backend/oss: Support for assume role config

This commit is contained in:
He Guimin 2019-07-30 23:26:51 +08:00
parent 447fe62986
commit a490dfa495
12 changed files with 563 additions and 5 deletions


@ -3,9 +3,12 @@ package oss
import (
"context"
"fmt"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
"github.com/aliyun/alibaba-cloud-sdk-go/services/sts"
"github.com/aliyun/aliyun-oss-go-sdk/oss"
"github.com/hashicorp/terraform/backend"
"github.com/hashicorp/terraform/helper/schema"
"github.com/hashicorp/terraform/helper/validation"
"os"
"strings"
@ -129,6 +132,8 @@ func New() backend.Backend {
return nil, nil
},
},
"assume_role": assumeRoleSchema(),
},
}
@ -137,6 +142,42 @@ func New() backend.Backend {
return result
}
func assumeRoleSchema() *schema.Schema {
return &schema.Schema{
Type: schema.TypeSet,
Optional: true,
MaxItems: 1,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"role_arn": {
Type: schema.TypeString,
Required: true,
Description: "The ARN of a RAM role to assume prior to making API calls.",
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
},
"session_name": {
Type: schema.TypeString,
Optional: true,
Description: "The session name to use when assuming the role.",
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", "terraform"),
},
"policy": {
Type: schema.TypeString,
Optional: true,
Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
},
"session_expiration": {
Type: schema.TypeInt,
Optional: true,
Description: "The time after which the established session for assuming role expires.",
ValidateFunc: validation.IntBetween(900, 3600),
DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION", 3600),
},
},
},
}
}
type Backend struct {
*schema.Backend
@ -175,6 +216,21 @@ func (b *Backend) configure(ctx context.Context) error {
endpoint := d.Get("endpoint").(string)
schma := "https"
if v, ok := d.GetOk("assume_role"); ok {
for _, v := range v.(*schema.Set).List() {
assumeRole := v.(map[string]interface{})
roleArn := assumeRole["role_arn"].(string)
sessionName := assumeRole["session_name"].(string)
policy := assumeRole["policy"].(string)
sessionExpiration := assumeRole["session_expiration"].(int)
subAccessKeyId, subAccessKeySecret, subSecurityToken, err := getAssumeRoleAK(accessKey, secretKey, region, roleArn, sessionName, policy, sessionExpiration)
if err != nil {
return err
}
accessKey, secretKey, securityToken = subAccessKeyId, subAccessKeySecret, subSecurityToken
}
}
if endpoint == "" {
endpointItem, _ := b.getOSSEndpointByRegion(accessKey, secretKey, securityToken, region)
if endpointItem != nil && len(endpointItem.Endpoint) > 0 {
@ -238,6 +294,25 @@ func (b *Backend) getOSSEndpointByRegion(access_key, secret_key, security_token,
return endpointsResponse, nil
}
func getAssumeRoleAK(accessKey, secretKey, region, roleArn, sessionName, policy string, sessionExpiration int) (string, string, string, error) {
request := sts.CreateAssumeRoleRequest()
request.RoleArn = roleArn
request.RoleSessionName = sessionName
request.DurationSeconds = requests.NewInteger(sessionExpiration)
request.Policy = policy
request.Scheme = "https"
client, err := sts.NewClientWithAccessKey(region, accessKey, secretKey)
if err != nil {
return "", "", "", err
}
response, err := client.AssumeRole(request)
if err != nil {
return "", "", "", err
}
return response.Credentials.AccessKeyId, response.Credentials.AccessKeySecret, response.Credentials.SecurityToken, nil
}
func getSdkConfig() *sdk.Config {
return sdk.NewConfig().
WithMaxRetryTime(5).
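Review bot: In the configure hunk, roleArn is handed to getAssumeRoleAK without checking for an empty value, even though role_arn defaults to "" via ALICLOUD_ASSUME_ROLE_ARN and the documentation in this commit says an empty ARN skips role switching; as written an empty string reaches the STS AssumeRole call. A guard such as `if roleArn == "" { continue }` before the call would make the code match the documented behaviour. The same hunk also drops any securityToken already configured: getAssumeRoleAK builds its client with `sts.NewClientWithAccessKey(region, accessKey, secretKey)`, so a caller whose base credentials are themselves STS credentials cannot assume a role, while the vendored `NewClientWithStsToken` would carry the token through. Finally, getAssumeRoleAK returns the SDK errors bare; wrapping them, e.g. `return "", "", "", fmt.Errorf("assuming role %q: %w", roleArn, err)`, would tell the user which role the backend failed on, and the returned Credentials.Expiration is currently ignored, so presumably a run longer than session_expiration will fail mid-way — worth a comment if that is accepted. configure's body starts and ends outside the hunk.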


@ -112,7 +112,7 @@ func createOSSBucket(t *testing.T, ossClient *oss.Client, bucketName string) {
}
func deleteOSSBucket(t *testing.T, ossClient *oss.Client, bucketName string) {
warning := "WARNING: Failed to delete the test OSS bucket. It may have been left in your Alicloud account and may incur storage charges. (error was %s)"
warning := "WARNING: Failed to delete the test OSS bucket. It may have been left in your Alibaba Cloud account and may incur storage charges. (error was %s)"
// first we have to get rid of the env objects, or we can't delete the bucket
bucket, err := ossClient.Bucket(bucketName)


@ -0,0 +1,108 @@
package sts
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
//
// Code generated by Alibaba Cloud SDK Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is regenerated.
import (
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
)
// AssumeRole invokes the sts.AssumeRole API synchronously
// api document: https://help.aliyun.com/api/sts/assumerole.html
func (client *Client) AssumeRole(request *AssumeRoleRequest) (response *AssumeRoleResponse, err error) {
response = CreateAssumeRoleResponse()
err = client.DoAction(request, response)
return
}
// AssumeRoleWithChan invokes the sts.AssumeRole API asynchronously
// api document: https://help.aliyun.com/api/sts/assumerole.html
// asynchronous document: https://help.aliyun.com/document_detail/66220.html
func (client *Client) AssumeRoleWithChan(request *AssumeRoleRequest) (<-chan *AssumeRoleResponse, <-chan error) {
responseChan := make(chan *AssumeRoleResponse, 1)
errChan := make(chan error, 1)
err := client.AddAsyncTask(func() {
defer close(responseChan)
defer close(errChan)
response, err := client.AssumeRole(request)
if err != nil {
errChan <- err
} else {
responseChan <- response
}
})
if err != nil {
errChan <- err
close(responseChan)
close(errChan)
}
return responseChan, errChan
}
// AssumeRoleWithCallback invokes the sts.AssumeRole API asynchronously
// api document: https://help.aliyun.com/api/sts/assumerole.html
// asynchronous document: https://help.aliyun.com/document_detail/66220.html
func (client *Client) AssumeRoleWithCallback(request *AssumeRoleRequest, callback func(response *AssumeRoleResponse, err error)) <-chan int {
result := make(chan int, 1)
err := client.AddAsyncTask(func() {
var response *AssumeRoleResponse
var err error
defer close(result)
response, err = client.AssumeRole(request)
callback(response, err)
result <- 1
})
if err != nil {
defer close(result)
callback(nil, err)
result <- 0
}
return result
}
// AssumeRoleRequest is the request struct for api AssumeRole
type AssumeRoleRequest struct {
*requests.RpcRequest
RoleArn string `position:"Query" name:"RoleArn"`
RoleSessionName string `position:"Query" name:"RoleSessionName"`
DurationSeconds requests.Integer `position:"Query" name:"DurationSeconds"`
Policy string `position:"Query" name:"Policy"`
}
// AssumeRoleResponse is the response struct for api AssumeRole
type AssumeRoleResponse struct {
*responses.BaseResponse
RequestId string `json:"RequestId" xml:"RequestId"`
Credentials Credentials `json:"Credentials" xml:"Credentials"`
AssumedRoleUser AssumedRoleUser `json:"AssumedRoleUser" xml:"AssumedRoleUser"`
}
// CreateAssumeRoleRequest creates a request to invoke AssumeRole API
func CreateAssumeRoleRequest() (request *AssumeRoleRequest) {
request = &AssumeRoleRequest{
RpcRequest: &requests.RpcRequest{},
}
request.InitWithApiInfo("Sts", "2015-04-01", "AssumeRole", "sts", "openAPI")
return
}
// CreateAssumeRoleResponse creates a response to parse from AssumeRole response
func CreateAssumeRoleResponse() (response *AssumeRoleResponse) {
response = &AssumeRoleResponse{
BaseResponse: &responses.BaseResponse{},
}
return
}


@ -0,0 +1,81 @@
package sts
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
//
// Code generated by Alibaba Cloud SDK Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is regenerated.
import (
"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth"
)
// Client is the sdk client struct, each func corresponds to an OpenAPI
type Client struct {
sdk.Client
}
// NewClient creates a sdk client with environment variables
func NewClient() (client *Client, err error) {
client = &Client{}
err = client.Init()
return
}
// NewClientWithOptions creates a sdk client with regionId/sdkConfig/credential
// this is the common api to create a sdk client
func NewClientWithOptions(regionId string, config *sdk.Config, credential auth.Credential) (client *Client, err error) {
client = &Client{}
err = client.InitWithOptions(regionId, config, credential)
return
}
// NewClientWithAccessKey is a shortcut to create sdk client with accesskey
// usage: https://help.aliyun.com/document_detail/66217.html
func NewClientWithAccessKey(regionId, accessKeyId, accessKeySecret string) (client *Client, err error) {
client = &Client{}
err = client.InitWithAccessKey(regionId, accessKeyId, accessKeySecret)
return
}
// NewClientWithStsToken is a shortcut to create sdk client with sts token
// usage: https://help.aliyun.com/document_detail/66222.html
func NewClientWithStsToken(regionId, stsAccessKeyId, stsAccessKeySecret, stsToken string) (client *Client, err error) {
client = &Client{}
err = client.InitWithStsToken(regionId, stsAccessKeyId, stsAccessKeySecret, stsToken)
return
}
// NewClientWithRamRoleArn is a shortcut to create sdk client with ram roleArn
// usage: https://help.aliyun.com/document_detail/66222.html
func NewClientWithRamRoleArn(regionId string, accessKeyId, accessKeySecret, roleArn, roleSessionName string) (client *Client, err error) {
client = &Client{}
err = client.InitWithRamRoleArn(regionId, accessKeyId, accessKeySecret, roleArn, roleSessionName)
return
}
// NewClientWithEcsRamRole is a shortcut to create sdk client with ecs ram role
// usage: https://help.aliyun.com/document_detail/66223.html
func NewClientWithEcsRamRole(regionId string, roleName string) (client *Client, err error) {
client = &Client{}
err = client.InitWithEcsRamRole(regionId, roleName)
return
}
// NewClientWithRsaKeyPair is a shortcut to create sdk client with rsa key pair
// attention: rsa key pair auth is only Japan regions available
func NewClientWithRsaKeyPair(regionId string, publicKeyId, privateKey string, sessionExpiration int) (client *Client, err error) {
client = &Client{}
err = client.InitWithRsaKeyPair(regionId, publicKeyId, privateKey, sessionExpiration)
return
}


@ -0,0 +1,104 @@
package sts
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
//
// Code generated by Alibaba Cloud SDK Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is regenerated.
import (
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
)
// GenerateSessionAccessKey invokes the sts.GenerateSessionAccessKey API synchronously
// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html
func (client *Client) GenerateSessionAccessKey(request *GenerateSessionAccessKeyRequest) (response *GenerateSessionAccessKeyResponse, err error) {
response = CreateGenerateSessionAccessKeyResponse()
err = client.DoAction(request, response)
return
}
// GenerateSessionAccessKeyWithChan invokes the sts.GenerateSessionAccessKey API asynchronously
// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html
// asynchronous document: https://help.aliyun.com/document_detail/66220.html
func (client *Client) GenerateSessionAccessKeyWithChan(request *GenerateSessionAccessKeyRequest) (<-chan *GenerateSessionAccessKeyResponse, <-chan error) {
responseChan := make(chan *GenerateSessionAccessKeyResponse, 1)
errChan := make(chan error, 1)
err := client.AddAsyncTask(func() {
defer close(responseChan)
defer close(errChan)
response, err := client.GenerateSessionAccessKey(request)
if err != nil {
errChan <- err
} else {
responseChan <- response
}
})
if err != nil {
errChan <- err
close(responseChan)
close(errChan)
}
return responseChan, errChan
}
// GenerateSessionAccessKeyWithCallback invokes the sts.GenerateSessionAccessKey API asynchronously
// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html
// asynchronous document: https://help.aliyun.com/document_detail/66220.html
func (client *Client) GenerateSessionAccessKeyWithCallback(request *GenerateSessionAccessKeyRequest, callback func(response *GenerateSessionAccessKeyResponse, err error)) <-chan int {
result := make(chan int, 1)
err := client.AddAsyncTask(func() {
var response *GenerateSessionAccessKeyResponse
var err error
defer close(result)
response, err = client.GenerateSessionAccessKey(request)
callback(response, err)
result <- 1
})
if err != nil {
defer close(result)
callback(nil, err)
result <- 0
}
return result
}
// GenerateSessionAccessKeyRequest is the request struct for api GenerateSessionAccessKey
type GenerateSessionAccessKeyRequest struct {
*requests.RpcRequest
DurationSeconds requests.Integer `position:"Query" name:"DurationSeconds"`
}
// GenerateSessionAccessKeyResponse is the response struct for api GenerateSessionAccessKey
type GenerateSessionAccessKeyResponse struct {
*responses.BaseResponse
RequestId string `json:"RequestId" xml:"RequestId"`
SessionAccessKey SessionAccessKey `json:"SessionAccessKey" xml:"SessionAccessKey"`
}
// CreateGenerateSessionAccessKeyRequest creates a request to invoke GenerateSessionAccessKey API
func CreateGenerateSessionAccessKeyRequest() (request *GenerateSessionAccessKeyRequest) {
request = &GenerateSessionAccessKeyRequest{
RpcRequest: &requests.RpcRequest{},
}
request.InitWithApiInfo("Sts", "2015-04-01", "GenerateSessionAccessKey", "sts", "openAPI")
return
}
// CreateGenerateSessionAccessKeyResponse creates a response to parse from GenerateSessionAccessKey response
func CreateGenerateSessionAccessKeyResponse() (response *GenerateSessionAccessKeyResponse) {
response = &GenerateSessionAccessKeyResponse{
BaseResponse: &responses.BaseResponse{},
}
return
}


@ -0,0 +1,108 @@
package sts
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
//
// Code generated by Alibaba Cloud SDK Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is regenerated.
import (
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
)
// GetCallerIdentity invokes the sts.GetCallerIdentity API synchronously
// api document: https://help.aliyun.com/api/sts/getcalleridentity.html
func (client *Client) GetCallerIdentity(request *GetCallerIdentityRequest) (response *GetCallerIdentityResponse, err error) {
response = CreateGetCallerIdentityResponse()
err = client.DoAction(request, response)
return
}
// GetCallerIdentityWithChan invokes the sts.GetCallerIdentity API asynchronously
// api document: https://help.aliyun.com/api/sts/getcalleridentity.html
// asynchronous document: https://help.aliyun.com/document_detail/66220.html
func (client *Client) GetCallerIdentityWithChan(request *GetCallerIdentityRequest) (<-chan *GetCallerIdentityResponse, <-chan error) {
responseChan := make(chan *GetCallerIdentityResponse, 1)
errChan := make(chan error, 1)
err := client.AddAsyncTask(func() {
defer close(responseChan)
defer close(errChan)
response, err := client.GetCallerIdentity(request)
if err != nil {
errChan <- err
} else {
responseChan <- response
}
})
if err != nil {
errChan <- err
close(responseChan)
close(errChan)
}
return responseChan, errChan
}
// GetCallerIdentityWithCallback invokes the sts.GetCallerIdentity API asynchronously
// api document: https://help.aliyun.com/api/sts/getcalleridentity.html
// asynchronous document: https://help.aliyun.com/document_detail/66220.html
func (client *Client) GetCallerIdentityWithCallback(request *GetCallerIdentityRequest, callback func(response *GetCallerIdentityResponse, err error)) <-chan int {
result := make(chan int, 1)
err := client.AddAsyncTask(func() {
var response *GetCallerIdentityResponse
var err error
defer close(result)
response, err = client.GetCallerIdentity(request)
callback(response, err)
result <- 1
})
if err != nil {
defer close(result)
callback(nil, err)
result <- 0
}
return result
}
// GetCallerIdentityRequest is the request struct for api GetCallerIdentity
type GetCallerIdentityRequest struct {
*requests.RpcRequest
}
// GetCallerIdentityResponse is the response struct for api GetCallerIdentity
type GetCallerIdentityResponse struct {
*responses.BaseResponse
AccountId string `json:"AccountId" xml:"AccountId"`
UserId string `json:"UserId" xml:"UserId"`
RoleId string `json:"RoleId" xml:"RoleId"`
Arn string `json:"Arn" xml:"Arn"`
IdentityType string `json:"IdentityType" xml:"IdentityType"`
PrincipalId string `json:"PrincipalId" xml:"PrincipalId"`
RequestId string `json:"RequestId" xml:"RequestId"`
}
// CreateGetCallerIdentityRequest creates a request to invoke GetCallerIdentity API
func CreateGetCallerIdentityRequest() (request *GetCallerIdentityRequest) {
request = &GetCallerIdentityRequest{
RpcRequest: &requests.RpcRequest{},
}
request.InitWithApiInfo("Sts", "2015-04-01", "GetCallerIdentity", "sts", "openAPI")
return
}
// CreateGetCallerIdentityResponse creates a response to parse from GetCallerIdentity response
func CreateGetCallerIdentityResponse() (response *GetCallerIdentityResponse) {
response = &GetCallerIdentityResponse{
BaseResponse: &responses.BaseResponse{},
}
return
}


@ -0,0 +1,22 @@
package sts
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
//
// Code generated by Alibaba Cloud SDK Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is regenerated.
// AssumedRoleUser is a nested struct in sts response
type AssumedRoleUser struct {
Arn string `json:"Arn" xml:"Arn"`
AssumedRoleId string `json:"AssumedRoleId" xml:"AssumedRoleId"`
}


@ -0,0 +1,24 @@
package sts
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
//
// Code generated by Alibaba Cloud SDK Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is regenerated.
// Credentials is a nested struct in sts response
type Credentials struct {
SecurityToken string `json:"SecurityToken" xml:"SecurityToken"`
AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
AccessKeyId string `json:"AccessKeyId" xml:"AccessKeyId"`
Expiration string `json:"Expiration" xml:"Expiration"`
}


@ -0,0 +1,23 @@
package sts
//Licensed under the Apache License, Version 2.0 (the "License");
//you may not use this file except in compliance with the License.
//You may obtain a copy of the License at
//
//http://www.apache.org/licenses/LICENSE-2.0
//
//Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//See the License for the specific language governing permissions and
//limitations under the License.
//
// Code generated by Alibaba Cloud SDK Code Generator.
// Changes may cause incorrect behavior and will be lost if the code is regenerated.
// SessionAccessKey is a nested struct in sts response
type SessionAccessKey struct {
SessionAccessKeyId string `json:"SessionAccessKeyId" xml:"SessionAccessKeyId"`
SessionAccessKeySecret string `json:"SessionAccessKeySecret" xml:"SessionAccessKeySecret"`
Expiration string `json:"Expiration" xml:"Expiration"`
}

vendor/modules.txt vendored

@ -50,12 +50,13 @@ github.com/agl/ed25519/edwards25519
# github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190329064014-6e358769c32a
github.com/aliyun/alibaba-cloud-sdk-go/sdk
github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials
github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests
github.com/aliyun/alibaba-cloud-sdk-go/services/location
github.com/aliyun/alibaba-cloud-sdk-go/services/sts
github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth
github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/provider
github.com/aliyun/alibaba-cloud-sdk-go/sdk/endpoints
github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors
github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests
github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses
github.com/aliyun/alibaba-cloud-sdk-go/sdk/utils
github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/signers


@ -75,8 +75,8 @@ data "terraform_remote_state" "network" {
The following configuration options or environment variables are supported:
* `access_key` - (Optional) Alicloud access key. It supports environment variables `ALICLOUD_ACCESS_KEY` and `ALICLOUD_ACCESS_KEY_ID`.
* `secret_key` - (Optional) Alicloud secret access key. It supports environment variables `ALICLOUD_SECRET_KEY` and `ALICLOUD_ACCESS_KEY_SECRET`.
* `access_key` - (Optional) Alibaba Cloud access key. It supports environment variables `ALICLOUD_ACCESS_KEY` and `ALICLOUD_ACCESS_KEY_ID`.
* `secret_key` - (Optional) Alibaba Cloud secret access key. It supports environment variables `ALICLOUD_SECRET_KEY` and `ALICLOUD_ACCESS_KEY_SECRET`.
* `security_token` - (Optional) STS access token. It supports environment variable `ALICLOUD_SECURITY_TOKEN`.
* `region` - (Optional) The region of the OSS bucket. It supports environment variables `ALICLOUD_REGION` and `ALICLOUD_DEFAULT_REGION`.
* `endpoint` - (Optional) A custom endpoint for the OSS API. It supports environment variables `ALICLOUD_OSS_ENDPOINT` and `OSS_ENDPOINT`.
@ -90,6 +90,18 @@ The following configuration options or environment variables are supported:
* `acl` - (Optional) [Object
ACL](https://www.alibabacloud.com/help/doc-detail/52284.htm)
to be applied to the state file.
* `assume_role` - (Optional) If provided with a role ARN, will attempt to assume this role using the supplied credentials.
The nested `assume_role` block supports the following:
* `role_arn` - (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
Terraform executes configuration on account with provided credentials.
* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.
* `session_name` - (Optional) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`.
* `session_expiration` - (Optional) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.
-> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com"


@ -25,7 +25,7 @@ down to see all providers.
- [ACME](/docs/providers/acme/index.html)
- [Akamai](/docs/providers/akamai/index.html)
- [Alicloud](/docs/providers/alicloud/index.html)
- [Alibaba Cloud](/docs/providers/alicloud/index.html)
- [Archive](/docs/providers/archive/index.html)
- [Arukas](/docs/providers/arukas/index.html)
- [Avi Vantage](/docs/providers/avi/index.html)