Class: Aws::Google

Inherits:

Object

Object
Aws::Google

show all

Includes:: CredentialProvider, RefreshingCredentials

Defined in:: lib/aws/google.rb,
lib/aws/google/version.rb,
lib/aws/google/credential_provider.rb

Overview

An auto-refreshing credential provider that works by assuming a role via STS::Client#assume_role_with_web_identity, using an ID token derived from a Google refresh token.

role_credentials = Aws::Google.new(
  role_arn: aws_role,
  google_client_id: client_id,
  google_client_secret: client_secret
)

ec2 = Aws::EC2::Client.new(credentials: role_credentials)

If you omit ‘:client` option, a new STS::Client object will be constructed.

Defined Under Namespace

Modules: CredentialProvider

Constant Summary collapse

VERSION =

'0.1.3'.freeze

Class Attribute Summary collapse

.config ⇒ Object

Returns the value of attribute config.

Instance Method Summary collapse

#initialize(options = {}) ⇒ Google constructor

A new instance of Google.

Constructor Details

#initialize(options = {}) ⇒ `Google`

Returns a new instance of Google.

Parameters:

options (Hash) (defaults to: {}) —

a customizable set of options

Options Hash (options):

:role_arn (required, String)
:policy (String)
:duration_seconds (Integer)
:external_id (String)
:client (STS::Client) —

STS::Client to use (default: create new client)
:profile (String) —

AWS Profile to store temporary credentials (default ‘default`)
:domain (String) —

G Suite domain for account-selection hint
:online (String) —

if ‘true` only a temporary access token will be provided, a long-lived refresh token will not be created and stored on the filesystem.
:port (String) —

port for local server to listen on to capture oauth browser redirect. Defaults to 1234. Set to nil or 0 to use an out-of-band authentication process.
:google_id (::Google::Auth::ClientId)

# File 'lib/aws/google.rb', line 44

def initialize(options = {})
  @oauth_attempted = false
  @assume_role_params = options.slice(
    *Aws::STS::Client.api.operation(:assume_role_with_web_identity).
      input.shape.member_names
  )

  @profile = options[:profile] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
  @google_id = ::Google::Auth::ClientId.new(
    options[:google_client_id],
    options[:google_client_secret]
  )
  @client = options[:client] || Aws::STS::Client.new(credentials: nil)
  @domain = options[:domain]
  @online = options[:online]
  @port = options[:port] || 1234

  # Use existing AWS credentials stored in the shared config if available.
  # If this is `nil` or expired, #refresh will be called on the first AWS API service call
  # to generate AWS credentials derived from Google authentication.
  @expiration = Aws.shared_config.get('expiration', profile: @profile) rescue nil
  @mutex = Mutex.new
  if near_expiration?
    refresh!
  else
    @credentials = Aws.shared_config.credentials(profile: @profile) rescue nil
  end
end

Class Attribute Details

.config ⇒ `Object`

Returns the value of attribute config.



29
30
31

# File 'lib/aws/google.rb', line 29

def config
  @config
end