credentials: support vpc endpoint and don't ignroe error when get cre…

…dentials from aliyun cli config files

make credentials support using vpc sts endpoint and ignore not exist default credentials file

cmd/ack-ram-tool/main.go

@@ -41,7 +41,7 @@ func init() {
 	exportcredentials.SetupCmd(rootCmd)
 
 	rootCmd.PersistentFlags().StringVar(&ctl.GlobalOption.Region, "region-id",
-		"", fmt.Sprintf("The region to use (default \"%s\")", ctl.DefaultRegion)+
+		"", "The region to use"+
 			" (env: \"ACK_RAM_TOOL_REGION_ID\")")
 	rootCmd.PersistentFlags().BoolVarP(&ctl.GlobalOption.AssumeYes, "assume-yes", "y", false,
 		"Automatic yes to prompts; assume \"yes\" as answer to all prompts and run non-interactively"+

go.mod

@@ -4,7 +4,6 @@ go 1.18
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.0.0
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider v0.0.0
 	github.com/alibabacloud-go/cs-20151215/v3 v3.0.35
 	github.com/alibabacloud-go/darabonba-openapi v0.2.1
@@ -89,7 +88,4 @@ require (
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
-replace (
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper => ./pkg/credentials/alibabacloudsdkgo/helper
-	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider => ./pkg/credentials/provider
-)
+replace github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider => ./pkg/credentials/provider

pkg/credentials/alibabacloudsdkgo/helper/env/env.go → pkg/credentials/alibabacloudgo/env/env.go

@@ -2,8 +2,12 @@ package env
 
 import (
 	"errors"
+	"fmt"
 	"os"
 
+	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudgo"
+	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider"
+	"github.com/AliyunContainerService/ack-ram-tool/pkg/log"
 	"github.com/aliyun/credentials-go/credentials"
 )
 
@@ -70,8 +74,12 @@ var (
 	}
 )
 
-// NewCredential return a Credential base on environment variables
-func NewCredential() (credentials.Credential, error) {
+type CredentialsProviderOptions struct {
+	STSEndpoint string
+}
+
+// NewCredentialsProvider return a CredentialsProvider base on environment variables
+func NewCredentialsProvider(opts CredentialsProviderOptions) (provider.CredentialsProvider, error) {
 	keyId := GetAccessKeyId()
 	keySecret := GetAccessKeySecret()
 	stsToken := GetSecurityToken()
@@ -92,18 +100,32 @@ func NewCredential() (credentials.Credential, error) {
 		RoleSessionName:   stringPoint(sessionName),
 	}
 	if keyId != "" && keySecret != "" && stsToken != "" {
-		config.Type = stringPoint("sts")
-	} else if credURI != "" {
+		return provider.NewSTSTokenProvider(keyId, keySecret, stsToken), nil
+	}
+	if roleArn != "" && oidcProviderArn != "" && oidcTokenFile != "" {
+		return provider.NewOIDCProvider(provider.OIDCProviderOptions{
+			STSEndpoint:     opts.STSEndpoint,
+			SessionName:     sessionName,
+			RoleArn:         roleArn,
+			OIDCProviderArn: oidcProviderArn,
+			OIDCTokenFile:   oidcTokenFile,
+			Logger:          &log.ProviderLogWrapper{ZP: log.Logger},
+		}), nil
+	}
+	if keyId != "" && keySecret != "" {
+		return provider.NewAccessKeyProvider(keyId, keySecret), nil
+	}
+	if credURI != "" {
 		config.Type = stringPoint("credentials_uri")
-	} else if keyId != "" && keySecret != "" {
-		config.Type = stringPoint("access_key")
-	} else if roleArn != "" && oidcProviderArn != "" && oidcTokenFile != "" {
-		config.Type = stringPoint("oidc_role_arn")
 	} else {
 		return nil, errors.New("not found credentials related environment variables")
 	}
 
-	return credentials.NewCredential(config)
+	cred, err := credentials.NewCredential(config)
+	if err != nil {
+		return nil, fmt.Errorf("init credential failed: %w", err)
+	}
+	return alibabacloudgo.NewCredentialsProviderWrapper(cred), nil
 }
 
 func GetAccessKeyId() string {

pkg/credentials/alibabacloudsdkgo/helper/env/newsdk.go → pkg/credentials/alibabacloudgo/env/newsdk.go

@@ -6,6 +6,7 @@ const (
 	envNewSdkAccessKeySecret = "ALIBABA_CLOUD_ACCESS_KEY_SECRET" // #nosec G101
 	envNewSdkSecurityToken   = "ALIBABA_CLOUD_SECURITY_TOKEN"    // #nosec G101
 	envNewSdkRoleSessionName = "ALIBABA_CLOUD_ROLE_SESSION_NAME"
+	//envNewSdkECSRoleName     = "ALIBABA_CLOUD_ECS_METADATA"
 
 	envNewSdkCredentialsURI = "ALIBABA_CLOUD_CREDENTIALS_URI" // #nosec G101
 

vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper/env/oldsdk.go → pkg/credentials/alibabacloudgo/env/oldsdk.go

@@ -11,5 +11,5 @@ const (
 	//envOldSdkPrivateKey            = "ALICLOUD_PRIVATE_KEY"
 	//envOldSdkPublicKeyID           = "ALICLOUD_PUBLIC_KEY_ID"
 	//envOldSdkSessionExpiration     = "ALICLOUD_SESSION_EXPIRATION"
-	//envOldSdkRoleName              = "ALICLOUD_ROLE_NAME"
+	//envOldSdkRoleName = "ALICLOUD_ROLE_NAME"
 )

pkg/credentials/alibabacloudsdkgo/helper/helper.go

@@ -5,8 +5,6 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper/aliyuncli"
-	"github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper/env"
 	"github.com/aliyun/credentials-go/credentials"
 )
 
@@ -16,45 +14,6 @@ const (
 	EnvOidcTokenFile   = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"
 )
 
-// NewCredential return a Credential base on:
-// * environment variables
-// * credentialFilePath: credential file
-// * aliyuncliConfigFilePath: aliyun cli config file
-// * aliyuncliProfileName: profile name of aliyun cli
-func NewCredential(credentialFilePath, aliyuncliConfigFilePath, aliyuncliProfileName, sessionName string) (credentials.Credential, error) {
-	if credentialFilePath == "" {
-		credentialFilePath = env.GetCredentialsFile()
-	}
-	if credentialFilePath != "" {
-		credentialFilePath, _ = expandPath(credentialFilePath)
-	}
-	if credentialFilePath != "" {
-		if _, err := os.Stat(credentialFilePath); err == nil {
-			_ = os.Setenv(credentials.ENVCredentialFile, credentialFilePath)
-		}
-	}
-	if aliyuncliProfileName == "" {
-		aliyuncliProfileName = env.GetAliyuncliProfileName()
-	}
-	if sessionName != "" {
-		_ = os.Setenv(env.EnvRoleSessionName, sessionName)
-	}
-	if rawP := env.GetAliyuncliProfilePath(); aliyuncliConfigFilePath == "" && rawP != "" {
-		if path, err := expandPath(rawP); err == nil && path != "" {
-			if _, err := os.Stat(path); err == nil {
-				aliyuncliConfigFilePath = path
-			}
-		}
-	}
-	if aliyuncliConfigFilePath == "" || env.GetAliyuncliIgnoreProfile() == "TRUE" {
-		if cred, err := env.NewCredential(); err == nil && cred != nil {
-			return cred, err
-		}
-	}
-	cred, err := aliyuncli.NewCredential(aliyuncliConfigFilePath, aliyuncliProfileName)
-	return cred, err
-}
-
 func HaveOidcCredentialRequiredEnv() bool {
 	return os.Getenv(EnvRoleArn) != "" &&
 		os.Getenv(EnvOidcProviderArn) != "" &&