examples: add oss-python3-sdk

examples/rrsa/oss-python3-sdk/Dockerfile

@@ -0,0 +1,11 @@
+FROM python:3.11-buster
+# TARGETPLATFORM
+
+WORKDIR /app
+ENV PIP_INDEX_URL https://mirrors.aliyun.com/pypi/simple/
+
+COPY requirements.txt ./
+RUN pip install --upgrade pip && pip install -r requirements.txt
+COPY main.py ./
+
+CMD python main.py

examples/rrsa/oss-python3-sdk/README.md

@@ -0,0 +1,80 @@
+# oss-python3-sdk
+
+Using [OSS Python 3 SDK](https://github.com/aliyun/aliyun-oss-python-sdk) with RRSA Auth.
+
+```
+pip install 'alibabacloud_credentials>=0.3.1'
+```
+
+https://github.com/aliyun/credentials-python
+
+
+## Demo
+
+1. Enable RRSA:
+
+```
+export CLUSTER_ID=<cluster_id>
+ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+```
+
+2. Install ack-pod-identity-webhook:
+
+```
+ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+```
+
+3. Create an RAM Policy:
+
+```
+aliyun ram CreatePolicy --PolicyName oss-list-buckets --PolicyDocument '{
+  "Version": "1",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "oss:ListBuckets"
+      ],
+      "Resource": [
+        "*"
+      ],
+      "Condition": {}
+    }
+  ]
+}'
+```
+
+4. Associate an RAM Role to the service account and attach the policy to the role:
+
+```
+ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+    --namespace rrsa-demo-oss-python3-sdk \
+    --service-account demo-sa \
+    --role-name test-rrsa-demo \
+    --create-role-if-not-exist \
+    --attach-custom-policy oss-list-buckets
+```
+
+5. Deploy demo job:
+
+```
+ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > kubeconfig
+kubectl --kubeconfig ./kubeconfig apply -f deploy.yaml
+```
+
+6. Get logs:
+
+```
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-python3-sdk wait --for=condition=complete job/demo --timeout=240s
+kubectl --kubeconfig ./kubeconfig -n rrsa-demo-oss-python3-sdk logs job/demo
+```
+
+Outputs:
+
+```
+2023/05/19 10:58:55 test oss sdk using rrsa oidc token
+call oss.listBuckets via oidc token success:
+- test-***
+- cri-***
+
+```

examples/rrsa/oss-python3-sdk/deploy.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rrsa-demo-oss-python3-sdk
+  labels:
+    pod-identity.alibabacloud.com/injection: 'on'
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: demo-sa
+  namespace: rrsa-demo-oss-python3-sdk
+  annotations:
+    pod-identity.alibabacloud.com/role-name: test-rrsa-demo
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: demo
+  namespace: rrsa-demo-oss-python3-sdk
+spec:
+  template:
+    spec:
+      serviceAccountName: demo-sa
+      restartPolicy: Never
+      containers:
+        - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0-rrsa-example-oss-python3
+          imagePullPolicy: "Always"
+          name: test

examples/rrsa/oss-python3-sdk/main.py

@@ -0,0 +1,74 @@
+# coding: utf-8
+import os
+
+# alibabacloud-credentials>=0.3.1
+from alibabacloud_credentials.client import Client as CredClient
+from alibabacloud_credentials.models import Config as CredConfig
+
+import oss2
+from oss2.credentials import (
+    CredentialsProvider as OSSCredentialsProvider,
+    Credentials as OSSCredentials
+)
+
+ENV_ROLE_ARN = "ALIBABA_CLOUD_ROLE_ARN"
+ENV_OIDC_PROVIDER_ARN = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN"
+ENV_OIDC_TOKEN_FILE = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"
+
+
+def test_oss_sdk(cred):
+    endpoint = 'http://oss-cn-hangzhou.aliyuncs.com'
+    provider = OSSOidcCredentialProvider(cred)
+    auth = oss2.ProviderAuth(provider)
+
+    service = oss2.Service(auth=auth, endpoint=endpoint)
+    resp = service.list_buckets()
+
+    print("call oss.listBuckets via oidc token success:")
+    for bucket in resp.buckets:
+        print('- {}'.format(bucket.name))
+
+
+def new_cred():
+    # https://www.alibabacloud.com/help/doc-detail/378661.html
+    cred = CredClient()
+    return cred
+
+
+def new_oidc_cred():
+    # https://www.alibabacloud.com/help/doc-detail/378661.html
+    config = CredConfig(
+        type='oidc_role_arn',
+        role_arn=os.environ[ENV_ROLE_ARN],
+        oidc_provider_arn=os.environ[ENV_OIDC_PROVIDER_ARN],
+        oidc_token_file_path=os.environ[ENV_OIDC_TOKEN_FILE],
+        role_session_name='auth-with-rrsa-oidc-token')
+    cred = CredClient(config)
+    return cred
+
+
+class OSSOidcCredentialProvider(OSSCredentialsProvider):
+    def __init__(self, cred):
+        self._cred = cred
+
+    def get_credentials(self):
+        access_key_id = self._cred.get_access_key_id()
+        access_key_secret = self._cred.get_access_key_secret()
+        security_token = self._cred.get_security_token()
+        return OSSCredentials(access_key_id=access_key_id, access_key_secret=access_key_secret,
+                              security_token=security_token)
+
+
+def main():
+    # 两种方法都可以
+    cred = new_cred()
+    # or
+    # cred = new_oidc_cred()
+
+    # test oss sdk (https://github.com/aliyun/aliyun-oss-python-sdk) use rrsa oidc token
+    print("\ntest oss sdk use rrsa oidc token")
+    test_oss_sdk(cred)
+
+
+if __name__ == '__main__':
+    main()

examples/rrsa/oss-python3-sdk/requirements.txt

@@ -0,0 +1,30 @@
+aiohttp==3.9.2
+aiosignal==1.2.0
+alibabacloud-credentials==0.3.1
+alibabacloud-endpoint-util==0.0.3
+alibabacloud-gateway-spi==0.0.1
+alibabacloud-openapi-util==0.2.1
+alibabacloud-tea==0.2.9
+alibabacloud-tea-openapi==0.3.7
+alibabacloud-tea-util==0.3.8
+alibabacloud-tea-xml==0.0.2
+aliyun-python-sdk-core==2.13.36
+aliyun-python-sdk-kms==2.16.0
+async-timeout==4.0.2
+attrs==22.2.0
+certifi==2023.7.22
+cffi==1.15.1
+charset-normalizer==2.1.1
+crcmod==1.7
+cryptography==42.0.4
+frozenlist==1.3.1
+idna==3.4
+jmespath==0.10.0
+multidict==6.0.4
+oss2==2.16.0
+pycparser==2.21
+pycryptodome==3.19.1
+requests==2.31.0
+six==1.16.0
+urllib3==1.26.18
+yarl==1.8.1

examples/rrsa/oss-python3-sdk/test.sh

@@ -0,0 +1,100 @@
+#!/usr/bin/env bash
+set -e
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null && pwd )"
+CLUSTER_ID="$1"
+KUBECONFIG_PATH="${SCRIPT_DIR}/kubeconfig"
+NAMESPACE="rrsa-demo-oss-python3-sdk"
+ROLE_NAME="oss-list-buckets"
+POLICY_NAME="test-cs-describe-clusters"
+
+trap cleanup EXIT
+
+function bar_tip() {
+  echo -e "\n=== $1 ===\n"
+}
+
+function enable_rrsa() {
+  bar_tip "enable RRSA"
+
+  ack-ram-tool rrsa enable --cluster-id "${CLUSTER_ID}"
+}
+
+function install_helper() {
+  bar_tip "install ack-pod-identity-webhook"
+
+  ack-ram-tool rrsa install-helper-addon --cluster-id "${CLUSTER_ID}"
+}
+
+function setup_role() {
+  bar_tip "setup ram role"
+
+  aliyun ram DeletePolicy --PolicyName ${POLICY_NAME} || true
+  aliyun ram CreatePolicy --PolicyName ${POLICY_NAME} --PolicyDocument '{
+  "Version": "1",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "oss:ListBuckets"
+      ],
+      "Resource": [
+        "*"
+      ],
+      "Condition": {}
+    }
+  ]
+}' || true
+
+  ack-ram-tool rrsa associate-role --cluster-id "${CLUSTER_ID}" \
+    --namespace "${NAMESPACE}" \
+    --service-account demo-sa \
+    --role-name ${ROLE_NAME} \
+    --create-role-if-not-exist \
+    --attach-custom-policy ${POLICY_NAME}
+}
+
+function deploy_demo() {
+  bar_tip "deploy demo"
+
+  ack-ram-tool credential-plugin get-kubeconfig --cluster-id "${CLUSTER_ID}" > ${KUBECONFIG_PATH}
+  kubectl --kubeconfig ${KUBECONFIG_PATH} delete -f "${SCRIPT_DIR}/deploy.yaml" || true
+  kubectl --kubeconfig ${KUBECONFIG_PATH} apply -f "${SCRIPT_DIR}/deploy.yaml"
+}
+
+function get_logs() {
+  bar_tip "wait demo and get logs"
+
+  kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" wait --for=condition=complete job/demo --timeout=240s
+  kubectl --kubeconfig ${KUBECONFIG_PATH} -n "${NAMESPACE}" logs job/demo
+}
+
+function cleanup() {
+  set +e
+  bar_tip "cleanup"
+
+  rm ${KUBECONFIG_PATH}
+  aliyun ram DetachPolicyFromRole --RoleName ${ROLE_NAME} --PolicyName ${POLICY_NAME} --PolicyType Custom || true
+
+  set -e
+}
+
+function main() {
+  if [[ "${CLUSTER_ID}none" == "none" ]]; then
+    echo "clusterId is missing. Usage: bash test.sh CLUSTER_ID"
+    exit 1
+  fi
+  if [[ "${SCRIPT_DIR}none" == "none" ]]; then
+    echo "get script dir failed"
+    exit 1
+  fi
+
+  enable_rrsa
+  install_helper
+  setup_role
+  sleep 60
+  deploy_demo
+  get_logs
+}
+
+main

examples/rrsa/python3-sdk/README.md

@@ -3,7 +3,7 @@
 Using [Alibaba Could Python 3 SDK](https://github.com/aliyun/alibabacloud-python-sdk) with RRSA Auth.
 
 ```
-pip install alibabacloud_credentials>=0.3.1
+pip install 'alibabacloud_credentials>=0.3.1'
 ```
 
 https://github.com/aliyun/credentials-python

examples/rrsa/python3-sdk/main.py

@@ -33,19 +33,6 @@ def test_open_api_sdk(cred):
     print('\n')
 
 
-def test_oss_sdk(cred):
-    endpoint = 'http://oss-cn-hangzhou.aliyuncs.com'
-    provider = OSSOidcCredentialProvider(cred)
-    auth = oss2.ProviderAuth(provider)
-
-    service = oss2.Service(auth=auth, endpoint=endpoint)
-    resp = service.list_buckets()
-
-    print("call oss.listBuckets via oidc token success:")
-    for bucket in resp.buckets:
-        print('- {}'.format(bucket.name))
-
-
 def new_cred():
     # https://www.alibabacloud.com/help/doc-detail/378661.html
     cred = CredClient()
@@ -64,18 +51,6 @@ def new_oidc_cred():
     return cred
 
 
-class OSSOidcCredentialProvider(OSSCredentialsProvider):
-    def __init__(self, cred):
-        self._cred = cred
-
-    def get_credentials(self):
-        access_key_id = self._cred.get_access_key_id()
-        access_key_secret = self._cred.get_access_key_secret()
-        security_token = self._cred.get_security_token()
-        return OSSCredentials(access_key_id=access_key_id, access_key_secret=access_key_secret,
-                              security_token=security_token)
-
-
 def main():
     # 两种方法都可以
     cred = new_cred()
@@ -86,11 +61,6 @@ def main():
     print("\ntest open api sdk use rrsa oidc token")
     test_open_api_sdk(cred)
 
-    # test oss sdk (https://github.com/aliyun/aliyun-oss-python-sdk) use rrsa oidc token
-    if os.getenv("TEST_OSS_SDK") == "true":
-        print("\ntest oss sdk use rrsa oidc token")
-        test_oss_sdk(cred)
-
 
 if __name__ == '__main__':
     main()