
add policy to limit the policy of token

wenzuochao 6 年之前
父節點
當前提交
0c35c3d6c0

+ 29 - 0
integration/base.go

@@ -111,6 +111,35 @@ func createAttachPolicyToUser() error {
 	return nil
 }
 
+func createAttachPolicyToRole() error {
+	listRequest := ram.CreateListPoliciesForRoleRequest()
+	listRequest.RoleName = rolename
+	listRequest.Scheme = "HTTPS"
+	client, err := ram.NewClientWithAccessKey(os.Getenv("REGION_ID"), os.Getenv("ACCESS_KEY_ID"), os.Getenv("ACCESS_KEY_SECRET"))
+	if err != nil {
+		return err
+	}
+	listResponse, err := client.ListPoliciesForRole(listRequest)
+	if err != nil {
+		return err
+	}
+	for _, policy := range listResponse.Policies.Policy {
+		if policy.PolicyName == "AdministratorAccess" {
+			return nil
+		}
+	}
+	createRequest := ram.CreateAttachPolicyToRoleRequest()
+	createRequest.Scheme = "HTTPS"
+	createRequest.PolicyName = "AdministratorAccess"
+	createRequest.RoleName = rolename
+	createRequest.PolicyType = "System"
+	_, err = client.AttachPolicyToRole(createRequest)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func createAccessKey() (string, string, error) {
 	client, err := ram.NewClientWithAccessKey(os.Getenv("REGION_ID"), os.Getenv("ACCESS_KEY_ID"), os.Getenv("ACCESS_KEY_SECRET"))
 	if err != nil {
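Review bot: createAttachPolicyToRole attaches the system policy `AdministratorAccess` to the role in the createRequest setup, and nothing in this hunk detaches it again, so the grant outlives the test run; if that is intended fixture state it should be stated in a doc comment, otherwise it wants a matching detach in teardown. The early return only inspects `listResponse.Policies.Policy` from a single ListPoliciesForRole call; if that API pages its results the check could miss an existing attachment and attach a second time (presumably harmless, but worth confirming). Proposed header comment: `// createAttachPolicyToRole ensures the integration test role carries the AdministratorAccess system policy; the session policies under test then narrow that grant.`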

+ 44 - 0
integration/core_test.go

@@ -137,3 +137,47 @@ func Test_DescribeClusterDetailWithCommonRequestWithROAWithHTTPS(t *testing.T) {
 	assert.NotNil(t, err)
 	assert.Contains(t, err.Error(), "Request url is invalid")
 }
+
+func Test_CreateInstanceWithCommonRequestWithPolicy(t *testing.T) {
+	err := createAttachPolicyToRole()
+	assert.Nil(t, err)
+
+	subaccesskeyid, subaccesskeysecret, err := createAccessKey()
+	assert.Nil(t, err)
+	client, err := sdk.NewClientWithRamRoleArnAndPolicy(os.Getenv("REGION_ID"), subaccesskeyid, subaccesskeysecret, rolearn, "alice_test", "")
+	assert.Nil(t, err)
+	request := requests.NewCommonRequest()
+	request.Method = "POST"
+	request.Product = "Ecs"
+	request.Domain = "ecs.aliyuncs.com"
+	request.Version = "2014-05-26"
+	request.SetScheme("HTTPS")
+	request.ApiName = "CreateInstance"
+	request.QueryParams["ImageId"] = "win2008r2_64_ent_sp1_en-us_40G_alibase_20170915.vhd"
+	request.QueryParams["InstanceType"] = "ecs.g5.large"
+	request.TransToAcsRequest()
+	_, err = client.ProcessCommonRequest(request)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "This resource type is not supported; please try other resource types.")
+
+	policy := `{
+    "Version": "1",
+    "Statement": [
+        {
+            "Action": "rds:*",
+            "Resource": "*",
+            "Effect": "Allow"
+        },
+        {
+            "Action": "dms:LoginDatabase",
+            "Resource": "acs:rds:*:*:*",
+            "Effect": "Allow"
+        }
+    ]
+}`
+	client, err = sdk.NewClientWithRamRoleArnAndPolicy(os.Getenv("REGION_ID"), subaccesskeyid, subaccesskeysecret, rolearn, "alice_test", policy)
+	assert.Nil(t, err)
+	_, err = client.ProcessCommonRequest(request)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "User not authorized to operate on the specified resource, or this API doesn't support RAM.")
+}
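Review bot: The first ProcessCommonRequest call issues a real ECS CreateInstance under a role that base.go has just given AdministratorAccess, and the test avoids creating a billable instance only because the service currently rejects that ImageId/InstanceType pair with "This resource type is not supported"; if that combination ever becomes valid, the test creates an instance. Sending the request as a dry run (ECS CreateInstance accepts a `DryRun` parameter, if I recall correctly) or choosing an action with no side effect would make the negative expectation safe. Separately, each `assert.Nil(t, err)` is followed by immediate use of `client` or the sub-account keys, so a failing createAccessKey or NewClientWithRamRoleArnAndPolicy ends in a nil dereference rather than a readable failure; `if !assert.Nil(t, err) { return }` at those points avoids that. The assertions on exact server error strings are also brittle; matching the error code would be more stable, though the code values are not visible here.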

+ 12 - 0
sdk/auth/credentials/sts_role_arn_credential.go

@@ -15,6 +15,7 @@ type RamRoleArnCredential struct {
 	RoleArn               string
 	RoleSessionName       string
 	RoleSessionExpiration int
+	Policy                string
 }
 
 // Deprecated: Use RamRoleArnCredential in this package instead.
@@ -47,3 +48,14 @@ func NewRamRoleArnCredential(accessKeyId, accessKeySecret, roleArn, roleSessionN
 		RoleSessionExpiration: roleSessionExpiration,
 	}
 }
+
+func NewRamRoleArnWithPolicyCredential(accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string, roleSessionExpiration int) *RamRoleArnCredential {
+	return &RamRoleArnCredential{
+		AccessKeyId:           accessKeyId,
+		AccessKeySecret:       accessKeySecret,
+		RoleArn:               roleArn,
+		RoleSessionName:       roleSessionName,
+		RoleSessionExpiration: roleSessionExpiration,
+		Policy:                policy,
+	}
+}
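Review bot: Both the new exported field `Policy` and the constructor NewRamRoleArnWithPolicyCredential ship without doc comments, and since callers pass an opaque string they should be told what it is: the document is forwarded verbatim as the AssumeRole `Policy` parameter (see signer_ram_role_arn.go in this commit) and nothing validates that it is JSON. Proposed field comment: `// Policy is an optional RAM policy document (JSON). When non-empty it is sent as the AssumeRole Policy parameter and the session is limited to what both the role's own policies and this document allow; it cannot widen the role's permissions.` For the constructor: `// NewRamRoleArnWithPolicyCredential is NewRamRoleArnCredential plus a session policy; an empty policy yields a session with the role's full permissions.`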

+ 7 - 0
sdk/auth/credentials/sts_role_arn_credential_test.go

@@ -25,4 +25,11 @@ func TestRoleArnCredential(t *testing.T) {
 	assert.Equal(t, "roleArn", r.RoleArn)
 	assert.Equal(t, "roleSessionName", r.RoleSessionName)
 	assert.Equal(t, 3600, r.RoleSessionExpiration)
+	p := NewRamRoleArnWithPolicyCredential("accessKeyId", "accessKeySecret", "roleArn", "roleSessionName", "test", 3600)
+	assert.Equal(t, "accessKeyId", p.AccessKeyId)
+	assert.Equal(t, "accessKeySecret", p.AccessKeySecret)
+	assert.Equal(t, "roleArn", p.RoleArn)
+	assert.Equal(t, "test", p.Policy)
+	assert.Equal(t, "roleSessionName", p.RoleSessionName)
+	assert.Equal(t, 3600, p.RoleSessionExpiration)
 }

+ 3 - 0
sdk/auth/signers/signer_ram_role_arn.go

@@ -119,6 +119,9 @@ func (signer *RamRoleArnSigner) buildCommonRequest() (request *requests.CommonRe
 	request.ApiName = "AssumeRole"
 	request.Scheme = requests.HTTPS
 	request.QueryParams["RoleArn"] = signer.credential.RoleArn
+	if signer.credential.Policy != "" {
+		request.QueryParams["Policy"] = signer.credential.Policy
+	}
 	request.QueryParams["RoleSessionName"] = signer.credential.RoleSessionName
 	request.QueryParams["DurationSeconds"] = strconv.Itoa(signer.credentialExpiration)
 	return
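Review bot: signer.credential.Policy is forwarded to the AssumeRole request unchanged, so a malformed document only fails remotely with a generic STS error that is hard to trace back to the caller's string; a local check before the call, `if !json.Valid([]byte(signer.credential.Policy)) { err = errors.New("ram role arn credential: Policy is not valid JSON"); return }`, surfaces the mistake at its source (this needs encoding/json and errors imported, and assumes the named `err` result that the cut-off signature in the hunk header suggests — confirm). A one-line comment on the new `if` would also help readers: `// optional session policy: narrows, never widens, the assumed role's permissions`. buildCommonRequest's closing brace lies outside the hunk.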

+ 1 - 1
sdk/auth/signers/signer_ram_role_arn_test.go

@@ -176,7 +176,7 @@ func Test_RamRoleArn_GetAccessKeyIdAndSign(t *testing.T) {
 }
 
 func Test_RamRoleArn_GetExtraParam_Fail(t *testing.T) {
-	c := credentials.NewRamRoleArnCredential("accessKeyId", "accessKeySecret", "roleArn", "roleSessionName", 3600)
+	c := credentials.NewRamRoleArnWithPolicyCredential("accessKeyId", "accessKeySecret", "roleArn", "roleSessionName", "policy", 3600)
 	// mock 200 response and valid json and valid result
 	s, err := NewRamRoleArnSigner(c, func(*requests.CommonRequest, interface{}) (response *responses.CommonResponse, err error) {
 		res := responses.NewCommonResponse()
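Review bot: The only signer test that now carries a policy is the failure-path Test_RamRoleArn_GetExtraParam_Fail, so nothing asserts that the new `if signer.credential.Policy != ""` branch in buildCommonRequest actually places the document in the AssumeRole query. A positive test should check that `request.QueryParams["Policy"]` equals the policy handed to the constructor and that the key is absent when the policy is empty. The rest of this test body continues outside the hunk.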

+ 18 - 0
sdk/client.go

@@ -136,6 +136,18 @@ func (client *Client) InitWithRamRoleArn(regionId, accessKeyId, accessKeySecret,
 	return client.InitWithOptions(regionId, config, credential)
 }
 
+func (client *Client) InitWithRamRoleArnAndPolicy(regionId, accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string) (err error) {
+	config := client.InitClientConfig()
+	credential := &credentials.RamRoleArnCredential{
+		AccessKeyId:     accessKeyId,
+		AccessKeySecret: accessKeySecret,
+		RoleArn:         roleArn,
+		RoleSessionName: roleSessionName,
+		Policy:          policy,
+	}
+	return client.InitWithOptions(regionId, config, credential)
+}
+
 func (client *Client) InitWithRsaKeyPair(regionId, publicKeyId, privateKey string, sessionExpiration int) (err error) {
 	config := client.InitClientConfig()
 	credential := &credentials.RsaKeyPairCredential{
@@ -392,6 +404,12 @@ func NewClientWithRamRoleArn(regionId string, accessKeyId, accessKeySecret, role
 	return
 }
 
+func NewClientWithRamRoleArnAndPolicy(regionId string, accessKeyId, accessKeySecret, roleArn, roleSessionName, policy string) (client *Client, err error) {
+	client = &Client{}
+	err = client.InitWithRamRoleArnAndPolicy(regionId, accessKeyId, accessKeySecret, roleArn, roleSessionName, policy)
+	return
+}
+
 func NewClientWithEcsRamRole(regionId string, roleName string) (client *Client, err error) {
 	client = &Client{}
 	err = client.InitWithEcsRamRole(regionId, roleName)
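Review bot: Neither InitWithRamRoleArnAndPolicy nor NewClientWithRamRoleArnAndPolicy has a doc comment, although both are exported and their last argument is a security-relevant opaque string. Proposed: `// InitWithRamRoleArnAndPolicy is InitWithRamRoleArn with an additional session policy (a RAM policy document in JSON) that is sent to AssumeRole and limits the session to the intersection of the role's permissions and the policy; an empty policy leaves the session at the role's full permissions.` with a parallel one-liner on the constructor. The struct literal also leaves RoleSessionExpiration at its zero value; if InitWithRamRoleArn (just above this hunk, not visible here) sets it, the two should agree, and the credentials.NewRamRoleArnWithPolicyCredential constructor added in this same commit could build the value so the field list lives in one place.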

+ 6 - 0
sdk/client_test.go

@@ -81,6 +81,12 @@ func Test_NewClientWithOptions(t *testing.T) {
 	assert.NotNil(t, client)
 }
 
+func Test_NewClientWithPolicy(t *testing.T) {
+	client, err := NewClientWithRamRoleArnAndPolicy("regionid", "acesskeyid", "accesskeysecret", "roleArn", "sessionName", "policy")
+	assert.Nil(t, err)
+	assert.NotNil(t, client)
+}
+
 func Test_NewClientWithAccessKey(t *testing.T) {
 	client, err := NewClientWithAccessKey("regionid", "acesskeyid", "accesskeysecret")
 	assert.Nil(t, err)