Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Does SDK support to pick credentials from ~/.aliyun/config.json file Where credentials store for Aliyun CLI? #629

Open
ParthaI opened this issue May 30, 2024 · 14 comments

Comments

@ParthaI
Copy link

ParthaI commented May 30, 2024

Dere team,

  • In our project, we are implementing the authentication module using profile.
  • According to the Aliyun CLI, it stores the credentials in ~/.aliyun/config.json.
  • Running aliyun configure stores the credentials as described here: Aliyun CLI README.
  • It does not create any separate credential files other than ~/.aliyun/config.json.
  • However, the SDK picks the credentials from the default file path ~/.alibabacloud/credentials, and the credential file format is different.
  • In my case, I don't have any credential files like ~/.alibabacloud/credentials, but I can still run the CLI command successfully and get the expected results.

Is there a way for the Alibaba Cloud SDK to authenticate by providing the profile name, so it picks the credentials from ~/.aliyun/config.json?

An early suggestion would be greatly appreciated.

Thanks!

@ParthaI ParthaI changed the title Dose SDK support to pick credentials from ~/.aliyun/config.json file Where credentials store for Aliyun CLI? Does SDK support to pick credentials from ~/.aliyun/config.json file Where credentials store for Aliyun CLI? May 30, 2024
@ParthaI
Copy link
Author

ParthaI commented Jun 3, 2024

Dear Team,

Is there any update regarding the above message?

@JacksonTian
Copy link
Contributor

Currently, the SDK's credentials not fit the CLI's profile well. We are planning to improve it in short term.

@ParthaI
Copy link
Author

ParthaI commented Jun 3, 2024

Thanks for the information. Is there any ETA to add the support for CLI's profile?

@JacksonTian
Copy link
Contributor

Before 7.1.

@JacksonTian
Copy link
Contributor

Dear @ParthaI ,

We provide a CLIProfileCredentialsProvider to support your use case. You can use it like this:

// create cli credentials provider
provider := NewCLIProfileCredentialsProviderBuilder().Build()
// init client with config and credentials provider
config := sdk.NewConfig().WithScheme("HTTPS")
client, err := sts.NewClientWithOptions("cn-hangzhou", config, provider)

@ParthaI
Copy link
Author

ParthaI commented Aug 19, 2024

Thank you @JacksonTian, I will give it a try and let you know.

@ParthaI
Copy link
Author

ParthaI commented Sep 24, 2024

Hi @JacksonTian,

Apologies for the delayed response. I can confirm that the profile authentication suggestion you provided is working well.

It would be great to add support for the StsToken profile mode, as the CLI already supports it. For reference: https://github.com/aliyun/aliyun-cli/blob/master/README.md.

In the SDK, there is already support for creating a client with StsToken.

However, when executing code with the StsToken mode, I encountered the error: Error: alicloud: unsupported profile mode 'StsToken'.

@ParthaI
Copy link
Author

ParthaI commented Sep 24, 2024

Hello @JacksonTian,

Further to our work with profile authentication, we are now encountering timeout errors such as:

  • Error: rpc error: code = DeadlineExceeded desc = alicloud: exceeded allowed timeout
  • Error: alicloud: [SDK.TimeoutError] The request timed out 4 times (4 retries), should we consider increasing the threshold? Connect timeout. Please set a valid ConnectTimeout.

Despite setting the request timeout to 60 seconds, we are still facing these issues.

Here is the relevant configuration:

config := GetConfig(d.Connection)
defaultRegion := GetDefaultRegion(d.Connection)
defaultConfig := sdk.NewConfig() // initialize with default config

if config.AutoRetry != nil { 
    defaultConfig = defaultConfig.WithAutoRetry(*config.AutoRetry) // Value set as true
}
if config.MaxRetryTime != nil {
    defaultConfig = defaultConfig.WithMaxRetryTime(*config.MaxRetryTime) // Set to 9
}
if config.Timeout != nil {
    defaultConfig = defaultConfig.WithTimeout(time.Duration(*config.Timeout) * time.Second) // 60 seconds
}

Do you have any suggestions on how to resolve this issue? Any advice would be greatly appreciated.

Thanks!

@JacksonTian
Copy link
Contributor

JacksonTian commented Sep 24, 2024

Hi @JacksonTian,

Apologies for the delayed response. I can confirm that the profile authentication suggestion you provided is working well.

It would be great to add support for the StsToken profile mode, as the CLI already supports it. For reference: https://github.com/aliyun/aliyun-cli/blob/master/README.md.

In the SDK, there is already support for creating a client with StsToken.

However, when executing code with the StsToken mode, I encountered the error: Error: alicloud: unsupported profile mode 'StsToken'.

I am not recommend to support the short-term credentials in long-term configuration files. So in the new credentials provider, we didn't support it.

@JacksonTian
Copy link
Contributor

Hello @JacksonTian,

Further to our work with profile authentication, we are now encountering timeout errors such as:

  • Error: rpc error: code = DeadlineExceeded desc = alicloud: exceeded allowed timeout
  • Error: alicloud: [SDK.TimeoutError] The request timed out 4 times (4 retries), should we consider increasing the threshold? Connect timeout. Please set a valid ConnectTimeout.

Despite setting the request timeout to 60 seconds, we are still facing these issues.

Here is the relevant configuration:

config := GetConfig(d.Connection)
defaultRegion := GetDefaultRegion(d.Connection)
defaultConfig := sdk.NewConfig() // initialize with default config

if config.AutoRetry != nil { 
    defaultConfig = defaultConfig.WithAutoRetry(*config.AutoRetry) // Value set as true
}
if config.MaxRetryTime != nil {
    defaultConfig = defaultConfig.WithMaxRetryTime(*config.MaxRetryTime) // Set to 9
}
if config.Timeout != nil {
    defaultConfig = defaultConfig.WithTimeout(time.Duration(*config.Timeout) * time.Second) // 60 seconds
}

Do you have any suggestions on how to resolve this issue? Any advice would be greatly appreciated.

Thanks!

Could you provide more stack for the timeout error?

@ParthaI
Copy link
Author

ParthaI commented Sep 24, 2024

Below is a sample Go code to reproduce the error:

package main

import (
	"fmt"
	"log"
	"time"

	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
	"github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
)

func main() {
	regions := []string{"us-east-1", "ap-south-1", "cn-hangzhou"}

	for _, region := range regions {
		log.Println("Listing keys in region: " + region)
		
		// Load credentials using the CLI profile named "default"
		creds := credentials.NewCLIProfileCredentialsProviderBuilder().
			WithProfileName("default").Build()

		log.Printf("Credential Provider: %v", creds.GetProviderName())

		// SDK configuration with automatic retry enabled
		config := sdk.NewConfig()
		config.AutoRetry = true
		config.Timeout = 30 * time.Second
		config.MaxRetryTime = 9
		config.Scheme = "HTTPS"

		// Create a new KMS client with the loaded credentials
		vc, err := kms.NewClientWithOptions(region, config, creds)
		if err != nil {
			log.Fatalf("Error creating KMS client: %v", err)
		}

		// Create a request to list KMS keys
		request := kms.CreateListKeysRequest()
		request.Scheme = "https"

		// Make the API call to list keys
		res, err := vc.ListKeys(request)
		if err != nil {
			log.Fatalf("Error listing keys: %v", err)
		}

		// Print out the key names
		for _, key := range res.Keys.Key {
			fmt.Println("KeyName:", key.KeyId)
		}
	}
}

I'm encountering the error only for the region ap-south-1, while the other regions work fine. I haven't identified the root cause yet, but here's the specific error message I'm receiving:

2024/09/24 16:45:27 Error listing keys: [SDK.TimeoutError] The request timed out 10 times (10 retries). Perhaps we should raise the threshold? Connect timeout. Please set a valid ConnectTimeout.
caused by:
Post "https://kms.ap-south-1.aliyuncs.com/?AccessKeyId=xxxxxxxxxxx&Action=ListKeys&Format=JSON&RegionId=ap-south-1&Signature=p1VNCbNQY2zCKRHgUFOOnn2fXEU%3D&SignatureMethod=HMAC-SHA1&SignatureNonce=cd3ed545cc9eec5970f16a83c7e30ed0&SignatureType=&SignatureVersion=1.0&Timestamp=2024-09-24T11%3A15%3A22Z&Version=2016-01-20": dial tcp 147.139.2.5:443: i/o timeout
exit status 1

@JacksonTian
Copy link
Contributor

The error message shows network issue that access KMS kms.ap-south-1 service failed from your region. Where are you called to KMS.

@JacksonTian
Copy link
Contributor

Our default connect timeout is 5 seconds. You can custom it like following code:

client.SetConnectTimeout(5 * time.Second)            // Set client ConnectTimeout to 5 second.

@ParthaI
Copy link
Author

ParthaI commented Oct 1, 2024

The error message shows network issue that access KMS kms.ap-south-1 service failed from your region. Where are you called to KMS.

I have a stable network, I am encountering this error specifically in the ap-south-1 region. Do you have any insight into why I might be experiencing this time-out error for this region? It’s not limited to KMS, but seems to affect all resources in ap-south-1.

Our default connect timeout is 5 seconds. You can custom it like following code:
client.SetConnectTimeout(5 * time.Second) // Set client ConnectTimeout to 5 second.

I also tried setting it with client.SetConnectTimeout(60 * time.Second), but unfortunately, it didn't resolve the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants