Documentation ¶
Overview ¶
Package aws is a lightweight implementation of the AWS API signature algorithms. Currently only the Version 4 algorithm is supported.
Index ¶
- func AmbientCreds() (id, secret, region, token string, err error)
- func Metadata(path string) (io.ReadCloser, error)
- func MetadataJSON(path string, into interface{}) error
- func MetadataString(path string) (string, error)
- func S3EndPoint(region string) string
- func WebIdentityCreds(client *http.Client) (id, secret, region, token string, expiration time.Time, err error)
- type DeriveFn
- type SigningKey
- func AmbientKey(service string, derive DeriveFn) (*SigningKey, error)
- func DecodeKey(d ion.Datum) (*SigningKey, error)
- func DefaultDerive(baseURI, id, secret, token, region, service string) (*SigningKey, error)
- func DeriveKey(baseURI, accessKey, secret, region, service string) *SigningKey
- func EC2Role(role, service string, derive DeriveFn) (*SigningKey, error)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AmbientCreds ¶
func AmbientCreds() (id, secret, region, token string, err error)
AmbientCreds tries to find the AWS credentials from:
- AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION/AWS_DEFAULT_REGION environment variables (AWS_REGION takes precedence over AWS_DEFAULT_REGION).
- The config files in $HOME/.aws/config and $HOME/.aws/credentials.
Additionally, AmbientKey respects the following environment variables:
- AWS_CONFIG_FILE for the config file path
- AWS_SHARED_CREDENTIALS_FILE for the credentials file path
- AWS_PROFILE for the name of the profile to search for in config files (otherwise "default")
NOTE: in general, it is a bad idea to use "Do-What-I-Mean" functionality to load security credentials, because it's easy to accidentally load the wrong thing. Consider whether there may be safer alternatives. In general this method is safer than the aws SDK's "NewSession" function but less safe than explicitly picking up secrets from where you expect to find them. Caveat emptor.
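The lookup order described above, written out as an added example that is not part of the aws package: environment variables first (AWS_REGION over AWS_DEFAULT_REGION), then the profile named by AWS_PROFILE in the credentials file, then the config file, with AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE overriding the default paths. Because the NOTE's concern is silently loading the wrong credentials, the result records which source it came from so the caller can check it. The environment and file reader are injected so the order can be exercised offline; the use of AWS_SESSION_TOKEN / aws_session_token is an assumption not listed on this page, and the "[profile NAME]" heading convention is that of the standard AWS config file.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Creds is the result of ambient credential resolution. Source records where
// the values came from so the caller can verify it loaded what it expected.
type Creds struct {
	ID, Secret, Region, Token string
	Source                    string
}

// sectionOf returns the key/value pairs of one [section] of an AWS-style
// INI file; keys are lower-cased, comments and blank lines are skipped.
func sectionOf(text, section string) map[string]string {
	out := map[string]string{}
	in := false
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			in = strings.TrimSpace(line[1:len(line)-1]) == section
			continue
		}
		if k, v, ok := strings.Cut(line, "="); in && ok {
			out[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return out
}

// Resolve follows the AmbientCreds lookup order: environment first, then the
// shared credentials file, then the config file, honouring AWS_PROFILE,
// AWS_SHARED_CREDENTIALS_FILE and AWS_CONFIG_FILE. env and readFile are
// injected so the order can be tested without a real environment.
func Resolve(env func(string) string, readFile func(string) ([]byte, error)) (Creds, error) {
	region := env("AWS_REGION")
	if region == "" {
		region = env("AWS_DEFAULT_REGION") // AWS_REGION wins when both are set
	}
	if id, secret := env("AWS_ACCESS_KEY_ID"), env("AWS_SECRET_ACCESS_KEY"); id != "" && secret != "" {
		// AWS_SESSION_TOKEN is assumed here; the page does not list it.
		return Creds{ID: id, Secret: secret, Region: region, Token: env("AWS_SESSION_TOKEN"), Source: "environment"}, nil
	}
	profile := env("AWS_PROFILE")
	if profile == "" {
		profile = "default"
	}
	credFile := env("AWS_SHARED_CREDENTIALS_FILE")
	if credFile == "" {
		credFile = filepath.Join(env("HOME"), ".aws", "credentials")
	}
	confFile := env("AWS_CONFIG_FILE")
	if confFile == "" {
		confFile = filepath.Join(env("HOME"), ".aws", "config")
	}
	// In the config file non-default profiles are headed "[profile NAME]";
	// the credentials file uses "[NAME]" for every profile.
	confSection := profile
	if profile != "default" {
		confSection = "profile " + profile
	}
	load := func(path, section string) map[string]string {
		b, err := readFile(path)
		if err != nil {
			return map[string]string{}
		}
		return sectionOf(string(b), section)
	}
	creds, conf := load(credFile, profile), load(confFile, confSection)
	if region == "" {
		region = conf["region"]
	}
	for _, src := range []struct {
		path string
		kv   map[string]string
	}{{credFile, creds}, {confFile, conf}} {
		id, secret := src.kv["aws_access_key_id"], src.kv["aws_secret_access_key"]
		if id != "" && secret != "" {
			return Creds{ID: id, Secret: secret, Region: region, Token: src.kv["aws_session_token"], Source: src.path + " [" + profile + "]"}, nil
		}
	}
	return Creds{}, errors.New("no AWS credentials found in environment or config files")
}

func main() {
	c, err := Resolve(os.Getenv, os.ReadFile)
	if err != nil {
		fmt.Println(err)
		return
	}
	// Print only non-secret fields; the caller can confirm the source is the intended one.
	fmt.Printf("key id %s for region %q loaded from %s\n", c.ID, c.Region, c.Source)
}
```

Logging Source (never the secret) at startup is the cheap check that turns "Do-What-I-Mean" loading into something you can audit: if a deployment reports credentials from a home-directory file when it was expected to use the environment, that is caught before any signed request is made.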
func Metadata ¶
func Metadata(path string) (io.ReadCloser, error)
Metadata fetches EC2 instance metadata from the given path and returns an io.ReadCloser containing the body of the metadata.
See also MetadataJSON and MetadataString.
func MetadataJSON ¶
func MetadataJSON(path string, into interface{}) error
MetadataJSON decodes the metadata from 'path' into the JSON object 'into'.
func MetadataString ¶
func MetadataString(path string) (string, error)
MetadataString fetches the metadata from the provided path and returns it as a string.
func S3EndPoint ¶
func S3EndPoint(region string) string
S3EndPoint returns the endpoint of the object storage service.
func WebIdentityCreds ¶
func WebIdentityCreds(client *http.Client) (id, secret, region, token string, expiration time.Time, err error)
WebIdentityCreds tries to load the credentials from a web-identity. The web-identity token should be stored in a file whose path is exposed in the AWS_WEB_IDENTITY_TOKEN_FILE environment variable. It will assume the role as specified in the AWS_ROLE_ARN environment variable.
Types ¶
type DeriveFn ¶
type DeriveFn func(baseURI, id, secret, token, region, service string) (*SigningKey, error)
DeriveFn is a function that can be used to derive a signing key from an endpoint, key ID, secret, region, and service.
The simplest implementation of DeriveFn is just a call to DeriveKey, but more complex DeriveFn implementations can tweak the scope (region and service).
See, for example, s3.DeriveForBucket.
type SigningKey ¶
type SigningKey struct {
    BaseURI   string    // S3 base URI (empty is default AWS S3)
    Region    string    // AWS Region
    Service   string    // AWS Service
    AccessKey string    // AWS Access Key ID
    Secret    string    // AWS Secret key
    Token     string    // Token, if key is from STS
    Derived   time.Time // time token was derived
    // contains filtered or unexported fields
}
SigningKey is a key that can be used to sign AWS service requests.
Keys expire daily, as they use the current time in the derivation, so they must be refreshed regularly.
func AmbientKey ¶
func AmbientKey(service string, derive DeriveFn) (*SigningKey, error)
AmbientKey tries to produce a signing key from the ambient filesystem, environment, etc. The key is derived using derive, unless it is nil, in which case DefaultDerive is used instead.
func DecodeKey ¶
func DecodeKey(d ion.Datum) (*SigningKey, error)
DecodeKey decodes a SigningKey encoded using (*SigningKey).Encode.
func DefaultDerive ¶
func DefaultDerive(baseURI, id, secret, token, region, service string) (*SigningKey, error)
DefaultDerive is the DeriveFn that simply calls DeriveKey and populates the session token if it is present.
func DeriveKey ¶
func DeriveKey(baseURI, accessKey, secret, region, service string) *SigningKey
DeriveKey derives a SigningKey that can be used to sign requests.
func EC2Role ¶
func EC2Role(role, service string, derive DeriveFn) (*SigningKey, error)
EC2Role derives a signing key from the name of a role that is available through EC2 instance metadata.
'Role' should be the full path to the EC2 metadata, so it will typically begin with "iam/security-credentials/" followed by the name of the role.
func (*SigningKey) Encode ¶
func (s *SigningKey) Encode(st *ion.Symtab, dst *ion.Buffer)
Encode encodes s into dst.
func (*SigningKey) InRegion ¶
func (s *SigningKey) InRegion(region string) *SigningKey
func (*SigningKey) SignURL ¶
SignURL signs an HTTP request by creating a presigned URL string. The returned string is valid for only the specified duration.
func (*SigningKey) SignV4 ¶
func (s *SigningKey) SignV4(req *http.Request, body []byte)
SignV4 signs an http.Request using the AWS S3 V4 Authentication scheme.
The body of the request will be set to 'body' and the Authorization header will be populated with the necessary authorization contents. The X-Amz-Date header will also be set to an appropriate value.
BUGS: the encoded query string must have the query parameters in sorted order already. Query parameters with no arguments must include a bare trailing '=' so that they are canonicalized correctly.
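As an added example, not code from the aws package, the following shows two things the SigningKey and SignV4 sections describe: the SigV4 key schedule (secret, date, region, service, "aws4_request" chained through HMAC-SHA256, which is why a derived key is only valid for the UTC day it was derived on) and the query-string preparation the BUGS note leaves to the caller: parameters sorted by name with a bare trailing '=' for empty values. It then carries a request through canonical request, string to sign and signature. The inputs are the publicly documented AWS SigV4 test vector (the "wJalrXUtnFEMI/..." example secret is AWS's published sample, not a live key); the function names and the header map layout are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// hmacSHA256 is the primitive every step of the SigV4 key schedule uses.
func hmacSHA256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// sha256Hex returns the lowercase hex SHA-256 of b, as SigV4 requires.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// DeriveSigningKey runs the SigV4 key schedule. The UTC date (YYYYMMDD) is
// mixed in, so the key is only good for that day and must be re-derived.
func DeriveSigningKey(secret, date, region, service string) []byte {
	kDate := hmacSHA256([]byte("AWS4"+secret), []byte(date))
	kRegion := hmacSHA256(kDate, []byte(region))
	kService := hmacSHA256(kRegion, []byte(service))
	return hmacSHA256(kService, []byte("aws4_request"))
}

// uriEscape percent-encodes everything except RFC 3986 unreserved characters
// (url.QueryEscape would turn spaces into '+', which SigV4 does not accept).
func uriEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'A' && c <= 'Z', c >= 'a' && c <= 'z', c >= '0' && c <= '9', c == '-', c == '_', c == '.', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// CanonicalQuery does what the BUGS note leaves to the caller: names sorted,
// values sorted within a name, and a bare trailing '=' for empty values.
func CanonicalQuery(q url.Values) string {
	keys := make([]string, 0, len(q))
	for k := range q {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var parts []string
	for _, k := range keys {
		vals := append([]string(nil), q[k]...)
		sort.Strings(vals)
		for _, v := range vals {
			parts = append(parts, uriEscape(k)+"="+uriEscape(v))
		}
	}
	return strings.Join(parts, "&")
}

// Sign produces the SigV4 signature for a request. headers maps lowercase
// header names to trimmed values and must include host and x-amz-date.
// It also returns the canonical request so it can be inspected.
func Sign(secret, amzDate, region, service, method, path string, q url.Values, headers map[string]string, body []byte) (signature, canonicalRequest string) {
	names := make([]string, 0, len(headers))
	for n := range headers {
		names = append(names, n)
	}
	sort.Strings(names)
	var canonHeaders strings.Builder
	for _, n := range names {
		canonHeaders.WriteString(n + ":" + headers[n] + "\n")
	}
	signedHeaders := strings.Join(names, ";")
	canonicalRequest = strings.Join([]string{
		method, path, CanonicalQuery(q), canonHeaders.String(), signedHeaders, sha256Hex(body),
	}, "\n")
	date := amzDate[:8]
	scope := date + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonicalRequest))}, "\n")
	key := DeriveSigningKey(secret, date, region, service)
	return hex.EncodeToString(hmacSHA256(key, []byte(stringToSign))), canonicalRequest
}

func main() {
	// AWS's published SigV4 example: a GET to IAM ListUsers on 2015-08-30.
	secret := "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
	q := url.Values{"Action": {"ListUsers"}, "Version": {"2010-05-08"}}
	h := map[string]string{
		"content-type": "application/x-www-form-urlencoded; charset=utf-8",
		"host":         "iam.amazonaws.com",
		"x-amz-date":   "20150830T123600Z",
	}
	sig, _ := Sign(secret, "20150830T123600Z", "us-east-1", "iam", "GET", "/", q, h, nil)
	fmt.Println("signature:", sig)
	fmt.Println("canonical query with empty value:", CanonicalQuery(url.Values{"prefix": {""}, "list-type": {"2"}}))
}
```

Two things worth noticing: the signing key never contains the long-term secret in plaintext form, only HMAC outputs, which is why a per-day derived key is a safer thing to cache and pass around than the secret itself; and the whole scheme is deterministic, so a client that disagrees with the server on canonicalization (unsorted parameters, a missing trailing '=') produces a valid-looking but rejected signature, which is exactly the failure the BUGS note describes.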