-
Notifications
You must be signed in to change notification settings - Fork 654
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
12 changed files
with
412 additions
and
406 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,12 @@ | ||
| /* | ||
| Package config provides utilities for loading configuration from multiple | ||
| sources that can be used to configure the SDK's API clients, and utilities. | ||
| The config package will load configuration from environment variables, AWS | ||
| shared configuration file (~/.aws/config), and AWS shared credentials file | ||
| (~/.aws/credentials). | ||
| Use the LoadDefaultConfig to load configuration from all the SDK's supported | ||
| sources, and resolve credentials using the SDK's default credential chain. | ||
| * TODO Additional documentation needed. | ||
| */ | ||
| // Package config provides utilities for loading configuration from multiple | ||
| // sources that can be used to configure the SDK's API clients, and utilities. | ||
| // | ||
| // The config package will load configuration from environment variables, AWS | ||
| // shared configuration file (~/.aws/config), and AWS shared credentials file | ||
| // (~/.aws/credentials). | ||
| // | ||
| // Use the LoadDefaultConfig to load configuration from all the SDK's supported | ||
| // sources, and resolve credentials using the SDK's default credential chain. | ||
| // | ||
| // * TODO Additional documentation needed. | ||
| package config |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,60 +1,58 @@ | ||
| /* | ||
| Package ec2rolecreds provides the credentials provider implementation for | ||
| retrieving AWS credentials from Amazon EC2 Instance Roles via Amazon EC2 IMDS. | ||
| Concurrency and caching | ||
| The Provider is not safe to be used concurrently, and does not provide any | ||
| caching of credentials retrieved. You should wrap the Provider with a | ||
| `aws.CredentialsCache` to provide concurrency safety, and caching of | ||
| credentials. | ||
| Loading credentials with the SDK's AWS Config | ||
| The EC2 Instance role credentials provider will automatically be the resolved | ||
| credential provider int he credential chain if no other credential provider is | ||
| resolved first. | ||
| To explicitly instruct the SDK's credentials resolving to use the EC2 Instance | ||
| role for credentials, you specify a `credentials_source` property in the config | ||
| profile the SDK will load. | ||
| [default] | ||
| credential_source = Ec2InstanceMetadata | ||
| Loading credentials with the Provider directly | ||
| Another way to use the EC2 Instance role credentials provider is to create it | ||
| directly and assign it as the credentials provider for an API client. | ||
| The following example creates a credentials provider for a command, and wraps | ||
| it with the CredentialsCache before assigning the provider to the Amazon S3 API | ||
| client's Credentials option. | ||
| provider := ec2imds.New(ec2imds.Options{}) | ||
| // Create the service client value configured for credentials. | ||
| svc := s3.New(s3.Options{ | ||
| Credentials: &aws.CredentialsCache{Provider: provider}, | ||
| }) | ||
| If you need more control, you can set the configuration options on the | ||
| credentials provider using the ec2imds.Options type to configure the EC2 IMDS | ||
| API Client and ExpiryWindow of the retrieved credentials. | ||
| provider := ec2imds.New(ec2imds.Options{ | ||
| // See ec2imds.Options type's documentation for more options available. | ||
| Client: ec2imds.New(Options{ | ||
| HTTPClient: customHTTPClient, | ||
| }), | ||
| // Modify how soon credentials expire prior to their original expiry time. | ||
| ExpiryWindow: 5 * time.Minute, | ||
| }) | ||
| EC2 IMDS API Client | ||
| See the github.com/aws/aws-sdk-go-v2/ec2imds module for more details on | ||
| configuring the client, and options available. | ||
| */ | ||
| // Package ec2rolecreds provides the credentials provider implementation for | ||
| // retrieving AWS credentials from Amazon EC2 Instance Roles via Amazon EC2 IMDS. | ||
| // | ||
| // Concurrency and caching | ||
| // | ||
| // The Provider is not safe to be used concurrently, and does not provide any | ||
| // caching of credentials retrieved. You should wrap the Provider with a | ||
| // `aws.CredentialsCache` to provide concurrency safety, and caching of | ||
| // credentials. | ||
| // | ||
| // Loading credentials with the SDK's AWS Config | ||
| // | ||
| // The EC2 Instance role credentials provider will automatically be the resolved | ||
| // credential provider int he credential chain if no other credential provider is | ||
| // resolved first. | ||
| // | ||
| // To explicitly instruct the SDK's credentials resolving to use the EC2 Instance | ||
| // role for credentials, you specify a `credentials_source` property in the config | ||
| // profile the SDK will load. | ||
| // | ||
| // [default] | ||
| // credential_source = Ec2InstanceMetadata | ||
| // | ||
| // Loading credentials with the Provider directly | ||
| // | ||
| // Another way to use the EC2 Instance role credentials provider is to create it | ||
| // directly and assign it as the credentials provider for an API client. | ||
| // | ||
| // The following example creates a credentials provider for a command, and wraps | ||
| // it with the CredentialsCache before assigning the provider to the Amazon S3 API | ||
| // client's Credentials option. | ||
| // | ||
| // provider := ec2imds.New(ec2imds.Options{}) | ||
| // | ||
| // // Create the service client value configured for credentials. | ||
| // svc := s3.New(s3.Options{ | ||
| // Credentials: &aws.CredentialsCache{Provider: provider}, | ||
| // }) | ||
| // | ||
| // If you need more control, you can set the configuration options on the | ||
| // credentials provider using the ec2imds.Options type to configure the EC2 IMDS | ||
| // API Client and ExpiryWindow of the retrieved credentials. | ||
| // | ||
| // provider := ec2imds.New(ec2imds.Options{ | ||
| // // See ec2imds.Options type's documentation for more options available. | ||
| // Client: ec2imds.New(Options{ | ||
| // HTTPClient: customHTTPClient, | ||
| // }), | ||
| // | ||
| // // Modify how soon credentials expire prior to their original expiry time. | ||
| // ExpiryWindow: 5 * time.Minute, | ||
| // }) | ||
| // | ||
| // EC2 IMDS API Client | ||
| // | ||
| // See the github.com/aws/aws-sdk-go-v2/ec2imds module for more details on | ||
| // configuring the client, and options available. | ||
| package ec2rolecreds |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,94 +1,92 @@ | ||
| /* | ||
| Package processcreds is a credentials provider to retrieve credentials from a | ||
| external CLI invoked process. | ||
| WARNING: The following describes a method of sourcing credentials from an external | ||
| process. This can potentially be dangerous, so proceed with caution. Other | ||
| credential providers should be preferred if at all possible. If using this | ||
| option, you should make sure that the config file is as locked down as possible | ||
| using security best practices for your operating system. | ||
| Concurrency and caching | ||
| The Provider is not safe to be used concurrently, and does not provide any | ||
| caching of credentials retrieved. You should wrap the Provider with a | ||
| `aws.CredentialsCache` to provide concurrency safety, and caching of | ||
| credentials. | ||
| Loading credentials with the SDKs AWS Config | ||
| You can use credentials from a AWS shared config `credential_process` in a | ||
| variety of ways. | ||
| One way is to setup your shared config file, located in the default | ||
| location, with the `credential_process` key and the command you want to be | ||
| called. You also need to set the AWS_SDK_LOAD_CONFIG environment variable | ||
| (e.g., `export AWS_SDK_LOAD_CONFIG=1`) to use the shared config file. | ||
| [default] | ||
| credential_process = /command/to/call | ||
| Loading configuration using external will use the credential process to | ||
| retrieve credentials. NOTE: If there are credentials in the profile you are | ||
| using, the credential process will not be used. | ||
| // Initialize a session to load credentials. | ||
| cfg, _ := config.LoadDefaultConfig() | ||
| // Create S3 service client to use the credentials. | ||
| svc := s3.NewFromConfig(cfg) | ||
| Loading credentials with the Provider directly | ||
| Another way to use the credentials process provider is by using the | ||
| `NewProvider` constructor to create the provider and providing a it with a | ||
| command to be executed to retrieve credentials. | ||
| The following example creates a credentials provider for a command, and wraps | ||
| it with the CredentialsCache before assigning the provider to the Amazon S3 API | ||
| client's Credentials option. | ||
| // Create credentials using the Provider. | ||
| provider := processcreds.NewProvider("/path/to/command") | ||
| // Create the service client value configured for credentials. | ||
| svc := s3.New(s3.Options{ | ||
| Credentials: &aws.CredentialsCache{Provider: provider}, | ||
| }) | ||
| If you need more control, you can set any configurable options in the | ||
| credentials using one or more option functions. | ||
| provider := processcreds.NewProvider("/path/to/command", | ||
| func(o *processcreds.Options) { | ||
| // Override the provider's default timeout | ||
| o.Timeout = 2 * time.Minute | ||
| }) | ||
| You can also use your own `exec.Cmd` value by satisfying a value that satisfies | ||
| the `NewCommandBuilder` interface and use the `NewProviderCommand` constructor. | ||
| // Create an exec.Cmd | ||
| cmdBuilder := processcreds.NewCommandBuilderFunc( | ||
| func(ctx context.Context) (*exec.Cmd, error) { | ||
| cmd := exec.CommandContext(ctx, | ||
| "customCLICommand", | ||
| "-a", "argument", | ||
| ) | ||
| cmd.Env = []string{ | ||
| "ENV_VAR_FOO=value", | ||
| "ENV_VAR_BAR=other_value", | ||
| } | ||
| return cmd, nil | ||
| }, | ||
| ) | ||
| // Create credentials using your exec.Cmd and custom timeout | ||
| provider := processcreds.NewProviderCommand(cmdBuilder, | ||
| func(opt *processcreds.Provider) { | ||
| // optionally override the provider's default timeout | ||
| opt.Timeout = 1 * time.Second | ||
| }) | ||
| */ | ||
| // Package processcreds is a credentials provider to retrieve credentials from a | ||
| // external CLI invoked process. | ||
| // | ||
| // WARNING: The following describes a method of sourcing credentials from an external | ||
| // process. This can potentially be dangerous, so proceed with caution. Other | ||
| // credential providers should be preferred if at all possible. If using this | ||
| // option, you should make sure that the config file is as locked down as possible | ||
| // using security best practices for your operating system. | ||
| // | ||
| // Concurrency and caching | ||
| // | ||
| // The Provider is not safe to be used concurrently, and does not provide any | ||
| // caching of credentials retrieved. You should wrap the Provider with a | ||
| // `aws.CredentialsCache` to provide concurrency safety, and caching of | ||
| // credentials. | ||
| // | ||
| // Loading credentials with the SDKs AWS Config | ||
| // | ||
| // You can use credentials from a AWS shared config `credential_process` in a | ||
| // variety of ways. | ||
| // | ||
| // One way is to setup your shared config file, located in the default | ||
| // location, with the `credential_process` key and the command you want to be | ||
| // called. You also need to set the AWS_SDK_LOAD_CONFIG environment variable | ||
| // (e.g., `export AWS_SDK_LOAD_CONFIG=1`) to use the shared config file. | ||
| // | ||
| // [default] | ||
| // credential_process = /command/to/call | ||
| // | ||
| // Loading configuration using external will use the credential process to | ||
| // retrieve credentials. NOTE: If there are credentials in the profile you are | ||
| // using, the credential process will not be used. | ||
| // | ||
| // // Initialize a session to load credentials. | ||
| // cfg, _ := config.LoadDefaultConfig() | ||
| // | ||
| // // Create S3 service client to use the credentials. | ||
| // svc := s3.NewFromConfig(cfg) | ||
| // | ||
| // Loading credentials with the Provider directly | ||
| // | ||
| // Another way to use the credentials process provider is by using the | ||
| // `NewProvider` constructor to create the provider and providing a it with a | ||
| // command to be executed to retrieve credentials. | ||
| // | ||
| // The following example creates a credentials provider for a command, and wraps | ||
| // it with the CredentialsCache before assigning the provider to the Amazon S3 API | ||
| // client's Credentials option. | ||
| // | ||
| // // Create credentials using the Provider. | ||
| // provider := processcreds.NewProvider("/path/to/command") | ||
| // | ||
| // // Create the service client value configured for credentials. | ||
| // svc := s3.New(s3.Options{ | ||
| // Credentials: &aws.CredentialsCache{Provider: provider}, | ||
| // }) | ||
| // | ||
| // If you need more control, you can set any configurable options in the | ||
| // credentials using one or more option functions. | ||
| // | ||
| // provider := processcreds.NewProvider("/path/to/command", | ||
| // func(o *processcreds.Options) { | ||
| // // Override the provider's default timeout | ||
| // o.Timeout = 2 * time.Minute | ||
| // }) | ||
| // | ||
| // You can also use your own `exec.Cmd` value by satisfying a value that satisfies | ||
| // the `NewCommandBuilder` interface and use the `NewProviderCommand` constructor. | ||
| // | ||
| // // Create an exec.Cmd | ||
| // cmdBuilder := processcreds.NewCommandBuilderFunc( | ||
| // func(ctx context.Context) (*exec.Cmd, error) { | ||
| // cmd := exec.CommandContext(ctx, | ||
| // "customCLICommand", | ||
| // "-a", "argument", | ||
| // ) | ||
| // cmd.Env = []string{ | ||
| // "ENV_VAR_FOO=value", | ||
| // "ENV_VAR_BAR=other_value", | ||
| // } | ||
| // | ||
| // return cmd, nil | ||
| // }, | ||
| // ) | ||
| // | ||
| // // Create credentials using your exec.Cmd and custom timeout | ||
| // provider := processcreds.NewProviderCommand(cmdBuilder, | ||
| // func(opt *processcreds.Provider) { | ||
| // // optionally override the provider's default timeout | ||
| // opt.Timeout = 1 * time.Second | ||
| // }) | ||
| package processcreds |
Oops, something went wrong.