1.修改代码适配阿里云的服务器

server/vendor/go.mongodb.org/mongo-driver/v2/internal/credproviders/assume_role_provider.go

@@ -0,0 +1,148 @@
+// Copyright (C) MongoDB, Inc. 2023-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package credproviders
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/internal/aws/credentials"
+	"go.mongodb.org/mongo-driver/v2/internal/uuid"
+)
+
+const (
+	// assumeRoleProviderName provides a name of assume role provider
+	assumeRoleProviderName = "AssumeRoleProvider"
+
+	stsURI = `https://sts.amazonaws.com/?Action=AssumeRoleWithWebIdentity&RoleSessionName=%s&RoleArn=%s&WebIdentityToken=%s&Version=2011-06-15`
+)
+
+// An AssumeRoleProvider retrieves credentials for assume role with web identity.
+type AssumeRoleProvider struct {
+	AwsRoleArnEnv              EnvVar
+	AwsWebIdentityTokenFileEnv EnvVar
+	AwsRoleSessionNameEnv      EnvVar
+
+	httpClient *http.Client
+	expiration time.Time
+
+	// expiryWindow will allow the credentials to trigger refreshing prior to the credentials actually expiring.
+	// This is beneficial so expiring credentials do not cause request to fail unexpectedly due to exceptions.
+	//
+	// So a ExpiryWindow of 10s would cause calls to IsExpired() to return true
+	// 10 seconds before the credentials are actually expired.
+	expiryWindow time.Duration
+}
+
+// NewAssumeRoleProvider returns a pointer to an assume role provider.
+func NewAssumeRoleProvider(httpClient *http.Client, expiryWindow time.Duration) *AssumeRoleProvider {
+	return &AssumeRoleProvider{
+		// AwsRoleArnEnv is the environment variable for AWS_ROLE_ARN
+		AwsRoleArnEnv: EnvVar("AWS_ROLE_ARN"),
+		// AwsWebIdentityTokenFileEnv is the environment variable for AWS_WEB_IDENTITY_TOKEN_FILE
+		AwsWebIdentityTokenFileEnv: EnvVar("AWS_WEB_IDENTITY_TOKEN_FILE"),
+		// AwsRoleSessionNameEnv is the environment variable for AWS_ROLE_SESSION_NAME
+		AwsRoleSessionNameEnv: EnvVar("AWS_ROLE_SESSION_NAME"),
+		httpClient:            httpClient,
+		expiryWindow:          expiryWindow,
+	}
+}
+
+// RetrieveWithContext retrieves the keys from the AWS service.
+func (a *AssumeRoleProvider) RetrieveWithContext(ctx context.Context) (credentials.Value, error) {
+	const defaultHTTPTimeout = 10 * time.Second
+
+	v := credentials.Value{ProviderName: assumeRoleProviderName}
+
+	roleArn := a.AwsRoleArnEnv.Get()
+	tokenFile := a.AwsWebIdentityTokenFileEnv.Get()
+	if tokenFile == "" && roleArn == "" {
+		return v, errors.New("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are missing")
+	}
+	if tokenFile != "" && roleArn == "" {
+		return v, errors.New("AWS_WEB_IDENTITY_TOKEN_FILE is set, but AWS_ROLE_ARN is missing")
+	}
+	if tokenFile == "" && roleArn != "" {
+		return v, errors.New("AWS_ROLE_ARN is set, but AWS_WEB_IDENTITY_TOKEN_FILE is missing")
+	}
+	token, err := ioutil.ReadFile(tokenFile)
+	if err != nil {
+		return v, err
+	}
+
+	sessionName := a.AwsRoleSessionNameEnv.Get()
+	if sessionName == "" {
+		// Use a UUID if the RoleSessionName is not given.
+		id, err := uuid.New()
+		if err != nil {
+			return v, err
+		}
+		sessionName = id.String()
+	}
+
+	fullURI := fmt.Sprintf(stsURI, sessionName, roleArn, string(token))
+
+	req, err := http.NewRequest(http.MethodPost, fullURI, nil)
+	if err != nil {
+		return v, err
+	}
+	req.Header.Set("Accept", "application/json")
+
+	ctx, cancel := context.WithTimeout(ctx, defaultHTTPTimeout)
+	defer cancel()
+	resp, err := a.httpClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return v, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return v, fmt.Errorf("response failure: %s", resp.Status)
+	}
+
+	var stsResp struct {
+		Response struct {
+			Result struct {
+				Credentials struct {
+					AccessKeyID     string  `json:"AccessKeyId"`
+					SecretAccessKey string  `json:"SecretAccessKey"`
+					Token           string  `json:"SessionToken"`
+					Expiration      float64 `json:"Expiration"`
+				} `json:"Credentials"`
+			} `json:"AssumeRoleWithWebIdentityResult"`
+		} `json:"AssumeRoleWithWebIdentityResponse"`
+	}
+
+	err = json.NewDecoder(resp.Body).Decode(&stsResp)
+	if err != nil {
+		return v, err
+	}
+	v.AccessKeyID = stsResp.Response.Result.Credentials.AccessKeyID
+	v.SecretAccessKey = stsResp.Response.Result.Credentials.SecretAccessKey
+	v.SessionToken = stsResp.Response.Result.Credentials.Token
+	if !v.HasKeys() {
+		return v, errors.New("failed to retrieve web identity keys")
+	}
+	sec := int64(stsResp.Response.Result.Credentials.Expiration)
+	a.expiration = time.Unix(sec, 0).Add(-a.expiryWindow)
+
+	return v, nil
+}
+
+// Retrieve retrieves the keys from the AWS service.
+func (a *AssumeRoleProvider) Retrieve() (credentials.Value, error) {
+	return a.RetrieveWithContext(context.Background())
+}
+
+// IsExpired returns true if the credentials are expired.
+func (a *AssumeRoleProvider) IsExpired() bool {
+	return a.expiration.Before(time.Now())
+}

server/vendor/go.mongodb.org/mongo-driver/v2/internal/credproviders/ec2_provider.go

@@ -0,0 +1,183 @@
+// Copyright (C) MongoDB, Inc. 2023-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package credproviders
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/internal/aws/credentials"
+)
+
+const (
+	// ec2ProviderName provides a name of EC2 provider
+	ec2ProviderName = "EC2Provider"
+
+	awsEC2URI       = "http://169.254.169.254/"
+	awsEC2RolePath  = "latest/meta-data/iam/security-credentials/"
+	awsEC2TokenPath = "latest/api/token"
+
+	defaultHTTPTimeout = 10 * time.Second
+)
+
+// An EC2Provider retrieves credentials from EC2 metadata.
+type EC2Provider struct {
+	httpClient *http.Client
+	expiration time.Time
+
+	// expiryWindow will allow the credentials to trigger refreshing prior to the credentials actually expiring.
+	// This is beneficial so expiring credentials do not cause request to fail unexpectedly due to exceptions.
+	//
+	// So a ExpiryWindow of 10s would cause calls to IsExpired() to return true
+	// 10 seconds before the credentials are actually expired.
+	expiryWindow time.Duration
+}
+
+// NewEC2Provider returns a pointer to an EC2 credential provider.
+func NewEC2Provider(httpClient *http.Client, expiryWindow time.Duration) *EC2Provider {
+	return &EC2Provider{
+		httpClient:   httpClient,
+		expiryWindow: expiryWindow,
+	}
+}
+
+func (e *EC2Provider) getToken(ctx context.Context) (string, error) {
+	req, err := http.NewRequest(http.MethodPut, awsEC2URI+awsEC2TokenPath, nil)
+	if err != nil {
+		return "", err
+	}
+	const defaultEC2TTLSeconds = "30"
+	req.Header.Set("X-aws-ec2-metadata-token-ttl-seconds", defaultEC2TTLSeconds)
+
+	ctx, cancel := context.WithTimeout(ctx, defaultHTTPTimeout)
+	defer cancel()
+	resp, err := e.httpClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("%s %s failed: %s", req.Method, req.URL.String(), resp.Status)
+	}
+
+	token, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	if len(token) == 0 {
+		return "", errors.New("unable to retrieve token from EC2 metadata")
+	}
+	return string(token), nil
+}
+
+func (e *EC2Provider) getRoleName(ctx context.Context, token string) (string, error) {
+	req, err := http.NewRequest(http.MethodGet, awsEC2URI+awsEC2RolePath, nil)
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("X-aws-ec2-metadata-token", token)
+
+	ctx, cancel := context.WithTimeout(ctx, defaultHTTPTimeout)
+	defer cancel()
+	resp, err := e.httpClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("%s %s failed: %s", req.Method, req.URL.String(), resp.Status)
+	}
+
+	role, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return "", err
+	}
+	if len(role) == 0 {
+		return "", errors.New("unable to retrieve role_name from EC2 metadata")
+	}
+	return string(role), nil
+}
+
+func (e *EC2Provider) getCredentials(ctx context.Context, token string, role string) (credentials.Value, time.Time, error) {
+	v := credentials.Value{ProviderName: ec2ProviderName}
+
+	pathWithRole := awsEC2URI + awsEC2RolePath + role
+	req, err := http.NewRequest(http.MethodGet, pathWithRole, nil)
+	if err != nil {
+		return v, time.Time{}, err
+	}
+	req.Header.Set("X-aws-ec2-metadata-token", token)
+	ctx, cancel := context.WithTimeout(ctx, defaultHTTPTimeout)
+	defer cancel()
+	resp, err := e.httpClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return v, time.Time{}, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return v, time.Time{}, fmt.Errorf("%s %s failed: %s", req.Method, req.URL.String(), resp.Status)
+	}
+
+	var ec2Resp struct {
+		AccessKeyID     string    `json:"AccessKeyId"`
+		SecretAccessKey string    `json:"SecretAccessKey"`
+		Token           string    `json:"Token"`
+		Expiration      time.Time `json:"Expiration"`
+	}
+
+	err = json.NewDecoder(resp.Body).Decode(&ec2Resp)
+	if err != nil {
+		return v, time.Time{}, err
+	}
+
+	v.AccessKeyID = ec2Resp.AccessKeyID
+	v.SecretAccessKey = ec2Resp.SecretAccessKey
+	v.SessionToken = ec2Resp.Token
+
+	return v, ec2Resp.Expiration, nil
+}
+
+// RetrieveWithContext retrieves the keys from the AWS service.
+func (e *EC2Provider) RetrieveWithContext(ctx context.Context) (credentials.Value, error) {
+	v := credentials.Value{ProviderName: ec2ProviderName}
+
+	token, err := e.getToken(ctx)
+	if err != nil {
+		return v, err
+	}
+
+	role, err := e.getRoleName(ctx, token)
+	if err != nil {
+		return v, err
+	}
+
+	v, exp, err := e.getCredentials(ctx, token, role)
+	if err != nil {
+		return v, err
+	}
+	if !v.HasKeys() {
+		return v, errors.New("failed to retrieve EC2 keys")
+	}
+	e.expiration = exp.Add(-e.expiryWindow)
+
+	return v, nil
+}
+
+// Retrieve retrieves the keys from the AWS service.
+func (e *EC2Provider) Retrieve() (credentials.Value, error) {
+	return e.RetrieveWithContext(context.Background())
+}
+
+// IsExpired returns true if the credentials are expired.
+func (e *EC2Provider) IsExpired() bool {
+	return e.expiration.Before(time.Now())
+}

server/vendor/go.mongodb.org/mongo-driver/v2/internal/credproviders/ecs_provider.go

@@ -0,0 +1,112 @@
+// Copyright (C) MongoDB, Inc. 2023-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package credproviders
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/internal/aws/credentials"
+)
+
+const (
+	// ecsProviderName provides a name of ECS provider
+	ecsProviderName = "ECSProvider"
+
+	awsRelativeURI = "http://169.254.170.2/"
+)
+
+// An ECSProvider retrieves credentials from ECS metadata.
+type ECSProvider struct {
+	AwsContainerCredentialsRelativeURIEnv EnvVar
+
+	httpClient *http.Client
+	expiration time.Time
+
+	// expiryWindow will allow the credentials to trigger refreshing prior to the credentials actually expiring.
+	// This is beneficial so expiring credentials do not cause request to fail unexpectedly due to exceptions.
+	//
+	// So a ExpiryWindow of 10s would cause calls to IsExpired() to return true
+	// 10 seconds before the credentials are actually expired.
+	expiryWindow time.Duration
+}
+
+// NewECSProvider returns a pointer to an ECS credential provider.
+func NewECSProvider(httpClient *http.Client, expiryWindow time.Duration) *ECSProvider {
+	return &ECSProvider{
+		// AwsContainerCredentialsRelativeURIEnv is the environment variable for AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+		AwsContainerCredentialsRelativeURIEnv: EnvVar("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"),
+		httpClient:                            httpClient,
+		expiryWindow:                          expiryWindow,
+	}
+}
+
+// RetrieveWithContext retrieves the keys from the AWS service.
+func (e *ECSProvider) RetrieveWithContext(ctx context.Context) (credentials.Value, error) {
+	const defaultHTTPTimeout = 10 * time.Second
+
+	v := credentials.Value{ProviderName: ecsProviderName}
+
+	relativeEcsURI := e.AwsContainerCredentialsRelativeURIEnv.Get()
+	if len(relativeEcsURI) == 0 {
+		return v, errors.New("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is missing")
+	}
+	fullURI := awsRelativeURI + relativeEcsURI
+
+	req, err := http.NewRequest(http.MethodGet, fullURI, nil)
+	if err != nil {
+		return v, err
+	}
+	req.Header.Set("Accept", "application/json")
+
+	ctx, cancel := context.WithTimeout(ctx, defaultHTTPTimeout)
+	defer cancel()
+	resp, err := e.httpClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return v, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return v, fmt.Errorf("response failure: %s", resp.Status)
+	}
+
+	var ecsResp struct {
+		AccessKeyID     string    `json:"AccessKeyId"`
+		SecretAccessKey string    `json:"SecretAccessKey"`
+		Token           string    `json:"Token"`
+		Expiration      time.Time `json:"Expiration"`
+	}
+
+	err = json.NewDecoder(resp.Body).Decode(&ecsResp)
+	if err != nil {
+		return v, err
+	}
+
+	v.AccessKeyID = ecsResp.AccessKeyID
+	v.SecretAccessKey = ecsResp.SecretAccessKey
+	v.SessionToken = ecsResp.Token
+	if !v.HasKeys() {
+		return v, errors.New("failed to retrieve ECS keys")
+	}
+	e.expiration = ecsResp.Expiration.Add(-e.expiryWindow)
+
+	return v, nil
+}
+
+// Retrieve retrieves the keys from the AWS service.
+func (e *ECSProvider) Retrieve() (credentials.Value, error) {
+	return e.RetrieveWithContext(context.Background())
+}
+
+// IsExpired returns true if the credentials are expired.
+func (e *ECSProvider) IsExpired() bool {
+	return e.expiration.Before(time.Now())
+}

server/vendor/go.mongodb.org/mongo-driver/v2/internal/credproviders/env_provider.go

@@ -0,0 +1,69 @@
+// Copyright (C) MongoDB, Inc. 2023-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package credproviders
+
+import (
+	"os"
+
+	"go.mongodb.org/mongo-driver/v2/internal/aws/credentials"
+)
+
+// envProviderName provides a name of Env provider
+const envProviderName = "EnvProvider"
+
+// EnvVar is an environment variable
+type EnvVar string
+
+// Get retrieves the environment variable
+func (ev EnvVar) Get() string {
+	return os.Getenv(string(ev))
+}
+
+// A EnvProvider retrieves credentials from the environment variables of the
+// running process. Environment credentials never expire.
+type EnvProvider struct {
+	AwsAccessKeyIDEnv     EnvVar
+	AwsSecretAccessKeyEnv EnvVar
+	AwsSessionTokenEnv    EnvVar
+
+	retrieved bool
+}
+
+// NewEnvProvider returns a pointer to an ECS credential provider.
+func NewEnvProvider() *EnvProvider {
+	return &EnvProvider{
+		// AwsAccessKeyIDEnv is the environment variable for AWS_ACCESS_KEY_ID
+		AwsAccessKeyIDEnv: EnvVar("AWS_ACCESS_KEY_ID"),
+		// AwsSecretAccessKeyEnv is the environment variable for AWS_SECRET_ACCESS_KEY
+		AwsSecretAccessKeyEnv: EnvVar("AWS_SECRET_ACCESS_KEY"),
+		// AwsSessionTokenEnv is the environment variable for AWS_SESSION_TOKEN
+		AwsSessionTokenEnv: EnvVar("AWS_SESSION_TOKEN"),
+	}
+}
+
+// Retrieve retrieves the keys from the environment.
+func (e *EnvProvider) Retrieve() (credentials.Value, error) {
+	e.retrieved = false
+
+	v := credentials.Value{
+		AccessKeyID:     e.AwsAccessKeyIDEnv.Get(),
+		SecretAccessKey: e.AwsSecretAccessKeyEnv.Get(),
+		SessionToken:    e.AwsSessionTokenEnv.Get(),
+		ProviderName:    envProviderName,
+	}
+	err := verify(v)
+	if err == nil {
+		e.retrieved = true
+	}
+
+	return v, err
+}
+
+// IsExpired returns true if the credentials have not been retrieved.
+func (e *EnvProvider) IsExpired() bool {
+	return !e.retrieved
+}

server/vendor/go.mongodb.org/mongo-driver/v2/internal/credproviders/imds_provider.go

@@ -0,0 +1,103 @@
+// Copyright (C) MongoDB, Inc. 2023-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package credproviders
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"go.mongodb.org/mongo-driver/v2/internal/aws/credentials"
+)
+
+const (
+	// AzureProviderName provides a name of Azure provider
+	AzureProviderName = "AzureProvider"
+
+	azureURI = "http://169.254.169.254/metadata/identity/oauth2/token"
+)
+
+// An AzureProvider retrieves credentials from Azure IMDS.
+type AzureProvider struct {
+	httpClient   *http.Client
+	expiration   time.Time
+	expiryWindow time.Duration
+}
+
+// NewAzureProvider returns a pointer to an Azure credential provider.
+func NewAzureProvider(httpClient *http.Client, expiryWindow time.Duration) *AzureProvider {
+	return &AzureProvider{
+		httpClient:   httpClient,
+		expiration:   time.Time{},
+		expiryWindow: expiryWindow,
+	}
+}
+
+// RetrieveWithContext retrieves the keys from the Azure service.
+func (a *AzureProvider) RetrieveWithContext(ctx context.Context) (credentials.Value, error) {
+	v := credentials.Value{ProviderName: AzureProviderName}
+	req, err := http.NewRequest(http.MethodGet, azureURI, nil)
+	if err != nil {
+		return v, fmt.Errorf("unable to retrieve Azure credentials: %w", err)
+	}
+	q := make(url.Values)
+	q.Set("api-version", "2018-02-01")
+	q.Set("resource", "https://vault.azure.net")
+	req.URL.RawQuery = q.Encode()
+	req.Header.Set("Metadata", "true")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := a.httpClient.Do(req.WithContext(ctx))
+	if err != nil {
+		return v, fmt.Errorf("unable to retrieve Azure credentials: %w", err)
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return v, fmt.Errorf("unable to retrieve Azure credentials: error reading response body: %w", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		return v, fmt.Errorf("unable to retrieve Azure credentials: expected StatusCode 200, got StatusCode: %v. Response body: %s", resp.StatusCode, body)
+	}
+	var tokenResponse struct {
+		AccessToken string `json:"access_token"`
+		ExpiresIn   string `json:"expires_in"`
+	}
+	// Attempt to read body as JSON
+	err = json.Unmarshal(body, &tokenResponse)
+	if err != nil {
+		return v, fmt.Errorf("unable to retrieve Azure credentials: error reading body JSON: %w (response body: %s)", err, body)
+	}
+	if tokenResponse.AccessToken == "" {
+		return v, fmt.Errorf("unable to retrieve Azure credentials: got unexpected empty accessToken from Azure Metadata Server. Response body: %s", body)
+	}
+	v.SessionToken = tokenResponse.AccessToken
+
+	expiresIn, err := time.ParseDuration(tokenResponse.ExpiresIn + "s")
+	if err != nil {
+		return v, err
+	}
+	if expiration := expiresIn - a.expiryWindow; expiration > 0 {
+		a.expiration = time.Now().Add(expiration)
+	}
+
+	return v, err
+}
+
+// Retrieve retrieves the keys from the Azure service.
+func (a *AzureProvider) Retrieve() (credentials.Value, error) {
+	return a.RetrieveWithContext(context.Background())
+}
+
+// IsExpired returns if the credentials have been retrieved.
+func (a *AzureProvider) IsExpired() bool {
+	return a.expiration.Before(time.Now())
+}

server/vendor/go.mongodb.org/mongo-driver/v2/internal/credproviders/static_provider.go

@@ -0,0 +1,58 @@
+// Copyright (C) MongoDB, Inc. 2023-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+package credproviders
+
+import (
+	"errors"
+
+	"go.mongodb.org/mongo-driver/v2/internal/aws/credentials"
+)
+
+// staticProviderName provides a name of Static provider
+const staticProviderName = "StaticProvider"
+
+// A StaticProvider is a set of credentials which are set programmatically,
+// and will never expire.
+type StaticProvider struct {
+	credentials.Value
+
+	verified bool
+	err      error
+}
+
+func verify(v credentials.Value) error {
+	if !v.HasKeys() {
+		return errors.New("failed to retrieve ACCESS_KEY_ID and SECRET_ACCESS_KEY")
+	}
+	if v.AccessKeyID != "" && v.SecretAccessKey == "" {
+		return errors.New("ACCESS_KEY_ID is set, but SECRET_ACCESS_KEY is missing")
+	}
+	if v.AccessKeyID == "" && v.SecretAccessKey != "" {
+		return errors.New("SECRET_ACCESS_KEY is set, but ACCESS_KEY_ID is missing")
+	}
+	if v.AccessKeyID == "" && v.SecretAccessKey == "" && v.SessionToken != "" {
+		return errors.New("AWS_SESSION_TOKEN is set, but ACCESS_KEY_ID and SECRET_ACCESS_KEY are missing")
+	}
+	return nil
+}
+
+// Retrieve returns the credentials or error if the credentials are invalid.
+func (s *StaticProvider) Retrieve() (credentials.Value, error) {
+	if !s.verified {
+		s.err = verify(s.Value)
+		s.ProviderName = staticProviderName
+		s.verified = true
+	}
+	return s.Value, s.err
+}
+
+// IsExpired returns if the credentials are expired.
+//
+// For StaticProvider, the credentials never expired.
+func (s *StaticProvider) IsExpired() bool {
+	return false
+}