feat(alibaba): add Alibaba Cloud provider (#9329)

Co-authored-by: pedrooot <pedromarting3@gmail.com>
Co-authored-by: HugoPBrito <hugopbrit@gmail.com>

docs/docs.json

@@ -198,6 +198,13 @@
                   "user-guide/providers/gcp/retry-configuration"
                 ]
               },
+              {
+                "group": "Alibaba Cloud",
+                "pages": [
+                  "user-guide/providers/alibabacloud/getting-started-alibabacloud",
+                  "user-guide/providers/alibabacloud/authentication"
+                ]
+              },
               {
                 "group": "Kubernetes",
                 "pages": [

docs/user-guide/providers/alibabacloud/authentication.mdx

@@ -0,0 +1,112 @@
+---
+title: 'Alibaba Cloud Authentication in Prowler'
+---
+
+Prowler requires Alibaba Cloud credentials to perform security checks. Authentication is supported via multiple methods, prioritized as follows:
+
+1. **Credentials URI**
+2. **OIDC Role Authentication**
+3. **ECS RAM Role**
+4. **RAM Role Assumption**
+5. **STS Temporary Credentials**
+6. **Permanent Access Keys**
+7. **Default Credential Chain**
+
+## Authentication Methods
+
+### Credentials URI (Recommended for Centralized Services)
+
+If `--credentials-uri` is provided (or `ALIBABA_CLOUD_CREDENTIALS_URI` environment variable), Prowler will retrieve credentials from the specified external URI endpoint. The URI must return credentials in the standard JSON format.
+
+```bash
+export ALIBABA_CLOUD_CREDENTIALS_URI="http://localhost:8080/credentials"
+prowler alibabacloud
+```
+
+### OIDC Role Authentication (Recommended for ACK/Kubernetes)
+
+If OIDC environment variables are set, Prowler will use OIDC authentication to assume the specified role. This is the most secure method for containerized applications running in ACK (Alibaba Container Service for Kubernetes) with RRSA enabled.
+
+Required environment variables:
+- `ALIBABA_CLOUD_ROLE_ARN`
+- `ALIBABA_CLOUD_OIDC_PROVIDER_ARN`
+- `ALIBABA_CLOUD_OIDC_TOKEN_FILE`
+
+```bash
+export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/YourRole"
+export ALIBABA_CLOUD_OIDC_PROVIDER_ARN="acs:ram::123456789012:oidc-provider/ack-rrsa-provider"
+export ALIBABA_CLOUD_OIDC_TOKEN_FILE="/var/run/secrets/tokens/oidc-token"
+prowler alibabacloud
+```
+
+### ECS RAM Role (Recommended for ECS Instances)
+
+When running on an ECS instance with an attached RAM role, Prowler can obtain credentials from the ECS instance metadata service.
+
+```bash
+# Using CLI argument
+prowler alibabacloud --ecs-ram-role RoleName
+
+# Or using environment variable
+export ALIBABA_CLOUD_ECS_METADATA="RoleName"
+prowler alibabacloud
+```
+
+### RAM Role Assumption (Recommended for Cross-Account)
+
+For cross-account access, use RAM role assumption. You must provide the initial credentials (access keys) and the target role ARN.
+
+```bash
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/ProwlerAuditRole"
+prowler alibabacloud
+```
+
+### STS Temporary Credentials
+
+If you already have temporary STS credentials, you can provide them via environment variables.
+
+```bash
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-sts-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-sts-access-key-secret"
+export ALIBABA_CLOUD_SECURITY_TOKEN="your-sts-security-token"
+prowler alibabacloud
+```
+
+### Permanent Access Keys
+
+You can use standard permanent access keys via environment variables.
+
+```bash
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+prowler alibabacloud
+```
+
+## Required Permissions
+
+The credentials used by Prowler should have the minimum required permissions to audit the resources. At a minimum, the following permissions are recommended:
+
+- `ram:GetUser`
+- `ram:ListUsers`
+- `ram:GetPasswordPolicy`
+- `ram:GetAccountSummary`
+- `ram:ListVirtualMFADevices`
+- `ram:ListGroups`
+- `ram:ListPolicies`
+- `ram:ListAccessKeys`
+- `ram:GetLoginProfile`
+- `ram:ListPoliciesForUser`
+- `ram:ListGroupsForUser`
+- `actiontrail:DescribeTrails`
+- `oss:GetBucketLogging`
+- `oss:GetBucketAcl`
+- `rds:DescribeDBInstances`
+- `rds:DescribeDBInstanceAttribute`
+- `ecs:DescribeInstances`
+- `vpc:DescribeVpcs`
+- `sls:ListProject`
+- `sls:ListAlerts`
+- `sls:ListLogStores`
+- `sls:GetLogStore`

docs/user-guide/providers/alibabacloud/getting-started-alibabacloud.mdx

@@ -0,0 +1,132 @@
+---
+title: 'Getting Started With Alibaba Cloud on Prowler'
+---
+
+## Prowler CLI
+
+### Configure Alibaba Cloud Credentials
+
+Prowler requires Alibaba Cloud credentials to perform security checks. Authentication is available through the following methods (in order of priority):
+
+1. **Credentials URI** (Recommended for centralized credential services)
+2. **OIDC Role Authentication** (Recommended for ACK/Kubernetes)
+3. **ECS RAM Role** (Recommended for ECS instances)
+4. **RAM Role Assumption** (Recommended for cross-account access)
+5. **STS Temporary Credentials**
+6. **Permanent Access Keys**
+7. **Default Credential Chain**
+
+<Warning>
+Prowler does not accept credentials through command-line arguments. Provide credentials through environment variables or the Alibaba Cloud credential chain.
+
+</Warning>
+
+#### Option 1: Environment Variables (Permanent Credentials)
+
+```bash
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+prowler alibabacloud
+```
+
+#### Option 2: Environment Variables (STS Temporary Credentials)
+
+```bash
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-sts-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-sts-access-key-secret"
+export ALIBABA_CLOUD_SECURITY_TOKEN="your-sts-security-token"
+prowler alibabacloud
+```
+
+#### Option 3: RAM Role Assumption (Environment Variables)
+
+```bash
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/ProwlerAuditRole"
+export ALIBABA_CLOUD_ROLE_SESSION_NAME="ProwlerAssessmentSession"  # Optional
+prowler alibabacloud
+```
+
+#### Option 4: RAM Role Assumption (CLI + Environment Variables)
+
+```bash
+# Set credentials via environment variables
+export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
+export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
+# Specify role via CLI argument
+prowler alibabacloud --role-arn acs:ram::123456789012:role/ProwlerAuditRole --role-session-name ProwlerAssessmentSession
+```
+
+#### Option 5: ECS Instance Metadata (ECS RAM Role)
+
+```bash
+# When running on an ECS instance with an attached RAM role
+prowler alibabacloud --ecs-ram-role RoleName
+
+# Or using environment variable
+export ALIBABA_CLOUD_ECS_METADATA="RoleName"
+prowler alibabacloud
+```
+
+#### Option 6: OIDC Role Authentication (for ACK/Kubernetes)
+
+```bash
+# For applications running in ACK (Alibaba Container Service for Kubernetes) with RRSA enabled
+export ALIBABA_CLOUD_ROLE_ARN="acs:ram::123456789012:role/YourRole"
+export ALIBABA_CLOUD_OIDC_PROVIDER_ARN="acs:ram::123456789012:oidc-provider/ack-rrsa-provider"
+export ALIBABA_CLOUD_OIDC_TOKEN_FILE="/var/run/secrets/tokens/oidc-token"
+export ALIBABA_CLOUD_ROLE_SESSION_NAME="ProwlerOIDCSession"  # Optional
+prowler alibabacloud
+
+# Or using CLI argument
+prowler alibabacloud --oidc-role-arn acs:ram::123456789012:role/YourRole
+```
+
+#### Option 7: Credentials URI (External Credential Service)
+
+```bash
+# Retrieve credentials from an external URI endpoint
+export ALIBABA_CLOUD_CREDENTIALS_URI="http://localhost:8080/credentials"
+prowler alibabacloud
+
+# Or using CLI argument
+prowler alibabacloud --credentials-uri http://localhost:8080/credentials
+```
+
+#### Option 8: Default Credential Chain
+
+The SDK automatically checks credentials in the following order:
+1. Environment variables (`ALIBABA_CLOUD_*` or `ALIYUN_*`)
+2. OIDC authentication (if OIDC environment variables are set)
+3. Configuration file (`~/.aliyun/config.json`)
+4. ECS instance metadata (if running on ECS)
+5. Credentials URI (if `ALIBABA_CLOUD_CREDENTIALS_URI` is set)
+
+```bash
+prowler alibabacloud
+```
+
+### Specify Regions
+
+To run checks only in specific regions:
+
+```bash
+prowler alibabacloud --regions cn-hangzhou cn-shanghai
+```
+
+### Run Specific Checks
+
+To run specific checks:
+
+```bash
+prowler alibabacloud --checks ram_no_root_access_key ram_user_mfa_enabled_console_access
+```
+
+### Run Compliance Framework
+
+To run a specific compliance framework:
+
+```bash
+prowler alibabacloud --compliance cis_2.0_alibabacloud
+```