package alicloud import ( "errors" "fmt" "strings" "github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/providers" "github.com/hashicorp/vault-plugin-auth-alicloud/tools" "github.com/hashicorp/vault/api" ) type CLIHandler struct{} func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) { mount, ok := m["mount"] if !ok { mount = "alicloud" } role := m["role"] credentialChain := []providers.Provider{ providers.NewConfigurationCredentialProvider(&providers.Configuration{ AccessKeyID: m["access_key"], AccessKeySecret: m["secret_key"], AccessKeyStsToken: m["security_token"], }), providers.NewEnvCredentialProvider(), providers.NewInstanceMetadataProvider(), } creds, err := providers.NewChainProvider(credentialChain).Retrieve() if err != nil { return nil, err } loginData, err := tools.GenerateLoginData(role, creds, m["region"]) if err != nil { return nil, err } path := fmt.Sprintf("auth/%s/login", mount) secret, err := c.Logical().Write(path, loginData) if err != nil { return nil, err } if secret == nil { return nil, errors.New("empty response from credential provider") } return secret, nil } func (h *CLIHandler) Help() string { help := ` Usage: vault login -method=alicloud [CONFIG K=V...] The AliCloud auth method allows users to authenticate with AliCloud RAM credentials. The AliCloud RAM credentials may be specified explicitly via the command line: $ vault login -method=alicloud access_key=... secret_key=... security_token=... region=... Configuration: access_key= Explicit AliCloud access key ID secret_key= Explicit AliCloud secret access key security_token= Explicit AliCloud security token region= Explicit AliCloud region mount= Path where the AliCloud credential method is mounted. This is usually provided via the -path flag in the "vault login" command, but it can be specified here as well. If specified here, it takes precedence over the value for -path. The default value is "alicloud". role= Name of the role to request a token against ` return strings.TrimSpace(help) }