diff --git a/examples/rrsa/README.md b/examples/rrsa/README.md index 480235dd..5a0ab29a 100644 --- a/examples/rrsa/README.md +++ b/examples/rrsa/README.md @@ -3,9 +3,10 @@ Examples for RRSA Usage. -| | | +| sub-directory | description | |-------------------|---------------------------------------------------------------------------------------------------------------------| -| go-sdk | Using Alibaba Could Go SDK with RRSA Auth | +| go-sdk | Using [Alibaba Could Go SDK](https://github.com/aliyun/alibabacloud-go-sdk) with RRSA Auth | +| oss-go-sdk | Using [aliyun-oss-go-sdk](https://github.com/aliyun/aliyun-oss-go-sdk) with RRSA Auth | | java-sdk | Using Alibaba Could Java SDK with RRSA Auth | | python3-sdk | Using Alibaba Could Python 3 SDK with RRSA Auth | | nodejs-sdk | Using Alibaba Could Node.js/TypeScript SDK with RRSA Auth | @@ -13,29 +14,5 @@ Examples for RRSA Usage. | aliyuncli-demo | Using [aliyun-cli](https://github.com/aliyun/aliyun-cli) with RRSA Auth | | aliyunlogcli-demo | Using [aliyun-log-cli](https://github.com/aliyun/aliyun-log-cli) with RRSA Auth | | ossutil-demo | Using [ossutil](https://github.com/aliyun/ossutil) with RRSA Auth | -| cpp-demo | Using C++ SDK with RRSA Auth (experimental) | +| cpp-demo | Using unofficial C++ SDK with RRSA Auth (experimental) | - -## go-sdk - -An example for how to use OIDC token to assume RAM Role via Alibaba Could Go SDK. - - -## java-sdk - -An example for how to use OIDC token to assume RAM Role via Alibaba Could Java SDK. - - -## python3-sdk - -An example for how to use OIDC token to assume RAM Role via Alibaba Could Python 3 SDK. - - -## nodejs-sdk - -An example for how to use OIDC token to assume RAM Role via Alibaba Could Node.js/TypeScript SDK. - - -## e2e-test - -Run e2e test. diff --git a/examples/rrsa/go-sdk/deploy.yaml b/examples/rrsa/go-sdk/deploy.yaml index a055697d..1ef87a99 100644 --- a/examples/rrsa/go-sdk/deploy.yaml +++ b/examples/rrsa/go-sdk/deploy.yaml 
@@ -27,6 +27,6 @@ spec: serviceAccountName: demo-sa restartPolicy: Never containers: - - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-golang + - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-golang imagePullPolicy: "Always" name: test diff --git a/examples/rrsa/go-sdk/main.go b/examples/rrsa/go-sdk/main.go index 5cd269e2..53209793 100644 --- a/examples/rrsa/go-sdk/main.go +++ b/examples/rrsa/go-sdk/main.go @@ -41,6 +41,15 @@ func testOpenAPISDK() { } } +func newCredential() credentials.Credential { + // https://www.alibabacloud.com/help/doc-detail/378661.html + cred, err := credentials.NewCredential(nil) + if err != nil { + panic(err) + } + return cred +} + func newOidcCredential() credentials.Credential { // https://www.alibabacloud.com/help/doc-detail/378661.html config := new(credentials.Config). diff --git a/examples/rrsa/oss-go-sdk/Dockerfile b/examples/rrsa/oss-go-sdk/Dockerfile new file mode 100644 index 00000000..82b8ba00 --- /dev/null +++ b/examples/rrsa/oss-go-sdk/Dockerfile @@ -0,0 +1,20 @@ +FROM golang:1.20.1-buster as builder +# TARGETPLATFORM + +WORKDIR /workspace + +ENV CGO_ENABLED=0 +ENV GOPROXY=https://goproxy.cn +COPY go.mod ./ +COPY go.sum ./ +COPY main.go ./ +RUN go build + + +FROM alpine:3.17.2 + +WORKDIR /usr/bin/ + +COPY --from=builder /workspace/oss-go-sdk ./rrsa-example-oss-golang + +CMD /usr/bin/rrsa-example-oss-golang diff --git a/examples/rrsa/oss-go-sdk/README.md b/examples/rrsa/oss-go-sdk/README.md new file mode 100644 index 00000000..5019ca39 --- /dev/null +++ b/examples/rrsa/oss-go-sdk/README.md 
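Review bot: `credentials.NewCredential(nil)` in newCredential leaves the choice of credential source to the library's default provider chain, so the example can succeed with credentials that did not come from the RRSA OIDC token (presumably static keys from the environment or a profile file are also consulted; confirm against the pinned credentials-go version). For a demo meant to prove the OIDC path, put a comment above the call such as `// nil config: default provider chain; RRSA needs ALIBABA_CLOUD_ROLE_ARN, ALIBABA_CLOUD_OIDC_PROVIDER_ARN and ALIBABA_CLOUD_OIDC_TOKEN_FILE injected`, or fail fast when those variables are empty. The same function is added in examples/rrsa/oss-go-sdk/main.go, where testOSSSDK calls it and prints "via oidc token success" regardless of which source supplied the key. Whether go-sdk/main.go calls the new function is not visible in this hunk.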
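Review bot: The final stage sets no `USER`, so the binary that ends up holding the pod's RAM role credentials runs as root inside the alpine image; a statically linked binary (CGO_ENABLED=0) needs nothing from root, and a line such as `USER 65532:65532` before `CMD` would be enough. Both `FROM` lines pin a tag rather than a digest, and `ENV GOPROXY=https://goproxy.cn` sends every module download through one third-party proxy with no fallback; go.sum still pins content hashes, but the proxy is better as a build `ARG` with a comment explaining the choice. `CMD /usr/bin/rrsa-example-oss-golang` is shell form; the exec form `CMD ["/usr/bin/rrsa-example-oss-golang"]` avoids the intermediate shell and lets the process receive signals directly.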
@@ -0,0 +1,67 @@
+# golang-sdk
+
+## Usage
+
+1. Enable RRSA:
+
+```
+export CLUSTER_ID=
+ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+```
+
+2. Install ack-pod-identity-webhook:
+
+```
+ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+```
+
+3. Create an RAM Policy:
+
+```
+aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}'
+```
+
+4. Associate an RAM Role to the service account and attach the policy to the role:
+
+```
+ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+ --namespace rrsa-demo-oss-golang-sdk \
+ --service-account demo-sa \
+ --role-name test-rrsa-demo \
+ --create-role-if-not-exist \
+ --attach-custom-policy oss-list-buckets
+```
+
+5. Deploy demo job:
+
+```
+ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig
+kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml
+```
+
+6. Get logs:
+
+```
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-golang-sdk wait --for=condition=complete job/demo --timeout=240s
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-golang-sdk logs job/demo
+```
+
+Outputs:
+
+```
+
+```
diff --git a/examples/rrsa/oss-go-sdk/deploy.yaml b/examples/rrsa/oss-go-sdk/deploy.yaml
new file mode 100644
index 00000000..f5f9afd6
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/deploy.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: rrsa-demo-oss-golang-sdk
+ labels:
+ pod-identity.alibabacloud.com/injection: 'on'
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: demo-sa
+ namespace: rrsa-demo-oss-golang-sdk
+ annotations:
+ pod-identity.alibabacloud.com/role-name: test-rrsa-demo
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: demo
+ namespace: rrsa-demo-oss-golang-sdk
+spec:
+ template:
+ spec:
+ serviceAccountName: demo-sa
+ restartPolicy: Never
+ containers:
+ - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:0.13.2-rrsa-example-oss-golang
+ imagePullPolicy: "Always"
+ name: test
diff --git a/examples/rrsa/oss-go-sdk/go.mod b/examples/rrsa/oss-go-sdk/go.mod
new file mode 100644
index 00000000..64a4f31b
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/go.mod
@@ -0,0 +1,14 @@
+module github.com/AliyunContainerService/ack-ram-tool/examples/rrsa/oss-go-sdk
+
+go 1.16
+
+require (
+ github.com/alibabacloud-go/tea v1.1.20
+ github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible
+ github.com/aliyun/credentials-go v1.2.6
+ github.com/json-iterator/go v1.1.12 // indirect
+ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+ golang.org/x/net v0.7.0 // indirect
+ golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
+ gopkg.in/ini.v1 v1.66.6 // indirect
+)
diff --git a/examples/rrsa/oss-go-sdk/go.sum b/examples/rrsa/oss-go-sdk/go.sum
new file mode 100644
index 00000000..5c6498a9
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/go.sum
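Review bot: The `test` container in the Job has no `securityContext`, so it runs with whatever user and privileges the image defaults to while using a service account annotated to assume `test-rrsa-demo` (the token is presumably injected by the webhook enabled through the namespace label). Adding `securityContext: { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, runAsNonRoot: true }` under the container would make the example a safer template to copy; `runAsNonRoot` also needs a numeric non-root user in the image or a `runAsUser` here. `imagePullPolicy: "Always"` combined with a mutable tag means the code that receives the role can change without the manifest changing, so pinning the image by digest is worth considering. The manifest also sets no `backoffLimit` or `ttlSecondsAfterFinished`, so failed or finished pods linger in the namespace.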
@@ -0,0 +1,84 @@ +github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68 h1:NqugFkGxx1TXSh/pBcU00Y6bljgDPaFdh5MUSeJ7e50= +github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY= +github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4= +github.com/alibabacloud-go/tea v1.1.20 h1:wFK4xEbvGYMtzTyHhIju9D7ecWxvSUdoLO6y4vDLFik= +github.com/alibabacloud-go/tea v1.1.20/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A= +github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible h1:KXeJoM1wo9I/6xPTyt6qCxoSZnmASiAjlrr0dyTUKt8= +github.com/aliyun/aliyun-oss-go-sdk v2.2.6+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8= +github.com/aliyun/credentials-go v1.2.6 h1:dSMxpj4uXZj0MYOsEyljlssHzfdHw/M84iQ5QKF0Uxg= +github.com/aliyun/credentials-go v1.2.6/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text 
v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo= +github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= 
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 h1:M73Iuj3xbbb9Uk1DYhzydthsj6oOd6l9bpuFcNoUvTs= +golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.66.6 
h1:LATuAqN/shcYAOkv3wl2L4rkaKqkcgTBQjOyYDvcPKI= +gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/examples/rrsa/oss-go-sdk/main.go b/examples/rrsa/oss-go-sdk/main.go new file mode 100644 index 00000000..d2e3866f --- /dev/null +++ b/examples/rrsa/oss-go-sdk/main.go 
@@ -0,0 +1,111 @@
+package main
+
+import (
+ "fmt"
+ "log"
+ "os"
+
+ "github.com/alibabacloud-go/tea/tea"
+ "github.com/aliyun/aliyun-oss-go-sdk/oss"
+ // github.com/aliyun/credentials-go >= v1.2.6
+ "github.com/aliyun/credentials-go/credentials"
+)
+
+const (
+ EnvRoleArn = "ALIBABA_CLOUD_ROLE_ARN"
+ EnvOidcProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN"
+ EnvOidcTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"
+)
+
+func testOSSSDK() {
+ // 两种方法都可以
+ cred := newCredential()
+ // or
+ // cred := newOidcCredential()
+
+ provider := &OSSCredentialsProvider{cred: cred}
+ client, err := oss.New("https://oss-cn-hangzhou.aliyuncs.com", "", "",
+ oss.SetCredentialsProvider(provider))
+ if err != nil {
+ panic(err)
+ }
+ ret, err := client.ListBuckets()
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Println("call oss.listBuckets via oidc token success:")
+ for _, item := range ret.Buckets {
+ fmt.Printf("-%s\n", item.Name)
+ }
+}
+
+func newCredential() credentials.Credential {
+ // https://www.alibabacloud.com/help/doc-detail/378661.html
+ cred, err := credentials.NewCredential(nil)
+ if err != nil {
+ panic(err)
+ }
+ return cred
+}
+
+func newOidcCredential() credentials.Credential {
+ // https://www.alibabacloud.com/help/doc-detail/378661.html
+ config := new(credentials.Config).
+ SetType("oidc_role_arn").
+ SetRoleArn(os.Getenv(EnvRoleArn)).
+ SetOIDCProviderArn(os.Getenv(EnvOidcProviderArn)).
+ SetOIDCTokenFilePath(os.Getenv(EnvOidcTokenFile)).
+ SetRoleSessionName("test-rrsa-oidc-token")
+
+ oidcCredential, err := credentials.NewCredential(config)
+ if err != nil {
+ panic(err)
+ }
+ return oidcCredential
+}
+
+type OSSCredentials struct {
+ teaCred credentials.Credential
+}
+
+func (cred *OSSCredentials) GetAccessKeyID() string {
+ value, err := cred.teaCred.GetAccessKeyId()
+ if err != nil {
+ log.Printf("get access key id failed: %+v", err)
+ return ""
+ }
+ return tea.StringValue(value)
+}
+
+func (cred *OSSCredentials) GetAccessKeySecret() string {
+ value, err := cred.teaCred.GetAccessKeySecret()
+ if err != nil {
+ log.Printf("get access key secret failed: %+v", err)
+ return ""
+ }
+ return tea.StringValue(value)
+}
+
+func (cred *OSSCredentials) GetSecurityToken() string {
+ value, err := cred.teaCred.GetSecurityToken()
+ if err != nil {
+ log.Printf("get access security token failed: %+v", err)
+ return ""
+ }
+ return tea.StringValue(value)
+}
+
+type OSSCredentialsProvider struct {
+ cred credentials.Credential
+}
+
+func (p *OSSCredentialsProvider) GetCredentials() oss.Credentials {
+ return &OSSCredentials{teaCred: p.cred}
+}
+
+func main() {
+ // test oss sdk (https://github.com/aliyun/aliyun-oss-go-sdk) use rrsa oidc token
+ log.Printf("test oss sdk using rrsa oidc token")
+ testOSSSDK()
+}
diff --git a/examples/rrsa/oss-go-sdk/test.sh b/examples/rrsa/oss-go-sdk/test.sh
new file mode 100644
index 00000000..24726198
--- /dev/null
+++ b/examples/rrsa/oss-go-sdk/test.sh
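Review bot: The three getters on OSSCredentials log the error and return "" when the underlying lookup fails, so a failed OIDC/STS exchange becomes a request signed with empty values and only surfaces later as an opaque authorization error from OSS. Each getter also calls teaCred separately, so a refresh between the calls could return a key, secret and token from different credential sets (whether credentials-go refreshes between calls is not visible here). Reading the three values back to back in GetCredentials and failing there, as sketched below, keeps one request on one snapshot and makes the failure visible; panicking matches how the rest of this example handles errors. This assumes the OSS SDK calls GetCredentials once per request, which should be confirmed against the pinned SDK version.

```go
type OSSCredentials struct {
	accessKeyID     string
	accessKeySecret string
	securityToken   string
}

func (cred *OSSCredentials) GetAccessKeyID() string     { return cred.accessKeyID }
func (cred *OSSCredentials) GetAccessKeySecret() string { return cred.accessKeySecret }
func (cred *OSSCredentials) GetSecurityToken() string   { return cred.securityToken }

// … unchanged: OSSCredentialsProvider struct …

func (p *OSSCredentialsProvider) GetCredentials() oss.Credentials {
	// Read the whole set once so a single request is signed from one snapshot.
	id, err := p.cred.GetAccessKeyId()
	if err != nil {
		panic(fmt.Errorf("get access key id: %w", err))
	}
	secret, err := p.cred.GetAccessKeySecret()
	if err != nil {
		panic(fmt.Errorf("get access key secret: %w", err))
	}
	token, err := p.cred.GetSecurityToken()
	if err != nil {
		panic(fmt.Errorf("get security token: %w", err))
	}
	return &OSSCredentials{
		accessKeyID:     tea.StringValue(id),
		accessKeySecret: tea.StringValue(secret),
		securityToken:   tea.StringValue(token),
	}
}
```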
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
+CLUSTER_ID="$1"
+KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
+NAMESPACE="rrsa-demo-oss-golang-sdk"
+
+trap cleanup EXIT
+
+function bar_tip() {
+ echo -e "\n=== $1 ===\n"
+}
+
+function enable_rrsa() {
+ bar_tip "enable RRSA"
+
+ ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+}
+
+function install_helper() {
+ bar_tip "install ack-pod-identity-webhook"
+
+ ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+}
+
+function setup_role() {
+ bar_tip "setup ram role"
+
+ aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "oss:ListBuckets"
+ ],
+ "Resource": [
+ "*"
+ ],
+ "Condition": {}
+ }
+ ]
+}' || true
+
+ ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+ --namespace "${NAMESPACE}" \
+ --service-account demo-sa \
+ --role-name test-rrsa-demo \
+ --create-role-if-not-exist \
+ --attach-custom-policy oss-list-buckets
+}
+
+function deploy_demo() {
+ bar_tip "deploy demo"
+
+ ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+ kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
+}
+
+function get_logs() {
+ bar_tip "wait demo and get logs"
+
+ kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" wait --for=condition=complete job/demo --timeout=240s
+ kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" logs job/demo
+}
+
+function cleanup() {
+ set +e
+ bar_tip "cleanup"
+
+ rm ${KUBECONFIG_PATH}
+
+ set -e
+}
+
+function main() {
+ if [[ "${CLUSTER_ID}none" == "none" ]]; then
+ echo "clusterId is missing. Usage: bash test.sh CLUSTER_ID"
+ exit 1
+ fi
+ if [[ "${SCRIPT_DIR}none" == "none" ]]; then
+ echo "get script dir failed"
+ exit 1
+ fi
+
+ enable_rrsa
+ install_helper
+ setup_role
+ sleep 60
+ deploy_demo
+ get_logs
+}
+
+main
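Review bot: `${KUBECONFIG_PATH}` is expanded unquoted in deploy_demo, get_logs and cleanup, so a checkout path containing spaces or glob characters is split into several arguments, and in cleanup `rm` then acts on the pieces; quote it everywhere, e.g. `rm -f "${KUBECONFIG_PATH}"`. The kubeconfig is written into the script directory under the default umask, so a `umask 077` before the redirect (or a `mktemp` path) would keep cluster access material from being readable by other local users. `|| true` after `aliyun ram CreatePolicy` hides every failure, not only an already-exists response, so a denied or malformed call goes unnoticed until associate-role runs. `set -e` alone also lets unset variables expand to empty strings; `set -euo pipefail` would be stricter, but `CLUSTER_ID="$1"` would then need to become `CLUSTER_ID="${1:-}"` so the usage message in main is still reached.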