aliyun · yndu13 · Feb 19, 2025 · Jan 9, 2025
diff --git a/.github/workflows/testPython.yml b/.github/workflows/testPython.yml
@@ -11,19 +11,19 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       matrix:
-        python-version: [ "3.7", "3.8", "3.9", "3.10", "3.11", "3.12" ]
+        python-version: [ "3.8", "3.9", "3.10", "3.11", "3.12" ]
       fail-fast: false
     steps:
     - uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
-      run: pip install alibabacloud-tea coverage pytest
+      run: pip install alibabacloud-tea coverage pytest alibabacloud_credentials_api APScheduler aiofiles
     - name: Setup OIDC
       run: npm install @actions/[email protected] @actions/http-client
     - name: Get Id Token

diff --git a/alibabacloud_credentials/client.py b/alibabacloud_credentials/client.py
@@ -1,6 +1,18 @@
 from functools import wraps
 
-from alibabacloud_credentials import credentials, providers, models
+from alibabacloud_credentials_api import ICredentialsProvider
+from alibabacloud_credentials import credentials
+from alibabacloud_credentials.exceptions import CredentialException
+from alibabacloud_credentials.models import Config, CredentialModel
+from alibabacloud_credentials.http import HttpOptions
+from alibabacloud_credentials.provider import (StaticAKCredentialsProvider,
+                                               StaticSTSCredentialsProvider,
+                                               RamRoleArnCredentialsProvider,
+                                               OIDCRoleArnCredentialsProvider,
+                                               RsaKeyPairCredentialsProvider,
+                                               EcsRamRoleCredentialsProvider,
+                                               URLCredentialsProvider,
+                                               DefaultCredentialsProvider)
 from alibabacloud_credentials.utils import auth_constant as ac
 from Tea.decorators import deprecated
 
@@ -16,24 +28,85 @@ def i(*args, **kwargs):
     return i
 
 
+class _CredentialsProviderWrap:
+
+    def __init__(self,
+                 *,
+                 type_name: str = None,
+                 provider: ICredentialsProvider = None):
+        self.type_name = type_name
+        self.provider = provider
+
+    def get_access_key_id(self) -> str:
+        credential = self.provider.get_credentials()
+        return credential.get_access_key_id()
+
+    async def get_access_key_id_async(self) -> str:
+        credential = await self.provider.get_credentials_async()
+        return credential.get_access_key_id()
+
+    def get_access_key_secret(self) -> str:
+        credential = self.provider.get_credentials()
+        return credential.get_access_key_secret()
+
+    async def get_access_key_secret_async(self) -> str:
+        credential = await self.provider.get_credentials_async()
+        return credential.get_access_key_secret()
+
+    def get_security_token(self):
+        credential = self.provider.get_credentials()
+        return credential.get_security_token()
+
+    async def get_security_token_async(self):
+        credential = await self.provider.get_credentials_async()
+        return credential.get_security_token()
+
+    def get_credential(self) -> CredentialModel:
+        credential = self.provider.get_credentials()
+        return CredentialModel(
+            access_key_id=credential.get_access_key_id(),
+            access_key_secret=credential.get_access_key_secret(),
+            security_token=credential.get_security_token(),
+            type=self.type_name,
+            provider_name=credential.get_provider_name(),
+        )
+
+    async def get_credential_async(self) -> CredentialModel:
+        credential = await self.provider.get_credentials_async()
+        return CredentialModel(
+            access_key_id=credential.get_access_key_id(),
+            access_key_secret=credential.get_access_key_secret(),
+            security_token=credential.get_security_token(),
+            type=self.type_name,
+            provider_name=credential.get_provider_name(),
+        )
+
+    def get_type(self) -> str:
+        return self.type_name
+
+
 class Client:
     cloud_credential = None
 
-    def __init__(self, config=None):
-        if config is None:
-            provider = providers.DefaultCredentialsProvider()
-            self.cloud_credential = provider.get_credentials()
-            return
-        self.cloud_credential = Client.get_credentials(config)
-
-    def get_credential(self) -> models.CredentialModel:
+    def __init__(self,
+                 config: Config = None,
+                 provider: ICredentialsProvider = None):
+        if provider is not None:
+            self.cloud_credential = _CredentialsProviderWrap(provider=provider)
+        elif config is None:
+            provider = DefaultCredentialsProvider()
+            self.cloud_credential = _CredentialsProviderWrap(type_name='default', provider=provider)
+        else:
+            self.cloud_credential = Client.get_credentials(config)
+
+    def get_credential(self) -> CredentialModel:
         """
         Get credential
         @return: the whole credential
         """
         return self.cloud_credential.get_credential()
 
-    async def get_credential_async(self) -> models.CredentialModel:
+    async def get_credential_async(self) -> CredentialModel:
         """
         Get credential
         @return: the whole credential
@@ -43,44 +116,99 @@ async def get_credential_async(self) -> models.CredentialModel:
     @staticmethod
     def get_credentials(config):
         if config.type == ac.ACCESS_KEY:
-            return credentials.AccessKeyCredential(config.access_key_id, config.access_key_secret)
+            provider = StaticAKCredentialsProvider(
+                access_key_id=config.access_key_id,
+                access_key_secret=config.access_key_secret,
+            )
+            return _CredentialsProviderWrap(type_name='access_key', provider=provider)
         elif config.type == ac.STS:
-            return credentials.StsCredential(config.access_key_id, config.access_key_secret, config.security_token)
+            provider = StaticSTSCredentialsProvider(
+                access_key_id=config.access_key_id,
+                access_key_secret=config.access_key_secret,
+                security_token=config.security_token,
+            )
+            return _CredentialsProviderWrap(type_name='sts', provider=provider)
         elif config.type == ac.BEARER:
             return credentials.BearerTokenCredential(config.bearer_token)
         elif config.type == ac.ECS_RAM_ROLE:
-            return credentials.EcsRamRoleCredential(
-                config.access_key_id,
-                config.access_key_secret,
-                config.security_token,
-                0,
-                providers.EcsRamRoleCredentialProvider(config=config)
+            provider = EcsRamRoleCredentialsProvider(
+                role_name=config.role_name,
+                disable_imds_v1=config.disable_imds_v1,
+                http_options=HttpOptions(
+                    read_timeout=config.timeout,
+                    connect_timeout=config.connect_timeout,
+                    proxy=config.proxy,
+                ),
             )
+            return _CredentialsProviderWrap(type_name='ecs_ram_role', provider=provider)
         elif config.type == ac.CREDENTIALS_URI:
-            return credentials.CredentialsURICredential(config.credentials_uri)
+            provider = URLCredentialsProvider(
+                uri=config.credentials_uri,
+                http_options=HttpOptions(
+                    read_timeout=config.timeout,
+                    connect_timeout=config.connect_timeout,
+                    proxy=config.proxy,
+                ),
+            )
+            return _CredentialsProviderWrap(type_name='credentials_uri', provider=provider)
         elif config.type == ac.RAM_ROLE_ARN:
-            return credentials.RamRoleArnCredential(
-                config.access_key_id,
-                config.access_key_secret,
-                config.security_token,
-                0,
-                providers.RamRoleArnCredentialProvider(config=config)
+            if config.security_token is not None and config.security_token != '':
+                previous_provider = StaticSTSCredentialsProvider(
+                    access_key_id=config.access_key_id,
+                    access_key_secret=config.access_key_secret,
+                    security_token=config.security_token,
+                )
+            else:
+                previous_provider = StaticAKCredentialsProvider(
+                    access_key_id=config.access_key_id,
+                    access_key_secret=config.access_key_secret,
+                )
+            provider = RamRoleArnCredentialsProvider(
+                credentials_provider=previous_provider,
+                role_arn=config.role_arn,
+                role_session_name=config.role_session_name,
+                duration_seconds=config.role_session_expiration,
+                policy=config.policy,
+                external_id=config.external_id,
+                sts_endpoint=config.sts_endpoint,
+                http_options=HttpOptions(
+                    read_timeout=config.timeout,
+                    connect_timeout=config.connect_timeout,
+                    proxy=config.proxy,
+                ),
             )
+            return _CredentialsProviderWrap(type_name='ram_role_arn', provider=provider)
         elif config.type == ac.RSA_KEY_PAIR:
-            return credentials.RsaKeyPairCredential(
-                config.access_key_id,
-                config.access_key_secret,
-                0,
-                providers.RsaKeyPairCredentialProvider(config=config)
+            provider = RsaKeyPairCredentialsProvider(
+                public_key_id=config.public_key_id,
+                private_key_file=config.private_key_file,
+                duration_seconds=config.role_session_expiration,
+                sts_endpoint=config.sts_endpoint,
+                http_options=HttpOptions(
+                    read_timeout=config.timeout,
+                    connect_timeout=config.connect_timeout,
+                    proxy=config.proxy,
+                ),
             )
+            return _CredentialsProviderWrap(type_name='rsa_key_pair', provider=provider)
         elif config.type == ac.OIDC_ROLE_ARN:
-            return credentials.OIDCRoleArnCredential(
-                config.access_key_id,
-                config.access_key_secret,
-                config.security_token,
-                0,
-                providers.OIDCRoleArnCredentialProvider(config=config))
-        return providers.DefaultCredentialsProvider().get_credentials()
+            provider = OIDCRoleArnCredentialsProvider(
+                role_arn=config.role_arn,
+                oidc_provider_arn=config.oidc_provider_arn,
+                oidc_token_file_path=config.oidc_token_file_path,
+                role_session_name=config.role_session_name,
+                duration_seconds=config.role_session_expiration,
+                policy=config.policy,
+                sts_endpoint=config.sts_endpoint,
+                http_options=HttpOptions(
+                    read_timeout=config.timeout,
+                    connect_timeout=config.connect_timeout,
+                    proxy=config.proxy,
+                ),
+            )
+            return _CredentialsProviderWrap(type_name='oidc_role_arn', provider=provider)
+        raise CredentialException(
+            'invalid type option, support: access_key, sts, bearer, ecs_ram_role, ram_role_arn, rsa_key_pair, oidc_role_arn, credentials_uri')
 
     @deprecated("Use 'get_credential().access_key_id' instead")
     def get_access_key_id(self):
@@ -109,7 +237,7 @@ async def get_security_token_async(self):
     @deprecated("Use 'get_credential().type' instead")
     @attribute_error_return_none
     def get_type(self):
-        return self.cloud_credential.credential_type
+        return self.cloud_credential.get_type()
 
     @deprecated("Use 'get_credential().bearer_token' instead")
     @attribute_error_return_none

diff --git a/alibabacloud_credentials/credentials.py b/alibabacloud_credentials/credentials.py
@@ -116,6 +116,9 @@ async def get_credential_async(self):
             type=ac.BEARER
         )
 
+    def get_type(self) -> str:
+        return self.credential_type
+
 
 class EcsRamRoleCredential(Credential, _AutomaticallyRefreshCredentials):
     """EcsRamRoleCredential"""

diff --git a/alibabacloud_credentials/http/__init__.py b/alibabacloud_credentials/http/__init__.py
@@ -0,0 +1,5 @@
+from ._options import HttpOptions
+
+__all__ = [
+    'HttpOptions'
+]
diff --git a/alibabacloud_credentials/http/_options.py b/alibabacloud_credentials/http/_options.py
@@ -0,0 +1,9 @@
+class HttpOptions:
+    def __init__(self,
+                 *,
+                 proxy: str = None,
+                 connect_timeout: int = None,
+                 read_timeout: int = None):
+        self.proxy = proxy
+        self.connect_timeout = connect_timeout
+        self.read_timeout = read_timeout