diff --git a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/endpoint.go b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/endpoint.go
index a6874e5f..7069b887 100644
--- a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/endpoint.go
+++ b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/endpoint.go
@@ -1,6 +1,9 @@
 package provider
 
-import "strings"
+import (
+	"os"
+	"strings"
+)
 
 const (
 	regionPlaceholder = "{region}"
@@ -25,6 +28,9 @@ var stsEndpointsByRegion = map[string][2]string{
 }
 
 func GetSTSEndpoint(region string, vpcNetwork bool) string {
+	if v := os.Getenv(envStsEndpoint); v != "" {
+		return v
+	}
 	endpoints, exist := stsEndpointsByRegion[region]
 	if !exist {
 		endpoints = stsEndpointsByRegion["__default__"]
diff --git a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/env.go b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/env.go
index 6fb62305..7210140d 100644
--- a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/env.go
+++ b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/env.go
@@ -6,6 +6,9 @@ const (
 	envRoleArn = "ALIBABA_CLOUD_ROLE_ARN"
 	envOidcProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN"
 	envOidcTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"
+
+	envStsEndpoint = "ALIBABA_CLOUD_STS_ENDPOINT"
+	envStsHttpScheme = "ALIBABA_CLOUD_STS_HTTP_SCHEME"
 )
 
 // https://github.com/aliyun/credentials-go
@@ -142,3 +145,11 @@ func getEnvsValue(keys []string) string {
 func getRoleSessionNameFromEnv() string {
 	return getEnvsValue(roleSessionNameEnvs)
 }
+
+func getStsEndpointFromEnv() string {
+	return getEnvsValue([]string{envStsEndpoint})
+}
+
+func getStsHttpSchemeFromEnv() string {
+	return getEnvsValue([]string{envStsHttpScheme})
+}
diff --git a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/oidc_provider.go b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/oidc_provider.go
index 531cce0e..8d0f0945 100644
--- a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/oidc_provider.go
+++ b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/oidc_provider.go
@@ -13,9 +13,6 @@ import (
 )
 
 const (
-	defaultSTSEndpoint = "sts.aliyuncs.com"
-	defaultSTSScheme = "HTTPS"
-
 	defaultEnvRoleArn = "ALIBABA_CLOUD_ROLE_ARN"
 	defaultEnvOIDCProviderArn = "ALIBABA_CLOUD_OIDC_PROVIDER_ARN"
 	defaultEnvOIDCTokenFile = "ALIBABA_CLOUD_OIDC_TOKEN_FILE"
@@ -23,7 +20,11 @@ const (
 	defaultExpiryWindowForAssumeRole = time.Minute * 10
 )
 
-var defaultSessionName = "default-session-name"
+var (
+	defaultSessionName = "default-session-name"
+	defaultSTSEndpoint = "sts.aliyuncs.com"
+	defaultSTSScheme = "HTTPS"
+)
 
 type OIDCProvider struct {
 	u *Updater
@@ -34,6 +35,9 @@ type OIDCProvider struct {
 	stsScheme string
 	sessionName string
 
+	policy string
+	durationSeconds string
+
 	roleArn string
 	oidcProviderArn string
 	oidcTokenFile string
@@ -46,6 +50,9 @@ type OIDCProviderOptions struct {
 	stsScheme string
 	SessionName string
 
+	TokenDuration time.Duration
+	Policy string
+
 	RoleArn string
 	EnvRoleArn string
 	OIDCProviderArn string
@@ -66,6 +73,12 @@ func init() {
 	if sessionName != "" {
 		defaultSessionName = sessionName
 	}
+	if v := getStsEndpointFromEnv(); v != "" {
+		defaultSTSEndpoint = v
+	}
+	if v := getStsHttpSchemeFromEnv(); v != "" {
+		defaultSTSScheme = strings.ToUpper(v)
+	}
 }
 
 func NewOIDCProvider(opts OIDCProviderOptions) *OIDCProvider {
@@ -80,11 +93,17 @@ func NewOIDCProvider(opts OIDCProviderOptions) *OIDCProvider {
 		stsEndpoint: opts.STSEndpoint,
 		stsScheme: opts.stsScheme,
 		sessionName: opts.SessionName,
+		policy: opts.Policy,
 		roleArn: opts.getRoleArn(),
 		oidcProviderArn: opts.getOIDCProviderArn(),
 		oidcTokenFile: opts.getOIDCTokenFile(),
 		Logger: opts.Logger,
 	}
+	if opts.TokenDuration >= time.Second*900 {
+		ds := int64(opts.TokenDuration.Seconds())
+		e.durationSeconds = fmt.Sprintf("%d", ds)
+	}
+
 	e.u = NewUpdater(e.getCredentials, UpdaterOptions{
 		ExpiryWindow: opts.ExpiryWindow,
 		RefreshPeriod: opts.RefreshPeriod,
@@ -142,7 +161,12 @@ func (o *OIDCProvider) assumeRoleWithOIDC(ctx context.Context, roleArn, oidcProv
 	reqOpts.QueryParams["RoleArn"] = roleArn
 	reqOpts.QueryParams["OIDCProviderArn"] = oidcProviderArn
 	reqOpts.BodyParams["OIDCToken"] = token
-	//reqOpts.QueryParams["Policy"] = policy
+	if o.durationSeconds != "" {
+		reqOpts.QueryParams["DurationSeconds"] = o.durationSeconds
+	}
+	if o.policy != "" {
+		reqOpts.BodyParams["Policy"] = o.policy
+	}
 	reqOpts.QueryParams["RoleSessionName"] = o.sessionName
 	reqOpts.QueryParams["Version"] = "2015-04-01"
 	reqOpts.QueryParams["SignatureNonce"] = getUUID()
diff --git a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/rolearn_provider.go b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/rolearn_provider.go
index 0ae6ee64..733b03ad 100644
--- a/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/rolearn_provider.go
+++ b/vendor/github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/provider/rolearn_provider.go
@@ -19,6 +19,10 @@ type RoleArnProvider struct {
 	stsScheme string
 	sessionName string
 
+	policy string
+	externalId string
+	durationSeconds string
+
 	roleArn string
 	cp CredentialsProvider
 
@@ -30,6 +34,10 @@ type RoleArnProviderOptions struct {
 	stsScheme string
 	SessionName string
 
+	TokenDuration time.Duration
+	Policy string
+	ExternalId string
+
 	Timeout time.Duration
 	Transport http.RoundTripper
 
@@ -50,10 +58,17 @@ func NewRoleArnProvider(cp CredentialsProvider, roleArn string, opts RoleArnProv
 		stsEndpoint: opts.STSEndpoint,
 		stsScheme: opts.stsScheme,
 		sessionName: opts.SessionName,
+		policy: opts.Policy,
+		externalId: opts.ExternalId,
 		roleArn: roleArn,
 		cp: cp,
 		Logger: opts.Logger,
 	}
+	if opts.TokenDuration >= time.Second*900 {
+		ds := int64(opts.TokenDuration.Seconds())
+		e.durationSeconds = fmt.Sprintf("%d", ds)
+	}
+
 	e.u = NewUpdater(e.getCredentials, UpdaterOptions{
 		ExpiryWindow: opts.ExpiryWindow,
 		RefreshPeriod: opts.RefreshPeriod,
@@ -93,14 +108,21 @@ func (r *RoleArnProvider) assumeRole(ctx context.Context, roleArn string) (*Cred
 	reqOpts := newCommonRequest()
 	reqOpts.Domain = r.stsEndpoint
 	reqOpts.Scheme = r.stsScheme
-	reqOpts.Method = "GET"
+	reqOpts.Method = "POST"
 	reqOpts.QueryParams["Timestamp"] = getTimeInFormatISO8601()
 	reqOpts.QueryParams["AccessKeyId"] = cred.AccessKeyId
 	reqOpts.QueryParams["Action"] = "AssumeRole"
 	reqOpts.QueryParams["Format"] = "JSON"
 	reqOpts.QueryParams["RoleArn"] = roleArn
-	//reqOpts.QueryParams["Policy"] = policy
-	//reqOpts.QueryParams["ExternalId"] = externalId
+	if r.durationSeconds != "" {
+		reqOpts.QueryParams["DurationSeconds"] = r.durationSeconds
+	}
+	if r.policy != "" {
+		reqOpts.BodyParams["Policy"] = r.policy
+	}
+	if r.externalId != "" {
+		reqOpts.QueryParams["ExternalId"] = r.externalId
+	}
 	reqOpts.QueryParams["RoleSessionName"] = r.sessionName
 	reqOpts.QueryParams["SignatureMethod"] = "HMAC-SHA1"
 	reqOpts.QueryParams["SignatureVersion"] = "1.0"