cdh: 'get_secret' support EcsRamRole access for aliyun kms
Signed-off-by: 1570005763 <[email protected]>
1570005763 committed Dec 29, 2023
1 parent 46ea5a4 commit 90a64d4
Showing 9 changed files with 935 additions and 293 deletions.
267 changes: 145 additions & 122 deletions Cargo.lock


37 changes: 32 additions & 5 deletions confidential-data-hub/docs/kms-providers/alibaba.md
@@ -14,34 +14,60 @@ The `provider_settings` and `annotations` defined in [Sealed Secret](../SEALED_S

#### annotations

##### encryption/decryption

| Name | Usage |
| ------------------ | -------------------------------------------------------------------- |
| `iv` | The initialization vector used in an encryption/decryption operation |

##### get_secret

| Name | Usage |
| ------------------ | -------------------------------------------------------------------- |
| `version_stage` | (Optional) If this parameter is specified, KMS returns the credentials value of the version that is marked as the specified status. |
| `version_id` | (Optional) If this parameter is specified, KMS returns the credentials value for the specified version number. |

#### provider_settings

`client_type` is used to specify the method of accessing KMS. Only 'client_key' is avaliable for encryption/decryption. While both 'client_key' and 'ecs_ram_role' are avaliable for get_secret.

If `client_type` is set to 'client_key', provider_settings shall be as following:

| Name | Usage |
| ------------------ | -------------------------------------------------------------------- |
| `client_type` | Used to specify the method of accessing KMS. ('client_key' is set here) |
| `client_key_id` | The ID of the client key used to access the KMS instance |
| `kms_instance_id` | The KMS instance ID to be connected |

Else if `client_type` is set to 'ecs_ram_role', provider_settings shall be as following:

| Name | Usage |
| ------------------ | -------------------------------------------------------------------- |
| `client_type` | Used to specify the method of accessing KMS. ('ecs_ram_role' is set here) |

### Credential files

To connect to a KMS instance, a client key is needed. A client key is actually
To connect to a KMS instance with `client_type` set to 'client_key', a client key is needed. A client key is actually
[an json with encrypted inside](../../kms/src/plugins/aliyun/example_credential/clientKey_KAAP.f4c8____.json)
private key. The name of the client key is always derived from the client key id. Suppose the
client key ID is `xxx`, then the client key file has name `clientKey_xxx.json`. The key to encrypt
the private key is derived from a password that is also saved in [a file](../../kms/src/plugins/aliyun/example_credential/password_KAAP.f4c8____.json).
Suppose the client key ID is `xxx`, then the password file has name `password_xxx.json`.

To connect to a KMS server, [a cert of the KMS server](../../kms/src/plugins/aliyun/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem)
Besides, [a cert of the KMS server](../../kms/src/plugins/aliyun/example_credential/PrivateKmsCA_kst-shh64702cf2jvc_____.pem)
is also needed. Suppose the kms instance id is `xxx`, then the cert of the KMS server has name `PrivateKmsCA_xxx.pem`.

For more details please see the [developer document for aliyun](https://www.alibabacloud.com/help/en/key-management-service/latest/api-overview?spm=a2c63.l28256.0.0.bc4f4c6fB82yGa).
For more details please see the [developer document for aliyun](https://www.alibabacloud.com/help/en/key-management-service/latest/api-overview).

To connect to a KMS instance with `client_type` set to 'ecs_ram_role', a [ecsRamRole.json](../../kms/src/plugins/aliyun/example_credential/ecsRamRole.json) file is needed.
In the json file, `ecs_ram_role_name` and `region_id` is set in order to get access to Dedicated KMS.
Among them,`ecs_ram_role_name` refer to RAM role for ECS instances in a VPC network, where CDH runs. Can be set on Aliyun Console.
And `region_id` refers to region id of Dedicated KMS, to which more details can be refered [here](https://www.alibabacloud.com/help/en/kms/product-overview/supported-regions).

More details about accessing via EcsRamRole can be seen at [Access KMS from an ECS instance in a secure manner](https://www.alibabacloud.com/help/en/kms/use-cases/access-kms-from-an-ecs-instance-in-a-secure-manner).

## Behavior

The client `AliyunKmsClient` supports both `Encrypter` and `Decrypter` api. When at the
The client `AliyunKmsClient` supports `Encrypter`, `Decrypter`, and `Getter` api. When at the
user side, the credential files can be directly given by the user.

When in Tee, the credential files is supposed to be placed under `/run/confidential-containers/cdh/kms-credential/aliyun` directory.
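Review bot: the new `ecs_ram_role` paragraph under Credential files does not say where `ecsRamRole.json` is expected when CDH runs in a TEE (the Behavior section only names `/run/confidential-containers/cdh/kms-credential/aliyun` for the existing credential files), nor whether the `PrivateKmsCA_xxx.pem` server cert is still required in that mode, given that `provider_settings` for `ecs_ram_role` carries only `client_type` and no `kms_instance_id` from which the cert file name could be derived; spell both out, and add a sentence that the RAM role's policy should be scoped to the secrets CDH needs, since the role, not a per-client key, is now the credential. Smaller fixes in the same hunk: 'avaliable' → 'available' (twice, in the `client_type` paragraph), 'an json with encrypted inside' → 'a JSON file with an encrypted', '`ecs_ram_role_name` and `region_id` is set' → 'are set', 'refer to RAM role' → 'refers to the RAM role', and 'refered' → 'referred'.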
@@ -124,6 +150,7 @@ And the output
"iv": "Q/g...",
"provider": "aliyun",
"provider_settings": {
"client_type": "client_key",
"client_key_id": "KAAP.e9...",
"kms_instance_id": "kst-bj..."
},
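Review bot: the sample output gains `"client_type": "client_key"` but the page has no sample for the `ecs_ram_role` variant, whose `provider_settings` block contains only `client_type`; add a second example, or a one-line note beneath this one, so users of that mode see that `client_key_id` and `kms_instance_id` are omitted entirely rather than left as empty strings.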
4 changes: 3 additions & 1 deletion confidential-data-hub/kms/Cargo.toml
@@ -21,17 +21,19 @@ log.workspace = true
openssl = { workspace = true, optional = true }
p12 = { version = "0.6.3", optional = true }
prost = { workspace = true, optional = true }
rand.workspace = true
reqwest = { version = "0.11", optional = true }
resource_uri = { path = "../../attestation-agent/deps/resource_uri" }
sha2 = { workspace = true, optional = true }
serde.workspace = true
serde_json.workspace = true
sev = { path = "../../attestation-agent/deps/sev", optional = true }
strum.workspace = true
reqwest = { version = "0.11", optional = true }
thiserror.workspace = true
tokio = { workspace = true, features = ["fs"] }
toml.workspace = true
tonic = { workspace = true, optional = true }
url.workspace = true
uuid = { workspace = true, features = ["serde", "v4"], optional = true }
yasna = { version = "0.5.2", optional = true }
zeroize = { workspace = true, optional = true }
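Review bot: `rand.workspace = true` and `url.workspace = true` are added as unconditional dependencies, while the other client-specific dependencies in this list (`reqwest`, `openssl`, `p12`, `sha2`, `tonic`, `uuid`, `zeroize`) are `optional = true`; if `rand` and `url` are only needed by the aliyun EcsRamRole request signing path, mark them `optional = true` and gate them on the same feature as `reqwest`, so builds of the kms crate without that plugin do not pull them in. Moving `reqwest` up into its alphabetical position is fine.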
@@ -20,7 +20,7 @@ pub struct AliSecretAnnotations {

/// Serialized [`crate::ProviderSettings`]
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct AliProviderSettings {
pub struct AliClientKeyProviderSettings {
pub client_key_id: String,
pub kms_instance_id: String,
}
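Review bot: renaming `AliProviderSettings` to `AliClientKeyProviderSettings` leaves the doc comment `/// Serialized [`crate::ProviderSettings`]` describing the struct as the whole provider settings, while the docs hunk above says `provider_settings` also carries `client_type`, which this struct does not contain; update the comment to say it is the `client_key` variant of the settings, and make sure the dispatch on `client_type` that happens before deserializing into this struct returns an error for unknown values rather than falling back to `client_key` silently, since a mis-typed `client_type` would otherwise change which credential files are read.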

0 comments on commit 90a64d4

Please sign in to comment.