添加policy参数

yikefan · yikefan · commit 9fee7d7eb249 · 2025-09-23T17:15:31.000+08:00
diff --git a/SDK_Integration_zh.md b/SDK_Integration_zh.md
@@ -175,7 +175,8 @@ if __name__ == '__main__':
         host="sts.volcengineapi.com",  # 非必填，请求域名，默认sts.volcengineapi.com
         region="cn-beijing",  # 非必填，请求服务器区域地址，默认cn-north-1
         timeout=30,  # 非必填，请求超时时间，默认30秒
-        expired_buffer_seconds=60 #非必填，session有效期前多久过期，剩余时间小于这个设置就要请求新的token了，默认60秒
+        expired_buffer_seconds=60, #非必填，session有效期前多久过期，剩余时间小于这个设置就要请求新的token了，默认60秒
+        policy='{"Statement":[{"Effect":"Allow","Action":["vpc:CreateVpc"],"Resource":["*"],"Condition":{"StringEquals":{"volc:RequestedRegion":["cn-beijing"]}}}]}' # 非必填，授权策略，默认为空
     )
 
     # set default configuration
@@ -235,7 +236,8 @@ if __name__ == '__main__':
         host="sts.volcengineapi.com",  # 非必填，请求域名，默认sts.volcengineapi.com
         region="cn-beijing",  # 非必填，请求服务器区域地址，默认cn-beijing
         timeout=30,  # 非必填，请求超时时间，默认30秒
-        expired_buffer_seconds=60  # 非必填，session有效期前多久过期，剩余时间小于这个设置就要请求新的token了，默认60秒
+        expired_buffer_seconds=60,  # 非必填，session有效期前多久过期，剩余时间小于这个设置就要请求新的token了，默认60秒
+        policy='{"Statement":[{"Effect":"Allow","Action":["vpc:CreateVpc"],"Resource":["*"],"Condition":{"StringEquals":{"volc:RequestedRegion":["cn-beijing"]}}}]}' # 非必填，授权策略，默认为空
     )
 
     # set default configuration
@@ -296,7 +298,8 @@ if __name__ == '__main__':
         host="sts.volcengineapi.com",  # 非必填，请求域名，默认sts.volcengineapi.com
         region="cn-beijing",  # 非必填，请求服务器区域地址，默认cn-beijing
         timeout=30,  # 非必填，请求超时时间，默认30秒
-        expired_buffer_seconds=60  # 非必填，session有效期前多久过期，剩余时间小于这个设置就要请求新的token了，默认60秒
+        expired_buffer_seconds=60,  # 非必填，session有效期前多久过期，剩余时间小于这个设置就要请求新的token了，默认60秒
+        policy='{"Statement":[{"Effect":"Allow","Action":["vpc:CreateVpc"],"Resource":["*"],"Condition":{"StringEquals":{"volc:RequestedRegion":["cn-beijing"]}}}]}' # 非必填，授权策略，默认为空
     )
 
     # set default configuration
diff --git a/volcenginesdkcore/auth/providers/sts_oidc_provider.py b/volcenginesdkcore/auth/providers/sts_oidc_provider.py
@@ -7,6 +7,7 @@
 
 from volcenginesdkcore import UniversalApi, UniversalInfo, ApiClient, Configuration
 from .provider import Provider, CredentialValue
+import json
 
 
 class AssumeRoleOidcCredentials:
@@ -20,7 +21,7 @@ def __init__(self, ak, sk, session_token, current_time, expired_time):
 
 class StsOidcCredentialProvider(Provider):
     def __init__(self, role_name, account_id, oidc_token, duration_seconds=3600, scheme='https',
-                 host='sts.volcengineapi.com', region='cn-beijing', timeout=30, expired_buffer_seconds=60):
+                 host='sts.volcengineapi.com', region='cn-beijing', timeout=30, expired_buffer_seconds=60, policy=None):
 
         self.role_name = role_name
         self.account_id = account_id
@@ -32,7 +33,8 @@ def __init__(self, role_name, account_id, oidc_token, duration_seconds=3600, sch
         self.host = host
         self.region = region
         self.scheme = scheme
-
+        if policy is not None:
+            self.policy = json.loads(policy)
         self.expired_time = None
         if expired_buffer_seconds > 600:
             raise ValueError('expired_buffer_seconds must be less than or equal to 600')
@@ -65,7 +67,8 @@ def _assume_role_oidc(self):
             'RoleTrn': 'trn:iam::' + self.account_id + ':role/' + self.role_name,
             'OIDCToken': self.oidc_token,
         }
-
+        if self.policy is not None:
+            params['Policy'] = self.policy
         configuration = type.__call__(Configuration)
 
         # configuration.ak = self.ak
diff --git a/volcenginesdkcore/auth/providers/sts_provider.py b/volcenginesdkcore/auth/providers/sts_provider.py
@@ -7,6 +7,7 @@
 
 from volcenginesdkcore import UniversalApi, UniversalInfo, ApiClient, Configuration
 from .provider import Provider, CredentialValue
+import json
 
 
 class AssumeRoleCredentials:
@@ -20,7 +21,7 @@ def __init__(self, ak, sk, session_token, current_time, expired_time):
 
 class StsCredentialProvider(Provider):
     def __init__(self, ak, sk, role_name, account_id, duration_seconds=3600, scheme='https',
-                 host='sts.volcengineapi.com', region='cn-north-1', timeout=30, expired_buffer_seconds=60):
+                 host='sts.volcengineapi.com', region='cn-north-1', timeout=30, expired_buffer_seconds=60, policy=None):
         self.ak = ak
         self.sk = sk
         self.role_name = role_name
@@ -32,7 +33,8 @@ def __init__(self, ak, sk, role_name, account_id, duration_seconds=3600, scheme=
         self.host = host
         self.region = region
         self.scheme = scheme
-
+        if policy is not None:
+            self.policy = json.loads(policy)
         self.expired_time = None
         if expired_buffer_seconds > 600:
             raise ValueError('expired_buffer_seconds must be less than or equal to 600')
@@ -64,6 +66,8 @@ def _assume_role(self):
             'RoleSessionName': uuid.uuid4().hex,
             'RoleTrn': 'trn:iam::' + self.account_id + ':role/' + self.role_name,
         }
+        if self.policy is not None:
+            params['Policy'] = self.policy
         configuration = type.__call__(Configuration)
         configuration.ak = self.ak
         configuration.sk = self.sk
diff --git a/volcenginesdkcore/auth/providers/sts_saml_provider.py b/volcenginesdkcore/auth/providers/sts_saml_provider.py
@@ -7,6 +7,7 @@
 
 from volcenginesdkcore import UniversalApi, UniversalInfo, ApiClient, Configuration
 from .provider import Provider, CredentialValue
+import json
 
 
 class AssumeRoleSamlCredentials:
@@ -20,7 +21,7 @@ def __init__(self, ak, sk, session_token, current_time, expired_time):
 
 class StsSamlCredentialProvider(Provider):
     def __init__(self, role_name, account_id, provider_name, saml_resp, duration_seconds=3600, scheme='https',
-                 host='sts.volcengineapi.com', region='cn-beijing', timeout=30, expired_buffer_seconds=60):
+                 host='sts.volcengineapi.com', region='cn-beijing', timeout=30, expired_buffer_seconds=60, policy=None):
         # self.ak = ak
         # self.sk = sk
         self.role_name = role_name
@@ -34,7 +35,8 @@ def __init__(self, role_name, account_id, provider_name, saml_resp, duration_sec
         self.host = host
         self.region = region
         self.scheme = scheme
-
+        if policy is not None:
+            self.policy = json.loads(policy)
         self.expired_time = None
         if expired_buffer_seconds > 600:
             raise ValueError('expired_buffer_seconds must be less than or equal to 600')
@@ -68,7 +70,8 @@ def _assume_role_saml(self):
             'SAMLProviderTrn': 'trn:iam::' + self.account_id + ':saml-provider/' + self.provider_name,
             'SAMLResp': self.saml_resp,
         }
-
+        if self.policy is not None:
+            params['Policy'] = self.policy
         configuration = type.__call__(Configuration)
 
         # configuration.ak = self.ak
