Documentation
Index
- func NewWebIdentityRoleProvider(cfg AwsWebIdentityConfig, getSubjectToken func() (string, error)) (aws.CredentialsProvider, error)
- type AssumeRoleConfig
- type AwsTemporaryCredentials
- func AssumeRole(ctx context.Context, cfg AssumeRoleConfig) (AwsTemporaryCredentials, error)
- type AwsWebIdentityConfig
- type Transport
- func NewAwsSignTransport(underlyingTransport http.RoundTripper, id, secret, token string, ...) (Transport, error)
- func NewAwsSignTransportWithCredentials(underlyingTransport http.RoundTripper, id, secret, token string, ...) (Transport, error)
- func NewAwsSignTransportWithProvider(underlyingTransport http.RoundTripper, provider aws.CredentialsProvider, ...) (Transport, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewWebIdentityRoleProvider
func NewWebIdentityRoleProvider(
	cfg AwsWebIdentityConfig,
	getSubjectToken func() (string, error),
) (aws.CredentialsProvider, error)
NewWebIdentityRoleProvider builds an auto-refreshing AWS credentials provider that exchanges the OIDC token returned by getSubjectToken for temporary role credentials through the STS AssumeRoleWithWebIdentity exchange described by cfg. The returned provider is wrapped in aws.NewCredentialsCache, so callers get caching with expiry-aware refresh out of the box. Because the exchange is repeated on every refresh, getSubjectToken should return a currently valid token each time it is called rather than one captured at start-up; a token or STS failure surfaces as an error from the provider's Retrieve, not as a silently expired credential.
Types
type AssumeRoleConfig
type AssumeRoleConfig struct {
BaseAccessKeyID string
BaseSecretAccessKey string
BaseSessionToken string
RoleARN string
RoleSessionName string
ExternalID string
Region string
DurationSeconds int32
// Endpoint optionally overrides the STS endpoint. Primarily useful for
// testing against a mock, or for non-default partitions / private endpoints.
Endpoint string
// HTTPClient optionally supplies the HTTP client used for the STS call.
HTTPClient aws.HTTPClient
}
AssumeRoleConfig describes an STS AssumeRole exchange: the base (long-lived) credentials that authenticate the AssumeRole call, the target role, and a set of optional refinements. BaseSessionToken is only needed when the base credentials are themselves temporary. RoleSessionName appears in the assumed-role ARN and in CloudTrail, so choose a value that identifies the caller. ExternalID should be set whenever the role lives in another account and its trust policy conditions on sts:ExternalId; it is the standard guard against confused-deputy use of the role. DurationSeconds is bounded by STS to 900..43200 seconds and by the role's maximum session duration, and a value above either limit is rejected rather than clamped.
type AwsTemporaryCredentials
type AwsTemporaryCredentials struct {
AccessKeyID string
SecretAccessKey string
SessionToken string
}
AwsTemporaryCredentials holds the short-lived credentials returned by an STS AssumeRole call.
func AssumeRole
func AssumeRole(ctx context.Context, cfg AssumeRoleConfig) (AwsTemporaryCredentials, error)
AssumeRole exchanges base credentials for temporary credentials scoped to the supplied role, via the AWS STS AssumeRole API. The returned credentials are suitable for NewAwsSignTransportWithCredentials. They are a one-shot snapshot: they expire after DurationSeconds and nothing refreshes them, so long-running processes should prefer a refreshing provider with NewAwsSignTransportWithProvider.
type AwsWebIdentityConfig
type AwsWebIdentityConfig struct {
RoleARN string
RoleSessionName string
DurationSeconds int32
Region string
// Endpoint optionally overrides the STS endpoint (testing, private endpoints,
// non-default partitions).
Endpoint string
// HTTPClient optionally supplies the HTTP client used by STS.
HTTPClient aws.HTTPClient
}
AwsWebIdentityConfig describes an STS AssumeRoleWithWebIdentity exchange: the target role, optional refinements (RoleSessionName, DurationSeconds, Region), and the STS endpoint/transport. Unlike AssumeRoleConfig it carries no base credentials: AssumeRoleWithWebIdentity is an unsigned call in which the OIDC token itself is the credential, and the role's trust policy decides which token issuer and audience are accepted.
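The Endpoint field on both config types exists so these exchanges can be driven against a mock. What follows is an added example, not code from this package: a stdlib-only mock STS endpoint (the kind of thing cfg.Endpoint would be pointed at) that enforces the checks real STS applies to AssumeRole and AssumeRoleWithWebIdentity, plus a parser for the XML it answers with. The ARN, key id, external id and credential values are constructed fixtures; the parameter and element names follow the STS query API (AssumeRole must arrive SigV4-signed with the base key, AssumeRoleWithWebIdentity is unsigned), while the helper names mockSTS, parseSTSResponse and stsCredentials are this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Constructed fixture values; none is a real AWS identifier or secret.
const (
	mockBaseAccessKeyID = "AKIAEXAMPLEBASEKEY00"
	mockRoleARN         = "arn:aws:iam::123456789012:role/example-role"
	mockExternalID      = "example-external-id"
	stsNS               = "https://sts.amazonaws.com/doc/2011-06-15/"
)
// stsError writes the <ErrorResponse> document STS returns; the SDK surfaces Code as the error type.
func stsError(w http.ResponseWriter, status int, code, msg string) {
	w.WriteHeader(status)
	fmt.Fprintf(w, `<ErrorResponse xmlns="%s"><Error><Type>Sender</Type><Code>%s</Code><Message>%s</Message></Error><RequestId>mock</RequestId></ErrorResponse>`, stsNS, code, msg)
}

// mockSTS applies the checks STS makes on AssumeRole and AssumeRoleWithWebIdentity, then issues constructed credentials.
func mockSTS(w http.ResponseWriter, r *http.Request) {
	_ = r.ParseForm() // query protocol: parameters arrive as a form-encoded POST body
	q, action := r.PostForm, r.PostForm.Get("Action")
	if q.Get("RoleArn") != mockRoleARN || q.Get("RoleSessionName") == "" {
		stsError(w, 403, "AccessDenied", "not authorized to assume "+q.Get("RoleArn"))
		return
	}
	dur := 3600 // default when omitted; STS also caps it at the role's maximum session duration
	if s := q.Get("DurationSeconds"); s != "" {
		var err error
		if dur, err = strconv.Atoi(s); err != nil || dur < 900 || dur > 43200 {
			stsError(w, 400, "ValidationError", "DurationSeconds must be between 900 and 43200")
			return
		}
	}
	switch action {
	case "AssumeRole":
		// Signed call: the SigV4 Authorization header must name the base access key.
		if !strings.HasPrefix(r.Header.Get("Authorization"), "AWS4-HMAC-SHA256 Credential="+mockBaseAccessKeyID+"/") {
			stsError(w, 403, "InvalidClientTokenId", "not signed by the expected base key")
			return
		}
		// The trust policy demands sts:ExternalId; a missing or wrong value is the confused-deputy case.
		if q.Get("ExternalId") != mockExternalID {
			stsError(w, 403, "AccessDenied", "ExternalId mismatch")
			return
		}
	case "AssumeRoleWithWebIdentity":
		// Unsigned call: the OIDC token is the credential. Real STS verifies signature, issuer and audience; the mock only checks the JWT shape.
		if len(strings.Split(q.Get("WebIdentityToken"), ".")) != 3 {
			stsError(w, 400, "InvalidIdentityToken", "WebIdentityToken is not a JWT")
			return
		}
	default:
		stsError(w, 400, "InvalidAction", "unsupported Action "+action)
		return
	}
	fmt.Fprintf(w, `<%[1]sResponse xmlns="%[2]s"><%[1]sResult><Credentials><AccessKeyId>ASIAMOCKTEMPORARYKEY</AccessKeyId><SecretAccessKey>mock-secret</SecretAccessKey><SessionToken>mock-session-token</SessionToken><Expiration>%[3]s</Expiration></Credentials></%[1]sResult><ResponseMetadata><RequestId>mock</RequestId></ResponseMetadata></%[1]sResponse>`, action, stsNS, time.Now().UTC().Add(time.Duration(dur)*time.Second).Format(time.RFC3339))
}

type stsCredentials struct{ AccessKeyId, SecretAccessKey, SessionToken, Expiration string } // mirrors <Credentials>
// parseSTSResponse decodes either success document or turns <ErrorResponse> into a Go error.
func parseSTSResponse(body io.Reader) (stsCredentials, error) {
	var v struct {
		XMLName xml.Name
		Role    stsCredentials `xml:"AssumeRoleResult>Credentials"`
		WebID   stsCredentials `xml:"AssumeRoleWithWebIdentityResult>Credentials"`
		Code    string         `xml:"Error>Code"`
		Msg     string         `xml:"Error>Message"`
	}
	if err := xml.NewDecoder(body).Decode(&v); err != nil {
		return stsCredentials{}, err
	}
	switch v.XMLName.Local {
	case "AssumeRoleResponse":
		return v.Role, nil
	case "AssumeRoleWithWebIdentityResponse":
		return v.WebID, nil
	default: // ErrorResponse
		return stsCredentials{}, fmt.Errorf("sts %s: %s", v.Code, v.Msg)
	}
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(mockSTS))
	defer srv.Close()
	resp, err := http.PostForm(srv.URL, url.Values{"Action": {"AssumeRoleWithWebIdentity"}, "RoleArn": {mockRoleARN}, "RoleSessionName": {"demo"}, "WebIdentityToken": {"header.payload.signature"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(parseSTSResponse(resp.Body))
}
```

Pointing Endpoint at such a server lets a test assert the things that matter for the role's security posture without touching real STS: that the AssumeRole request was signed with the intended base key, that ExternalID was sent, and that an out-of-range DurationSeconds is refused rather than silently shortened.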
type Transport
func NewAwsSignTransport
func NewAwsSignTransport(
	underlyingTransport http.RoundTripper,
	id, secret, token string,
	options ...func(*v4.SignerOptions),
) (Transport, error)
func NewAwsSignTransportWithCredentials
func NewAwsSignTransportWithCredentials(
	underlyingTransport http.RoundTripper,
	id, secret, token string,
	options ...func(*v4.SignerOptions),
) (Transport, error)
NewAwsSignTransportWithCredentials builds a signing transport from an explicit (id, secret, token) triple and uses all three verbatim. Unlike NewAwsSignTransport, it never falls back to the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables when a session token is present. That matters for assumed-role credentials: their id and secret are themselves temporary and do not live in the environment, so a fallback would pair the assumed role's session token with an unrelated key pair and every signed request would be rejected.
func NewAwsSignTransportWithProvider
func NewAwsSignTransportWithProvider(
	underlyingTransport http.RoundTripper,
	provider aws.CredentialsProvider,
	options ...func(*v4.SignerOptions),
) (Transport, error)
NewAwsSignTransportWithProvider builds a signing transport from any aws.CredentialsProvider. The provider is consulted for each request, so pairing it with a refreshing provider (e.g. one wrapped by aws.NewCredentialsCache around stscreds.WebIdentityRoleProvider; NewWebIdentityRoleProvider returns such a cached, refreshing provider) gives transparent credential refresh on each request with no caller involvement. A provider that hands out fixed credentials gains nothing from this path: once they expire, every request fails until the process is restarted with new ones.
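To make the per-request retrieval concrete, here is an added example that is not part of this package and does not use the AWS SDK: a minimal refreshing cache and signing transport with the same shape. The local types Credentials, Provider, CachedProvider, ProviderFunc and SigningTransport are assumed names standing in for aws.Credentials, aws.CredentialsProvider, aws.NewCredentialsCache and the package's Transport; only the credential-dependent headers (X-Amz-Date and, for temporary credentials, X-Amz-Security-Token) are set, and computing the SigV4 Authorization signature is left to the SDK's v4.Signer as in the real package.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Credentials and Provider are local stand-ins (assumed names) for aws.Credentials and aws.CredentialsProvider, so this file builds without the AWS SDK.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expires                                    time.Time // zero: never expires
}

type Provider interface{ Retrieve(ctx context.Context) (Credentials, error) }

// ProviderFunc adapts a plain function (e.g. one that calls STS) to Provider.
type ProviderFunc func(ctx context.Context) (Credentials, error)
func (f ProviderFunc) Retrieve(ctx context.Context) (Credentials, error) { return f(ctx) }

// CachedProvider is a simplified stand-in for aws.NewCredentialsCache: it serves the cached set until it is
// within expiryWindow of expiring, then refreshes under a lock so concurrent requests trigger one STS call, not one each.
type CachedProvider struct {
	inner        Provider
	expiryWindow time.Duration
	now          func() time.Time // injectable clock so expiry behaviour can be tested
	mu           sync.Mutex
	creds        Credentials
}

func NewCachedProvider(inner Provider, expiryWindow time.Duration) *CachedProvider {
	return &CachedProvider{inner: inner, expiryWindow: expiryWindow, now: time.Now}
}

func (c *CachedProvider) Retrieve(ctx context.Context) (Credentials, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.creds.AccessKeyID != "" && (c.creds.Expires.IsZero() || c.now().Add(c.expiryWindow).Before(c.creds.Expires)) {
		return c.creds, nil
	}
	creds, err := c.inner.Retrieve(ctx)
	if err != nil {
		// No fallback to the stale set: a request signed with an expired token fails anyway, and the refresh error is the useful one.
		return Credentials{}, fmt.Errorf("refresh credentials: %w", err)
	}
	c.creds = creds
	return creds, nil
}

type roundTripFunc func(*http.Request) (*http.Response, error) // a plain function as the underlying RoundTripper
func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// SigningTransport asks Provider for credentials on every request, so a refreshing
// provider gives transparent rotation with no caller involvement.
type SigningTransport struct {
	Base     http.RoundTripper
	Provider Provider
}

// attachSessionHeaders sets the SigV4 headers that carry the request time and, for temporary credentials, the
// session token. Computing the Authorization signature is the SDK v4.Signer's job and is deliberately not re-implemented.
func attachSessionHeaders(r *http.Request, c Credentials) error {
	if c.AccessKeyID == "" || c.SecretAccessKey == "" {
		return fmt.Errorf("refusing to sign with empty credentials")
	}
	r.Header.Set("X-Amz-Date", time.Now().UTC().Format("20060102T150405Z"))
	if c.SessionToken != "" {
		r.Header.Set("X-Amz-Security-Token", c.SessionToken)
	}
	return nil
}

func (t *SigningTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	creds, err := t.Provider.Retrieve(req.Context())
	if err != nil {
		return nil, err
	}
	signed := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	if err := attachSessionHeaders(signed, creds); err != nil {
		return nil, err
	}
	return t.Base.RoundTrip(signed)
}

func main() {
	calls := 0
	p := NewCachedProvider(ProviderFunc(func(context.Context) (Credentials, error) {
		calls++
		return Credentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "x", SessionToken: "tok", Expires: time.Now().Add(time.Hour)}, nil
	}), 5*time.Minute)
	client := &http.Client{Transport: &SigningTransport{Provider: p, Base: roundTripFunc(func(r *http.Request) (*http.Response, error) {
		return &http.Response{StatusCode: 200, Body: http.NoBody, Request: r}, nil
	})}}
	_, _ = client.Get("http://example.invalid/")
	_, _ = client.Get("http://example.invalid/")
	fmt.Println("provider calls:", calls) // 1: the second request reused the cached set
}
```

Two behaviours worth checking in any such cache are visible here: credentials inside the expiry window trigger exactly one refresh even under concurrent requests, and a failed refresh propagates as an error from RoundTrip rather than silently sending the stale set. Credentials with a zero Expires are never refreshed, which is exactly the failure mode of wiring a static provider into this constructor.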