From f686b117a22ec94e905aa23c8ac8f2e2312cbb22 Mon Sep 17 00:00:00 2001
From: "anjali.agarwal"
Date: Tue, 19 Nov 2024 12:08:58 +0530
Subject: [PATCH] feat: add support for cross account access management

---
 plugins/providers/alicloudiam/client.go | 38 ++++++++++++++++++-----
 plugins/providers/alicloudiam/config.go | 1 +
 plugins/providers/alicloudiam/provider.go | 2 +-
 3 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/plugins/providers/alicloudiam/client.go b/plugins/providers/alicloudiam/client.go
index 6a6a97f9d..ac252c75b 100644
--- a/plugins/providers/alicloudiam/client.go
+++ b/plugins/providers/alicloudiam/client.go
@@ -28,14 +28,36 @@ type iamClient struct {
 iamService *ram.Client
 }
 
-func NewIamClient(accessKeyID, accessKeySecret, resourceName string) (AliCloudIamClient, error) {
- creds, err := credentials.NewCredential(&credentials.Config{
- Type: bptr.FromString("access_key"),
- AccessKeyId: bptr.FromString(accessKeyID),
- AccessKeySecret: bptr.FromString(accessKeySecret),
- })
- if err != nil {
- return nil, fmt.Errorf("failed to create a new credentials: %w", err)
+func NewIamClient(accessKeyID, accessKeySecret, resourceName, roleToAssume string) (AliCloudIamClient, error) {
+ var creds credentials.Credential
+ var err error
+ fmt.Println(roleToAssume)
+ if roleToAssume != "" {
+ credentialsConfig := new(credentials.Config).
+ // Specify the type of the credential.
+ SetType("ram_role_arn").
+ // Specify the AccessKey ID.
+ SetAccessKeyId(accessKeyID).
+ // Specify the AccessKey secret.
+ SetAccessKeySecret(accessKeySecret).
+ SetRoleArn(roleToAssume).
+ SetRoleSessionName("session2").
+ SetRoleSessionExpiration(3600)
+
+ creds, err = credentials.NewCredential(credentialsConfig)
+ if err != nil {
+ fmt.Println("error creating credential client:", err.Error())
+ return nil, err
+ }
+ } else {
+ creds, err = credentials.NewCredential(&credentials.Config{
+ Type: bptr.FromString("access_key"),
+ AccessKeyId: bptr.FromString(accessKeyID),
+ AccessKeySecret: bptr.FromString(accessKeySecret),
+ })
+ if err != nil {
+ return nil, fmt.Errorf("failed to create a new credentials: %w", err)
+ }
 }
 
 iamService, err := ram.NewClient(&openapi.Config{Credential: creds})
diff --git a/plugins/providers/alicloudiam/config.go b/plugins/providers/alicloudiam/config.go
index bbdabd417..84d8f0d1f 100644
--- a/plugins/providers/alicloudiam/config.go
+++ b/plugins/providers/alicloudiam/config.go
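Review bot: `fmt.Println(roleToAssume)` at the top of the new NewIamClient body is a leftover debug print that writes the role ARN to stdout on every client construction; drop it. The ram_role_arn branch then logs with `fmt.Println("error creating credential client:", err.Error())` and returns the bare error, while the access_key branch wraps with `%w` — handle it once and consistently by replacing those two lines with `return nil, fmt.Errorf("failed to create a new credentials: %w", err)`. The hard-coded `SetRoleSessionName("session2")` is presumably what identifies this session in the assumed role's audit records, so a descriptive value (the resourceName parameter is already passed in) would make cross-account activity attributable, and the bare 3600 in `SetRoleSessionExpiration(3600)` deserves a named constant. NewIamClient's body continues past the end of the hunk.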
@@ -20,6 +20,7 @@ const (
 type Credentials struct {
 AccessKeyID string `mapstructure:"access_key_id" json:"access_key_id" validate:"required,base64"`
 AccessKeySecret string `mapstructure:"access_key_secret" json:"access_key_secret" validate:"required,base64"`
+ RoleToAssume string `mapstructure:"role_to_assume" json:"role_to_assume,omitempty"`
 ResourceName string `mapstructure:"resource_name" json:"resource_name" validate:"required"`
 }
 
diff --git a/plugins/providers/alicloudiam/provider.go b/plugins/providers/alicloudiam/provider.go
index 31af9d2ee..209bc088e 100644
--- a/plugins/providers/alicloudiam/provider.go
+++ b/plugins/providers/alicloudiam/provider.go
@@ -219,7 +219,7 @@ func (p *Provider) getIamClient(pc *domain.ProviderConfig) (AliCloudIamClient, e } _ = credentials.Decrypt(p.crypto) - client, err := NewIamClient(credentials.AccessKeyID, credentials.AccessKeySecret, credentials.ResourceName) + client, err := NewIamClient(credentials.AccessKeyID, credentials.AccessKeySecret, credentials.ResourceName, credentials.RoleToAssume) if err != nil { return nil, err }
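Review bot: The new `RoleToAssume` field has no doc comment and, unlike every sibling field in Credentials, no `validate` tag, so a malformed value is only rejected when credential creation fails later in NewIamClient. Add a comment such as `// RoleToAssume is an optional RAM role ARN; when set, the IAM client assumes this role instead of calling with the access key directly.` It is also worth saying in that comment that, unlike AccessKeyID and AccessKeySecret (validated as base64 and apparently decrypted in getIamClient), this value is stored and read as plain text, so operators know it is treated as configuration rather than as a secret.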