Class: Aws::AssumeRoleWebIdentityCredentials

Inherits:

Object

Object
Aws::AssumeRoleWebIdentityCredentials

show all

Includes:: CredentialProvider, RefreshingCredentials

Defined in:: lib/aws-sdk-core/assume_role_web_identity_credentials.rb

Overview

An auto-refreshing credential provider that works by assuming a role via STS::Client#assume_role_with_web_identity.

role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
  client: Aws::STS::Client.new(...),
  role_arn: "linked::account::arn",
  web_identity_token_file: "/path/to/token/file",
  role_session_name: "session-name"
  ...
)
For full list of parameters accepted
@see Aws::STS::Client#assume_role_with_web_identity

If you omit ‘:client` option, a new STS::Client object will be constructed.

Instance Attribute Summary collapse

#client ⇒ STS::Client readonly

Attributes included from CredentialProvider

#credentials

Class Method Summary collapse

.assume_role_web_identity_options ⇒ Object private

Instance Method Summary collapse

#initialize(options = {}) ⇒ AssumeRoleWebIdentityCredentials constructor

A new instance of AssumeRoleWebIdentityCredentials.

Methods included from RefreshingCredentials

#credentials, #expiration, #refresh!

Methods included from CredentialProvider

#set?

Constructor Details

#initialize(options = {}) ⇒ `AssumeRoleWebIdentityCredentials`

Returns a new instance of AssumeRoleWebIdentityCredentials.

Parameters:

options (Hash) (defaults to: {})

Options Hash (options):

:role_arn (required, String) —

the IAM role to be assumed
:web_identity_token_file (required, String) —

absolute path to the file on disk containing OIDC token
:role_session_name (String) —

the IAM session name used to distinguish session, when not provided, base64 encoded UUID is generated as the session name
:client (STS::Client)

# File 'lib/aws-sdk-core/assume_role_web_identity_credentials.rb', line 42

def initialize(options = {})
  client_opts = {}
  @assume_role_web_identity_params = {}
  @token_file = options.delete(:web_identity_token_file)
  options.each_pair do |key, value|
    if self.class.assume_role_web_identity_options.include?(key)
      @assume_role_web_identity_params[key] = value
    else
      client_opts[key] = value
    end
  end

  unless @assume_role_web_identity_params[:role_session_name]
    # not provided, generate encoded UUID as session name
    @assume_role_web_identity_params[:role_session_name] = _session_name
  end
  @client = client_opts[:client] || STS::Client.new(client_opts.merge(credentials: false))
  super
end

Instance Attribute Details

#client ⇒ `STS::Client` (readonly)

Returns:

(STS::Client)



63
64
65

# File 'lib/aws-sdk-core/assume_role_web_identity_credentials.rb', line 63

def client
  @client
end

Class Method Details

.assume_role_web_identity_options ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/assume_role_web_identity_credentials.rb', line 95

def assume_role_web_identity_options
  @arwio ||= begin
    input = STS::Client.api.operation(:assume_role_with_web_identity).input
    Set.new(input.shape.member_names)
  end
end