Python SDK for IDaaS (Identity as a Service) AKless Adapter - Enables AK-free authentication for Alibaba Cloud services
cloud-idaas-akless-alibabacloud-adapter
Python SDK for IDaaS (Identity as a Service) AKless Adapter — Enables AK-free authentication for Alibaba Cloud services using IDaaS PAM (Privileged Access Management) to obtain STS temporary credentials.
Features
- AK-free Authentication: Eliminates the need for a long-term AccessKey by using an OIDC Token to obtain STS temporary credentials via IDaaS PAM, reducing the risk of credential leakage
- Multi-SDK Adaptation: Provides credential provider adapters for multiple Alibaba Cloud SDKs, including OSS V1, OSS V2, and SLS
- Automatic Credential Refresh: Built-in credential caching and automatic refresh based on expiration time, ensuring seamless credential rotation
- Simple Integration: Factory class provides one-line creation of credential providers, minimizing integration effort
Requirements
- Python >= 3.9
- Dependencies:
  - cloud-idaas-core >= 0.0.5b0
  - alibabacloud-credentials >= 1.0.0
  - oss2 >= 2.18.0
  - alibabacloud-oss-v2 >= 1.0.0
  - aliyun-log-python-sdk >= 0.9.0
Installation
```bash
pip install cloud-idaas-akless-alibabacloud-adapter
```
Prerequisites
This SDK depends on cloud-idaas-core. You need to complete the IDaaS Core SDK initialization before using this adapter.
- Install and configure cloud-idaas-core; refer to the cloud-idaas-core README for details.
- In the configuration file, set the scope to the IDaaS built-in scope for PAM:

  ```json
  { "scope": "urn:cloud:idaas:pam|.all" }
  ```
- Complete the IDaaS Core SDK initialization:

  ```python
  from cloud_idaas.core import IDaaSCredentialProviderFactory

  IDaaSCredentialProviderFactory.init()
  ```
Quick Start
The simplest way to use this SDK is through the IDaaSPamAklessCredentialFactory factory class:
```python
from cloud_idaas.core import IDaaSCredentialProviderFactory
from cloud_idaas.adapter.alibabacloud.pam import IDaaSPamAklessCredentialFactory

# 1. Initialize IDaaS Core SDK
IDaaSCredentialProviderFactory.init()

# 2. Create an Alibaba Cloud credentials provider
credentials_provider = IDaaSPamAklessCredentialFactory.get_alibaba_cloud_credentials_provider(
    role_arn="acs:ram::123456789:role/your-role-name"
)

# 3. Get credentials
credentials = credentials_provider.get_credentials()
# Printed here only to show the returned fields; keep the secret and token out of real logs.
print(credentials.access_key_id)
print(credentials.access_key_secret)
print(credentials.security_token)
```
Note: The role_arn parameter can also be configured via the environment variable ALIBABA_CLOUD_ROLE_ARN.
Usage Examples
OSS V1 (oss2)
```python
import oss2
from cloud_idaas.core import IDaaSCredentialProviderFactory
from cloud_idaas.adapter.alibabacloud.pam import IDaaSPamAklessCredentialFactory

# Initialize
IDaaSCredentialProviderFactory.init()

# Create OSS V1 credentials provider
oss_v1_provider = IDaaSPamAklessCredentialFactory.get_oss_v1_credential_provider(
    role_arn="acs:ram::123456789:role/your-role-name"
)

# Use with OSS V1 SDK
auth = oss2.ProviderAuthV4(oss_v1_provider)
bucket = oss2.Bucket(auth, "https://oss-cn-hangzhou.aliyuncs.com", "your-bucket-name")
```
OSS V2 (alibabacloud-oss-v2)
```python
import alibabacloud_oss_v2 as oss
from cloud_idaas.core import IDaaSCredentialProviderFactory
from cloud_idaas.adapter.alibabacloud.pam import IDaaSPamAklessCredentialFactory

# Initialize
IDaaSCredentialProviderFactory.init()

# Create OSS V2 credentials provider
oss_v2_provider = IDaaSPamAklessCredentialFactory.get_oss_v2_credential_provider(
    role_arn="acs:ram::123456789:role/your-role-name"
)

# Use with OSS V2 SDK
cfg = oss.config.load_default()
cfg.credentials_provider = oss_v2_provider
cfg.region = "cn-hangzhou"
client = oss.Client(cfg)
```
SLS (aliyun-log-python-sdk)
```python
from aliyun.log import LogClient
from cloud_idaas.core import IDaaSCredentialProviderFactory
from cloud_idaas.adapter.alibabacloud.pam import IDaaSPamAklessCredentialFactory

# Initialize
IDaaSCredentialProviderFactory.init()

# Create SLS credentials provider
sls_provider = IDaaSPamAklessCredentialFactory.get_sls_credential_provider(
    role_arn="acs:ram::123456789:role/your-role-name"
)

# Use with SLS SDK
client = LogClient("cn-hangzhou.log.aliyuncs.com", credentials_provider=sls_provider)
```
API Reference
IDaaSPamAklessCredentialFactory
Factory class providing static methods to create credential providers.
| Method | Return Type | Description |
|---|---|---|
| get_alibaba_cloud_credentials_provider(role_arn=None) | IDaaSPamAlibabaCloudCredentialsProvider | Creates a general Alibaba Cloud credentials provider |
| get_oss_v1_credential_provider(role_arn=None) | IDaaSPamOSSV1CredentialsProvider | Creates an OSS V1 SDK credentials provider |
| get_oss_v2_credential_provider(role_arn=None) | IDaaSPamOSSV2CredentialsProvider | Creates an OSS V2 SDK credentials provider |
| get_sls_credential_provider(role_arn=None) | IDaaSPamSLSCredentialsProvider | Creates an SLS SDK credentials provider |
IDaaSPamAlibabaCloudCredentialsProvider
Core credentials provider that obtains STS temporary credentials from the PAM API using an OIDC Token.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| developer_api_endpoint | str | Yes | - | PAM Developer API endpoint |
| idaas_instance_id | str | Yes | - | IDaaS instance ID |
| role_arn | str | No | Env ALIBABA_CLOUD_ROLE_ARN | RAM role ARN to assume |
| duration_seconds | int | No | 3600 | Session duration in seconds (minimum 900) |
| connect_timeout | int | No | 5000 | Connection timeout in milliseconds |
| read_timeout | int | No | 10000 | Read timeout in milliseconds |
Environment Variables
| Variable | Description |
|---|---|
| ALIBABA_CLOUD_ROLE_ARN | RAM role ARN. Used when role_arn is not explicitly provided |
| ALIBABA_CLOUD_OIDC_TOKEN_FILE | Path to the OIDC Token file. Used for OIDC Token provider |
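A pre-flight check for the inputs this adapter reads, added here as an example and not part of the SDK: it validates the role ARN shape, the duration_seconds minimum and the OIDC token file named by ALIBABA_CLOUD_OIDC_TOKEN_FILE. It assumes the token file holds a compact JWT with an `exp` claim; `preflight`, `jwt_claims` and `sample_token` are hypothetical helper names, and the permission check is POSIX-only.

```python
import base64, json, os, re, stat, time

# Shape taken from the page's sample ARN; the exact character set is an assumption.
ROLE_ARN_RE = re.compile(r"^acs:ram::\d+:role/\S+$")
MIN_DURATION = 900  # minimum stated in the parameter table

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def sample_token(exp):
    """Constructed, unsigned token for the demo; not a real IDaaS token."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'demo', 'exp': exp})}.sig"

def preflight(env, duration_seconds=3600, now=None, min_ttl=60):
    """Return a list of findings; an empty list means the inputs look sane."""
    now = time.time() if now is None else now
    findings = []
    if not ROLE_ARN_RE.match(env.get("ALIBABA_CLOUD_ROLE_ARN", "")):
        findings.append("role_arn: missing or malformed")
    if duration_seconds < MIN_DURATION:
        findings.append("duration_seconds: below minimum of 900")
    path = env.get("ALIBABA_CLOUD_OIDC_TOKEN_FILE")
    if not path or not os.path.isfile(path):
        return findings + ["oidc_token_file: not found"]
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("oidc_token_file: accessible by group/other")
    try:
        with open(path, encoding="utf-8") as fh:
            exp = jwt_claims(fh.read()).get("exp")
    except ValueError:  # covers bad base64, bad JSON and bad encoding
        findings.append("oidc_token_file: not a decodable JWT")
    else:
        if not isinstance(exp, (int, float)) or exp - now < min_ttl:
            findings.append("oidc_token: expired or expiring within min_ttl")
    return findings

if __name__ == "__main__":
    print(preflight(dict(os.environ)))
```

The decode step only inspects claims; signature validation of the token remains the job of the IDaaS side that exchanges it.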
Support and Feedback
- Email: cloudidaas@list.alibaba-inc.com
- Issues: Please submit an Issue for questions or suggestions
License
This project is licensed under the Apache License 2.0.
File details
Details for the file cloud_idaas_akless_alibabacloud_adapter-0.0.1b0.tar.gz.
File metadata
- Download URL: cloud_idaas_akless_alibabacloud_adapter-0.0.1b0.tar.gz
- Upload date:
- Size: 17.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4fa9ebcf75329ec70fc22a99ea37db4b912da3e0b8966916d8c4fb9ee4bd0ce9 |
| MD5 | 2ad8bf730d791337c84a6eb5c310b391 |
| BLAKE2b-256 | 4c2cd1202087241240b1fc71ea30265eac1cabc9b95e92973349f55baaa6a055 |
Provenance
The following attestation bundles were made for cloud_idaas_akless_alibabacloud_adapter-0.0.1b0.tar.gz:
Publisher: publish.yml on cloud-idaas/idaas-python-akless-alibabacloud-adapter
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: cloud_idaas_akless_alibabacloud_adapter-0.0.1b0.tar.gz
  - Subject digest: 4fa9ebcf75329ec70fc22a99ea37db4b912da3e0b8966916d8c4fb9ee4bd0ce9
- Sigstore transparency entry: 1317151079
- Sigstore integration time:
- Permalink: cloud-idaas/idaas-python-akless-alibabacloud-adapter@2e7d69120e9a6bc90e4ea91ccb68400eaf0f4cbf
- Branch / Tag: refs/tags/v0.0.1b0
- Owner: https://github.com/cloud-idaas
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@2e7d69120e9a6bc90e4ea91ccb68400eaf0f4cbf
- Trigger Event: push
File details
Details for the file cloud_idaas_akless_alibabacloud_adapter-0.0.1b0-py3-none-any.whl.
File metadata
- Download URL: cloud_idaas_akless_alibabacloud_adapter-0.0.1b0-py3-none-any.whl
- Upload date:
- Size: 16.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b870bb761f264f07d4f22218491ebd07402c6f5b7a2d0bbbc5437b3a2dd236a9 |
| MD5 | 21c3b9f5ce9dc1c78540f4bc4b961669 |
| BLAKE2b-256 | a965f13fd3cdac891b06595f49a26d0e5af039540e28d4f7bf0eb2a2a9db7668 |
Provenance
The following attestation bundles were made for cloud_idaas_akless_alibabacloud_adapter-0.0.1b0-py3-none-any.whl:
Publisher: publish.yml on cloud-idaas/idaas-python-akless-alibabacloud-adapter
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: cloud_idaas_akless_alibabacloud_adapter-0.0.1b0-py3-none-any.whl
  - Subject digest: b870bb761f264f07d4f22218491ebd07402c6f5b7a2d0bbbc5437b3a2dd236a9
- Sigstore transparency entry: 1317151092
- Sigstore integration time:
- Permalink: cloud-idaas/idaas-python-akless-alibabacloud-adapter@2e7d69120e9a6bc90e4ea91ccb68400eaf0f4cbf
- Branch / Tag: refs/tags/v0.0.1b0
- Owner: https://github.com/cloud-idaas
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@2e7d69120e9a6bc90e4ea91ccb68400eaf0f4cbf
- Trigger Event: push