diff --git a/.changelog/2742.txt b/.changelog/2742.txt new file mode 100644 index 0000000000..f27d3762f7 --- /dev/null +++ b/.changelog/2742.txt @@ -0,0 +1,3 @@ +```release-note:enhancement +provider: add SAML, OIDC for STS client +``` diff --git a/tencentcloud/connectivity/client.go b/tencentcloud/connectivity/client.go index 0f60d46269..0afbcf95eb 100644 --- a/tencentcloud/connectivity/client.go +++ b/tencentcloud/connectivity/client.go @@ -563,7 +563,7 @@ func (me *TencentCloudClient) UseCamClient() *cam.Client { } // UseStsClient returns sts client for service -func (me *TencentCloudClient) UseStsClient() *sts.Client { +func (me *TencentCloudClient) UseStsClient(stsExtInfo ...StsExtInfo) *sts.Client { /* me.Credential will changed, don't cache it if me.stsConn != nil { @@ -571,9 +571,14 @@ func (me *TencentCloudClient) UseStsClient() *sts.Client { } */ + var logRoundTripper LogRoundTripper + if len(stsExtInfo) != 0 { + logRoundTripper.Authorization = stsExtInfo[0].Authorization + } + cpf := me.NewClientProfile(300) me.stsConn, _ = sts.NewClient(me.Credential, me.Region, cpf) - me.stsConn.WithHttpTransport(&LogRoundTripper{}) + me.stsConn.WithHttpTransport(&logRoundTripper) return me.stsConn } diff --git a/tencentcloud/connectivity/transport.go b/tencentcloud/connectivity/transport.go index f05eca4a58..8e6778ea8d 100644 --- a/tencentcloud/connectivity/transport.go +++ b/tencentcloud/connectivity/transport.go @@ -25,13 +25,18 @@ func SetReqClient(name string) { } type LogRoundTripper struct { - InstanceId string + InstanceId string + Authorization string } type IacExtInfo struct { InstanceId string } +type StsExtInfo struct { + Authorization string +} + func (me *LogRoundTripper) RoundTrip(request *http.Request) (response *http.Response, errRet error) { var inBytes, outBytes []byte @@ -60,6 +65,10 @@ func (me *LogRoundTripper) RoundTrip(request *http.Request) (response *http.Resp reqClientFormat = fmt.Sprintf("%s,id=%s", ReqClient, me.InstanceId) } + if me.Authorization != "" { + request.Header.Set("Authorization", me.Authorization) + } + request.Header.Set("X-TC-RequestClient", reqClientFormat) inBytes = []byte(fmt.Sprintf("%s, request: ", request.Header[headName])) requestBody, errRet := ioutil.ReadAll(bodyReader) diff --git a/tencentcloud/provider.go b/tencentcloud/provider.go index eae106adc5..364e626502 100644 --- a/tencentcloud/provider.go +++ b/tencentcloud/provider.go @@ -123,11 +123,14 @@ const ( PROVIDER_DOMAIN = "TENCENTCLOUD_DOMAIN" //internal version: replace envYunti begin, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation. //internal version: replace envYunti end, please do not modify this annotation and refrain from inserting any code between the beginning and end lines of the annotation. - PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN" - PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME" - PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION" - PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR" - PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE" + PROVIDER_ASSUME_ROLE_ARN = "TENCENTCLOUD_ASSUME_ROLE_ARN" + PROVIDER_ASSUME_ROLE_SESSION_NAME = "TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME" + PROVIDER_ASSUME_ROLE_SESSION_DURATION = "TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION" + PROVIDER_ASSUME_ROLE_SAML_ASSERTION = "TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION" + PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN = "TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN" + PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN = "TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN" + PROVIDER_SHARED_CREDENTIALS_DIR = "TENCENTCLOUD_SHARED_CREDENTIALS_DIR" + PROVIDER_PROFILE = "TENCENTCLOUD_PROFILE" ) const ( @@ -233,6 +236,94 @@ func Provider() *schema.Provider { }, }, }, + "assume_role_with_saml": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + ConflictsWith: []string{"assume_role_with_web_identity"}, + Description: "The `assume_role_with_saml` block. If provided, terraform will attempt to assume this role using the supplied credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "saml_assertion": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SAML_ASSERTION, nil), + Description: "SAML assertion information encoded in base64. It can be sourced from the `PROVIDER_ASSUME_ROLE_SAML_ASSERTION`.", + }, + "principal_arn": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN, nil), + Description: "Player Access Description Name. It can be sourced from the `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`.", + }, + "role_arn": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_ARN, nil), + Description: "The ARN of the role to assume. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN`.", + }, + "session_name": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SESSION_NAME, nil), + Description: "The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`.", + }, + "session_duration": { + Type: schema.TypeInt, + Required: true, + DefaultFunc: func() (interface{}, error) { + if v := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_DURATION); v != "" { + return strconv.Atoi(v) + } + return 7200, nil + }, + ValidateFunc: tccommon.ValidateIntegerInRange(0, 43200), + Description: "The duration of the session when making the AssumeRoleWithSAML call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`.", + }, + }, + }, + }, + "assume_role_with_web_identity": { + Type: schema.TypeList, + Optional: true, + MaxItems: 1, + ConflictsWith: []string{"assume_role_with_saml"}, + Description: "The `assume_role_with_web_identity` block. If provided, terraform will attempt to assume this role using the supplied credentials.", + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "web_identity_token": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN, nil), + Description: "OIDC token issued by IdP. It can be sourced from the `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.", + }, + "role_arn": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_ARN, nil), + Description: "The ARN of the role to assume. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN`.", + }, + "session_name": { + Type: schema.TypeString, + Required: true, + DefaultFunc: schema.EnvDefaultFunc(PROVIDER_ASSUME_ROLE_SESSION_NAME, nil), + Description: "The session name to use when making the AssumeRole call. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`.", + }, + "session_duration": { + Type: schema.TypeInt, + Required: true, + DefaultFunc: func() (interface{}, error) { + if v := os.Getenv(PROVIDER_ASSUME_ROLE_SESSION_DURATION); v != "" { + return strconv.Atoi(v) + } + return 7200, nil + }, + ValidateFunc: tccommon.ValidateIntegerInRange(0, 43200), + Description: "The duration of the session when making the AssumeRoleWithWebIdentity call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`.", + }, + }, + }, + }, "shared_credentials_dir": { Type: schema.TypeString, Optional: true, @@ -2012,6 +2103,7 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { domain string ) + needSecret := true if v, ok := d.GetOk("secret_id"); ok { secretId = v.(string) } else { @@ -2079,7 +2171,6 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { if assumeRoleArn != "" && assumeRoleSessionName != "" { assumeRoleSessionDuration = 7200 assumeRolePolicy = "" - _ = genClientWithSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRolePolicy) } @@ -2099,7 +2190,28 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { assumeRoleSessionDuration = 7200 } - _ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "") + // get assume role with saml from env + envSamlAssertion := os.Getenv(PROVIDER_ASSUME_ROLE_SAML_ASSERTION) + envPrincipalArn := os.Getenv(PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN) + // get assume role with web identity from env + envWebIdentityToken := os.Getenv(PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN) + + if envSamlAssertion == "" && envPrincipalArn == "" && envWebIdentityToken == "" { + // use assume role + _ = genClientWithSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, "") + } else if envSamlAssertion != "" && envPrincipalArn != "" && envWebIdentityToken != "" { + return nil, fmt.Errorf("can not set `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION`, `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN`, `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` at the same time.\n") + } else if envSamlAssertion != "" && envPrincipalArn != "" { + // use assume role with saml + _ = genClientWithSamlSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envSamlAssertion, envPrincipalArn) + needSecret = false + } else if envWebIdentityToken != "" { + // use assume role with oidc + _ = genClientWithOidcSTS(&tcClient, envRoleArn, envSessionName, assumeRoleSessionDuration, envWebIdentityToken) + needSecret = false + } else { + return nil, fmt.Errorf("get `assume_role` from env error.\n") + } } // get assume role from tf @@ -2116,8 +2228,45 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) { } } - if secretId == "" || secretKey == "" { - return nil, fmt.Errorf("Please set your `secret_id` and `secret_key`.") + var ( + assumeRoleSamlAssertion string + assumeRolePrincipalArn string + assumeRoleWebIdentityToken string + ) + + // get assume role with saml from tf + if v, ok := d.GetOk("assume_role_with_saml"); ok { + assumeRoleWithSamlList := v.([]interface{}) + if len(assumeRoleWithSamlList) == 1 { + assumeRoleWithSaml := assumeRoleWithSamlList[0].(map[string]interface{}) + assumeRoleSamlAssertion = assumeRoleWithSaml["saml_assertion"].(string) + assumeRolePrincipalArn = assumeRoleWithSaml["principal_arn"].(string) + assumeRoleArn = assumeRoleWithSaml["role_arn"].(string) + assumeRoleSessionName = assumeRoleWithSaml["session_name"].(string) + assumeRoleSessionDuration = assumeRoleWithSaml["session_duration"].(int) + + _ = genClientWithSamlSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleSamlAssertion, assumeRolePrincipalArn) + needSecret = false + } + } + + // get assume role with web identity from tf + if v, ok := d.GetOk("assume_role_with_web_identity"); ok { + assumeRoleWithWebIdentityList := v.([]interface{}) + if len(assumeRoleWithWebIdentityList) == 1 { + assumeRoleWithWebIdentity := assumeRoleWithWebIdentityList[0].(map[string]interface{}) + assumeRoleWebIdentityToken = assumeRoleWithWebIdentity["web_identity_token"].(string) + assumeRoleArn = assumeRoleWithWebIdentity["role_arn"].(string) + assumeRoleSessionName = assumeRoleWithWebIdentity["session_name"].(string) + assumeRoleSessionDuration = assumeRoleWithWebIdentity["session_duration"].(int) + + _ = genClientWithOidcSTS(&tcClient, assumeRoleArn, assumeRoleSessionName, assumeRoleSessionDuration, assumeRoleWebIdentityToken) + needSecret = false + } + } + + if needSecret && (secretId == "" || secretKey == "") { + return nil, fmt.Errorf("Please set your `secret_id` and `secret_key`.\n") } return &tcClient, nil @@ -2149,6 +2298,60 @@ func genClientWithSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSes return nil } +func genClientWithSamlSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRoleSamlAssertion, assumeRolePrincipalArn string) error { + // applying STS credentials + request := sdksts.NewAssumeRoleWithSAMLRequest() + request.RoleArn = helper.String(assumeRoleArn) + request.RoleSessionName = helper.String(assumeRoleSessionName) + request.DurationSeconds = helper.IntUint64(assumeRoleSessionDuration) + request.SAMLAssertion = helper.String(assumeRoleSamlAssertion) + request.PrincipalArn = helper.String(assumeRolePrincipalArn) + + ratelimit.Check(request.GetAction()) + var stsExtInfo connectivity.StsExtInfo + stsExtInfo.Authorization = "SKIP" + response, err := tcClient.apiV3Conn.UseStsClient(stsExtInfo).AssumeRoleWithSAML(request) + if err != nil { + return err + } + + // using STS credentials + tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential( + *response.Response.Credentials.TmpSecretId, + *response.Response.Credentials.TmpSecretKey, + *response.Response.Credentials.Token, + ) + + return nil +} + +func genClientWithOidcSTS(tcClient *TencentCloudClient, assumeRoleArn, assumeRoleSessionName string, assumeRoleSessionDuration int, assumeRolePolicy string) error { + // applying STS credentials + request := sdksts.NewAssumeRoleWithWebIdentityRequest() + request.ProviderId = helper.String("OIDC") + request.RoleArn = helper.String(assumeRoleArn) + request.RoleSessionName = helper.String(assumeRoleSessionName) + request.DurationSeconds = helper.IntInt64(assumeRoleSessionDuration) + request.WebIdentityToken = helper.String(assumeRolePolicy) + + ratelimit.Check(request.GetAction()) + var stsExtInfo connectivity.StsExtInfo + stsExtInfo.Authorization = "SKIP" + response, err := tcClient.apiV3Conn.UseStsClient(stsExtInfo).AssumeRoleWithWebIdentity(request) + if err != nil { + return err + } + + // using STS credentials + tcClient.apiV3Conn.Credential = sdkcommon.NewTokenCredential( + *response.Response.Credentials.TmpSecretId, + *response.Response.Credentials.TmpSecretKey, + *response.Response.Credentials.Token, + ) + + return nil +} + var providerConfig map[string]interface{} func getConfigFromProfile(d *schema.ResourceData, ProfileKey string) (interface{}, error) { diff --git a/website/docs/index.html.markdown b/website/docs/index.html.markdown index 7c5c2e9d28..d801c78a11 100644 --- a/website/docs/index.html.markdown +++ b/website/docs/index.html.markdown @@ -34,8 +34,7 @@ provider "tencentcloud" { } # Get availability zones -data "tencentcloud_availability_zones" "default" { -} +data "tencentcloud_availability_zones" "default" {} # Get availability images data "tencentcloud_images" "default" { @@ -98,6 +97,8 @@ The following methods are supported, in this order, and explained below: - Static credentials - Environment variables - Assume role +- Assume role with SAML +- Assume role with OIDC - Shared credentials ### Static credentials @@ -124,8 +125,7 @@ You can provide your credentials via `TENCENTCLOUD_SECRET_ID` and `TENCENTCLOUD_ representing your TencentCloud Secret Id and Secret Key respectively. `TENCENTCLOUD_REGION` is also used, if applicable: ```hcl -provider "tencentcloud" { -} +provider "tencentcloud" {} ``` Usage: @@ -139,7 +139,7 @@ $ terraform plan ### Assume role -If provided with an assume role, Terraform will attempt to assume this role using the supplied credentials. Assume role can be provided by adding an `assume_role_arn`, `assume_role_session_name`, `assume_role_session_duration` and `assume_role_policy`(optional) in-line in the tencentcloud provider block: +If provided with an assume role, Terraform will attempt to assume this role using the supplied credentials. Assume role can be provided by adding an `role_arn`, `session_name`, `session_duration` and `policy`(optional) in-line in the tencentcloud provider block: Usage: @@ -158,7 +158,7 @@ provider "tencentcloud" { } ``` -The `assume_role_arn`, `assume_role_session_name`, `assume_role_session_duration` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` and `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variables. +The `role_arn`, `session_name`, `session_duration` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` and `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variables. Usage: @@ -172,6 +172,70 @@ $ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600 $ terraform plan ``` +### Assume role with SAML + +If provided with an assume role with SAML, Terraform will attempt to assume this role using the supplied credentials. Assume role can be provided by adding an `role_arn`, `session_name`, `session_duration`, `saml_assertion` and `principal_arn` in-line in the tencentcloud provider block: + +-> **Note:** Assume-role-with-SAML is a no-AK auth type, and there is no need setting secret_id and secret_key while using it. + +Usage: + +```hcl +provider "tencentcloud" { + assume_role_with_saml { + role_arn = "my-role-arn" + session_name = "my-session-name" + session_duration = 3600 + saml_assertion = "my-saml-assertion" + principal_arn = "my-principal-arn" + } +} +``` + +The `role_arn`, `session_name`, `session_duration`, `saml_assertion`, `principal_arn` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION`, `TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION` and `TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN` environment variables. + +Usage: + +```shell +$ export TENCENTCLOUD_ASSUME_ROLE_ARN="my-role-arn" +$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME="my-session-name" +$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600 +$ export TENCENTCLOUD_ASSUME_ROLE_SAML_ASSERTION="my-saml-assertion" +$ export TENCENTCLOUD_ASSUME_ROLE_PRINCIPAL_ARN="my-principal-arn" +$ terraform plan +``` + +### Assume role with OIDC + +If provided with an assume role with OIDC, Terraform will attempt to assume this role using the supplied credentials. Assume role can be provided by adding an `role_arn`, `session_name`, `session_duration` and `web_identity_token` in-line in the tencentcloud provider block: + +-> **Note:** Assume-role-with-OIDC is a no-AK auth type, and there is no need setting secret_id and secret_key while using it. + +Usage: + +```hcl +provider "tencentcloud" { + assume_role_with_web_identity { + role_arn = "my-role-arn" + session_name = "my-session-name" + session_duration = 3600 + web_identity_token = "my-web-identity-token" + } +} +``` + +The `role_arn`, `session_name`, `session_duration`, `web_identity_token` can also provided via `TENCENTCLOUD_ASSUME_ROLE_ARN`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME`, `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` and `TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN` environment variables. + +Usage: + +```shell +$ export TENCENTCLOUD_SECRET_ID="my-secret-id" +$ export TENCENTCLOUD_SECRET_KEY="my-secret-key" +$ export TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION=3600 +$ export TENCENTCLOUD_ASSUME_ROLE_WEB_IDENTITY_TOKEN="my-web-identity-token" +$ terraform plan +``` + ### Shared credentials You can use [Tencent Cloud credentials](https://www.tencentcloud.com/document/product/1013/33464) to specify your credentials. The default location is `$HOME/.tccli` on Linux and macOS, And `"%USERPROFILE%\.tccli"` on Windows. You can optionally specify a different location in the Terraform configuration by providing the `shared_credentials_dir` argument or using the `TENCENTCLOUD_SHARED_CREDENTIALS_DIR` environment variable. This method also supports a `profile` configuration and matching `TENCENTCLOUD_PROFILE` environment variable: @@ -207,6 +271,8 @@ In addition to generic provider arguments (e.g. alias and version), the followin * `shared_credentials_dir` - (Optional) The directory of the shared credentials. It can also be sourced from the `TENCENTCLOUD_SHARED_CREDENTIALS_DIR` environment variable. If not set this defaults to ~/.tccli. * `profile` - (Optional) The profile name as set in the shared credentials. It can also be sourced from the `TENCENTCLOUD_PROFILE` environment variable. If not set, the default profile created with `tccli configure` will be used. * `assume_role` - (Optional, Available in 1.33.1+) An `assume_role` block (documented below). If provided, terraform will attempt to assume this role using the supplied credentials. Only one `assume_role` block may be in the configuration. +* `assume_role_with_saml` - (Optional, Available in 1.81.111+) An `assume_role_with_saml` block (documented below). If provided, terraform will attempt to assume this role using the supplied credentials. Only one `assume_role_with_saml` block may be in the configuration. +* `assume_role_with_web_identity` - (Optional, Available in 1.81.111+) An `assume_role_with_web_identity` block (documented below). If provided, terraform will attempt to assume this role using the supplied credentials. Only one `assume_role_with_web_identity` block may be in the configuration. * `protocol` - (Optional, Available in 1.37.0+) The protocol of the API request. Valid values: `HTTP` and `HTTPS`. Default is `HTTPS`. * `domain` - (Optional, Available in 1.37.0+) The root domain of the API request, Default is `tencentcloudapi.com`. @@ -215,3 +281,16 @@ The nested `assume_role` block supports the following: * `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable. * `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable. * `policy` - (Optional) A more restrictive policy to apply to the temporary credentials. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. + +The nested `assume_role_with_saml` block supports the following: +* `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable. +* `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable. +* `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable. +* `saml_assertion` - (Required) SAML assertion information encoded in base64. It can be sourced from the `PROVIDER_ASSUME_ROLE_SAML_ASSERTION`. +* `principal_arn` - (Required) Player Access Description Name. It can be sourced from the `PROVIDER_ASSUME_ROLE_PRINCIPAL_ARN`. + +The nested `assume_role_with_web_identity` block supports the following: +* `role_arn` - (Required) The ARN of the role to assume. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_ARN` environment variable. +* `session_name` - (Required) The session name to use when making the AssumeRole call. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_NAME` environment variable. +* `session_duration` - (Required) The duration of the session when making the AssumeRole call. Its value ranges from 0 to 43200(seconds), and default is 7200 seconds. It can also be sourced from the `TENCENTCLOUD_ASSUME_ROLE_SESSION_DURATION` environment variable. +* `web_identity_token` - (Required) OIDC token issued by IdP. It can be sourced from the `PROVIDER_ASSUME_ROLE_WEB_IDENTITY_TOKEN`.