session

package
v1.35.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Feb 21, 2023 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

Package session provides configuration for the SDK's service clients. Sessions can be shared across service clients that share the same base configuration.

Sessions are safe to use concurrently as long as the Session is not being modified. Sessions should be cached when possible, because creating a new Session will load all configuration values from the environment, and config files each time the Session is created. Sharing the Session value across all of your service clients will ensure the configuration is loaded the fewest number of times possible.

Sessions options from Shared Config

By default NewSession will only load credentials from the shared credentials file (~/.aws/credentials). If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the Session will be created from the configuration values from the shared config (~/.aws/config) and shared credentials (~/.aws/credentials) files. Using the NewSessionWithOptions with SharedConfigState set to SharedConfigEnable will create the session as if the AWS_SDK_LOAD_CONFIG environment variable was set.

Credential and config loading order

The Session will attempt to load configuration and credentials from the environment, configuration files, and other credential sources. The order configuration is loaded in is:

  • Environment Variables
  • Shared Credentials file
  • Shared Configuration file (if SharedConfig is enabled)
  • EC2 Instance Metadata (credentials only)

The Environment variables for credentials will have precedence over shared config even if SharedConfig is enabled. To override this behavior, and use shared config credentials instead specify the session.Options.Profile, (e.g. when using credential_source=Environment to assume a role).

  sess, err := session.NewSessionWithOptions(session.Options{
	  Profile: "myProfile",
  })

Creating Sessions

Creating a Session without additional options will load credentials region, and profile loaded from the environment and shared config automatically. See, "Environment Variables" section for information on environment variables used by Session.

// Create Session
sess, err := session.NewSession()

When creating Sessions optional aws.Config values can be passed in that will override the default, or loaded, config values the Session is being created with. This allows you to provide additional, or case based, configuration as needed.

// Create a Session with a custom region
sess, err := session.NewSession(&aws.Config{
	Region: aws.String("us-west-2"),
})

Use NewSessionWithOptions to provide additional configuration driving how the Session's configuration will be loaded. Such as, specifying shared config profile, or override the shared config state, (AWS_SDK_LOAD_CONFIG).

// Equivalent to session.NewSession()
sess, err := session.NewSessionWithOptions(session.Options{
	// Options
})

sess, err := session.NewSessionWithOptions(session.Options{
	// Specify profile to load for the session's config
	Profile: "profile_name",

	// Provide SDK Config options, such as Region.
	Config: aws.Config{
		Region: aws.String("us-west-2"),
	},

	// Force enable Shared Config support
	SharedConfigState: session.SharedConfigEnable,
})

Adding Handlers

You can add handlers to a session to decorate API operation, (e.g. adding HTTP headers). All clients that use the Session receive a copy of the Session's handlers. For example, the following request handler added to the Session logs every requests made.

// Create a session, and add additional handlers for all service
// clients created with the Session to inherit. Adds logging handler.
sess := session.Must(session.NewSession())

sess.Handlers.Send.PushFront(func(r *request.Request) {
	// Log every request made and its payload
	logger.Printf("Request: %s/%s, Params: %s",
		r.ClientInfo.ServiceName, r.Operation, r.Params)
})

Shared Config Fields

By default the SDK will only load the shared credentials file's (~/.aws/credentials) credentials values, and all other config is provided by the environment variables, SDK defaults, and user provided aws.Config values.

If the AWS_SDK_LOAD_CONFIG environment variable is set, or SharedConfigEnable option is used to create the Session the full shared config values will be loaded. This includes credentials, region, and support for assume role. In addition the Session will load its configuration from both the shared config file (~/.aws/config) and shared credentials file (~/.aws/credentials). Both files have the same format.

If both config files are present the configuration from both files will be read. The Session will be created from configuration values from the shared credentials file (~/.aws/credentials) over those in the shared config file (~/.aws/config).

Credentials are the values the SDK uses to authenticating requests with AWS Services. When specified in a file, both aws_access_key_id and aws_secret_access_key must be provided together in the same file to be considered valid. They will be ignored if both are not present. aws_session_token is an optional field that can be provided in addition to the other two fields.

aws_access_key_id = AKID
aws_secret_access_key = SECRET
aws_session_token = TOKEN

; region only supported if SharedConfigEnabled.
region = us-east-1

Assume Role configuration

The role_arn field allows you to configure the SDK to assume an IAM role using a set of credentials from another source. Such as when paired with static credentials, "profile_source", "credential_process", or "credential_source" fields. If "role_arn" is provided, a source of credentials must also be specified, such as "source_profile", "credential_source", or "credential_process".

role_arn = arn:aws:iam::<account_number>:role/<role_name>
source_profile = profile_with_creds
external_id = 1234
mfa_serial = <serial or mfa arn>
role_session_name = session_name

The SDK supports assuming a role with MFA token. If "mfa_serial" is set, you must also set the Session Option.AssumeRoleTokenProvider. The Session will fail to load if the AssumeRoleTokenProvider is not specified.

sess := session.Must(session.NewSessionWithOptions(session.Options{
    AssumeRoleTokenProvider: stscreds.StdinTokenProvider,
}))

To setup Assume Role outside of a session see the stscreds.AssumeRoleProvider documentation.

Environment Variables

When a Session is created several environment variables can be set to adjust how the SDK functions, and what configuration data it loads when creating Sessions. All environment values are optional, but some values like credentials require multiple of the values to set or the partial values will be ignored. All environment variable values are strings unless otherwise noted.

Environment configuration values. If set both Access Key ID and Secret Access Key must be provided. Session Token and optionally also be provided, but is not required.

# Access Key ID
AWS_ACCESS_KEY_ID=AKID
AWS_ACCESS_KEY=AKID # only read if AWS_ACCESS_KEY_ID is not set.

# Secret Access Key
AWS_SECRET_ACCESS_KEY=SECRET
AWS_SECRET_KEY=SECRET=SECRET # only read if AWS_SECRET_ACCESS_KEY is not set.

# Session Token
AWS_SESSION_TOKEN=TOKEN

Region value will instruct the SDK where to make service API requests to. If is not provided in the environment the region must be provided before a service client request is made.

AWS_REGION=us-east-1

# AWS_DEFAULT_REGION is only read if AWS_SDK_LOAD_CONFIG is also set,
# and AWS_REGION is not also set.
AWS_DEFAULT_REGION=us-east-1

Profile name the SDK should load use when loading shared config from the configuration files. If not provided "default" will be used as the profile name.

AWS_PROFILE=my_profile

# AWS_DEFAULT_PROFILE is only read if AWS_SDK_LOAD_CONFIG is also set,
# and AWS_PROFILE is not also set.
AWS_DEFAULT_PROFILE=my_profile

SDK load config instructs the SDK to load the shared config in addition to shared credentials. This also expands the configuration loaded so the shared credentials will have parity with the shared config file. This also enables Region and Profile support for the AWS_DEFAULT_REGION and AWS_DEFAULT_PROFILE env values as well.

AWS_SDK_LOAD_CONFIG=1

Shared credentials file path can be set to instruct the SDK to use an alternative file for the shared credentials. If not set the file will be loaded from $HOME/.aws/credentials on Linux/Unix based systems, and %USERPROFILE%\.aws\credentials on Windows.

AWS_SHARED_CREDENTIALS_FILE=$HOME/my_shared_credentials

Shared config file path can be set to instruct the SDK to use an alternative file for the shared config. If not set the file will be loaded from $HOME/.aws/config on Linux/Unix based systems, and %USERPROFILE%\.aws\config on Windows.

AWS_CONFIG_FILE=$HOME/my_shared_config

Path to a custom Credentials Authority (CA) bundle PEM file that the SDK will use instead of the default system's root CA bundle. Use this only if you want to replace the CA bundle the SDK uses for TLS requests.

AWS_CA_BUNDLE=$HOME/my_custom_ca_bundle

Enabling this option will attempt to merge the Transport into the SDK's HTTP client. If the client's Transport is not a http.Transport an error will be returned. If the Transport's TLS config is set this option will cause the SDK to overwrite the Transport's TLS config's RootCAs value. If the CA bundle file contains multiple certificates all of them will be loaded.

The Session option CustomCABundle is also available when creating sessions to also enable this feature. CustomCABundle session option field has priority over the AWS_CA_BUNDLE environment variable, and will be used if both are set.

Setting a custom HTTPClient in the aws.Config options will override this setting. To use this option and custom HTTP client, the HTTP client needs to be provided when creating the session. Not the service client.

The endpoint of the EC2 IMDS client can be configured via the environment variable, AWS_EC2_METADATA_SERVICE_ENDPOINT when creating the client with a Session. See Options.EC2IMDSEndpoint for more details.

AWS_EC2_METADATA_SERVICE_ENDPOINT=http://169.254.169.254

If using an URL with an IPv6 address literal, the IPv6 address component must be enclosed in square brackets.

AWS_EC2_METADATA_SERVICE_ENDPOINT=http://[::1]

The custom EC2 IMDS endpoint can also be specified via the Session options.

sess, err := session.NewSessionWithOptions(session.Options{
    EC2IMDSEndpoint: "http://[::1]",
})

Index

Constants

View Source
const (

	// DefaultSharedConfigProfile is the default profile to be used when
	// loading configuration from the config files if another profile name
	// is not provided.
	DefaultSharedConfigProfile = `default`
)
View Source
const EnvProviderName = "EnvConfigCredentials"

EnvProviderName provides a name of the provider when config is loaded from environment.

View Source
const (
	// ErrCodeSharedConfig represents an error that occurs in the shared
	// configuration logic
	ErrCodeSharedConfig = "SharedConfigErr"
)

Variables

View Source
var ErrSharedConfigECSContainerEnvVarEmpty = awserr.New(ErrCodeSharedConfig, "EcsContainer was specified as the credential_source, but 'AWS_CONTAINER_CREDENTIALS_RELATIVE_URI' was not set", nil)

ErrSharedConfigECSContainerEnvVarEmpty will be returned if the environment variables are empty and Environment was set as the credential source

View Source
var ErrSharedConfigInvalidCredSource = awserr.New(ErrCodeSharedConfig, "credential source values must be EcsContainer, Ec2InstanceMetadata, or Environment", nil)

ErrSharedConfigInvalidCredSource will be returned if an invalid credential source was provided

View Source
var ErrSharedConfigSourceCollision = awserr.New(ErrCodeSharedConfig, "only source profile or credential source can be specified, not both", nil)

ErrSharedConfigSourceCollision will be returned if a section contains both source_profile and credential_source

View Source
var WebIdentityEmptyRoleARNErr = awserr.New(stscreds.ErrCodeWebIdentity, "role ARN is not set", nil)

WebIdentityEmptyRoleARNErr will occur if 'AWS_WEB_IDENTITY_TOKEN_FILE' was set but 'AWS_ROLE_ARN' was not set.

View Source
var WebIdentityEmptyTokenFilePathErr = awserr.New(stscreds.ErrCodeWebIdentity, "token file path is not set", nil)

WebIdentityEmptyTokenFilePathErr will occur if 'AWS_ROLE_ARN' was set but 'AWS_WEB_IDENTITY_TOKEN_FILE' was not set.

Functions

This section is empty.

Types

type AssumeRoleTokenProviderNotSetError

type AssumeRoleTokenProviderNotSetError struct{}

AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the MFAToken option is not set when shared config is configured load assume a role with an MFA token.

func (AssumeRoleTokenProviderNotSetError) Code

Code is the short id of the error.

func (AssumeRoleTokenProviderNotSetError) Error

Error satisfies the error interface.

func (AssumeRoleTokenProviderNotSetError) Message

Message is the description of the error

func (AssumeRoleTokenProviderNotSetError) OrigErr

OrigErr is the underlying error that caused the failure.

type CredentialRequiresARNError

type CredentialRequiresARNError struct {
	// type of credentials that were configured.
	Type string

	// Profile name the credentials were in.
	Profile string
}

CredentialRequiresARNError provides the error for shared config credentials that are incorrectly configured in the shared config or credentials file.

func (CredentialRequiresARNError) Code

Code is the short id of the error.

func (CredentialRequiresARNError) Error

Error satisfies the error interface.

func (CredentialRequiresARNError) Message

func (e CredentialRequiresARNError) Message() string

Message is the description of the error

func (CredentialRequiresARNError) OrigErr

func (e CredentialRequiresARNError) OrigErr() error

OrigErr is the underlying error that caused the failure.

type Options

type Options struct {
	// Provides config values for the SDK to use when creating service clients
	// and making API requests to services. Any value set in with this field
	// will override the associated value provided by the SDK defaults,
	// environment or config files where relevant.
	//
	// If not set, configuration values from from SDK defaults, environment,
	// config will be used.
	Config aws.Config

	// Overrides the config profile the Session should be created from. If not
	// set the value of the environment variable will be loaded (AWS_PROFILE,
	// or AWS_DEFAULT_PROFILE if the Shared Config is enabled).
	//
	// If not set and environment variables are not set the "default"
	// (DefaultSharedConfigProfile) will be used as the profile to load the
	// session config from.
	Profile string

	// Instructs how the Session will be created based on the AWS_SDK_LOAD_CONFIG
	// environment variable. By default a Session will be created using the
	// value provided by the AWS_SDK_LOAD_CONFIG environment variable.
	//
	// Setting this value to SharedConfigEnable or SharedConfigDisable
	// will allow you to override the AWS_SDK_LOAD_CONFIG environment variable
	// and enable or disable the shared config functionality.
	SharedConfigState SharedConfigState

	// Ordered list of files the session will load configuration from.
	// It will override environment variable AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE.
	SharedConfigFiles []string

	// When the SDK's shared config is configured to assume a role with MFA
	// this option is required in order to provide the mechanism that will
	// retrieve the MFA token. There is no default value for this field. If
	// it is not set an error will be returned when creating the session.
	//
	// This token provider will be called when ever the assumed role's
	// credentials need to be refreshed. Within the context of service clients
	// all sharing the same session the SDK will ensure calls to the token
	// provider are atomic. When sharing a token provider across multiple
	// sessions additional synchronization logic is needed to ensure the
	// token providers do not introduce race conditions. It is recommend to
	// share the session where possible.
	//
	// stscreds.StdinTokenProvider is a basic implementation that will prompt
	// from stdin for the MFA token code.
	//
	// This field is only used if the shared configuration is enabled, and
	// the config enables assume role wit MFA via the mfa_serial field.
	AssumeRoleTokenProvider func() (string, error)

	// When the SDK's shared config is configured to assume a role this option
	// may be provided to set the expiry duration of the STS credentials.
	// Defaults to 15 minutes if not set as documented in the
	// stscreds.AssumeRoleProvider.
	AssumeRoleDuration time.Duration

	// Reader for a custom Credentials Authority (CA) bundle in PEM format that
	// the SDK will use instead of the default system's root CA bundle. Use this
	// only if you want to replace the CA bundle the SDK uses for TLS requests.
	//
	// Enabling this option will attempt to merge the Transport into the SDK's HTTP
	// client. If the client's Transport is not a http.Transport an error will be
	// returned. If the Transport's TLS config is set this option will cause the SDK
	// to overwrite the Transport's TLS config's  RootCAs value. If the CA
	// bundle reader contains multiple certificates all of them will be loaded.
	//
	// The Session option CustomCABundle is also available when creating sessions
	// to also enable this feature. CustomCABundle session option field has priority
	// over the AWS_CA_BUNDLE environment variable, and will be used if both are set.
	CustomCABundle io.Reader

	// The handlers that the session and all API clients will be created with.
	// This must be a complete set of handlers. Use the defaults.Handlers()
	// function to initialize this value before changing the handlers to be
	// used by the SDK.
	Handlers request.Handlers

	// Allows specifying a custom endpoint to be used by the EC2 IMDS client
	// when making requests to the EC2 IMDS API. The must endpoint value must
	// include protocol prefix.
	//
	// If unset, will the EC2 IMDS client will use its default endpoint.
	//
	// Can also be specified via the environment variable,
	// AWS_EC2_METADATA_SERVICE_ENDPOINT.
	//
	//   AWS_EC2_METADATA_SERVICE_ENDPOINT=http://169.254.169.254
	//
	// If using an URL with an IPv6 address literal, the IPv6 address
	// component must be enclosed in square brackets.
	//
	//   AWS_EC2_METADATA_SERVICE_ENDPOINT=http://[::1]
	EC2IMDSEndpoint string
}

Options provides the means to control how a Session is created and what configuration values will be loaded.

type Session

type Session struct {
	Config   *aws.Config
	Handlers request.Handlers
	// contains filtered or unexported fields
}

A Session provides a central location to create service clients from and store configurations and request handlers for those services.

Sessions are safe to create service clients concurrently, but it is not safe to mutate the Session concurrently.

The Session satisfies the service client's client.ConfigProvider.

func Must

func Must(sess *Session, err error) *Session

Must is a helper function to ensure the Session is valid and there was no error when calling a NewSession function.

This helper is intended to be used in variable initialization to load the Session and configuration at startup. Such as:

var sess = session.Must(session.NewSession())

func New deprecated

func New(cfgs ...*aws.Config) *Session

New creates a new instance of the handlers merging in the provided configs on top of the SDK's default configurations. Once the Session is created it can be mutated to modify the Config or Handlers. The Session is safe to be read concurrently, but it should not be written to concurrently.

If the AWS_SDK_LOAD_CONFIG environment is set to a truthy value, the New method could now encounter an error when loading the configuration. When The environment variable is set, and an error occurs, New will return a session that will fail all requests reporting the error that occurred while loading the session. Use NewSession to get the error when creating the session.

If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the shared config file (~/.aws/config) will also be loaded, in addition to the shared credentials file (~/.aws/credentials). Values set in both the shared config, and shared credentials will be taken from the shared credentials file.

Deprecated: Use NewSession functions to create sessions instead. NewSession has the same functionality as New except an error can be returned when the func is called instead of waiting to receive an error until a request is made.

func NewSession

func NewSession(cfgs ...*aws.Config) (*Session, error)

NewSession returns a new Session created from SDK defaults, config files, environment, and user provided config files. Once the Session is created it can be mutated to modify the Config or Handlers. The Session is safe to be read concurrently, but it should not be written to concurrently.

If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the shared config file (~/.aws/config) will also be loaded in addition to the shared credentials file (~/.aws/credentials). Values set in both the shared config, and shared credentials will be taken from the shared credentials file. Enabling the Shared Config will also allow the Session to be built with retrieving credentials with AssumeRole set in the config.

See the NewSessionWithOptions func for information on how to override or control through code how the Session will be created, such as specifying the config profile, and controlling if shared config is enabled or not.

func NewSessionWithOptions

func NewSessionWithOptions(opts Options) (*Session, error)

NewSessionWithOptions returns a new Session created from SDK defaults, config files, environment, and user provided config files. This func uses the Options values to configure how the Session is created.

If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the shared config file (~/.aws/config) will also be loaded in addition to the shared credentials file (~/.aws/credentials). Values set in both the shared config, and shared credentials will be taken from the shared credentials file. Enabling the Shared Config will also allow the Session to be built with retrieving credentials with AssumeRole set in the config.

// Equivalent to session.New
sess := session.Must(session.NewSessionWithOptions(session.Options{}))

// Specify profile to load for the session's config
sess := session.Must(session.NewSessionWithOptions(session.Options{
     Profile: "profile_name",
}))

// Specify profile for config and region for requests
sess := session.Must(session.NewSessionWithOptions(session.Options{
     Config: aws.Config{Region: aws.String("us-east-1")},
     Profile: "profile_name",
}))

// Force enable Shared Config support
sess := session.Must(session.NewSessionWithOptions(session.Options{
    SharedConfigState: session.SharedConfigEnable,
}))

func (*Session) ClientConfig

func (s *Session) ClientConfig(service string, cfgs ...*aws.Config) client.Config

ClientConfig satisfies the client.ConfigProvider interface and is used to configure the service client instances. Passing the Session to the service client's constructor (New) will use this method to configure the client.

func (*Session) ClientConfigNoResolveEndpoint

func (s *Session) ClientConfigNoResolveEndpoint(cfgs ...*aws.Config) client.Config

ClientConfigNoResolveEndpoint is the same as ClientConfig with the exception that the EndpointResolver will not be used to resolve the endpoint. The only endpoint set must come from the aws.Config.Endpoint field.

func (*Session) Copy

func (s *Session) Copy(cfgs ...*aws.Config) *Session

Copy creates and returns a copy of the current Session, copying the config and handlers. If any additional configs are provided they will be merged on top of the Session's copied config.

// Create a copy of the current Session, configured for the us-west-2 region.
sess.Copy(&aws.Config{Region: aws.String("us-west-2")})

type SharedConfigAssumeRoleError

type SharedConfigAssumeRoleError struct {
	RoleARN       string
	SourceProfile string
}

SharedConfigAssumeRoleError is an error for the shared config when the profile contains assume role information, but that information is invalid or not complete.

func (SharedConfigAssumeRoleError) Code

Code is the short id of the error.

func (SharedConfigAssumeRoleError) Error

Error satisfies the error interface.

func (SharedConfigAssumeRoleError) Message

func (e SharedConfigAssumeRoleError) Message() string

Message is the description of the error

func (SharedConfigAssumeRoleError) OrigErr

func (e SharedConfigAssumeRoleError) OrigErr() error

OrigErr is the underlying error that caused the failure.

type SharedConfigLoadError

type SharedConfigLoadError struct {
	Filename string
	Err      error
}

SharedConfigLoadError is an error for the shared config file failed to load.

func (SharedConfigLoadError) Code

func (e SharedConfigLoadError) Code() string

Code is the short id of the error.

func (SharedConfigLoadError) Error

func (e SharedConfigLoadError) Error() string

Error satisfies the error interface.

func (SharedConfigLoadError) Message

func (e SharedConfigLoadError) Message() string

Message is the description of the error

func (SharedConfigLoadError) OrigErr

func (e SharedConfigLoadError) OrigErr() error

OrigErr is the underlying error that caused the failure.

type SharedConfigProfileNotExistsError

type SharedConfigProfileNotExistsError struct {
	Profile string
	Err     error
}

SharedConfigProfileNotExistsError is an error for the shared config when the profile was not find in the config file.

func (SharedConfigProfileNotExistsError) Code

Code is the short id of the error.

func (SharedConfigProfileNotExistsError) Error

Error satisfies the error interface.

func (SharedConfigProfileNotExistsError) Message

Message is the description of the error

func (SharedConfigProfileNotExistsError) OrigErr

OrigErr is the underlying error that caused the failure.

type SharedConfigState

type SharedConfigState int

SharedConfigState provides the ability to optionally override the state of the session's creation based on the shared config being enabled or disabled.

const (
	// SharedConfigStateFromEnv does not override any state of the
	// AWS_SDK_LOAD_CONFIG env var. It is the default value of the
	// SharedConfigState type.
	SharedConfigStateFromEnv SharedConfigState = iota

	// SharedConfigDisable overrides the AWS_SDK_LOAD_CONFIG env var value
	// and disables the shared config functionality.
	SharedConfigDisable

	// SharedConfigEnable overrides the AWS_SDK_LOAD_CONFIG env var value
	// and enables the shared config functionality.
	SharedConfigEnable
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL