Bump 0.3.6

Author: yndu13

ChangeLog.md

@@ -1,3 +1,6 @@
+### 2024-10-28 Version 0.3.6
+* Support IMDS v2 default for ecs ram role.
+
 ### 2024-07-31 Version 0.3.5
 * Support region or endpoint for sts requests.
 * Support user agent for credentials requests.

README-CN.md

@@ -123,7 +123,15 @@ cred_type = cred.get_type()
 
 #### ECS RAM Role
 
-通过指定角色名称，让凭证自动申请维护 STS Token
+ECS和ECI实例均支持绑定实例RAM角色，当在实例中使用Credentials工具时，将自动获取实例绑定的RAM角色，并通过访问元数据服务获取RAM角色的STS Token，以完成凭据客户端的初始化。
+
+实例元数据服务器支持加固模式和普通模式两种访问方式，Credentials工具默认使用加固模式（IMDSv2）获取访问凭据。若使用加固模式时发生异常，您可以通过设置disable_imds_v1来执行不同的异常处理逻辑：
+
+- 当值为false（默认值）时，会使用普通模式继续获取访问凭据。
+
+- 当值为true时，表示只能使用加固模式获取访问凭据，会抛出异常。
+
+服务端是否支持IMDSv2，取决于您在服务器的配置。
 
 ```python
 from alibabacloud_credentials.client import Client
@@ -132,7 +140,7 @@ from alibabacloud_credentials.models import Config
 config = Config(
     type='ecs_ram_role',      # 凭证类型
     role_name='roleName',     # 账户RoleName，非必填，不填则自动获取，建议设置，可以减少请求
-    enable_imds_v2=True       # 开启 V2 安全访问，非必填，可以设置环境变量来开启：ALIBABA_CLOUD_ECS_IMDSV2_ENABLE=true
+    disable_imds_v1=True      # 选填，是否强制关闭IMDSv1，即必须使用IMDSv2加固模式，可以通过环境变量ALIBABA_CLOUD_IMDSV1_DISABLED设置
 )
 cred = Client(config)
 
@@ -252,7 +260,13 @@ response = client.get_async_job_result(request, runtime_options)
 
 3. 实例 RAM 角色
 
-    如果定义了环境变量 `ALIBABA_CLOUD_ECS_METADATA` 且不为空，程序会将该环境变量的值作为角色名称，请求 <http://100.100.100.200/latest/meta-data/ram/security-credentials/> 获取临时安全凭证。
+   若不存在优先级更高的凭据信息，Credentials工具将通过环境变量获取ALIBABA_CLOUD_ECS_METADATA（ECS实例RAM角色名称）的值。若该变量的值存在，程序将采用加固模式（IMDSv2）访问ECS的元数据服务（Meta Data Server），以获取ECS实例RAM角色的STS Token作为默认凭据信息。在使用加固模式时若发生异常，将使用普通模式兜底来获取访问凭据。您也可以通过设置环境变量ALIBABA_CLOUD_IMDSV1_DISABLED，执行不同的异常处理逻辑：
+
+   - 当值为false时，会使用普通模式继续获取访问凭据。
+
+   - 当值为true时，表示只能使用加固模式获取访问凭据，会抛出异常。
+
+   服务端是否支持IMDSv2，取决于您在服务器的配置。
 
 4. Credentials URI
 

README.md

@@ -123,7 +123,15 @@ cred_type = cred.get_type()
 
 #### ECS RAM Role
 
-By specifying the role name, the credential will be able to automatically request maintenance of STS Token.
+Both ECS and ECI instances support binding instance RAM roles. When the Credentials tool is used in an instance, the RAM role bound to the instance will be automatically obtained, and the STS Token of the RAM role will be obtained by accessing the metadata service to complete the initialization of the credential client.
+
+The instance metadata server supports two access modes: hardened mode and normal mode. The Credentials tool uses hardened mode (IMDSv2) by default to obtain access credentials. If an exception occurs when using hardened mode, you can set disable_imds_v1 to perform different exception handling logic:
+
+- When the value is false (default value), the normal mode will continue to be used to obtain access credentials.
+
+- When the value is true, it means that only hardened mode can be used to obtain access credentials, and an exception will be thrown.
+
+Whether the server supports IMDSv2 depends on your configuration on the server.
 
 ```python
 from alibabacloud_credentials.client import Client
@@ -132,7 +140,7 @@ from alibabacloud_credentials.models import Config
 config = Config(
     type='ecs_ram_role',      # credential type
     role_name='roleName',     # `role_name` is optional. It will be retrieved automatically if not set. It is highly recommended to set it up to reduce requests.
-    enable_imds_v2=True       # `enable_imds_v2` is optional and is recommended to be turned on. It can be replaced by setting environment variable: ALIBABA_CLOUD_ECS_IMDSV2_ENABLE
+    disable_imds_v1=True      # Optional, whether to forcibly disable IMDSv1, that is, to use IMDSv2 hardening mode, which can be set by the environment variable ALIBABA_CLOUD_IMDSV1_DISABLED
 )
 cred = Client(config)
 
@@ -250,7 +258,13 @@ The default credential provider chain looks for available credentials, with foll
 
 3. Instance RAM Role
 
-    If the environment variable `ALIBABA_CLOUD_ECS_METADATA` is defined and not empty, the program will take the value of the environment variable as the role name and request <http://100.100.100.200/latest/meta-data/ram/security-credentials/> to get the temporary Security credentials.
+   If there is no credential information with a higher priority, the Credentials tool will obtain the value of ALIBABA_CLOUD_ECS_METADATA (ECS instance RAM role name) through the environment variable. If the value of this variable exists, the program will use the hardened mode (IMDSv2) to access the metadata service (Meta Data Server) of ECS to obtain the STS Token of the ECS instance RAM role as the default credential information. If an exception occurs when using the hardened mode, the normal mode will be used as a fallback to obtain access credentials. You can also set the environment variable ALIBABA_CLOUD_IMDSV1_DISABLED to perform different exception handling logic:
+
+   - When the value is false, the normal mode will continue to obtain access credentials.
+
+   - When the value is true, it means that only the hardened mode can be used to obtain access credentials, and an exception will be thrown.
+
+   Whether the server supports IMDSv2 depends on your configuration on the server.
 
 4. Credentials URI
 

alibabacloud_credentials/__init__.py

@@ -1 +1 @@
-__version__ = "0.3.5"
+__version__ = "0.3.6"

setup.py

@@ -54,10 +54,12 @@
         'Intended Audience :: Developers',
         'License :: OSI Approved :: Apache Software License',
         'Programming Language :: Python :: 3',
-        'Programming Language :: Python :: 3.6',
         'Programming Language :: Python :: 3.7',
         'Programming Language :: Python :: 3.8',
         'Programming Language :: Python :: 3.9',
+        'Programming Language :: Python :: 3.10',
+        'Programming Language :: Python :: 3.11',
+        'Programming Language :: Python :: 3.12',
         'Topic :: Software Development',
     )
 }