Overview
Package identity provides AWS caller identity retrieval and caching.
This package consolidates AWS identity-related functionality used by Atmos functions (YAML, HCL, etc.) and provides a clean, reusable interface for identity operations.
Key features:
- AWS config loading with support for auth context
- Caller identity retrieval via STS GetCallerIdentity
- Thread-safe caching of identity results per auth context
- Testable via Getter interface
Package identity is a generated GoMock package.
Index
- func ClearIdentityCache()
- func LoadConfig(ctx context.Context, region string, roleArn string, ...) (aws.Config, error)
- func LoadConfigWithAuth(ctx context.Context, region string, roleArn string, ...) (aws.Config, error)
- func SetGetter(g Getter) func()
- type CallerIdentity
  - func GetCallerIdentity(ctx context.Context, region string, roleArn string, assumeRoleDuration time.Duration, authContext *schema.AWSAuthContext) (*CallerIdentity, error)
  - func GetCallerIdentityCached(ctx context.Context, atmosConfig *schema.AtmosConfiguration, authContext *schema.AWSAuthContext) (*CallerIdentity, error)
- type Getter
- type MockGetter
  - func NewMockGetter(ctrl *gomock.Controller) *MockGetter
  - func (m *MockGetter) EXPECT() *MockGetterMockRecorder
  - func (m *MockGetter) GetCallerIdentity(ctx context.Context, atmosConfig *schema.AtmosConfiguration, authContext *schema.AWSAuthContext) (*CallerIdentity, error)
- type MockGetterMockRecorder
  - func (mr *MockGetterMockRecorder) GetCallerIdentity(ctx, atmosConfig, authContext any) *gomock.Call
Constants
This section is empty.
Variables
This section is empty.
Functions
func ClearIdentityCache
func ClearIdentityCache()
ClearIdentityCache clears the AWS identity cache. This is useful in tests or when credentials change during execution.
func LoadConfig
func LoadConfig(ctx context.Context, region string, roleArn string, assumeRoleDuration time.Duration) (aws.Config, error)
LoadConfig loads AWS config using standard AWS SDK credential resolution. This is a wrapper around LoadConfigWithAuth for convenience. For code that needs Atmos auth support, use LoadConfigWithAuth instead.
func LoadConfigWithAuth
func LoadConfigWithAuth(
    ctx context.Context,
    region string,
    roleArn string,
    assumeRoleDuration time.Duration,
    authContext *schema.AWSAuthContext,
) (aws.Config, error)
LoadConfigWithAuth loads AWS config, preferring auth context if available.
When authContext is provided, it uses the Atmos-managed credentials files and profile. Otherwise, it falls back to standard AWS SDK credential resolution.
Standard AWS SDK credential resolution order:
1. Environment variables:
   - AWS_ACCESS_KEY_ID
   - AWS_SECRET_ACCESS_KEY
   - AWS_SESSION_TOKEN (optional, for temporary credentials)
2. Shared credentials file:
   - Typically at ~/.aws/credentials
   - Controlled by:
     - AWS_PROFILE (defaults to "default")
     - AWS_SHARED_CREDENTIALS_FILE
3. Shared config file:
   - Typically at ~/.aws/config
   - Also supports named profiles and region settings
4. Amazon EC2 Instance Metadata Service (IMDS):
   - If running on EC2 or ECS
   - Uses IAM roles attached to the instance/task
5. Web Identity Token credentials:
   - When AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are set (e.g., in EKS)
6. SSO credentials (if configured)
7. Custom credential sources:
   - Provided programmatically using config.WithCredentialsProvider(...)
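The practical consequence of this order is that a stray AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair in the environment silently wins over the AWS_PROFILE you intended to use, which is how a command ends up running against the wrong account. The following stand-alone program is an added illustration, not code from the identity package or the AWS SDK: it reimplements only the first two steps of the chain (environment variables, then the shared credentials file selected by AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE) over an in-memory environment and a constructed credentials file, and reports which source was chosen. The Credentials type, Resolve, parseSharedCredentials and the sample key values are all assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Credentials is the resolved static credential set plus the source it came from,
// which is the part worth logging when a command runs against the wrong account.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken, Source string }

// parseSharedCredentials reads the INI-style ~/.aws/credentials layout: [profile]
// sections holding aws_access_key_id / aws_secret_access_key / aws_session_token.
func parseSharedCredentials(content string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var cur map[string]string
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			cur = map[string]string{}
			profiles[strings.TrimSpace(line[1:len(line)-1])] = cur
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok && cur != nil {
			cur[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return profiles
}

// Resolve applies the first two steps of the documented chain: environment
// variables win outright; otherwise the profile named by AWS_PROFILE (default
// "default") is read from the file named by AWS_SHARED_CREDENTIALS_FILE.
// env and files are passed in explicitly so the logic runs offline; the real
// SDK continues with the config file, IMDS, web identity and SSO steps.
func Resolve(env map[string]string, files map[string]string) (Credentials, error) {
	if ak, sk := env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"]; ak != "" && sk != "" {
		return Credentials{ak, sk, env["AWS_SESSION_TOKEN"], "environment"}, nil
	}
	profile := env["AWS_PROFILE"]
	if profile == "" {
		profile = "default"
	}
	path := env["AWS_SHARED_CREDENTIALS_FILE"]
	if path == "" {
		path = "~/.aws/credentials"
	}
	content, ok := files[path]
	if !ok {
		return Credentials{}, fmt.Errorf("no credentials in environment and %s not found", path)
	}
	p := parseSharedCredentials(content)[profile] // nil map for an unknown profile, reads as ""
	if p["aws_access_key_id"] == "" || p["aws_secret_access_key"] == "" {
		return Credentials{}, fmt.Errorf("profile %q in %s has no static credentials", profile, path)
	}
	src := fmt.Sprintf("shared credentials file %s [%s]", path, profile)
	return Credentials{p["aws_access_key_id"], p["aws_secret_access_key"], p["aws_session_token"], src}, nil
}

// Constructed sample file; the key values are placeholders, not real credentials.
const sampleCredentialsFile = `[default]
aws_access_key_id = AKIADEFAULTEXAMPLE
aws_secret_access_key = defaultsecretEXAMPLE

; prod holds temporary credentials, hence the session token
[prod]
aws_access_key_id = ASIAPRODEXAMPLE
aws_secret_access_key = prodsecretEXAMPLE
aws_session_token = FwoGZXIvYXdzEXAMPLE
`

var sampleFiles = map[string]string{"~/.aws/credentials": sampleCredentialsFile}

func main() {
	for _, env := range []map[string]string{
		{"AWS_PROFILE": "prod"},
		{"AWS_PROFILE": "prod", "AWS_ACCESS_KEY_ID": "AKIAENVEXAMPLE", "AWS_SECRET_ACCESS_KEY": "envsecretEXAMPLE"},
		{"AWS_PROFILE": "staging"},
	} {
		c, err := Resolve(env, sampleFiles)
		fmt.Printf("AWS_PROFILE=%q key=%s source=%q err=%v\n", env["AWS_PROFILE"], c.AccessKeyID, c.Source, err)
	}
}
```

The second scenario in main is the one to notice: AWS_PROFILE=prod is set, but the environment keys are what get used. Surfacing the Source string (or the caller identity, as GetCallerIdentity does) before acting is the cheap check that catches this.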
Types
type CallerIdentity
type CallerIdentity struct {
    Account string
    Arn     string
    UserID  string
    Region  string // The AWS region from the loaded config.
}
CallerIdentity holds the information returned by AWS STS GetCallerIdentity.
func GetCallerIdentity
func GetCallerIdentity(
    ctx context.Context,
    region string,
    roleArn string,
    assumeRoleDuration time.Duration,
    authContext *schema.AWSAuthContext,
) (*CallerIdentity, error)
GetCallerIdentity retrieves AWS caller identity using STS GetCallerIdentity API. Returns account ID, ARN, user ID, and region. This function keeps AWS SDK STS imports contained within this package. For caching, use GetCallerIdentityCached instead.
func GetCallerIdentityCached
func GetCallerIdentityCached(
    ctx context.Context,
    atmosConfig *schema.AtmosConfiguration,
    authContext *schema.AWSAuthContext,
) (*CallerIdentity, error)
GetCallerIdentityCached retrieves the AWS caller identity with caching. Results are cached per auth context to avoid repeated STS calls within the same CLI invocation.
type Getter
type Getter interface {
    // GetCallerIdentity retrieves the AWS caller identity for the current credentials.
    // Returns the account ID, ARN, and user ID of the calling identity.
    GetCallerIdentity(
        ctx context.Context,
        atmosConfig *schema.AtmosConfiguration,
        authContext *schema.AWSAuthContext,
    ) (*CallerIdentity, error)
}
Getter provides an interface for retrieving AWS caller identity information. This interface enables dependency injection and testability.
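The three documented behaviours (GetCallerIdentityCached caching per auth context, ClearIdentityCache for when credentials change mid-run, and a Getter interface that tests can substitute) fit together in one small design. The program below is an added example written for this page, not the identity package's own implementation: CachingGetter is an assumed stand-in for the package's cache, AuthContext is a reduced stand-in for schema.AWSAuthContext, FakeSTS is a counting fake that takes the place of the real STS call, and all account and ARN values are constructed. It shows that twenty concurrent callers sharing one auth context cost exactly one backend call, that a second auth context is keyed separately, and that clearing the cache is what makes a later caller see the new credentials rather than the stale identity.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

// CallerIdentity mirrors the documented struct returned from STS GetCallerIdentity.
type CallerIdentity struct{ Account, Arn, UserID, Region string }

// AuthContext stands in for schema.AWSAuthContext (assumed shape): only the
// fields that distinguish one credential set from another are modelled.
type AuthContext struct{ CredentialsFile, Profile string }

// Getter is the injection point, shaped like the package's Getter interface.
type Getter interface {
	GetCallerIdentity(ctx context.Context, auth *AuthContext) (*CallerIdentity, error)
}

// cacheKey: nil auth means "standard SDK chain" and gets its own slot.
func cacheKey(auth *AuthContext) string {
	if auth == nil {
		return "<default-sdk-chain>"
	}
	return auth.CredentialsFile + "\x00" + auth.Profile
}

// CachingGetter memoises a backend Getter per auth context. The mutex is held
// across the backend call so concurrent misses do not fan out into N STS calls.
type CachingGetter struct {
	mu      sync.Mutex
	backend Getter
	cache   map[string]*CallerIdentity
}

func (c *CachingGetter) GetCallerIdentity(ctx context.Context, auth *AuthContext) (*CallerIdentity, error) {
	key := cacheKey(auth)
	c.mu.Lock()
	defer c.mu.Unlock()
	if id, ok := c.cache[key]; ok {
		return id, nil
	}
	id, err := c.backend.GetCallerIdentity(ctx, auth)
	if err != nil {
		return nil, err // errors are never cached; a transient STS failure is retried next call
	}
	if c.cache == nil {
		c.cache = map[string]*CallerIdentity{}
	}
	c.cache[key] = id
	return id, nil
}

// Clear drops every cached identity. Call it when credentials change mid-run;
// otherwise later callers act on the account and ARN of the previous credentials.
func (c *CachingGetter) Clear() {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.cache = nil
}

// FakeSTS counts backend calls so caching is observable without touching AWS.
// It needs no lock of its own: CachingGetter never calls the backend concurrently.
type FakeSTS struct{ Calls int }

func (f *FakeSTS) GetCallerIdentity(_ context.Context, _ *AuthContext) (*CallerIdentity, error) {
	f.Calls++
	// Constructed sample values, not a real account.
	return &CallerIdentity{Account: "123456789012", Arn: "arn:aws:sts::123456789012:assumed-role/atmos/cli",
		UserID: "AROAEXAMPLEID:cli", Region: "us-east-1"}, nil
}

// Demo: 20 goroutines sharing one auth context cost a single STS call, a second
// context costs one more, and Clear forces a refetch. Returns the counts (1, 2, 3).
func Demo() (afterConcurrent, afterSecondCtx, afterClear int) {
	sts := &FakeSTS{}
	cg := &CachingGetter{backend: sts}
	dev := &AuthContext{CredentialsFile: "/tmp/atmos/credentials", Profile: "dev"}
	var wg sync.WaitGroup
	for i := 0; i < 20; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			_, _ = cg.GetCallerIdentity(context.Background(), dev)
		}()
	}
	wg.Wait()
	afterConcurrent = sts.Calls
	prod := &AuthContext{CredentialsFile: "/tmp/atmos/credentials", Profile: "prod"}
	_, _ = cg.GetCallerIdentity(context.Background(), prod)
	afterSecondCtx = sts.Calls
	cg.Clear() // e.g. after the credentials file was rewritten for a different role
	_, _ = cg.GetCallerIdentity(context.Background(), dev)
	afterClear = sts.Calls
	return
}

func main() {
	fmt.Println(Demo())
}
```

Holding the mutex across the backend call is a deliberate trade: it serialises cache misses, but it guarantees that a burst of YAML or HCL function evaluations at startup produces one STS call per auth context instead of one per goroutine. Because the cache lives for the whole CLI invocation, anything that rewrites the credentials on disk during a run must call Clear, or every later identity check reports the old principal.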
type MockGetter
type MockGetter struct {
    // contains filtered or unexported fields
}
MockGetter is a mock of Getter interface.
func NewMockGetter
func NewMockGetter(ctrl *gomock.Controller) *MockGetter
NewMockGetter creates a new mock instance.
func (*MockGetter) EXPECT
func (m *MockGetter) EXPECT() *MockGetterMockRecorder
EXPECT returns an object that allows the caller to indicate expected use.
func (*MockGetter) GetCallerIdentity
func (m *MockGetter) GetCallerIdentity(ctx context.Context, atmosConfig *schema.AtmosConfiguration, authContext *schema.AWSAuthContext) (*CallerIdentity, error)
GetCallerIdentity mocks base method.
type MockGetterMockRecorder
type MockGetterMockRecorder struct {
    // contains filtered or unexported fields
}
MockGetterMockRecorder is the mock recorder for MockGetter.
func (*MockGetterMockRecorder) GetCallerIdentity
func (mr *MockGetterMockRecorder) GetCallerIdentity(ctx, atmosConfig, authContext any) *gomock.Call
GetCallerIdentity indicates an expected call of GetCallerIdentity.