新增兼容assumeRole + assumeRoleWithOidc + assumeRoleWithSaml的代码提交，以及具体调用方式在SDK.md

Author: 71J2M74-RWI\Admin

SDK_Integration_zh.md

@@ -5,6 +5,9 @@
 - [访问凭据](#访问凭据)
   - [AK、SK设置](#aksk设置)
   - [STS Token设置](#sts-token设置)
+  - [STS AssumeRole示例](#sts-assumerole示例)
+  - [STS AssumeRoleWithOidc示例](#sts-assumerolewithoidc示例)
+  - [STS AssumeRoleWithSaml示例](#sts-assumerolewithsaml示例)
 - [EndPoint配置](#endpoint配置)
   - [自定义Endpoint](#自定义endpoint)
   - [自定义RegionId](#自定义regionid)
@@ -133,8 +136,170 @@ try:
 except ApiException as e:
     pass
 ```
+## STS AssumeRole示例
 
+STS AssumeRole（Security Token Service）是火山引擎提供的临时访问凭证机制。开发者通过服务端调用 STS 接口获取临时凭证（临时 AK、SK 和 Token），有效期可配置，适用于安全要求较高的场景。
+<br>
+此接口使用IAM子账号角色进行 AssumeRole 操作后，获取到IAM子用户的信息后，发起真正的API请求，参考如下
+<br>
+连接地址：https://www.volcengine.com/docs/6257/86374
+> ⚠️ 注意事项
+>
+> 1. 最小权限： 仅授予调用方访问所需资源的最小权限，避免使用 * 通配符授予全资源、全操作权限。
+> 2. 设置合理的有效期: 请根据实际情况设置合理有效期，越短越安全，建议不要超过1小时。
+
+支持`configuration`级别全局配置和接口级别的运行时参数设置`RuntimeOption`;`RuntimeOption`设置会覆盖`configuration`全局配置。  
 
+**代码示例：**
+```python
+from __future__ import print_function
+import volcenginesdkcore
+import volcenginesdkvpc
+from volcenginesdkcore.rest import ApiException
+from volcenginesdkcore.auth.providers.sts_provider import StsCredentialProvider
+
+if __name__ == '__main__':
+    # 注意示例代码安全，代码泄漏会导致AK/SK泄漏，有极大的安全风险。
+    configuration = volcenginesdkcore.Configuration()
+    configuration.region = "cn-beijing"
+
+    # 这里是使用STS ASSUMEROLE角色的方式
+    configuration.credential_provider = StsCredentialProvider(
+        ak="Your ak",
+        sk="Your sk",
+        role_name="Your role name",
+        account_id="Your account id",
+        region="cn-beijing"
+    )
+
+    # set default configuration
+    volcenginesdkcore.Configuration.set_default(configuration)
+    # use global default configuration
+    api_instance = volcenginesdkvpc.VPCApi()
+    create_vpc_request = volcenginesdkvpc.CreateVpcRequest(
+        cidr_block="192.168.0.0/16",
+        dns_servers=["10.0.0.1", "10.1.1.2"],
+    )
+
+    try:
+        # 复制代码运行示例，请自行打印API返回值。
+        api_instance.create_vpc(create_vpc_request)
+    except ApiException as e:
+        # 复制代码运行示例，请自行打印API错误信息。
+        # print("Exception when calling api: %s\n" % e)
+        pass
+```
+
+## STS AssumeRoleWithOidc示例
+
+STS AssumeRoleOIDC（Security Token Service）是火山引擎提供的临时访问凭证机制。开发者通过oidc_token在服务端调用 STS 接口获取临时凭证（临时 AK、SK 和 Token），有效期可配置，适用于安全要求较高的场景。
+<br>
+此接口使用oidc身份提供商角色使用oidc_token进行 AssumeRoleWithOidc 操作后，获取到用户的信息后，发起真正的API请求，参考如下
+<br>
+连接地址：https://www.volcengine.com/docs/6257/1494877
+> ⚠️ 注意事项
+>
+> 1. 最小权限： 仅授予调用方访问所需资源的最小权限，避免使用 * 通配符授予全资源、全操作权限。
+> 2. 设置合理的有效期: 请根据实际情况设置合理有效期，越短越安全，建议不要超过1小时。
+
+支持`configuration`级别全局配置和接口级别的运行时参数设置`RuntimeOption`;`RuntimeOption`设置会覆盖`configuration`全局配置。  
+
+**代码示例：**
+```python
+# Example Code generated by Beijing Volcanoengine Technology.
+from __future__ import print_function
+import volcenginesdkcore
+import volcenginesdkvpc
+from volcenginesdkcore.rest import ApiException
+from volcenginesdkcore.auth.providers.sts_oidc_provider import StsOidcCredentialProvider
+
+if __name__ == '__main__':
+    # 注意示例代码安全，代码泄漏会导致AK/SK泄漏，有极大的安全风险。
+    configuration = volcenginesdkcore.Configuration()
+    configuration.region = "cn-beijing"
+
+    # 这里是使用STS ASSUMEROLE_OIDC角色的方式
+    configuration.credential_provider = StsOidcCredentialProvider(
+        role_name="your role name",
+        account_id="your account id",
+        oidc_token="your oidc token",
+        region="cn-beijing"
+    )
+
+    # set default configuration
+    volcenginesdkcore.Configuration.set_default(configuration)
+    # use global default configuration
+    api_instance = volcenginesdkvpc.VPCApi()
+    create_vpc_request = volcenginesdkvpc.CreateVpcRequest(
+        cidr_block="192.168.0.0/16",
+        dns_servers=["10.0.0.1", "10.1.1.2"],
+    )
+
+    try:
+        # 复制代码运行示例，请自行打印API返回值。
+        api_instance.create_vpc(create_vpc_request)
+    except ApiException as e:
+        # 复制代码运行示例，请自行打印API错误信息。
+        # print("Exception when calling api: %s\n" % e)
+        pass
+
+```
+
+## STS AssumeRoleWithSaml示例
+
+STS AssumeRoleWithSaml（Security Token Service）是火山引擎提供的临时访问凭证机制。开发者通过saml_token在服务端调用 STS 接口获取临时凭证（临时 AK、SK 和 Token），有效期可配置，适用于安全要求较高的场景。
+<br>
+此接口使用saml身份提供商角色使用saml_resp进行 AssumeRoleWithSaml 操作后，获取到用户的信息后，发起真正的API请求，参考如下
+<br>
+连接地址：https://www.volcengine.com/docs/6257/1631607
+> ⚠️ 注意事项
+>
+> 1. 最小权限： 仅授予调用方访问所需资源的最小权限，避免使用 * 通配符授予全资源、全操作权限。
+> 2. 设置合理的有效期: 请根据实际情况设置合理有效期，越短越安全，建议不要超过1小时。
+
+支持`configuration`级别全局配置和接口级别的运行时参数设置`RuntimeOption`;`RuntimeOption`设置会覆盖`configuration`全局配置。  
+
+**代码示例：**
+```python
+# Example Code generated by Beijing Volcanoengine Technology.
+from __future__ import print_function
+import volcenginesdkcore
+import volcenginesdkvpc
+from volcenginesdkcore.rest import ApiException
+from volcenginesdkcore.auth.providers.sts_saml_provider import StsSamlCredentialProvider
+
+if __name__ == '__main__':
+    # 注意示例代码安全，代码泄漏会导致AK/SK泄漏，有极大的安全风险。
+    configuration = volcenginesdkcore.Configuration()
+    configuration.region = "cn-beijing"
+
+    # 这里是使用STS ASSUMEROLE_SAML角色的方式
+    configuration.credential_provider = StsSamlCredentialProvider(
+        role_name="your role name",
+        provider_name="your provider name",
+        account_id="your account id",
+        saml_resp="your saml resp",
+        region="cn-beijing"
+    )
+
+    # set default configuration
+    volcenginesdkcore.Configuration.set_default(configuration)
+    # use global default configuration
+    api_instance = volcenginesdkvpc.VPCApi()
+    create_vpc_request = volcenginesdkvpc.CreateVpcRequest(
+        cidr_block="192.168.0.0/16",
+        dns_servers=["10.0.0.1", "10.1.1.2"],
+    )
+
+    try:
+        # 复制代码运行示例，请自行打印API返回值。
+        api_instance.create_vpc(create_vpc_request)
+    except ApiException as e:
+        # 复制代码运行示例，请自行打印API错误信息。
+        # print("Exception when calling api: %s\n" % e)
+        pass
+
+```
 
 # EndPoint配置
 

volcenginesdkcore/api_client.py

@@ -115,6 +115,14 @@ def __call_api(
         if self.cookie:
             header_params['Cookie'] = self.cookie
 
+        # 新增代码。处理assume_role和assume_role_oidc和assume_role_saml
+        if self.configuration.credential_provider is not None:
+            self.configuration.credential_provider.refresh()  # 这会调用 _assume_role_oidc() 方法获取临时凭证
+            credentials = self.configuration.credential_provider.retrieve()
+            self.configuration.ak = credentials.ak
+            self.configuration.sk = credentials.sk
+            self.configuration.session_token = credentials.session_token
+
         interceptor_context = InterceptorContext(request=Request(
             self.configuration,
             resource_path, method, path_params,

volcenginesdkcore/auth/__init__.py

@@ -1,2 +1,2 @@
 from .credential import Credential
-from .providers import StsCredentialProvider, StaticCredentialProvider
+from .providers import StsCredentialProvider, StsOidcCredentialProvider,StaticCredentialProvider

volcenginesdkcore/auth/providers/__init__.py

@@ -1,2 +1,4 @@
 from .static_provider import StaticCredentialProvider
 from .sts_provider import StsCredentialProvider
+from .sts_oidc_provider import StsOidcCredentialProvider
+from .sts_saml_provider import StsSamlCredentialProvider

volcenginesdkcore/auth/providers/sts_oidc_provider.py

@@ -0,0 +1,91 @@
+import threading
+import time
+import uuid
+from datetime import datetime
+
+import dateutil.parser
+
+from volcenginesdkcore import UniversalApi, UniversalInfo, ApiClient, Configuration
+from .provider import Provider, CredentialValue
+
+
+class AssumeRoleOidcCredentials:
+    def __init__(self, ak, sk, session_token, current_time, expired_time):
+        self.ak = ak
+        self.sk = sk
+        self.session_token = session_token
+        self.current_time = current_time
+        self.expired_time = expired_time
+
+
+class StsOidcCredentialProvider(Provider):
+    def __init__(self, role_name, oidc_token, account_id, duration_seconds=3600, scheme='https',
+                 host='sts.volcengineapi.com', region='cn-north-1', timeout=30, expired_buffer_seconds=60):
+
+        self.role_name = role_name
+        self.account_id = account_id
+        self.oidc_token = oidc_token
+
+        self.timeout = timeout
+        self.duration_seconds = duration_seconds
+
+        self.host = host
+        self.region = region
+        self.scheme = scheme
+
+        self.expired_time = None
+        if expired_buffer_seconds > 600:
+            raise ValueError('expired_buffer_seconds must be less than or equal to 600')
+        self.expired_buffer_seconds = expired_buffer_seconds
+
+        self.credentials = None
+
+        self._lock = threading.Lock()
+
+    def retrieve(self):
+        return self.credentials
+
+    def is_expired(self):
+        return (self.credentials is None or
+                (self.expired_time and self.expired_time < time.time() + self.expired_buffer_seconds))
+
+    def refresh(self):
+        with self._lock:
+            if self.is_expired():
+                self._assume_role_oidc()
+
+    def _assume_role_oidc(self):
+        params = {
+            'DurationSeconds': self.duration_seconds,
+            'RoleSessionName': uuid.uuid4().hex,
+            'RoleTrn': 'trn:iam::' + self.account_id + ':role/' + self.role_name,
+            'OIDCToken': self.oidc_token,
+        }
+
+        configuration = type.__call__(Configuration)
+
+        # configuration.ak = self.ak
+        # configuration.sk = self.sk
+        configuration.host = self.host
+        configuration.region = self.region
+        configuration.scheme = self.scheme
+        configuration.read_timeout = self.timeout
+        c = UniversalApi(ApiClient(configuration))
+        info = UniversalInfo(method='POST', service='sts', version='2018-01-01', action='AssumeRoleWithOIDC',
+                             content_type='application/x-www-form-urlencoded')
+
+        resp, status_code, resp_header = c.do_call_with_http_info(info=info, body=params)
+        if 'Credentials' not in resp:
+            raise RuntimeError('failed to retrieve credentials from sts' + str(resp_header))
+        resp_cred = resp['Credentials']
+
+        # Parse the ISO string
+        dt = dateutil.parser.parse(resp_cred['Expiration'])
+
+        # Convert to timestamp (seconds since epoch)
+        self.expired_time = (dt - datetime(1970, 1, 1, tzinfo=dateutil.tz.tzutc())).total_seconds()
+
+        self.credentials = CredentialValue(ak=resp_cred['AccessKeyId'],
+                                           sk=resp_cred['SecretAccessKey'],
+                                           session_token=resp_cred['SessionToken'],
+                                           provider_name='StsOidcCredentialProvider')

volcenginesdkcore/auth/providers/sts_provider.py

@@ -60,7 +60,7 @@ def _assume_role(self):
             'RoleSessionName': uuid.uuid4().hex,
             'RoleTrn': 'trn:iam::' + self.account_id + ':role/' + self.role_name,
         }
-        configuration = Configuration()
+        configuration = type.__call__(Configuration)
         configuration.ak = self.ak
         configuration.sk = self.sk
         configuration.host = self.host