feat: improve alibaba cloud credential providers in OSS artifacts #11453
ef1c465 to fc9bea5
Have you tested this change in an actual OSS bucket?
workflow/artifacts/oss/oss.go
Outdated
return oss.New(ossDriver.Endpoint, "", "", | ||
oss.SetCredentialsProvider(provider)) | ||
} | ||
//using ak sec |
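Review bot: the two empty-string arguments in `oss.New(ossDriver.Endpoint, "", "", ...)` need a short comment saying that the access key ID and secret are intentionally blank because credentials are supplied by `provider` through `oss.SetCredentialsProvider`; without it the call reads like a missing-credentials bug. The `//using ak sec` comment that follows should also be written out in full, with a space after `//` and the abbreviations expanded (access key and secret), so a reader can tell which credential path starts there.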
Be more descriptive or remove the comment
fixed
Please also resolve conflicts
1ea96a4 to e17a01e
@terrytangyuan Thanks for your review! I have tested both the RRSA service account mode and the original AK/SK mode in an ACK cluster; it works fine when saving and loading OSS artifacts in output/input wf steps.
Signed-off-by: dahu.kdh <dahu.kdh@alibaba-inc.com>
e17a01e to a45668a
Fixed, thanks! And added some instructions on how to configure and use Alibaba Cloud OSS RRSA in configure-artifact-repository.md
Thank you!
Motivation
Improve the credential security of OSS artifacts, avoid hardcoding AK in secret.
For more details about the Alibaba Cloud credential provider, please refer to credentials-go.
Modifications
Add new configuration for OSSBucket in workflow_types.go to support using the default provider chain or the OIDC token provider to get Alibaba Cloud credentials, and refine the artifacts oss.go to init the OSS client with the given provider configuration.
Verification