stscreds

package
v1.1.16 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 6, 2016 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Package stscreds are credential Providers to retrieve STS AWS credentials.

STS provides multiple ways to retrieve credentials which can be used when making future AWS service API operation calls.

Index

Constants

View Source
const ProviderName = "AssumeRoleProvider"

ProviderName provides a name of AssumeRole provider

Variables

View Source
var DefaultDuration = time.Duration(15) * time.Minute

DefaultDuration is the default amount of time in minutes that the credentials will be valid for.

Functions

func NewCredentials

func NewCredentials(c client.ConfigProvider, roleARN string, options ...func(*AssumeRoleProvider)) *credentials.Credentials

NewCredentials returns a pointer to a new Credentials object wrapping the AssumeRoleProvider. The credentials will expire every 15 minutes and the role will be named after a nanosecond timestamp of this operation.

Takes a Config provider to create the STS client. The ConfigProvider is satisfied by the session.Session type.

func NewCredentialsWithClient added in v0.10.0

func NewCredentialsWithClient(svc AssumeRoler, roleARN string, options ...func(*AssumeRoleProvider)) *credentials.Credentials

NewCredentialsWithClient returns a pointer to a new Credentials object wrapping the AssumeRoleProvider. The credentials will expire every 15 minutes and the role will be named after a nanosecond timestamp of this operation.

Takes an AssumeRoler which can be satisfiede by the STS client.

Types

type AssumeRoleProvider

type AssumeRoleProvider struct {
	credentials.Expiry

	// STS client to make assume role request with.
	Client AssumeRoler

	// Role to be assumed.
	RoleARN string

	// Session name, if you wish to reuse the credentials elsewhere.
	RoleSessionName string

	// Expiry duration of the STS credentials. Defaults to 15 minutes if not set.
	Duration time.Duration

	// Optional ExternalID to pass along, defaults to nil if not set.
	ExternalID *string

	// The policy plain text must be 2048 bytes or shorter. However, an internal
	// conversion compresses it into a packed binary format with a separate limit.
	// The PackedPolicySize response element indicates by percentage how close to
	// the upper size limit the policy is, with 100% equaling the maximum allowed
	// size.
	Policy *string

	// The identification number of the MFA device that is associated with the user
	// who is making the AssumeRole call. Specify this value if the trust policy
	// of the role being assumed includes a condition that requires MFA authentication.
	// The value is either the serial number for a hardware device (such as GAHT12345678)
	// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
	SerialNumber *string

	// The value provided by the MFA device, if the trust policy of the role being
	// assumed requires MFA (that is, if the policy includes a condition that tests
	// for MFA). If the role being assumed requires MFA and if the TokenCode value
	// is missing or expired, the AssumeRole call returns an "access denied" error.
	TokenCode *string

	// ExpiryWindow will allow the credentials to trigger refreshing prior to
	// the credentials actually expiring. This is beneficial so race conditions
	// with expiring credentials do not cause request to fail unexpectedly
	// due to ExpiredTokenException exceptions.
	//
	// So a ExpiryWindow of 10s would cause calls to IsExpired() to return true
	// 10 seconds before the credentials are actually expired.
	//
	// If ExpiryWindow is 0 or less it will be ignored.
	ExpiryWindow time.Duration
}

AssumeRoleProvider retrieves temporary credentials from the STS service, and keeps track of their expiration time. This provider must be used explicitly, as it is not included in the credentials chain.

func (*AssumeRoleProvider) Retrieve

func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error)

Retrieve generates a new set of temporary credentials using STS.

type AssumeRoler

type AssumeRoler interface {
	AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
}

AssumeRoler represents the minimal subset of the STS client API used by this provider.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL