kubernetes-sigs
diff --git a/‎Makefile‎
Lines changed: 3 additions & 1 deletion b/‎Makefile‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎go.mod‎
Lines changed: 6 additions & 0 deletions b/‎go.mod‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 9 additions & 0 deletions b/‎go.sum‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎main.go‎
Lines changed: 16 additions & 2 deletions b/‎main.go‎
Lines changed: 16 additions & 2 deletions
diff --git a/‎pkg/cloud/metadata/metadata.go‎
Lines changed: 14 additions & 1 deletion b/‎pkg/cloud/metadata/metadata.go‎
Lines changed: 14 additions & 1 deletion
diff --git a/‎pkg/cloud/metadata/metadata_test.go‎
Lines changed: 24 additions & 6 deletions b/‎pkg/cloud/metadata/metadata_test.go‎
Lines changed: 24 additions & 6 deletions
diff --git a/‎pkg/cloud/metadata/openapi.go‎
Lines changed: 3 additions & 18 deletions b/‎pkg/cloud/metadata/openapi.go‎
Lines changed: 3 additions & 18 deletions
diff --git a/‎pkg/cloud/metadata/openapi_test.go‎
Lines changed: 1 addition & 22 deletions b/‎pkg/cloud/metadata/openapi_test.go‎
Lines changed: 1 addition & 22 deletions
diff --git a/‎pkg/cloud/metadata/sts.go‎
Lines changed: 60 additions & 0 deletions b/‎pkg/cloud/metadata/sts.go‎
Lines changed: 60 additions & 0 deletions
@@ -73,7 +73,9 @@ build:
 	./build/build-all-multi.sh
 
 pkg/cloud/ecsmock.go: pkg/cloud/ecsinterface.go
-	mockgen -source pkg/cloud/ecsinterface.go -destination $@ -package cloud
+	go tool mockgen -source pkg/cloud/ecsinterface.go -destination $@ -package cloud
+pkg/cloud/stsmock.go: pkg/cloud/stsinterface.go
+	go tool mockgen -source pkg/cloud/stsinterface.go -destination $@ -package cloud
 
 PROTOC=protoc
 pkg/disk/proto/disk.pb.go pkg/disk/proto/disk_ttrpc.pb.go: pkg/disk/disk.proto
 
@@ -2,12 +2,15 @@ module github.com/kubernetes-sigs/alibaba-cloud-csi-driver
 
 go 1.24
 
+tool github.com/golang/mock/mockgen
+
 require (
 	github.com/alibabacloud-go/darabonba-openapi v0.1.16
 	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.12
 	github.com/alibabacloud-go/eflo-controller-20221215/v2 v2.7.0
 	github.com/alibabacloud-go/ens-20171110/v3 v3.0.2
 	github.com/alibabacloud-go/nas-20170626/v4 v4.1.2
+	github.com/alibabacloud-go/sts-20150401/v2 v2.0.4
 	github.com/alibabacloud-go/tea v1.3.12
 	github.com/aliyun/alibaba-cloud-sdk-go v1.63.107
 	github.com/aliyun/credentials-go v1.4.5
@@ -85,10 +88,13 @@ require (
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
+	golang.org/x/mod v0.26.0 // indirect
 	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/term v0.34.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
+	golang.org/x/tools v0.35.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 
@@ -31,6 +31,7 @@ github.com/alibabacloud-go/darabonba-map v0.0.2 h1:qvPnGB4+dJbJIxOOfawxzF3hzMnIp
 github.com/alibabacloud-go/darabonba-map v0.0.2/go.mod h1:28AJaX8FOE/ym8OUFWga+MtEzBunJwQGceGQlvaPGPc=
 github.com/alibabacloud-go/darabonba-openapi v0.1.16 h1:f6ZspWKTBurQzyLpZKMVxO51HAePY8aedicwuX3+E20=
 github.com/alibabacloud-go/darabonba-openapi v0.1.16/go.mod h1:ZjyqRbbZOaUBSh7keeH8VQN/BzCPvxCQwMuJGDdbmXQ=
+github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.11/go.mod h1:wHxkgZT1ClZdcwEVP/pDgYK/9HucsnCfMipmJgCz4xY=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.11/go.mod h1:ue0+WkdPxpCB2JP3iaG4Iawayxp72kyT5uDbozQKaW8=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.12 h1:e2yCrhtWd6Qcsy4he2OL+jIAU+93Lx9OcLlPRoFLT1w=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.12/go.mod h1:f2wDpbM7hK9SvLIH09zSKVU1TsyemUNOqErMscMMl7c=
@@ -56,6 +57,8 @@ github.com/alibabacloud-go/openapi-util v0.0.11/go.mod h1:sQuElr4ywwFRlCCberQwKR
 github.com/alibabacloud-go/openapi-util v0.1.0/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=
 github.com/alibabacloud-go/openapi-util v0.1.1 h1:ujGErJjG8ncRW6XtBBMphzHTvCxn4DjrVw4m04HsS28=
 github.com/alibabacloud-go/openapi-util v0.1.1/go.mod h1:/UehBSE2cf1gYT43GV4E+RxTdLRzURImCYY0aRmlXpw=
+github.com/alibabacloud-go/sts-20150401/v2 v2.0.4 h1:LCw5Wq/oGhCT1DxM3KGzEAeeJjPcKpWTnhs+ZIG3RYE=
+github.com/alibabacloud-go/sts-20150401/v2 v2.0.4/go.mod h1:IUTzgO9AhR6xm/wKnHPZYVsOr1GMRuPK6KFXYP3BrM8=
 github.com/alibabacloud-go/tea v1.1.0/go.mod h1:IkGyUSX4Ba1V+k4pCtJUc6jDpZLFph9QMy2VUPTwukg=
 github.com/alibabacloud-go/tea v1.1.7/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
 github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
@@ -73,6 +76,7 @@ github.com/alibabacloud-go/tea-utils/v2 v2.0.5/go.mod h1:dL6vbUT35E4F4bFTHL845eU
 github.com/alibabacloud-go/tea-utils/v2 v2.0.6/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.7 h1:WDx5qW3Xa5ZgJ1c8NfqJkF6w+AU5wB8835UdhPr6Ax0=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.7/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
+github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCEtyBy9+DPF6GgEu8=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.107 h1:qagvUyrgOnBIlVRQWOyCZGVKUIYbMBdGdJ104vBpRFU=
 github.com/aliyun/alibaba-cloud-sdk-go v1.63.107/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ=
 github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
@@ -90,6 +94,7 @@ github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2y
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/clbanning/mxj/v2 v2.5.5/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
 github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME=
 github.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -421,6 +426,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -472,6 +479,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 
@@ -27,9 +27,13 @@ import (
 	"sync"
 	"time"
 
+	sts20150401 "github.com/alibabacloud-go/sts-20150401/v2/client"
+	alicred_old "github.com/aliyun/credentials-go/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/agent"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/bmcpfs"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud/metadata"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/disk"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/ens"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/features"
@@ -157,8 +161,18 @@ func main() {
 
 	ac := utils.GetAccessControl()
 	ecsClient := utils.NewEcsClient(ac)
-	stsClient := utils.NewStsClient(ac)
-	meta.EnableOpenAPI(ecsClient, stsClient)
+	meta.EnableOpenAPI(ecsClient)
+
+	provider, err := credentials.NewProvider()
+	if err != nil {
+		klog.ErrorS(err, "failed to get credential for metadata, will not enable OpenAPI")
+	} else {
+		cred := alicred_old.FromCredentialsProvider(provider.GetProviderName(), provider)
+		stsClient := func(regionID string) (cloud.STSInterface, error) {
+			return sts20150401.NewClient(utils.GetStsConfig(regionID).SetCredential(cred))
+		}
+		meta.EnableSts(stsClient)
+	}
 
 	for i, driverName := range driverNames {
 		if !strings.Contains(driverName, TypePluginSuffix) && driverName != ExtenderAgent {
 
@@ -173,7 +173,7 @@ func (m *Metadata) EnableKubernetes(client kubernetes.Interface) {
 	})
 }
 
-func (m *Metadata) EnableOpenAPI(ecsClient cloud.ECSInterface, stsClient cloud.STSInterface) {
+func (m *Metadata) EnableOpenAPI(ecsClient cloud.ECSInterface) {
 	mPre := Metadata{
 		// use the previous providers to get region id and instance id,
 		// do not recurse into ourselves
@@ -182,6 +182,19 @@ func (m *Metadata) EnableOpenAPI(ecsClient cloud.ECSInterface, stsClient cloud.S
 	m.providers = append(m.providers, &lazyInitProvider{
 		fetcher: &OpenAPIFetcher{
 			ecsClient: ecsClient,
+			mPre:      &mPre,
+		},
+	})
+}
+
+func (m *Metadata) EnableSts(stsClient func(regionID string) (cloud.STSInterface, error)) {
+	mPre := Metadata{
+		// use the previous providers to get region id and instance id,
+		// do not recurse into ourselves
+		providers: m.providers,
+	}
+	m.providers = append(m.providers, &lazyInitProvider{
+		fetcher: &StsFetcher{
 			stsClient: stsClient,
 			mPre:      &mPre,
 		},
 
@@ -113,19 +113,16 @@ func TestCreateOpenAPI(t *testing.T) {
 			t.Parallel()
 			ctrl := gomock.NewController(t)
 			var ecsClient cloud.ECSInterface
-			var stsClient cloud.STSInterface
 			if c.available {
 				ecsClient = testEcsClient(ctrl)
-				stsClient = testStsClient(ctrl)
 			} else {
 				ecsClient = cloud.NewMockECSInterface(ctrl)
-				stsClient = cloud.NewMockSTSInterface(ctrl)
 			}
 
 			m := NewMetadata()
 			m.providers = append(m.providers, FakeProvider{Values: c.values})
 
-			m.EnableOpenAPI(ecsClient, stsClient)
+			m.EnableOpenAPI(ecsClient)
 			zone, err := m.Get(ZoneID)
 			if c.available {
 				assert.Equal(t, "cn-beijing-k", zone)
@@ -142,13 +139,34 @@ func TestCreateOpenAPIFromEnv(t *testing.T) {
 	t.Setenv("KUBE_NODE_NAME", "i-2zec1slzwdzrwmvlr4w2")
 	ctrl := gomock.NewController(t)
 	ecsClient := testEcsClient(ctrl)
-	stsClient := testStsClient(ctrl)
 
 	m := NewMetadata()
-	m.EnableOpenAPI(ecsClient, stsClient)
+	m.EnableOpenAPI(ecsClient)
 	assert.Equal(t, "cn-beijing-k", MustGet(m, ZoneID))
 }
 
+func TestCreateSts(t *testing.T) {
+	t.Setenv("REGION_ID", "cn-beijing")
+	ctrl := gomock.NewController(t)
+	stsClient := testStsClientFactory(ctrl)
+
+	m := NewMetadata()
+	m.EnableSts(stsClient)
+	assert.Equal(t, "112233445566", MustGet(m, AccountID))
+}
+
+func TestCreateStsNoRegionID(t *testing.T) {
+	ctrl := gomock.NewController(t)
+	stsClient := testStsClientFactory(ctrl)
+
+	m := NewMetadata()
+	m.EnableSts(stsClient)
+	_, err := m.Get(999) // anything else
+	assert.ErrorIs(t, err, ErrUnknownMetadataKey)
+	_, err = m.Get(AccountID)
+	assert.ErrorIs(t, err, ErrUnknownMetadataKey)
+}
+
 func fakeMetadata(t *testing.T) *Metadata {
 	trans := httpmock.NewMockTransport()
 	trans.RegisterResponder("PUT", imds.ECSTokenEndpoint, httpmock.NewStringResponder(200, "fake_metadata_token"))
 
@@ -7,16 +7,14 @@ import (
 	"strings"
 
 	"github.com/aliyun/alibaba-cloud-sdk-go/services/ecs"
-	"github.com/aliyun/alibaba-cloud-sdk-go/services/sts"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud"
 )
 
 type OpenAPIMetadata struct {
 	instance *ecs.Instance
-	identity *sts.GetCallerIdentityResponse
 }
 
-func NewOpenAPIMetadata(c cloud.ECSInterface, s cloud.STSInterface, regionId, instanceId string) (*OpenAPIMetadata, error) {
+func NewOpenAPIMetadata(c cloud.ECSInterface, regionId, instanceId string) (*OpenAPIMetadata, error) {
 	instanceRequest := ecs.CreateDescribeInstancesRequest()
 
 	instanceRequest.RegionId = regionId
@@ -33,15 +31,7 @@ func NewOpenAPIMetadata(c cloud.ECSInterface, s cloud.STSInterface, regionId, in
 	if len(instanceResponse.Instances.Instance) != 1 {
 		return nil, fmt.Errorf("instance not found: %s", instanceId)
 	}
-
-	identityRequest := sts.CreateGetCallerIdentityRequest()
-	identityRequest.Scheme = "https"
-	identityResponse, err := s.GetCallerIdentity(identityRequest)
-	if err == nil {
-		return &OpenAPIMetadata{instance: &instanceResponse.Instances.Instance[0], identity: identityResponse}, nil
-	}
-
-	return &OpenAPIMetadata{instance: &instanceResponse.Instances.Instance[0], identity: nil}, nil
+	return &OpenAPIMetadata{instance: &instanceResponse.Instances.Instance[0]}, nil
 }
 
 func (m *OpenAPIMetadata) Get(key MetadataKey) (string, error) {
@@ -52,17 +42,12 @@ func (m *OpenAPIMetadata) Get(key MetadataKey) (string, error) {
 		return m.instance.InstanceId, nil
 	case InstanceType:
 		return m.instance.InstanceType, nil
-	case AccountID:
-		if m.identity != nil {
-			return m.identity.AccountId, nil
-		}
 	}
 	return "", ErrUnknownMetadataKey
 }
 
 type OpenAPIFetcher struct {
 	ecsClient cloud.ECSInterface
-	stsClient cloud.STSInterface
 	mPre      MetadataProvider
 }
 
@@ -91,7 +76,7 @@ func (f *OpenAPIFetcher) FetchFor(key MetadataKey) (MetadataProvider, error) {
 	if err != nil {
 		return nil, fmt.Errorf("instance ID is not available: %w", err)
 	}
-	p, err := NewOpenAPIMetadata(f.ecsClient, f.stsClient, regionId, instanceId)
+	p, err := NewOpenAPIMetadata(f.ecsClient, regionId, instanceId)
 	if err != nil {
 		return nil, err
 	}
 
@@ -4,7 +4,6 @@ import (
 	"testing"
 
 	"github.com/aliyun/alibaba-cloud-sdk-go/services/ecs"
-	"github.com/aliyun/alibaba-cloud-sdk-go/services/sts"
 	"github.com/golang/mock/gomock"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud"
 	"github.com/stretchr/testify/assert"
@@ -54,34 +53,14 @@ func testEcsClient(ctrl *gomock.Controller) cloud.ECSInterface {
 	return ecsClient
 }
 
-const getCallerIdentityRespJson = `{
-	"IdentityType": "Account",
-	"AccountId": "112233445566",
-	"RequestId": "5051F631-1599-5DBD-9C0A-3DD86092DA9D",
-	"PrincipalId": "112233445566",
-	"UserId": "112233445566",
-	"Arn": "acs:ram::112233445566:root"
-}`
-
-func testStsClient(ctrl *gomock.Controller) cloud.STSInterface {
-	res := sts.CreateGetCallerIdentityResponse()
-	cloud.UnmarshalAcsResponse([]byte(getCallerIdentityRespJson), res)
-
-	stsClient := cloud.NewMockSTSInterface(ctrl)
-	stsClient.EXPECT().GetCallerIdentity(gomock.Any()).Return(res, nil)
-	return stsClient
-}
-
 func TestGetOpenAPI(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	ecsClient := testEcsClient(ctrl)
-	stsClient := testStsClient(ctrl)
 
-	m, err := NewOpenAPIMetadata(ecsClient, stsClient, "cn-beijing", "i-2zec1slzwdzrwmvlr4w2")
+	m, err := NewOpenAPIMetadata(ecsClient, "cn-beijing", "i-2zec1slzwdzrwmvlr4w2")
 	assert.NoError(t, err)
 
 	assert.Equal(t, "cn-beijing-k", MustGet(m, ZoneID))
 	assert.Equal(t, "ecs.g7.xlarge", MustGet(m, InstanceType))
 	assert.Equal(t, "i-2zec1slzwdzrwmvlr4w2", MustGet(m, InstanceID))
-	assert.Equal(t, "112233445566", MustGet(m, AccountID))
 }
@@ -0,0 +1,60 @@
+package metadata
+
+import (
+	"fmt"
+
+	sts20150401 "github.com/alibabacloud-go/sts-20150401/v2/client"
+	"github.com/alibabacloud-go/tea/tea"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud"
+	"k8s.io/klog/v2"
+)
+
+type StsMetadata struct {
+	identity *sts20150401.GetCallerIdentityResponseBody
+}
+
+func NewStsMetadata(s cloud.STSInterface) (*StsMetadata, error) {
+	resp, err := s.GetCallerIdentity()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get caller identity: %w", err)
+	}
+	klog.V(2).Info("GetCallerIdentity OK", "requestID", tea.StringValue(resp.Body.RequestId))
+	return &StsMetadata{identity: resp.Body}, nil
+}
+
+func (m *StsMetadata) Get(key MetadataKey) (string, error) {
+	switch key {
+	case AccountID:
+		if m.identity.AccountId != nil {
+			return *m.identity.AccountId, nil
+		}
+	}
+	return "", ErrUnknownMetadataKey
+}
+
+type StsFetcher struct {
+	stsClient func(regionID string) (cloud.STSInterface, error)
+	mPre      MetadataProvider
+}
+
+func (f *StsFetcher) FetchFor(key MetadataKey) (MetadataProvider, error) {
+	switch key {
+	case AccountID:
+	default:
+		return nil, ErrUnknownMetadataKey
+	}
+
+	regionId, err := f.mPre.Get(RegionID)
+	if err != nil {
+		return nil, fmt.Errorf("region ID is not available: %w", err)
+	}
+	client, err := f.stsClient(regionId)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create STS client: %w", err)
+	}
+	p, err := NewStsMetadata(client)
+	if err != nil {
+		return nil, err
+	}
+	return newImmutableProvider(p, "Sts"), nil
+}