更新时间:2026-04-15 GMT+08:00

Identity SDK

场景介绍

Identity SDK提供华为云身份认证服务的管理能力,支持工作负载身份、凭证提供者、访问令牌等管理功能。

原理优势

IdentityClient是身份认证服务的高级客户端。

文件位置:src/agentarts/sdk/services/identity/identity_client.py

# NOTE(review): this import uses the package name `hw_agentrun_wrapper`, while the
# file location given on this page and the later imports use `agentarts.sdk`.
# Confirm the published package name before installing or importing anything.
from hw_agentrun_wrapper.services.identity import IdentityClient
# Create the high-level identity client for a single region.
client = IdentityClient(region="cn-southwest-2")

操作步骤

  1. 创建工作负载身份

    # Register a workload identity under the given name and description.
    workload = client.create_workload_identity(
        name="my-workload",
        description="我的工作负载"
    )
    # The returned object exposes the identity's `id` and `urn`.
    print(f"Workload ID: {workload.id}")
    print(f"URN: {workload.urn}")

  2. 创建访问令牌

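    # Option A: create the workload access token from a user token.
    # "user-oauth-token" is a placeholder; pass the token received from the
    # caller at runtime, never a value stored in source code.
    token = client.create_workload_access_token(
        workload_name="my-workload",
        user_token="user-oauth-token"
    )
    # Option B: create the token from a user ID instead. This reassigns `token`,
    # so only one of the two calls is needed in practice.
    # NOTE(review): this variant takes only a user ID, so the caller is presumably
    # responsible for having authenticated that user first — confirm.
    token = client.create_workload_access_token_for_user_id(
        workload_name="my-workload",
        user_id="user-123"
    )
    # token.access_token is a bearer credential: hand it to the call that needs
    # it and keep it out of stdout and logs. Only the expiry is printed here.
    print(f"Expires At: {token.expires_at}")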

  3. 管理凭证提供者。

    • API Key凭证提供者
      # "your-api-key" is a placeholder. Read the real key from a secret manager
      # or an environment variable at runtime; do not commit it to source control.
      provider = client.create_api_key_credential_provider(
          name="my-api-key-provider",
          api_key="your-api-key"
      )
      # The provider ID is what this example reports back after creation.
      print(f"Provider ID: {provider.id}")
    • OAuth2凭证提供者
      # The three calls below are independent examples, one per vendor; each
      # reassigns `provider`. "your-client-id" / "your-client-secret" are
      # placeholders: load the real client secret from a secret store at runtime
      # and keep it out of source control and logs.
      # GitHub OAuth2
      provider = client.create_oauth2_credential_provider(
          name="github-provider",
          vendor="github",
          client_id="your-client-id",
          client_secret="your-client-secret"
      )
      # Google OAuth2
      provider = client.create_oauth2_credential_provider(
          name="google-provider",
          vendor="google",
          client_id="your-client-id",
          client_secret="your-client-secret"
      )
      # Microsoft OAuth2
      provider = client.create_oauth2_credential_provider(
          name="microsoft-provider",
          vendor="microsoft",
          client_id="your-client-id",
          client_secret="your-client-secret"
      )
    • STS凭证提供者
      # NOTE(review): credentials issued through this provider presumably carry the
      # permissions of the agency named by agency_urn — keep that agency scoped
      # to least privilege and confirm against the service documentation.
      provider = client.create_sts_credential_provider(
          name="my-sts-provider",
          agency_urn="agency-urn:your-agency",
          tags=[{"key": "env", "value": "prod"}]
      )

  4. 获取资源凭证。

    • 获取OAuth2 Token
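      # Request an OAuth2 token from the named provider. Ask only for the scopes
      # the agent actually uses. "agent-identity-token" is a placeholder for the
      # identity token obtained at runtime.
      token = client.get_resource_oauth2_token(
          provider_name="github-provider",
          scopes=["user:email", "read:user"],
          agent_identity_token="agent-identity-token"
      )
      # token.access_token holds the bearer token. Pass it to the API client that
      # needs it instead of printing it: stdout usually ends up in logs.
      print("OAuth2 token retrieved (value not printed)")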
    • 获取API Key
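      # Fetch the API key stored under the named provider. "workload-token" is a
      # placeholder for the workload access token obtained at runtime.
      api_key = client.get_resource_api_key(
          provider_name="my-api-key-provider",
          workload_access_token="workload-token"
      )
      # api_key.key holds the secret value. Use it directly in the outbound
      # request and keep it out of stdout and logs.
      print("API key retrieved (value not printed)")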
    • 获取STS Token
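      # Fetch temporary STS credentials through the named provider.
      # "workload-token" is a placeholder for the workload access token obtained
      # at runtime. NOTE(review): agency_session_name presumably labels the
      # session for auditing; choose a value that identifies the caller — confirm.
      sts_token = client.get_resource_sts_token(
          provider_name="my-sts-provider",
          workload_access_token="workload-token",
          agency_session_name="session-name"
      )
      # The result exposes access_key, secret_key and security_token.
      # secret_key and security_token are secret material: pass them to the
      # client that signs requests and never write them to stdout or logs.
      print(f"Access Key: {sts_token.access_key}")
      print("Secret key and security token retrieved (values not printed)")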

  5. 使用SDK提供的装饰器保护Agent端点。

    from agentarts.sdk.identity.auth import (
        require_access_token,
        require_api_key,
        require_sts_token
    )
    from agentarts.sdk import AgentArtsRuntimeApp, RequestContext
    # Runtime application object; its `entrypoint` decorator is applied to the
    # handlers defined below.
    app = AgentArtsRuntimeApp()
    # Requires an access token
    @app.entrypoint
    @require_access_token
    def protected_agent(payload, context):
        """Return a fixed message from a handler wrapped by require_access_token.

        Decorators apply bottom-up: require_access_token wraps this function
        first and app.entrypoint receives the wrapped result. Keep this order;
        reversed, app.entrypoint would be handed the unwrapped function.
        NOTE(review): what require_access_token does when no valid token is
        present is defined in agentarts.sdk.identity.auth — confirm there.
        """
        response = {"message": "需要有效的访问令牌"}
        return response
    # Requires an API key
    @app.entrypoint
    @require_api_key
    def api_key_protected_agent(payload, context):
        """Return a fixed message from a handler wrapped by require_api_key.

        require_api_key is applied before app.entrypoint (decorators apply
        bottom-up), so app.entrypoint receives the wrapped function.
        NOTE(review): the exact behaviour of require_api_key is defined in
        agentarts.sdk.identity.auth — confirm there.
        """
        response = {"message": "需要有效的API Key"}
        return response
    # Requires an STS token
    @app.entrypoint
    @require_sts_token
    def sts_protected_agent(payload, context):
        """Return a fixed message from a handler wrapped by require_sts_token.

        require_sts_token is applied before app.entrypoint (decorators apply
        bottom-up), so app.entrypoint receives the wrapped function.
        NOTE(review): the exact behaviour of require_sts_token is defined in
        agentarts.sdk.identity.auth — confirm there.
        """
        response = {"message": "需要有效的STS Token"}
        return response

相关文档