Summary
AssumeRoleWithOidcCredentialProvider currently resolves its core OIDC inputs from Context::env_vars() at credential-loading time.
That design is inconvenient for embedders that want to inject configuration explicitly instead of relying on process-wide or synthesized environment variables.
Problem
At the moment, the provider reads the following values from env at runtime:
ALIBABA_CLOUD_ROLE_ARNALIBABA_CLOUD_OIDC_PROVIDER_ARNALIBABA_CLOUD_OIDC_TOKEN_FILE- optionally
ALIBABA_CLOUD_ROLE_SESSION_NAME
- optionally
ALIBABA_CLOUD_STS_ENDPOINT
This has a few downsides:
- library integrations need to construct a fake or overlayed env source
- configuration is split between typed builder state and env state
- the provider is harder to reason about and test in embedded scenarios
Expected
The provider should support a fully explicit configuration path that does not depend on runtime env lookup for required fields.
The exact API shape is up to the maintainers, but the important part is:
- embedders can provide all required OIDC configuration directly
- env-based loading can remain as a convenience path
- runtime env injection is no longer the only way to use this provider with structured config
Context
OpenDAL currently works around this by copying OSS config values into StaticEnv before building the reqsign context. That workaround is not needed for AWS or GCS anymore, but OSS still needs it because this provider remains env-driven.
Summary
AssumeRoleWithOidcCredentialProvidercurrently resolves its core OIDC inputs fromContext::env_vars()at credential-loading time.That design is inconvenient for embedders that want to inject configuration explicitly instead of relying on process-wide or synthesized environment variables.
Problem
At the moment, the provider reads the following values from env at runtime:
ALIBABA_CLOUD_ROLE_ARNALIBABA_CLOUD_OIDC_PROVIDER_ARNALIBABA_CLOUD_OIDC_TOKEN_FILEALIBABA_CLOUD_ROLE_SESSION_NAMEALIBABA_CLOUD_STS_ENDPOINTThis has a few downsides:
Expected
The provider should support a fully explicit configuration path that does not depend on runtime env lookup for required fields.
The exact API shape is up to the maintainers, but the important part is:
Context
OpenDAL currently works around this by copying OSS config values into
StaticEnvbefore building thereqsigncontext. That workaround is not needed for AWS or GCS anymore, but OSS still needs it because this provider remains env-driven.