
Commit ba77280

feat(provider): [119093637] support cam role name auth (#2767)
* add * add * add * fix
1 parent 0279c01 commit ba77280


3 files changed

+84
-3
lines changed


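--- a/.changelog/2767.txt
+++ b/.changelog/2767.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+provider: support cam role name auth
+```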

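--- a/tencentcloud/common/common.go
+++ b/tencentcloud/common/common.go
@@ -5,8 +5,10 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
+	"net/http"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -32,6 +34,15 @@ var ContextNil context.Context = nil
 
 type contextLogId string
 
+type CAMResponse struct {
+	TmpSecretId  string `json:"TmpSecretId"`
+	TmpSecretKey string `json:"TmpSecretKey"`
+	ExpiredTime  int64  `json:"ExpiredTime"`
+	Expiration   string `json:"Expiration"`
+	Token        string `json:"Token"`
+	Code         string `json:"Code"`
+}
+
 const LogIdKey = contextLogId("logId")
 
 const (
@@ -612,3 +623,36 @@ func ShortRegionNameParse(shortRegion string) string {
 	}
 	return regionMap[shortRegion]
 }
+
+func GetAuthFromCAM(roleName string) (camResp *CAMResponse, err error) {
+	url := fmt.Sprintf("http://metadata.tencentyun.com/latest/meta-data/cam/security-credentials/%s", roleName)
+	log.Printf("[CRITAL] Request CAM security credentials url: %s\n", url)
+	// maximum waiting time
+	client := &http.Client{Timeout: 2 * time.Second}
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Printf("[CRITAL] Request CAM security credentials resp err: %s", err.Error())
+		return
+	}
+
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Printf("[CRITAL] Request CAM security credentials body read err: %s", err.Error())
+		return
+	}
+
+	err = json.Unmarshal(body, &camResp)
+	if err != nil {
+		log.Printf("[CRITAL] Request CAM security credentials resp json err: %s", err.Error())
+		return
+	}
+
+	return
+}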
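Review bot: GetAuthFromCAM never checks resp.StatusCode, nor the Code field it decodes into CAMResponse, so a 404 for an unknown role name or an error document from the metadata service is unmarshaled into a mostly-empty CAMResponse and returned with err == nil, and the caller ends up with blank TmpSecretId/Token and no diagnostic. After the client.Do error check add `if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("cam metadata returned status %d for role %q", resp.StatusCode, roleName) }`, and after decoding reject a response whose TmpSecretId or Token is empty (the success value of Code is not visible here, so I would not key on it without checking the metadata docs). roleName is also interpolated unescaped into the URL path, so a value containing `/` or `..` addresses a different metadata path; `url.PathEscape(roleName)` would pin it to one segment (net/url is not among the imports this hunk adds, so that needs an import). Minor: the local `url` shadows the net/url package name, and `[CRITAL]` on the routine request line is misspelled and too loud for a normal code path — `[DEBUG]` fits the existing log-level tags better.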

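--- a/tencentcloud/provider.go
+++ b/tencentcloud/provider.go
@@ -132,6 +132,7 @@ const (
 	PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN"
 	PROVIDER_SHARED_CREDENTIALS_DIR         = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR"
 	PROVIDER_PROFILE                        = "TENCENTCLOUD_PROFILE"
+	PROVIDER_CAM_ROLE_NAME                  = "TENCENTCLOUD_CAM_ROLE_NAME"
 )
 
 const (
@@ -161,13 +162,13 @@ func Provider() *schema.Provider {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc(PROVIDER_SECRET_ID, nil),
-				Description: "This is the TencentCloud access key. It must be provided, but it can also be sourced from the `TENCENTCLOUD_SECRET_ID` environment variable.",
+				Description: "This is the TencentCloud access key. It can also be sourced from the `TENCENTCLOUD_SECRET_ID` environment variable.",
 			},
 			"secret_key": {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc(PROVIDER_SECRET_KEY, nil),
-				Description: "This is the TencentCloud secret key. It must be provided, but it can also be sourced from the `TENCENTCLOUD_SECRET_KEY` environment variable.",
+				Description: "This is the TencentCloud secret key. It can also be sourced from the `TENCENTCLOUD_SECRET_KEY` environment variable.",
 				Sensitive:   true,
 			},
 			"security_token": {
@@ -181,7 +182,7 @@ func Provider() *schema.Provider {
 				Type:        schema.TypeString,
 				Optional:    true,
 				DefaultFunc: schema.EnvDefaultFunc(PROVIDER_REGION, nil),
-				Description: "This is the TencentCloud region. It must be provided, but it can also be sourced from the `TENCENTCLOUD_REGION` environment variables. The default input value is ap-guangzhou.",
+				Description: "This is the TencentCloud region. It can also be sourced from the `TENCENTCLOUD_REGION` environment variables. The default input value is ap-guangzhou.",
 			},
 			"protocol": {
 				Type:        schema.TypeString,
@@ -337,6 +338,12 @@ func Provider() *schema.Provider {
 				DefaultFunc: schema.EnvDefaultFunc(PROVIDER_PROFILE, nil),
 				Description: "The profile name as set in the shared credentials. It can also be sourced from the `TENCENTCLOUD_PROFILE` environment variable. If not set, the default profile created with `tccli configure` will be used.",
 			},
+			"cam_role_name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				DefaultFunc: schema.EnvDefaultFunc(PROVIDER_CAM_ROLE_NAME, nil),
+				Description: "The name of the CVM instance CAM role. It can be sourced from the `TENCENTCLOUD_CAM_ROLE_NAME` environment variable.",
+			},
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{
@@ -2112,6 +2119,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		region      string
 		protocol    string
 		domain      string
+		camRoleName string
 	)
 
 	needSecret := true
@@ -2150,6 +2158,10 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		domain = v.(string)
 	}
 
+	if v, ok := d.GetOk("cam_role_name"); ok {
+		camRoleName = v.(string)
+	}
+
 	// standard client
 	var tcClient TencentCloudClient
 	tcClient.apiV3Conn = &connectivity.TencentCloudClient{
@@ -2163,6 +2175,12 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 		Domain: domain,
 	}
 
+	// get auth from CAM role name
+	if camRoleName != "" {
+		needSecret = false
+		_ = genClientWithCAM(&tcClient, camRoleName)
+	}
+
 	var (
 		assumeRoleArn             string
 		assumeRoleSessionName     string
@@ -2284,6 +2302,22 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 	return &tcClient, nil
 }
 
+func genClientWithCAM(tcClient *TencentCloudClient, roleName string) error {
+	camResp, err := tccommon.GetAuthFromCAM(roleName)
+	if err != nil {
+		return err
+	}
+
+	// using STS credentials
+	tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential(
+		camResp.TmpSecretId,
+		camResp.TmpSecretKey,
+		camResp.Token,
+	)
+
+	return nil
+}
+
 func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error {
 	// applying STS credentials
 	request := sdksts.NewAssumeRoleRequest()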
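Review bot: The error from genClientWithCAM is thrown away at `_ = genClientWithCAM(&tcClient, camRoleName)` immediately after needSecret is set to false, so when the metadata endpoint is unreachable (it is a 2-second-timeout HTTP call to an address that only answers on a CVM instance) the provider silently proceeds with no credential and every later API call fails with an opaque auth error that never mentions cam_role_name. Return it instead: `if err := genClientWithCAM(&tcClient, camRoleName); err != nil { return nil, err }`, ideally wrapped with the role name. genClientWithCAM also builds the token credential without checking that TmpSecretId and Token are non-empty, and the ExpiredTime/Expiration fields in the decoded response are never consulted, so a long apply keeps using the temporary key past its expiry with no refresh; at minimum the cam_role_name description should state that the credentials are fetched once at provider configuration. providerConfigure's body starts and ends outside this section, so I cannot see whether the later needSecret/assume-role logic overrides the credential set here.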
