backend/oss: Support for assume role config

2019-07-30 23:26:51 +08:00 · 2019-07-30 23:26:51 +08:00 · a490dfa495
parent 447fe62986
commit a490dfa495
12 changed files with 563 additions and 5 deletions
--- a/backend/remote-state/oss/backend.go
+++ b/backend/remote-state/oss/backend.go
@ -3,9 +3,12 @@ package oss
 import (
 	"context"
 	"fmt"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
+	"github.com/aliyun/alibaba-cloud-sdk-go/services/sts"
 	"github.com/aliyun/aliyun-oss-go-sdk/oss"
 	"github.com/hashicorp/terraform/backend"
 	"github.com/hashicorp/terraform/helper/schema"
+	"github.com/hashicorp/terraform/helper/validation"
 	"os"
 	"strings"

@ -129,6 +132,8 @@ func New() backend.Backend {
 					return nil, nil
 				},
 			},
+
+			"assume_role": assumeRoleSchema(),
 		},
 	}

@ -137,6 +142,42 @@ func New() backend.Backend {
 	return result
 }

+func assumeRoleSchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeSet,
+		Optional: true,
+		MaxItems: 1,
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"role_arn": {
+					Type:        schema.TypeString,
+					Required:    true,
+					Description: "The ARN of a RAM role to assume prior to making API calls.",
+					DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_ARN", ""),
+				},
+				"session_name": {
+					Type:        schema.TypeString,
+					Optional:    true,
+					Description: "The session name to use when assuming the role.",
+					DefaultFunc: schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_NAME", "terraform"),
+				},
+				"policy": {
+					Type:        schema.TypeString,
+					Optional:    true,
+					Description: "The permissions applied when assuming a role. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.",
+				},
+				"session_expiration": {
+					Type:         schema.TypeInt,
+					Optional:     true,
+					Description:  "The time after which the established session for assuming role expires.",
+					ValidateFunc: validation.IntBetween(900, 3600),
+					DefaultFunc:  schema.EnvDefaultFunc("ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION", 3600),
+				},
+			},
+		},
+	}
+}
+
 type Backend struct {
 	*schema.Backend

@ -175,6 +216,21 @@ func (b *Backend) configure(ctx context.Context) error {
 	endpoint := d.Get("endpoint").(string)
 	schma := "https"

+	if v, ok := d.GetOk("assume_role"); ok {
+		for _, v := range v.(*schema.Set).List() {
+			assumeRole := v.(map[string]interface{})
+			roleArn := assumeRole["role_arn"].(string)
+			sessionName := assumeRole["session_name"].(string)
+			policy := assumeRole["policy"].(string)
+			sessionExpiration := assumeRole["session_expiration"].(int)
+			subAccessKeyId, subAccessKeySecret, subSecurityToken, err := getAssumeRoleAK(accessKey, secretKey, region, roleArn, sessionName, policy, sessionExpiration)
+			if err != nil {
+				return err
+			}
+			accessKey, secretKey, securityToken = subAccessKeyId, subAccessKeySecret, subSecurityToken
+		}
+	}
+
 	if endpoint == "" {
 		endpointItem, _ := b.getOSSEndpointByRegion(accessKey, secretKey, securityToken, region)
 		if endpointItem != nil && len(endpointItem.Endpoint) > 0 {
@ -238,6 +294,25 @@ func (b *Backend) getOSSEndpointByRegion(access_key, secret_key, security_token,
 	return endpointsResponse, nil
 }

+func getAssumeRoleAK(accessKey, secretKey, region, roleArn, sessionName, policy string, sessionExpiration int) (string, string, string, error) {
+	request := sts.CreateAssumeRoleRequest()
+	request.RoleArn = roleArn
+	request.RoleSessionName = sessionName
+	request.DurationSeconds = requests.NewInteger(sessionExpiration)
+	request.Policy = policy
+	request.Scheme = "https"
+
+	client, err := sts.NewClientWithAccessKey(region, accessKey, secretKey)
+	if err != nil {
+		return "", "", "", err
+	}
+	response, err := client.AssumeRole(request)
+	if err != nil {
+		return "", "", "", err
+	}
+	return response.Credentials.AccessKeyId, response.Credentials.AccessKeySecret, response.Credentials.SecurityToken, nil
+}
+
 func getSdkConfig() *sdk.Config {
 	return sdk.NewConfig().
 		WithMaxRetryTime(5).
--- a/backend/remote-state/oss/backend_test.go
+++ b/backend/remote-state/oss/backend_test.go
@ -112,7 +112,7 @@ func createOSSBucket(t *testing.T, ossClient *oss.Client, bucketName string) {
 }

 func deleteOSSBucket(t *testing.T, ossClient *oss.Client, bucketName string) {
-	warning := "WARNING: Failed to delete the test OSS bucket. It may have been left in your Alicloud account and may incur storage charges. (error was %s)"
+	warning := "WARNING: Failed to delete the test OSS bucket. It may have been left in your Alibaba Cloud account and may incur storage charges. (error was %s)"

 	// first we have to get rid of the env objects, or we can't delete the bucket
 	bucket, err := ossClient.Bucket(bucketName)
--- a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/assume_role.go
+++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/assume_role.go
@ -0,0 +1,108 @@
+package sts
+
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+//
+// Code generated by Alibaba Cloud SDK Code Generator.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+import (
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
+)
+
+// AssumeRole invokes the sts.AssumeRole API synchronously
+// api document: https://help.aliyun.com/api/sts/assumerole.html
+func (client *Client) AssumeRole(request *AssumeRoleRequest) (response *AssumeRoleResponse, err error) {
+	response = CreateAssumeRoleResponse()
+	err = client.DoAction(request, response)
+	return
+}
+
+// AssumeRoleWithChan invokes the sts.AssumeRole API asynchronously
+// api document: https://help.aliyun.com/api/sts/assumerole.html
+// asynchronous document: https://help.aliyun.com/document_detail/66220.html
+func (client *Client) AssumeRoleWithChan(request *AssumeRoleRequest) (<-chan *AssumeRoleResponse, <-chan error) {
+	responseChan := make(chan *AssumeRoleResponse, 1)
+	errChan := make(chan error, 1)
+	err := client.AddAsyncTask(func() {
+		defer close(responseChan)
+		defer close(errChan)
+		response, err := client.AssumeRole(request)
+		if err != nil {
+			errChan <- err
+		} else {
+			responseChan <- response
+		}
+	})
+	if err != nil {
+		errChan <- err
+		close(responseChan)
+		close(errChan)
+	}
+	return responseChan, errChan
+}
+
+// AssumeRoleWithCallback invokes the sts.AssumeRole API asynchronously
+// api document: https://help.aliyun.com/api/sts/assumerole.html
+// asynchronous document: https://help.aliyun.com/document_detail/66220.html
+func (client *Client) AssumeRoleWithCallback(request *AssumeRoleRequest, callback func(response *AssumeRoleResponse, err error)) <-chan int {
+	result := make(chan int, 1)
+	err := client.AddAsyncTask(func() {
+		var response *AssumeRoleResponse
+		var err error
+		defer close(result)
+		response, err = client.AssumeRole(request)
+		callback(response, err)
+		result <- 1
+	})
+	if err != nil {
+		defer close(result)
+		callback(nil, err)
+		result <- 0
+	}
+	return result
+}
+
+// AssumeRoleRequest is the request struct for api AssumeRole
+type AssumeRoleRequest struct {
+	*requests.RpcRequest
+	RoleArn         string           `position:"Query" name:"RoleArn"`
+	RoleSessionName string           `position:"Query" name:"RoleSessionName"`
+	DurationSeconds requests.Integer `position:"Query" name:"DurationSeconds"`
+	Policy          string           `position:"Query" name:"Policy"`
+}
+
+// AssumeRoleResponse is the response struct for api AssumeRole
+type AssumeRoleResponse struct {
+	*responses.BaseResponse
+	RequestId       string          `json:"RequestId" xml:"RequestId"`
+	Credentials     Credentials     `json:"Credentials" xml:"Credentials"`
+	AssumedRoleUser AssumedRoleUser `json:"AssumedRoleUser" xml:"AssumedRoleUser"`
+}
+
+// CreateAssumeRoleRequest creates a request to invoke AssumeRole API
+func CreateAssumeRoleRequest() (request *AssumeRoleRequest) {
+	request = &AssumeRoleRequest{
+		RpcRequest: &requests.RpcRequest{},
+	}
+	request.InitWithApiInfo("Sts", "2015-04-01", "AssumeRole", "sts", "openAPI")
+	return
+}
+
+// CreateAssumeRoleResponse creates a response to parse from AssumeRole response
+func CreateAssumeRoleResponse() (response *AssumeRoleResponse) {
+	response = &AssumeRoleResponse{
+		BaseResponse: &responses.BaseResponse{},
+	}
+	return
+}
--- a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/client.go
+++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/client.go
@ -0,0 +1,81 @@
+package sts
+
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+//
+// Code generated by Alibaba Cloud SDK Code Generator.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+import (
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth"
+)
+
+// Client is the sdk client struct, each func corresponds to an OpenAPI
+type Client struct {
+	sdk.Client
+}
+
+// NewClient creates a sdk client with environment variables
+func NewClient() (client *Client, err error) {
+	client = &Client{}
+	err = client.Init()
+	return
+}
+
+// NewClientWithOptions creates a sdk client with regionId/sdkConfig/credential
+// this is the common api to create a sdk client
+func NewClientWithOptions(regionId string, config *sdk.Config, credential auth.Credential) (client *Client, err error) {
+	client = &Client{}
+	err = client.InitWithOptions(regionId, config, credential)
+	return
+}
+
+// NewClientWithAccessKey is a shortcut to create sdk client with accesskey
+// usage: https://help.aliyun.com/document_detail/66217.html
+func NewClientWithAccessKey(regionId, accessKeyId, accessKeySecret string) (client *Client, err error) {
+	client = &Client{}
+	err = client.InitWithAccessKey(regionId, accessKeyId, accessKeySecret)
+	return
+}
+
+// NewClientWithStsToken is a shortcut to create sdk client with sts token
+// usage: https://help.aliyun.com/document_detail/66222.html
+func NewClientWithStsToken(regionId, stsAccessKeyId, stsAccessKeySecret, stsToken string) (client *Client, err error) {
+	client = &Client{}
+	err = client.InitWithStsToken(regionId, stsAccessKeyId, stsAccessKeySecret, stsToken)
+	return
+}
+
+// NewClientWithRamRoleArn is a shortcut to create sdk client with ram roleArn
+// usage: https://help.aliyun.com/document_detail/66222.html
+func NewClientWithRamRoleArn(regionId string, accessKeyId, accessKeySecret, roleArn, roleSessionName string) (client *Client, err error) {
+	client = &Client{}
+	err = client.InitWithRamRoleArn(regionId, accessKeyId, accessKeySecret, roleArn, roleSessionName)
+	return
+}
+
+// NewClientWithEcsRamRole is a shortcut to create sdk client with ecs ram role
+// usage: https://help.aliyun.com/document_detail/66223.html
+func NewClientWithEcsRamRole(regionId string, roleName string) (client *Client, err error) {
+	client = &Client{}
+	err = client.InitWithEcsRamRole(regionId, roleName)
+	return
+}
+
+// NewClientWithRsaKeyPair is a shortcut to create sdk client with rsa key pair
+// attention: rsa key pair auth is only Japan regions available
+func NewClientWithRsaKeyPair(regionId string, publicKeyId, privateKey string, sessionExpiration int) (client *Client, err error) {
+	client = &Client{}
+	err = client.InitWithRsaKeyPair(regionId, publicKeyId, privateKey, sessionExpiration)
+	return
+}
--- a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/generate_session_access_key.go
+++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/generate_session_access_key.go
@ -0,0 +1,104 @@
+package sts
+
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+//
+// Code generated by Alibaba Cloud SDK Code Generator.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+import (
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
+)
+
+// GenerateSessionAccessKey invokes the sts.GenerateSessionAccessKey API synchronously
+// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html
+func (client *Client) GenerateSessionAccessKey(request *GenerateSessionAccessKeyRequest) (response *GenerateSessionAccessKeyResponse, err error) {
+	response = CreateGenerateSessionAccessKeyResponse()
+	err = client.DoAction(request, response)
+	return
+}
+
+// GenerateSessionAccessKeyWithChan invokes the sts.GenerateSessionAccessKey API asynchronously
+// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html
+// asynchronous document: https://help.aliyun.com/document_detail/66220.html
+func (client *Client) GenerateSessionAccessKeyWithChan(request *GenerateSessionAccessKeyRequest) (<-chan *GenerateSessionAccessKeyResponse, <-chan error) {
+	responseChan := make(chan *GenerateSessionAccessKeyResponse, 1)
+	errChan := make(chan error, 1)
+	err := client.AddAsyncTask(func() {
+		defer close(responseChan)
+		defer close(errChan)
+		response, err := client.GenerateSessionAccessKey(request)
+		if err != nil {
+			errChan <- err
+		} else {
+			responseChan <- response
+		}
+	})
+	if err != nil {
+		errChan <- err
+		close(responseChan)
+		close(errChan)
+	}
+	return responseChan, errChan
+}
+
+// GenerateSessionAccessKeyWithCallback invokes the sts.GenerateSessionAccessKey API asynchronously
+// api document: https://help.aliyun.com/api/sts/generatesessionaccesskey.html
+// asynchronous document: https://help.aliyun.com/document_detail/66220.html
+func (client *Client) GenerateSessionAccessKeyWithCallback(request *GenerateSessionAccessKeyRequest, callback func(response *GenerateSessionAccessKeyResponse, err error)) <-chan int {
+	result := make(chan int, 1)
+	err := client.AddAsyncTask(func() {
+		var response *GenerateSessionAccessKeyResponse
+		var err error
+		defer close(result)
+		response, err = client.GenerateSessionAccessKey(request)
+		callback(response, err)
+		result <- 1
+	})
+	if err != nil {
+		defer close(result)
+		callback(nil, err)
+		result <- 0
+	}
+	return result
+}
+
+// GenerateSessionAccessKeyRequest is the request struct for api GenerateSessionAccessKey
+type GenerateSessionAccessKeyRequest struct {
+	*requests.RpcRequest
+	DurationSeconds requests.Integer `position:"Query" name:"DurationSeconds"`
+}
+
+// GenerateSessionAccessKeyResponse is the response struct for api GenerateSessionAccessKey
+type GenerateSessionAccessKeyResponse struct {
+	*responses.BaseResponse
+	RequestId        string           `json:"RequestId" xml:"RequestId"`
+	SessionAccessKey SessionAccessKey `json:"SessionAccessKey" xml:"SessionAccessKey"`
+}
+
+// CreateGenerateSessionAccessKeyRequest creates a request to invoke GenerateSessionAccessKey API
+func CreateGenerateSessionAccessKeyRequest() (request *GenerateSessionAccessKeyRequest) {
+	request = &GenerateSessionAccessKeyRequest{
+		RpcRequest: &requests.RpcRequest{},
+	}
+	request.InitWithApiInfo("Sts", "2015-04-01", "GenerateSessionAccessKey", "sts", "openAPI")
+	return
+}
+
+// CreateGenerateSessionAccessKeyResponse creates a response to parse from GenerateSessionAccessKey response
+func CreateGenerateSessionAccessKeyResponse() (response *GenerateSessionAccessKeyResponse) {
+	response = &GenerateSessionAccessKeyResponse{
+		BaseResponse: &responses.BaseResponse{},
+	}
+	return
+}
--- a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/get_caller_identity.go
+++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/get_caller_identity.go
@ -0,0 +1,108 @@
+package sts
+
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+//
+// Code generated by Alibaba Cloud SDK Code Generator.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+import (
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
+)
+
+// GetCallerIdentity invokes the sts.GetCallerIdentity API synchronously
+// api document: https://help.aliyun.com/api/sts/getcalleridentity.html
+func (client *Client) GetCallerIdentity(request *GetCallerIdentityRequest) (response *GetCallerIdentityResponse, err error) {
+	response = CreateGetCallerIdentityResponse()
+	err = client.DoAction(request, response)
+	return
+}
+
+// GetCallerIdentityWithChan invokes the sts.GetCallerIdentity API asynchronously
+// api document: https://help.aliyun.com/api/sts/getcalleridentity.html
+// asynchronous document: https://help.aliyun.com/document_detail/66220.html
+func (client *Client) GetCallerIdentityWithChan(request *GetCallerIdentityRequest) (<-chan *GetCallerIdentityResponse, <-chan error) {
+	responseChan := make(chan *GetCallerIdentityResponse, 1)
+	errChan := make(chan error, 1)
+	err := client.AddAsyncTask(func() {
+		defer close(responseChan)
+		defer close(errChan)
+		response, err := client.GetCallerIdentity(request)
+		if err != nil {
+			errChan <- err
+		} else {
+			responseChan <- response
+		}
+	})
+	if err != nil {
+		errChan <- err
+		close(responseChan)
+		close(errChan)
+	}
+	return responseChan, errChan
+}
+
+// GetCallerIdentityWithCallback invokes the sts.GetCallerIdentity API asynchronously
+// api document: https://help.aliyun.com/api/sts/getcalleridentity.html
+// asynchronous document: https://help.aliyun.com/document_detail/66220.html
+func (client *Client) GetCallerIdentityWithCallback(request *GetCallerIdentityRequest, callback func(response *GetCallerIdentityResponse, err error)) <-chan int {
+	result := make(chan int, 1)
+	err := client.AddAsyncTask(func() {
+		var response *GetCallerIdentityResponse
+		var err error
+		defer close(result)
+		response, err = client.GetCallerIdentity(request)
+		callback(response, err)
+		result <- 1
+	})
+	if err != nil {
+		defer close(result)
+		callback(nil, err)
+		result <- 0
+	}
+	return result
+}
+
+// GetCallerIdentityRequest is the request struct for api GetCallerIdentity
+type GetCallerIdentityRequest struct {
+	*requests.RpcRequest
+}
+
+// GetCallerIdentityResponse is the response struct for api GetCallerIdentity
+type GetCallerIdentityResponse struct {
+	*responses.BaseResponse
+	AccountId    string `json:"AccountId" xml:"AccountId"`
+	UserId       string `json:"UserId" xml:"UserId"`
+	RoleId       string `json:"RoleId" xml:"RoleId"`
+	Arn          string `json:"Arn" xml:"Arn"`
+	IdentityType string `json:"IdentityType" xml:"IdentityType"`
+	PrincipalId  string `json:"PrincipalId" xml:"PrincipalId"`
+	RequestId    string `json:"RequestId" xml:"RequestId"`
+}
+
+// CreateGetCallerIdentityRequest creates a request to invoke GetCallerIdentity API
+func CreateGetCallerIdentityRequest() (request *GetCallerIdentityRequest) {
+	request = &GetCallerIdentityRequest{
+		RpcRequest: &requests.RpcRequest{},
+	}
+	request.InitWithApiInfo("Sts", "2015-04-01", "GetCallerIdentity", "sts", "openAPI")
+	return
+}
+
+// CreateGetCallerIdentityResponse creates a response to parse from GetCallerIdentity response
+func CreateGetCallerIdentityResponse() (response *GetCallerIdentityResponse) {
+	response = &GetCallerIdentityResponse{
+		BaseResponse: &responses.BaseResponse{},
+	}
+	return
+}
--- a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_assumed_role_user.go
+++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_assumed_role_user.go
@ -0,0 +1,22 @@
+package sts
+
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+//
+// Code generated by Alibaba Cloud SDK Code Generator.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+// AssumedRoleUser is a nested struct in sts response
+type AssumedRoleUser struct {
+	Arn           string `json:"Arn" xml:"Arn"`
+	AssumedRoleId string `json:"AssumedRoleId" xml:"AssumedRoleId"`
+}
--- a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_credentials.go
+++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_credentials.go
@ -0,0 +1,24 @@
+package sts
+
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+//
+// Code generated by Alibaba Cloud SDK Code Generator.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+// Credentials is a nested struct in sts response
+type Credentials struct {
+	SecurityToken   string `json:"SecurityToken" xml:"SecurityToken"`
+	AccessKeySecret string `json:"AccessKeySecret" xml:"AccessKeySecret"`
+	AccessKeyId     string `json:"AccessKeyId" xml:"AccessKeyId"`
+	Expiration      string `json:"Expiration" xml:"Expiration"`
+}
--- a/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_session_access_key.go
+++ b/vendor/github.com/aliyun/alibaba-cloud-sdk-go/services/sts/struct_session_access_key.go
@ -0,0 +1,23 @@
+package sts
+
+//Licensed under the Apache License, Version 2.0 (the "License");
+//you may not use this file except in compliance with the License.
+//You may obtain a copy of the License at
+//
+//http://www.apache.org/licenses/LICENSE-2.0
+//
+//Unless required by applicable law or agreed to in writing, software
+//distributed under the License is distributed on an "AS IS" BASIS,
+//WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//See the License for the specific language governing permissions and
+//limitations under the License.
+//
+// Code generated by Alibaba Cloud SDK Code Generator.
+// Changes may cause incorrect behavior and will be lost if the code is regenerated.
+
+// SessionAccessKey is a nested struct in sts response
+type SessionAccessKey struct {
+	SessionAccessKeyId     string `json:"SessionAccessKeyId" xml:"SessionAccessKeyId"`
+	SessionAccessKeySecret string `json:"SessionAccessKeySecret" xml:"SessionAccessKeySecret"`
+	Expiration             string `json:"Expiration" xml:"Expiration"`
+}
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -50,12 +50,13 @@ github.com/agl/ed25519/edwards25519
 # github.com/aliyun/alibaba-cloud-sdk-go v0.0.0-20190329064014-6e358769c32a
 github.com/aliyun/alibaba-cloud-sdk-go/sdk
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials
+github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests
 github.com/aliyun/alibaba-cloud-sdk-go/services/location
+github.com/aliyun/alibaba-cloud-sdk-go/services/sts
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/provider
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/endpoints
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors
-github.com/aliyun/alibaba-cloud-sdk-go/sdk/requests
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/utils
 github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/signers
--- a/website/docs/backends/types/oss.html.md
+++ b/website/docs/backends/types/oss.html.md
@ -75,8 +75,8 @@ data "terraform_remote_state" "network" {

 The following configuration options or environment variables are supported:

- * `access_key` - (Optional) Alicloud access key. It supports environment variables `ALICLOUD_ACCESS_KEY` and  `ALICLOUD_ACCESS_KEY_ID`.
- * `secret_key` - (Optional) Alicloud secret access key. It supports environment variables `ALICLOUD_SECRET_KEY` and  `ALICLOUD_ACCESS_KEY_SECRET`.
+ * `access_key` - (Optional) Alibaba Cloud access key. It supports environment variables `ALICLOUD_ACCESS_KEY` and  `ALICLOUD_ACCESS_KEY_ID`.
+ * `secret_key` - (Optional) Alibaba Cloud secret access key. It supports environment variables `ALICLOUD_SECRET_KEY` and  `ALICLOUD_ACCESS_KEY_SECRET`.
 * `security_token` - (Optional) STS access token. It supports environment variable `ALICLOUD_SECURITY_TOKEN`.
 * `region` - (Optional) The region of the OSS bucket. It supports environment variables `ALICLOUD_REGION` and `ALICLOUD_DEFAULT_REGION`.
 * `endpoint` - (Optional) A custom endpoint for the OSS API. It supports environment variables `ALICLOUD_OSS_ENDPOINT` and `OSS_ENDPOINT`.
@ -90,6 +90,18 @@ The following configuration options or environment variables are supported:
 * `acl` - (Optional) [Object
   ACL](https://www.alibabacloud.com/help/doc-detail/52284.htm)
   to be applied to the state file.
+ * `assume_role` - (Optional) If provided with a role ARN, will attempt to assume this role using the supplied credentials.
+ 
+The nested `assume_role` block supports the following:
+* `role_arn` - (Required) The ARN of the role to assume. If ARN is set to an empty string, it does not perform role switching. It supports environment variable `ALICLOUD_ASSUME_ROLE_ARN`.
+  Terraform executes configuration on account with provided credentials.
+
+* `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary
+  security credentials. You cannot use this policy to grant permissions which exceed those of the role that is being assumed.
+
+* `session_name` - (Optional) The session name to use when assuming the role. If omitted, 'terraform' is passed to the AssumeRole call as session name. It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_NAME`.
+
+* `session_expiration` - (Optional) The time after which the established session for assuming role expires. Valid value range: [900-3600] seconds. Default to 3600 (in this case Alibaba Cloud use own default value). It supports environment variable `ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION`.

 -> **Note:** If you want to store state in the custom OSS endpoint, you can specify a environment variable `OSS_ENDPOINT`, like "oss-cn-beijing-internal.aliyuncs.com"

--- a/website/docs/providers/index.html.markdown
+++ b/website/docs/providers/index.html.markdown
@ -25,7 +25,7 @@ down to see all providers.

 - [ACME](/docs/providers/acme/index.html)
 - [Akamai](/docs/providers/akamai/index.html)
- [Alicloud](/docs/providers/alicloud/index.html)
+- [Alibaba Cloud](/docs/providers/alicloud/index.html)
 - [Archive](/docs/providers/archive/index.html)
 - [Arukas](/docs/providers/arukas/index.html)
 - [Avi Vantage](/docs/providers/avi/index.html)