth |
+| aliyunlogcli-demo | Using [aliyun-log-cli](https://github.com/aliyun/aliyun-log-cli) with RRSA Auth |
+
+[//]: # (| ossutil-demo | Using [ossutil](https://github.com/aliyun/ossutil) with RRSA Auth |)
-
-## go-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Go SDK.
-
-
-## java-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Java SDK.
-
-
-## python3-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Python 3 SDK.
-
-
-## nodejs-sdk
-
-An example for how to use OIDC token to assume RAM Role via Alibaba Could Node.js/TypeScript SDK.
-
-
-## e2e-test
-
-Run e2e test.
diff --git a/examples/rrsa/aliyuncli-demo/test.sh b/examples/rrsa/aliyuncli-demo/test.sh
index 4c3d6a22..046c333f 100644
--- a/examples/rrsa/aliyuncli-demo/test.sh
+++ b/examples/rrsa/aliyuncli-demo/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
NAMESPACE="rrsa-demo-aliyun-cli"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="AliyunCSReadOnlyAccess"
trap cleanup EXIT
@@ -30,15 +32,16 @@ function setup_role() {
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
- --attach-system-policy AliyunCSReadOnlyAccess
+ --attach-system-policy ${POLICY_NAME}
}
function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
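Review bot: The expansions this hunk introduces are unquoted — `--role-name ${ROLE_NAME}`, `--attach-system-policy ${POLICY_NAME}` and `kubectl --kubeconfig ${KUBECONFIG_PATH} delete …` — while the neighbouring `"${CLUSTER_ID}"` and `"${SCRIPT_DIR}/deploy.yaml"` are quoted; with the values assigned at the top of the script this is harmless, but it is inconsistent and breaks as soon as a name or path contains whitespace. Write `--role-name "${ROLE_NAME}"`, `--attach-system-policy "${POLICY_NAME}"` and `kubectl --kubeconfig "${KUBECONFIG_PATH}" delete -f "${SCRIPT_DIR}/deploy.yaml" || true`. The same applies to the new `DetachPolicyFromRole` line in the cleanup hunk below and to the corresponding new lines in aliyunlogcli-demo/test.sh, go-sdk/test.sh, java-sdk/test.sh and nodejs-sdk/test.sh. setup_role begins above this hunk.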
@@ -54,6 +57,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType System || true
set -e
}
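Review bot: cleanup now detaches the policy but leaves the RAM role created by `--create-role-if-not-exist` in place, presumably with its trust to the cluster's OIDC provider still active; the role name `test-rrsa-demo` is shared by every demo's test.sh in this change, so keeping it may well be intended, but the script does not say so. A one-line comment above the new line would make the decision visible to the next reader, e.g. `# only this demo's policy is detached; the role test-rrsa-demo is shared by all demos and is kept on purpose`. If it is not intended, the role would have to be removed as well, and only once no other demo's policy is still attached to it. The opening lines of cleanup are outside this hunk.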
diff --git a/examples/rrsa/aliyunlogcli-demo/test.sh b/examples/rrsa/aliyunlogcli-demo/test.sh
index dea166a7..dd11aa83 100644
--- a/examples/rrsa/aliyunlogcli-demo/test.sh
+++ b/examples/rrsa/aliyunlogcli-demo/test.sh
@@ -5,6 +5,7 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
NAMESPACE="rrsa-demo-aliyunlog-cli"
+ROLE_NAME="test-rrsa-demo"
POLICY_NAME="AliyunLogReadOnlyAccess"
trap cleanup EXIT
@@ -31,7 +32,7 @@ function setup_role() {
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
--attach-system-policy ${POLICY_NAME}
}
@@ -40,6 +41,7 @@ function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
@@ -55,6 +57,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType System || true
set -e
}
diff --git a/examples/rrsa/go-sdk/deploy.yaml b/examples/rrsa/go-sdk/deploy.yaml
index a055697d..1ef87a99 100644
--- a/examples/rrsa/go-sdk/deploy.yaml
+++ b/examples/rrsa/go-sdk/deploy.yaml
@@ -27,6 +27,6 @@ spec:
serviceAccountName: demo-sa
restartPolicy: Never
containers:
- - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-golang
+ - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-golang
imagePullPolicy: "Always"
name: test
diff --git a/examples/rrsa/go-sdk/go.mod b/examples/rrsa/go-sdk/go.mod
index 86df9832..26025c99 100644
--- a/examples/rrsa/go-sdk/go.mod
+++ b/examples/rrsa/go-sdk/go.mod
@@ -7,11 +7,9 @@ require (
github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.4
github.com/alibabacloud-go/tea v1.1.20
github.com/alibabacloud-go/tea-utils v1.3.9 // indirect
- github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible
github.com/aliyun/credentials-go v1.2.6
github.com/json-iterator/go v1.1.12 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
golang.org/x/net v0.7.0 // indirect
- golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
gopkg.in/ini.v1 v1.66.6 // indirect
)
diff --git a/examples/rrsa/go-sdk/go.sum b/examples/rrsa/go-sdk/go.sum
index 719069c4..22447ae0 100644
--- a/examples/rrsa/go-sdk/go.sum
+++ b/examples/rrsa/go-sdk/go.sum
@@ -27,8 +27,6 @@ github.com/alibabacloud-go/tea-utils/v2 v2.0.1 h1:K6kwgo+UiYx+/kr6CO0PN5ACZDzE3n
github.com/alibabacloud-go/tea-utils/v2 v2.0.1/go.mod h1:U5MTY10WwlquGPS34DOeomUGBB0gXbLueiq5Trwu0C4=
github.com/alibabacloud-go/tea-xml v1.1.2 h1:oLxa7JUXm2EDFzMg+7oRsYc+kutgCVwm+bZlhhmvW5M=
github.com/alibabacloud-go/tea-xml v1.1.2/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
-github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible h1:KXeJoM1wo9I/6xPTyt6qCxoSZnmASiAjlrr0dyTUKt8=
-github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
github.com/aliyun/credentials-go v1.2.6 h1:dSMxpj4uXZj0MYOsEyljlssHzfdHw/M84iQ5QKF0Uxg=
github.com/aliyun/credentials-go v1.2.6/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw=
@@ -45,7 +43,6 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
@@ -54,7 +51,6 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -108,8 +104,6 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 h1:M73Iuj3xbbb9Uk1DYhzydthsj6oOd6l9bpuFcNoUvTs=
-golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -119,7 +113,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
gopkg.in/ini.v1 v1.66.6 h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI=
diff --git a/examples/rrsa/go-sdk/main.go b/examples/rrsa/go-sdk/main.go
index dafde47c..53209793 100644
--- a/examples/rrsa/go-sdk/main.go
+++ b/examples/rrsa/go-sdk/main.go
@@ -8,7 +8,6 @@ import (
cs20151215 "github.com/alibabacloud-go/cs-20151215/v3/client"
openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
"github.com/alibabacloud-go/tea/tea"
- "github.com/aliyun/aliyun-oss-go-sdk/oss"
// github.com/aliyun/credentials-go >= v1.2.6
"github.com/aliyun/credentials-go/credentials"
)
@@ -42,28 +41,6 @@ func testOpenAPISDK() {
}
}
-func testOSSSDK() {
- // 两种方法都可以
- cred := newCredential()
- // or
- // cred := newOidcCredential()
-
- provider := &ossCredentialsProvider{cred: cred}
- client, err := oss.New("https://oss-cn-hangzhou.aliyuncs.com", "", "",
- oss.SetCredentialsProvider(provider))
- if err != nil {
- panic(err)
- }
- ret, err := client.ListBuckets()
- if err != nil {
- panic(err)
- }
- fmt.Println("call oss.listBuckets via oidc token success:")
- for _, item := range ret.Buckets {
- fmt.Printf("-%s\n", item.Name)
- }
-}
-
func newCredential() credentials.Credential {
// https://www.alibabacloud.com/help/doc-detail/378661.html
cred, err := credentials.NewCredential(nil)
@@ -89,53 +66,8 @@ func newOidcCredential() credentials.Credential {
return oidcCredential
}
-type ossCredentials struct {
- teaCred credentials.Credential
-}
-
-func (cred *ossCredentials) GetAccessKeyID() string {
- value, err := cred.teaCred.GetAccessKeyId()
- if err != nil {
- log.Printf("get access key id failed: %+v", err)
- return ""
- }
- return tea.StringValue(value)
-}
-
-func (cred *ossCredentials) GetAccessKeySecret() string {
- value, err := cred.teaCred.GetAccessKeySecret()
- if err != nil {
- log.Printf("get access key secret failed: %+v", err)
- return ""
- }
- return tea.StringValue(value)
-}
-
-func (cred *ossCredentials) GetSecurityToken() string {
- value, err := cred.teaCred.GetSecurityToken()
- if err != nil {
- log.Printf("get access security token failed: %+v", err)
- return ""
- }
- return tea.StringValue(value)
-}
-
-type ossCredentialsProvider struct {
- cred credentials.Credential
-}
-
-func (p *ossCredentialsProvider) GetCredentials() oss.Credentials {
- return &ossCredentials{teaCred: p.cred}
-}
-
func main() {
- // test open api sdk (https://github.com/aliyun/alibabacloud-go-sdk) use rrsa oidc token
+ // test open api sdk (https://github.com/aliyun/alibabacloud-go-sdk) using rrsa oidc token
log.Printf("test open api sdk use rrsa oidc token")
testOpenAPISDK()
-
- // test oss sdk (https://github.com/aliyun/aliyun-oss-go-sdk) use rrsa oidc token
- if os.Getenv("TEST_OSS_SDK") == "true" {
- log.Printf("test oss sdk use rrsa oidc token")
- testOSSSDK()
- }
}
diff --git a/examples/rrsa/go-sdk/test.sh b/examples/rrsa/go-sdk/test.sh
index f1c7a64a..1df2a4af 100644
--- a/examples/rrsa/go-sdk/test.sh
+++ b/examples/rrsa/go-sdk/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
NAMESPACE="rrsa-demo-golang-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-cs-describe-clusters"
trap cleanup EXIT
@@ -27,13 +29,15 @@ function install_helper() {
function setup_role() {
bar_tip "setup ram role"
- aliyun ram CreatePolicy --PolicyName cs-describe-clusters --PolicyDocument '{
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
- "cs:DescribeClusters"
+ "cs:DescribeClusters",
+ "cs:GetClusters"
],
"Resource": [
"*"
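Review bot: `aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true` hides its own failure, and a custom policy that is still attached to a role cannot be deleted; that is exactly the state left by a run interrupted before cleanup, and it is also the state produced by java-sdk/test.sh and nodejs-sdk/test.sh, which use the same `ROLE_NAME` and `POLICY_NAME` and are therefore unsafe to run concurrently with this script. When it happens, the following `CreatePolicy` presumably fails on the already-existing name and the test aborts with an error that does not point at the real cause. Detaching before deleting keeps a re-run self-healing: `aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true` on the line before the `DeletePolicy` (the cleanup hunk of this file already uses this exact command). setup_role continues past the end of this hunk, and the same setup pattern appears in java-sdk/test.sh and nodejs-sdk/test.sh.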
@@ -46,15 +50,16 @@ function setup_role() {
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
- --attach-custom-policy cs-describe-clusters
+ --attach-custom-policy ${POLICY_NAME}
}
function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
@@ -70,6 +75,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
set -e
}
diff --git a/examples/rrsa/java-sdk/deploy.yaml b/examples/rrsa/java-sdk/deploy.yaml
index ccd1aba9..8ed622e9 100644
--- a/examples/rrsa/java-sdk/deploy.yaml
+++ b/examples/rrsa/java-sdk/deploy.yaml
@@ -27,6 +27,6 @@ spec:
serviceAccountName: demo-sa
restartPolicy: Never
containers:
- - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-java
+ - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-java
imagePullPolicy: "Always"
name: test
diff --git a/examples/rrsa/java-sdk/pom.xml b/examples/rrsa/java-sdk/pom.xml
index 032d99ca..f7a682bb 100644
--- a/examples/rrsa/java-sdk/pom.xml
+++ b/examples/rrsa/java-sdk/pom.xml
@@ -21,12 +21,6 @@
0.2.10
-
- com.aliyun.oss
- aliyun-sdk-oss
- 3.16.1
-
-
diff --git a/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java b/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java
index b39a63dc..28b66f99 100644
--- a/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java
+++ b/examples/rrsa/java-sdk/src/main/java/com/alibabacloud/Demo.java
@@ -5,13 +5,6 @@
import com.aliyun.cs20151215.models.DescribeClustersRequest;
import com.aliyun.cs20151215.models.DescribeClustersResponse;
-// only for oss sdk
-import com.aliyun.oss.ClientBuilderConfiguration;
-import com.aliyun.oss.OSS;
-import com.aliyun.oss.common.auth.*;
-import com.aliyun.oss.OSSClientBuilder;
-import com.aliyun.oss.model.Bucket;
-
import java.util.List;
class TestOpenAPISDK {
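Review bot: `import java.util.List;` survives the import clean-up although the only visible user of `List` was `TestOSSSDK.CallAPI`, which this commit removes. If `TestOpenAPISDK`, whose body starts below this hunk and is not shown, does not use `List`, the import is now dead and should be dropped together with the OSS imports.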
@@ -35,57 +28,11 @@ public void CallAPI(com.aliyun.credentials.Client cred) throws Exception {
}
}
-class OSSCredentialProvider implements CredentialsProvider {
-
- private final com.aliyun.credentials.Client cred;
-
- public OSSCredentialProvider(com.aliyun.credentials.Client cred) {
- this.cred = cred;
- }
-
- public void setCredentials(Credentials creds) {
- }
-
- @Override
- public Credentials getCredentials() {
- String ak = cred.getAccessKeyId();
- String sk = cred.getAccessKeySecret();
- String token = cred.getSecurityToken();
- return new DefaultCredentials(ak, sk, token);
- }
-}
-
-class TestOSSSDK {
-
- public void CallAPI(com.aliyun.credentials.Client cred) throws Exception {
- // new provider
- OSSCredentialProvider provider = new OSSCredentialProvider(cred);
- String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
- // new client config
- ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
-
- // init client
- OSS ossClient = new OSSClientBuilder().build(endpoint, provider, conf);
-
- // call api
- List buckets = ossClient.listBuckets();
- System.out.println("call oss.listBuckets via oidc token success:\n");
- for (Bucket bucket : buckets) {
- System.out.println(" - " + bucket.getName());
- }
- System.out.println();
-
- ossClient.shutdown();
- }
-
-}
-
-
public class Demo {
public static void main(String[] args) throws Exception {
// 两种方式都可以
- com.aliyun.credentials.Client cred = new Client();
+ com.aliyun.credentials.Client cred = new com.aliyun.credentials.Client();
// or
// com.aliyun.credentials.Client cred = newOidcCred();
@@ -96,13 +43,6 @@ public static void main(String[] args) throws Exception {
TestOpenAPISDK openapiSdk = new TestOpenAPISDK();
openapiSdk.CallAPI(cred);
- // test oss sdk (https://github.com/aliyun/aliyun-oss-java-sdk) use rrsa oidc token
- if (System.getenv("TEST_OSS_SDK") != null && System.getenv("TEST_OSS_SDK").equals("true")) {
- System.out.println("\n");
- System.out.println("test oss sdk use rrsa oidc token");
- TestOSSSDK osssdk = new TestOSSSDK();
- osssdk.CallAPI(cred);
- }
}
static com.aliyun.credentials.Client newOidcCred() throws Exception {
@@ -113,6 +53,6 @@ static com.aliyun.credentials.Client newOidcCred() throws Exception {
credConf.oidcProviderArn = System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
credConf.oidcTokenFilePath = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
credConf.roleSessionName = "test-rrsa-oidc-token";
- return new Client(credConf);
+ return new com.aliyun.credentials.Client(credConf);
}
}
diff --git a/examples/rrsa/java-sdk/test.sh b/examples/rrsa/java-sdk/test.sh
index 6beda6c1..19ac3f39 100644
--- a/examples/rrsa/java-sdk/test.sh
+++ b/examples/rrsa/java-sdk/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
NAMESPACE="rrsa-demo-java-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-cs-describe-clusters"
trap cleanup EXIT
@@ -27,13 +29,15 @@ function install_helper() {
function setup_role() {
bar_tip "setup ram role"
- aliyun ram CreatePolicy --PolicyName cs-describe-clusters --PolicyDocument '{
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
- "cs:DescribeClusters"
+ "cs:DescribeClusters",
+ "cs:GetClusters"
],
"Resource": [
"*"
@@ -46,15 +50,16 @@ function setup_role() {
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
- --attach-custom-policy cs-describe-clusters
+ --attach-custom-policy ${POLICY_NAME}
}
function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
@@ -70,6 +75,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
set -e
}
diff --git a/examples/rrsa/nodejs-sdk/test.sh b/examples/rrsa/nodejs-sdk/test.sh
index cfd1b249..e158435b 100644
--- a/examples/rrsa/nodejs-sdk/test.sh
+++ b/examples/rrsa/nodejs-sdk/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
NAMESPACE="rrsa-demo-nodejs-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-cs-describe-clusters"
trap cleanup EXIT
@@ -27,13 +29,15 @@ function install_helper() {
function setup_role() {
bar_tip "setup ram role"
- aliyun ram CreatePolicy --PolicyName cs-describe-clusters --PolicyDocument '{
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
- "cs:DescribeClusters"
+ "cs:DescribeClusters",
+ "cs:GetClusters"
],
"Resource": [
"*"
@@ -46,15 +50,16 @@ function setup_role() {
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
- --attach-custom-policy cs-describe-clusters
+ --attach-custom-policy ${POLICY_NAME}
}
function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
@@ -70,6 +75,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
set -e
}
diff --git a/examples/rrsa/oss-go-sdk/Dockerfile b/examples/rrsa/oss-go-sdk/Dockerfile
new file mode 100644
index 00000000..82b8ba00
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/Dockerfile
@@ -0,0 +1,20 @@
+FROM golang:1.20.1-buster as builder
+# TARGETPLATFORM
+
+WORKDIR /workspace
+
+ENV CGO_ENABLED=0
+ENV GOPROXY=https://goproxy.cn
+COPY go.mod ./
+COPY go.sum ./
+COPY main.go ./
+RUN go build
+
+
+FROM alpine:3.17.2
+
+WORKDIR /usr/bin/
+
+COPY --from=builder /workspace/oss-go-sdk ./rrsa-example-oss-golang
+
+CMD /usr/bin/rrsa-example-oss-golang
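Review bot: `CMD /usr/bin/rrsa-example-oss-golang` is the shell form, so PID 1 in the container is `/bin/sh -c` and a SIGTERM sent by the kubelet (for example when the Job's deadline expires) is not forwarded to the demo binary; use the exec form `CMD ["/usr/bin/rrsa-example-oss-golang"]`. The runtime stage also never leaves root: the process only needs to read the projected OIDC token and talk to OSS, so a `USER 65534:65534` line before `CMD` would be enough, provided the token file mounted into the pod is readable by that uid (the volume's file mode is not visible here — confirm). The bare `# TARGETPLATFORM` comment near the top documents nothing; either drop it or turn it into the `ARG TARGETPLATFORM` it presumably stands for.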
diff --git a/examples/rrsa/oss-go-sdk/README.md b/examples/rrsa/oss-go-sdk/README.md
new file mode 100644
index 00000000..0cffd4be
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/README.md
@@ -0,0 +1,71 @@
+# golang-sdk
+
+## Usage
+
+1. Enable RRSA:
+
+```
+export CLUSTER_ID=
+ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+```
+
+2. Install ack-pod-identity-webhook:
+
+```
+ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+```
+
+3. Create an RAM Policy:
+
+```
+aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}'
+```
+
+4. Associate an RAM Role to the service account and attach the policy to the role:
+
+```
+ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+ --namespace rrsa-demo-oss-golang-sdk \
+ --service-account demo-sa \
+ --role-name test-rrsa-demo \
+ --create-role-if-not-exist \
+ --attach-custom-policy oss-list-buckets
+```
+
+5. Deploy demo job:
+
+```
+ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig
+kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml
+```
+
+6. Get logs:
+
+```
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-golang-sdk wait --for=condition=complete job/demo --timeout=240s
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-golang-sdk logs job/demo
+```
+
+Outputs:
+
+```
+2023/05/19 10:58:55 test oss sdk using rrsa oidc token
+call oss.listBuckets via oidc token success:
+- test-***
+- cri-***
+
+```
diff --git a/examples/rrsa/ossutil-demo/deploy.yaml b/examples/rrsa/oss-go-sdk/deploy.yaml
similarity index 55%
rename from examples/rrsa/ossutil-demo/deploy.yaml
rename to examples/rrsa/oss-go-sdk/deploy.yaml
index 5948005a..f5f9afd6 100644
--- a/examples/rrsa/ossutil-demo/deploy.yaml
+++ b/examples/rrsa/oss-go-sdk/deploy.yaml
@@ -2,7 +2,7 @@
apiVersion: v1
kind: Namespace
metadata:
- name: rrsa-demo-ossutil
+ name: rrsa-demo-oss-golang-sdk
labels:
pod-identity.alibabacloud.com/injection: 'on'
@@ -11,7 +11,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: demo-sa
- namespace: rrsa-demo-ossutil
+ namespace: rrsa-demo-oss-golang-sdk
annotations:
pod-identity.alibabacloud.com/role-name: test-rrsa-demo
@@ -20,20 +20,13 @@ apiVersion: batch/v1
kind: Job
metadata:
name: demo
- namespace: rrsa-demo-ossutil
+ namespace: rrsa-demo-oss-golang-sdk
spec:
template:
spec:
serviceAccountName: demo-sa
restartPolicy: Never
containers:
- - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-dev
- imagePullPolicy: "Always"
- name: server
- command:
- - sh
- - -c
- - 'timeout 200 ack-ram-tool export-credentials --format=ecs-metadata-json --serve=0.0.0.0:8088; echo done'
- - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-dev-rrsa-example-ossutil
+ - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-oss-golang
imagePullPolicy: "Always"
name: test
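Review bot: The new container entry carries no `securityContext`, so the demo runs as whatever the image defaults to — root, given the Dockerfile added in this commit has no `USER` — and with privilege escalation allowed, which is more than a workload that only reads a projected OIDC token and calls OSS needs, and example manifests tend to be copied verbatim. A minimal hardening block under the container keeps the demo working as long as the token file is readable by the chosen uid (the projected-volume file mode is not visible here — confirm). Resource requests and limits are absent too, a lesser concern for a one-shot Job.
```yaml
        - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-oss-golang
          # … unchanged: imagePullPolicy, name …
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```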
diff --git a/examples/rrsa/oss-go-sdk/go.mod b/examples/rrsa/oss-go-sdk/go.mod
new file mode 100644
index 00000000..64a4f31b
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/go.mod
@@ -0,0 +1,14 @@
+module github.com/AliyunContainerService/ack-ram-tool/examples/rrsa/oss-go-sdk
+
+go 1.16
+
+require (
+ github.com/alibabacloud-go/tea v1.1.20
+ github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible
+ github.com/aliyun/credentials-go v1.2.6
+ github.com/json-iterator/go v1.1.12 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ golang.org/x/net v0.7.0 // indirect
+ golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
+ gopkg.in/ini.v1 v1.66.6 // indirect
+)
diff --git a/examples/rrsa/oss-go-sdk/go.sum b/examples/rrsa/oss-go-sdk/go.sum
new file mode 100644
index 00000000..5c6498a9
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/go.sum
@@ -0,0 +1,84 @@
+github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 h1:NqugFkGxx1TXSh/pBcU00Y6bljgDPaFdh5MUSeJ7e50=
+github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY=
+github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
+github.com/alibabacloud-go/tea v1.1.20 h1:wFK4xEbvGYMtzTyHhIju9D7ecWxvSUdoLO6y4vDLFik=
+github.com/alibabacloud-go/tea v1.1.20/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
+github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible h1:KXeJoM1wo9I/6xPTyt6qCxoSZnmASiAjlrr0dyTUKt8=
+github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
+github.com/aliyun/credentials-go v1.2.6 h1:dSMxpj4uXZj0MYOsEyljlssHzfdHw/M84iQ5QKF0Uxg=
+github.com/aliyun/credentials-go v1.2.6/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 h1:M73Iuj3xbbb9Uk1DYhzydthsj6oOd6l9bpuFcNoUvTs=
+golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.66.6 h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI=
+gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/examples/rrsa/oss-go-sdk/main.go b/examples/rrsa/oss-go-sdk/main.go
new file mode 100644
index 00000000..8bdc890c
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/main.go
@@ -0,0 +1,111 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "os"
+
+ "github.com/alibabacloud-go/tea/tea"
+ "github.com/aliyun/aliyun-oss-go-sdk/oss"
+ // github.com/aliyun/credentials-go >= v1.2.6
+ "github.com/aliyun/credentials-go/credentials"
+)
+
+const (
+ EnvRoleArn = "ALIBABA_CLOUD_ROLE_ARN"
+ EnvOidcProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN"
+ EnvOidcTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"
+)
+
+func testOSSSDK() {
+ // 两种方法都可以
+ cred := newCredential()
+ // or
+ // cred := newOidcCredential()
+
+ provider := &OSSCredentialsProvider{cred: cred}
+ client, err := oss.New("https://oss-cn-hangzhou.aliyuncs.com", "", "",
+ oss.SetCredentialsProvider(provider))
+ if err != nil {
+ panic(err)
+ }
+ ret, err := client.ListBuckets()
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Println("call oss.listBuckets via oidc token success:")
+ for _, item := range ret.Buckets {
+ fmt.Printf("- %s\n", item.Name)
+ }
+}
+
+func newCredential() credentials.Credential {
+ // https://www.alibabacloud.com/help/doc-detail/378661.html
+ cred, err := credentials.NewCredential(nil)
+ if err != nil {
+ panic(err)
+ }
+ return cred
+}
+
+func newOidcCredential() credentials.Credential {
+ // https://www.alibabacloud.com/help/doc-detail/378661.html
+ config := new(credentials.Config).
+ SetType("oidc_role_arn").
+ SetRoleArn(os.Getenv(EnvRoleArn)).
+ SetOIDCProviderArn(os.Getenv(EnvOidcProviderArn)).
+ SetOIDCTokenFilePath(os.Getenv(EnvOidcTokenFile)).
+ SetRoleSessionName("test-rrsa-oidc-token")
+
+ oidcCredential, err := credentials.NewCredential(config)
+ if err != nil {
+ panic(err)
+ }
+ return oidcCredential
+}
+
+type OSSCredentials struct {
+ teaCred credentials.Credential
+}
+
+func (cred *OSSCredentials) GetAccessKeyID() string {
+ value, err := cred.teaCred.GetAccessKeyId()
+ if err != nil {
+ log.Printf("get access key id failed: %+v", err)
+ return ""
+ }
+ return tea.StringValue(value)
+}
+
+func (cred *OSSCredentials) GetAccessKeySecret() string {
+ value, err := cred.teaCred.GetAccessKeySecret()
+ if err != nil {
+ log.Printf("get access key secret failed: %+v", err)
+ return ""
+ }
+ return tea.StringValue(value)
+}
+
+func (cred *OSSCredentials) GetSecurityToken() string {
+ value, err := cred.teaCred.GetSecurityToken()
+ if err != nil {
+ log.Printf("get access security token failed: %+v", err)
+ return ""
+ }
+ return tea.StringValue(value)
+}
+
+type OSSCredentialsProvider struct {
+ cred credentials.Credential
+}
+
+func (p *OSSCredentialsProvider) GetCredentials() oss.Credentials {
+ return &OSSCredentials{teaCred: p.cred}
+}
+
+func main() {
+ // test oss sdk (https://github.com/aliyun/aliyun-oss-go-sdk) use rrsa oidc token
+ log.Printf("test oss sdk using rrsa oidc token")
+ testOSSSDK()
+}
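Review bot: The three `OSSCredentials` getters (`GetAccessKeyID`, `GetAccessKeySecret`, `GetSecurityToken`) turn a failed credential fetch into an empty string, so a broken OIDC exchange (missing token file, wrong role ARN) is likely to reach OSS as a request signed with empty keys and come back as an opaque authorization error from the service, with the real cause only in a log line the reader may not see. Since the rest of the file already uses `panic(err)` for setup failures, the simplest consistent fix is to fail loudly in each getter, e.g. `panic(fmt.Errorf("get access key id failed: %w", err))` in place of the `log.Printf` + `return ""` pair; alternatively resolve all three values once inside `OSSCredentialsProvider.GetCredentials` and return a static credential. The third getter's message says "get access security token failed" where the other two name the field exactly; `get security token failed` would match. `// 两种方法都可以` is the only non-English comment in the file; `// Either of the two constructors below works.` would fit the rest.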
diff --git a/examples/rrsa/oss-go-sdk/test.sh b/examples/rrsa/oss-go-sdk/test.sh
new file mode 100644
index 00000000..d77244e9
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/test.sh
@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
+CLUSTER_ID="$1"
+KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
+NAMESPACE="rrsa-demo-oss-golang-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-oss-list-buckets"
+
+trap cleanup EXIT
+
+function bar_tip() {
+ echo -e "\n=== $1 ===\n"
+}
+
+function enable_rrsa() {
+ bar_tip "enable RRSA"
+
+ ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+}
+
+function install_helper() {
+ bar_tip "install ack-pod-identity-webhook"
+
+ ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+}
+
+function setup_role() {
+ bar_tip "setup ram role"
+
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}' || true
+
+ ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+ --namespace "${NAMESPACE}" \
+ --service-account demo-sa \
+ --role-name ${ROLE_NAME} \
+ --create-role-if-not-exist \
+ --attach-custom-policy ${POLICY_NAME}
+}
+
+function deploy_demo() {
+ bar_tip "deploy demo"
+
+ ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
+ kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
+}
+
+function get_logs() {
+ bar_tip "wait demo and get logs"
+
+ kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" wait --for=condition=complete job/demo --timeout=240s
+ kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" logs job/demo
+}
+
+function cleanup() {
+ set +e
+ bar_tip "cleanup"
+
+ rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
+
+ set -e
+}
+
+function main() {
+ if [[ "${CLUSTER_ID}none" == "none" ]]; then
+ echo "clusterId is missing. Usage: bash test.sh CLUSTER_ID"
+ exit 1
+ fi
+ if [[ "${SCRIPT_DIR}none" == "none" ]]; then
+ echo "get script dir failed"
+ exit 1
+ fi
+
+ enable_rrsa
+ install_helper
+ setup_role
+ sleep 60
+ deploy_demo
+ get_logs
+}
+
+main
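Review bot: In `setup_role` the `|| true` on both `aliyun ram DeletePolicy` and `aliyun ram CreatePolicy` hides the case where the policy already exists and cannot be deleted (e.g. it is still attached to the role because an earlier run's cleanup never reached `DetachPolicyFromRole`), so the script carries on and `associate-role` attaches whatever document is already stored under `${POLICY_NAME}` instead of the one written here. Since the script relies on `set -e` everywhere else, consider dropping `|| true` from the `CreatePolicy` line, or at least `echo "warning: CreatePolicy ${POLICY_NAME} failed, reusing existing policy"` when it fails; the same pattern is added in examples/rrsa/oss-java-sdk/test.sh and examples/rrsa/python3-sdk/test.sh. Separately, `${KUBECONFIG_PATH}` is unquoted in `deploy_demo`, `get_logs` and `cleanup` while `SCRIPT_DIR` is quoted everywhere; `rm "${KUBECONFIG_PATH}"` and `--kubeconfig "${KUBECONFIG_PATH}"` keep a path containing spaces from being split.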
diff --git a/examples/rrsa/oss-java-sdk/.gitignore b/examples/rrsa/oss-java-sdk/.gitignore
new file mode 100644
index 00000000..bdee5e9b
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/.gitignore
@@ -0,0 +1,4 @@
+.idea/
+out/
+/target/
+*.iml
diff --git a/examples/rrsa/oss-java-sdk/Dockerfile b/examples/rrsa/oss-java-sdk/Dockerfile
new file mode 100644
index 00000000..2052ea24
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/Dockerfile
@@ -0,0 +1,16 @@
+FROM maven:3.8.7-openjdk-18-slim as builder
+# TARGETPLATFORM
+
+WORKDIR /app
+COPY src/main/java/com/alibabacloud/Demo.java ./src/main/java/com/alibabacloud/
+COPY pom.xml ./
+RUN mvn package
+
+
+FROM openjdk:18-slim-buster
+
+WORKDIR /app
+
+COPY --from=builder /app/target/demo-1.0-SNAPSHOT-jar-with-dependencies.jar ./
+
+CMD java -jar ./demo-1.0-SNAPSHOT-jar-with-dependencies.jar
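Review bot: The final `CMD java -jar ./demo-1.0-SNAPSHOT-jar-with-dependencies.jar` is in shell form, so the JVM runs as a child of `/bin/sh` and does not receive the SIGTERM the kubelet sends when the Job pod is deleted; the exec form `CMD ["java", "-jar", "./demo-1.0-SNAPSHOT-jar-with-dependencies.jar"]` fixes that. The runtime stage also runs as root by default; for a demo whose only work is reading an injected OIDC token and calling OSS, a non-root `USER` in the runtime stage would be a good pattern to model. As far as I recall the `openjdk` image family is deprecated upstream and JDK 18 is a non-LTS release, so an `eclipse-temurin` LTS tag would age better; please verify before switching.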
diff --git a/examples/rrsa/oss-java-sdk/README.md b/examples/rrsa/oss-java-sdk/README.md
new file mode 100644
index 00000000..3699472d
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/README.md
@@ -0,0 +1,72 @@
+# java-sdk
+
+## Usage
+
+1. Enable RRSA:
+
+```
+export CLUSTER_ID=
+ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+```
+
+2. Install ack-pod-identity-webhook:
+
+```
+ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+```
+
+
+3. Create an RAM Policy:
+
+```
+aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}'
+```
+
+4. Associate an RAM Role to the service account and attach the policy to the role:
+
+```
+ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+ --namespace rrsa-demo-oss-java-sdk \
+ --service-account demo-sa \
+ --role-name test-rrsa-demo \
+ --create-role-if-not-exist \
+ --attach-custom-policy oss-list-buckets
+```
+
+5. Deploy demo job:
+
+```
+ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig
+kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml
+```
+
+6. Get logs:
+
+```
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-java-sdk wait --for=condition=complete job/demo --timeout=240s
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-java-sdk logs job/demo
+```
+
+Outputs:
+
+```
+2023/05/19 10:58:55 test oss sdk using rrsa oidc token
+call oss.listBuckets via oidc token success:
+- test-***
+- cri-***
+
+```
diff --git a/examples/rrsa/oss-java-sdk/deploy.yaml b/examples/rrsa/oss-java-sdk/deploy.yaml
new file mode 100644
index 00000000..a7664498
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/deploy.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rrsa-demo-oss-java-sdk
+ labels:
+ pod-identity.alibabacloud.com/injection: 'on'
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: demo-sa
+ namespace: rrsa-demo-oss-java-sdk
+ annotations:
+ pod-identity.alibabacloud.com/role-name: test-rrsa-demo
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: demo
+ namespace: rrsa-demo-oss-java-sdk
+spec:
+ template:
+ spec:
+ serviceAccountName: demo-sa
+ restartPolicy: Never
+ containers:
+ - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-oss-java
+ imagePullPolicy: "Always"
+ name: test
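Review bot: The Job sets `restartPolicy: Never` but no `backoffLimit`, so when the demo fails (wrong role ARN, policy not attached) Kubernetes keeps recreating the pod up to its default retry count, each attempt requesting a fresh STS credential, while test.sh's `wait --for=condition=complete --timeout=240s` simply times out without pointing at the cause. Adding `backoffLimit: 0` (or a small value) under `spec` surfaces the first failure immediately and keeps `kubectl logs job/demo` attached to a single pod. The image is pulled by a mutable tag with `imagePullPolicy: "Always"`; pinning a digest would make the example reproducible.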
diff --git a/examples/rrsa/oss-java-sdk/pom.xml b/examples/rrsa/oss-java-sdk/pom.xml
new file mode 100644
index 00000000..f3a619a3
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/pom.xml
@@ -0,0 +1,75 @@
+
+
+ 4.0.0
+
+ com.alibabacloud
+ demo
+ 1.0-SNAPSHOT
+
+
+
+
+ com.aliyun
+ credentials-java
+ 0.2.10
+
+
+
+ com.aliyun.oss
+ aliyun-sdk-oss
+ 3.16.1
+
+
+
+
+
+ 3.8.0
+ 18
+ 18
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-jar-plugin
+ 3.3.0
+
+
+
+ true
+ com.alibabacloud.Demo
+
+
+
+
+
+
+ maven-assembly-plugin
+ 3.4.2
+
+
+
+ com.alibabacloud.Demo
+
+
+
+ jar-with-dependencies
+
+
+
+
+ make-assembly
+ package
+
+ single
+
+
+
+
+
+
+
+
diff --git a/examples/rrsa/oss-java-sdk/src/main/java/com/alibabacloud/Demo.java b/examples/rrsa/oss-java-sdk/src/main/java/com/alibabacloud/Demo.java
new file mode 100644
index 00000000..ec7cbfde
--- /dev/null
+++ b/examples/rrsa/oss-java-sdk/src/main/java/com/alibabacloud/Demo.java
@@ -0,0 +1,84 @@
+package com.alibabacloud;
+
+// com.aliyun:credentials-java >= 0.2.10
+import com.aliyun.credentials.Client;
+
+import com.aliyun.oss.ClientBuilderConfiguration;
+import com.aliyun.oss.OSS;
+import com.aliyun.oss.common.auth.*;
+import com.aliyun.oss.OSSClientBuilder;
+import com.aliyun.oss.model.Bucket;
+
+import java.util.List;
+
+class OSSCredentialProvider implements CredentialsProvider {
+
+ private final com.aliyun.credentials.Client cred;
+
+ public OSSCredentialProvider(com.aliyun.credentials.Client cred) {
+ this.cred = cred;
+ }
+
+ public void setCredentials(Credentials creds) {
+ }
+
+ @Override
+ public Credentials getCredentials() {
+ String ak = cred.getAccessKeyId();
+ String sk = cred.getAccessKeySecret();
+ String token = cred.getSecurityToken();
+ return new DefaultCredentials(ak, sk, token);
+ }
+}
+
+class TestOSSSDK {
+
+ public void CallAPI(com.aliyun.credentials.Client cred) throws Exception {
+ // new provider
+ OSSCredentialProvider provider = new OSSCredentialProvider(cred);
+ String endpoint = "https://oss-cn-hangzhou.aliyuncs.com";
+ // new client config
+ ClientBuilderConfiguration conf = new ClientBuilderConfiguration();
+
+ // init client
+ OSS ossClient = new OSSClientBuilder().build(endpoint, provider, conf);
+
+ // call api
+ List buckets = ossClient.listBuckets();
+ System.out.println("call oss.listBuckets via oidc token success:\n");
+ for (Bucket bucket : buckets) {
+ System.out.println(" - " + bucket.getName());
+ }
+ System.out.println();
+
+ ossClient.shutdown();
+ }
+
+}
+
+
+public class Demo {
+
+ public static void main(String[] args) throws Exception {
+ // 两种方式都可以
+ com.aliyun.credentials.Client cred = new com.aliyun.credentials.Client();
+ // or
+ // com.aliyun.credentials.Client cred = newOidcCred();
+
+ // test oss sdk (https://github.com/aliyun/aliyun-oss-java-sdk) use rrsa oidc token
+ System.out.println("test oss sdk use rrsa oidc token");
+ TestOSSSDK osssdk = new TestOSSSDK();
+ osssdk.CallAPI(cred);
+ }
+
+ static com.aliyun.credentials.Client newOidcCred() throws Exception {
+ // new credential which use rrsa oidc token
+ com.aliyun.credentials.models.Config credConf = new com.aliyun.credentials.models.Config();
+ credConf.type = "oidc_role_arn";
+ credConf.roleArn = System.getenv("ALIBABA_CLOUD_ROLE_ARN");
+ credConf.oidcProviderArn = System.getenv("ALIBABA_CLOUD_OIDC_PROVIDER_ARN");
+ credConf.oidcTokenFilePath = System.getenv("ALIBABA_CLOUD_OIDC_TOKEN_FILE");
+ credConf.roleSessionName = "test-rrsa-oidc-token";
+ return new com.aliyun.credentials.Client(credConf);
+ }
+}
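Review bot: In `TestOSSSDK.CallAPI` the `ossClient.shutdown()` call runs only on the success path, so an exception from `listBuckets()` (for example an authorization failure when the role lacks `oss:ListBuckets`) leaves the client's connection pool open; wrapping the call in try/finally as below closes it on every path. In the same method `List buckets` is a raw type and should be `List<Bucket> buckets`, and `CallAPI` would conventionally be `callApi`. `OSSCredentialProvider.setCredentials` is an intentionally empty body that carries neither `@Override` nor a comment; suggest `// No-op: credentials always come from the RRSA client passed to the constructor.` Finally `// 两种方式都可以` is the file's only non-English comment; `// Either of the two constructors below works.` would match the rest.
```java
        OSS ossClient = new OSSClientBuilder().build(endpoint, provider, conf);
        try {
            List<Bucket> buckets = ossClient.listBuckets();
            // … unchanged: success message and bucket loop …
        } finally {
            // release the connection pool even when listBuckets() throws
            ossClient.shutdown();
        }
```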
diff --git a/examples/rrsa/ossutil-demo/test.sh b/examples/rrsa/oss-java-sdk/test.sh
similarity index 68%
rename from examples/rrsa/ossutil-demo/test.sh
rename to examples/rrsa/oss-java-sdk/test.sh
index def5f750..62225acc 100644
--- a/examples/rrsa/ossutil-demo/test.sh
+++ b/examples/rrsa/oss-java-sdk/test.sh
@@ -4,8 +4,9 @@ set -e
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
-NAMESPACE="rrsa-demo-ossutil"
-POLICY_NAME="AliyunOSSReadOnlyAccess"
+NAMESPACE="rrsa-demo-oss-java-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-oss-list-buckets"
trap cleanup EXIT
@@ -28,18 +29,36 @@ function install_helper() {
function setup_role() {
bar_tip "setup ram role"
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}' || true
+
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
- --attach-system-policy ${POLICY_NAME}
+ --attach-custom-policy ${POLICY_NAME}
}
function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
@@ -47,7 +66,7 @@ function get_logs() {
bar_tip "wait demo and get logs"
kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" wait --for=condition=complete job/demo --timeout=240s
- kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" logs job/demo -c test
+ kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" logs job/demo
}
function cleanup() {
@@ -55,6 +74,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
set -e
}
diff --git a/examples/rrsa/ossutil-demo/Dockerfile b/examples/rrsa/ossutil-demo/Dockerfile
deleted file mode 100644
index f1b8bae6..00000000
--- a/examples/rrsa/ossutil-demo/Dockerfile
+++ /dev/null
@@ -1,16 +0,0 @@
-FROM registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-dev as cli
-# TARGETPLATFORM
-
-WORKDIR /tmp/
-RUN wget https://gosspublic.alicdn.com/ossutil/1.7.15/ossutil-v1.7.15-linux-amd64.zip && \
- unzip ossutil-v1.7.15-linux-amd64.zip && chmod +x ossutil-v1.7.15-linux-amd64/ossutil
-
-FROM alpine:3.17.2
-
-WORKDIR /usr/bin/
-COPY --from=cli /usr/bin/ack-ram-tool ./ack-ram-tool
-COPY --from=cli /tmp/ossutil-v1.7.15-linux-amd64/ossutil ./ossutil
-
-WORKDIR /app
-COPY ossutilconfig ./
-CMD ossutil -c ./ossutilconfig -e oss-cn-hangzhou.aliyuncs.com ls -s
diff --git a/examples/rrsa/ossutil-demo/README.md b/examples/rrsa/ossutil-demo/README.md
deleted file mode 100644
index 2783faa9..00000000
--- a/examples/rrsa/ossutil-demo/README.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# ossutil demo
-
-## Usage
-
-1. Enable RRSA:
-
-```
-export CLUSTER_ID=
-ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
-```
-
-2. Install ack-pod-identity-webhook:
-
-```
-ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
-```
-
-3. Create a RAM Role and attach a system policy to the role:
-
-```
-ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
- --namespace rrsa-demo-ossutil \
- --service-account demo-sa \
- --role-name test-rrsa-demo \
- --create-role-if-not-exist \
- --attach-system-policy AliyunOSSReadOnlyAccess
-```
-
-4. Deploy demo job:
-
-```
-ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig
-kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml
-```
-
-5. Get logs:
-
-```
-kubectl --kubeconfig ./kubeconfig -n rrsa-demo-ossutil wait --for=condition=complete job/demo --timeout=240s
-kubectl --kubeconfig ./kubeconfig -n rrsa-demo-ossutil logs job/demo -c test
-```
-
-Outputs:
-
-```
-oss://foo-***
-oss://bar-**
-Bucket Number is: 2
-
-0.634557(s) elapsed
-```
diff --git a/examples/rrsa/ossutil-demo/ossutilconfig b/examples/rrsa/ossutil-demo/ossutilconfig
deleted file mode 100644
index ebc66d4b..00000000
--- a/examples/rrsa/ossutil-demo/ossutilconfig
+++ /dev/null
@@ -1,5 +0,0 @@
-[Credentials]
-language=CH
-
-[AkService]
-ecsAk=http://127.0.0.1:8088/
diff --git a/examples/rrsa/python3-sdk/test.sh b/examples/rrsa/python3-sdk/test.sh
index 503330c7..920624d8 100644
--- a/examples/rrsa/python3-sdk/test.sh
+++ b/examples/rrsa/python3-sdk/test.sh
@@ -5,6 +5,8 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
CLUSTER_ID="$1"
KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
NAMESPACE="rrsa-demo-python3-sdk"
+ROLE_NAME="test-rrsa-demo"
+POLICY_NAME="test-cs-describe-clusters"
trap cleanup EXIT
@@ -27,13 +29,15 @@ function install_helper() {
function setup_role() {
bar_tip "setup ram role"
- aliyun ram CreatePolicy --PolicyName cs-describe-clusters --PolicyDocument '{
+ aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+ aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
- "cs:DescribeClusters"
+ "cs:DescribeClusters",
+ "cs:GetClusters"
],
"Resource": [
"*"
@@ -46,15 +50,16 @@ function setup_role() {
ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
--namespace "${NAMESPACE}" \
--service-account demo-sa \
- --role-name test-rrsa-demo \
+ --role-name ${ROLE_NAME} \
--create-role-if-not-exist \
- --attach-custom-policy cs-describe-clusters
+ --attach-custom-policy ${POLICY_NAME}
}
function deploy_demo() {
bar_tip "deploy demo"
ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
}
@@ -70,6 +75,7 @@ function cleanup() {
bar_tip "cleanup"
rm ${KUBECONFIG_PATH}
+ aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
set -e
}
diff --git a/website/docs/rrsa/examples.md b/website/docs/rrsa/examples.md
new file mode 100644
index 00000000..a39086f2
--- /dev/null
+++ b/website/docs/rrsa/examples.md
@@ -0,0 +1,24 @@
+---
+slug: examples
+sidebar_position: 5
+---
+
+# examples
+
+Examples for RRSA Usage.
+
+
+| example | description |
+|-----------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|
+| [go-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/go-sdk) | Using [Alibaba Could Go SDK](https://github.com/aliyun/alibabacloud-go-sdk) with RRSA Auth |
+| [oss-go-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/oss-go-sdk) | Using [aliyun-oss-go-sdk](https://github.com/aliyun/aliyun-oss-go-sdk) with RRSA Auth |
+| [java-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/java-sdk) | Using [Alibaba Could Java SDK](https://github.com/aliyun/alibabacloud-java-sdk) with RRSA Auth |
+| [oss-java-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/oss-java-sdk) | Using [aliyun-oss-java-sdk](https://github.com/aliyun/aliyun-oss-java-sdk) with RRSA Auth |
+| [python3-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/python3-sdk) | Using [Alibaba Could Python 3 SDK](https://github.com/aliyun/alibabacloud-python-sdk) with RRSA Auth |
+| [nodejs-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/nodejs-sdk) | Using [Alibaba Could Node.js/TypeScript SDK](https://github.com/aliyun/alibabacloud-typescript-sdk) with RRSA Auth |
+| [kaniko-in-ack](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/kaniko-in-ack) | Building docker image with [Kaniko](https://github.com/GoogleContainerTools/kaniko) then push image to ACR with RRSA Auth |
+| [aliyuncli-demo](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/aliyuncli-demo) | Using [aliyun-cli](https://github.com/aliyun/aliyun-cli) with RRSA Auth |
+| [aliyunlogcli-demo](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/aliyunlogcli-demo) | Using [aliyun-log-cli](https://github.com/aliyun/aliyun-log-cli) with RRSA Auth |
+
+[//]: # (| [ossutil-demo](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/ossutil-demo) | Using [ossutil](https://github.com/aliyun/ossutil) with RRSA Auth |)
+
diff --git a/website/docs/rrsa/examples.zh-CN.md b/website/docs/rrsa/examples.zh-CN.md
new file mode 100644
index 00000000..a0ca53b2
--- /dev/null
+++ b/website/docs/rrsa/examples.zh-CN.md
@@ -0,0 +1,25 @@
+---
+slug: /zh-CN/rrsa/examples
+title: 使用示例
+sidebar_position: 5
+---
+
+# 使用示例
+
+RRSA 使用示例。
+
+
+| 示例 | 说明 |
+|-----------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| [go-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/go-sdk) | 在 [Alibaba Could Go SDK](https://github.com/aliyun/alibabacloud-go-sdk) 中使用 RRSA 认证 |
+| [oss-go-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/oss-go-sdk) | 在 [aliyun-oss-go-sdk](https://github.com/aliyun/aliyun-oss-go-sdk) 中使用 RRSA 认证 |
+| [java-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/java-sdk) | 在 [Alibaba Could Java SDK](https://github.com/aliyun/alibabacloud-java-sdk) 中使用 RRSA 认证 |
+| [oss-java-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/oss-java-sdk) | 在 [aliyun-oss-java-sdk](https://github.com/aliyun/aliyun-oss-java-sdk) 中使用 RRSA 认证 |
+| [python3-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/python3-sdk) | 在 [Alibaba Could Python 3 SDK](https://github.com/aliyun/alibabacloud-python-sdk) 中使用 RRSA 认证 |
+| [nodejs-sdk](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/nodejs-sdk) | 在 [Alibaba Could Node.js/TypeScript SDK](https://github.com/aliyun/alibabacloud-typescript-sdk) 中使用 RRSA 认证 |
+| [kaniko-in-ack](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/kaniko-in-ack) | 在 ACK 中使用 [Kaniko](https://github.com/GoogleContainerTools/kaniko) 构建镜像,然后使用 RRSA 认证方式将镜像推送到 ACR |
+| [aliyuncli-demo](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/aliyuncli-demo) | [aliyun-cli](https://github.com/aliyun/aliyun-cli) 使用 RRSA 认证 |
+| [aliyunlogcli-demo](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/aliyunlogcli-demo) | [aliyun-log-cli](https://github.com/aliyun/aliyun-log-cli) 使用 RRSA 认证 |
+
+[//]: # (| [ossutil-demo](https://github.com/AliyunContainerService/ack-ram-tool/tree/main/examples/rrsa/ossutil-demo) | Using [ossutil](https://github.com/aliyun/ossutil) with RRSA Auth |)
+