Class: Aws::AssumeRoleCredentials

Inherits:
Object
  • Object
Includes:
CredentialProvider, RefreshingCredentials
Defined in:
lib/aws-sdk-core/assume_role_credentials.rb

Overview

An auto-refreshing credential provider that assumes a role via STS::Client#assume_role.

role_credentials = Aws::AssumeRoleCredentials.new(
  client: Aws::STS::Client.new(sts_options),
  role_arn: "linked::account::arn",
  role_session_name: "session-name"
)
ec2 = Aws::EC2::Client.new(credentials: role_credentials)

If you omit the `:client` option, a new STS::Client object will be constructed with the additional options that were provided.

Constant Summary

Constants included from RefreshingCredentials

RefreshingCredentials::ASYNC_EXPIRATION_LENGTH, RefreshingCredentials::CLIENT_EXCLUDE_OPTIONS, RefreshingCredentials::SYNC_EXPIRATION_LENGTH

Instance Attribute Summary

Attributes included from CredentialProvider

#credentials, #expiration, #metrics

Class Method Summary

Instance Method Summary

Methods included from RefreshingCredentials

#credentials, #refresh!

Methods included from CredentialProvider

#set?

Constructor Details

#initialize(options = {}) ⇒ AssumeRoleCredentials

Returns a new instance of AssumeRoleCredentials.

Examples:

Tokens can be refreshed using a Proc.

before_refresh = Proc.new do |assume_role_credentials|
  assume_role_credentials.assume_role_params['token_code'] = update_token
end

Parameters:

  • options (Hash) (defaults to: {})

    a customizable set of options

Options Hash (options):

  • :role_arn (required, String)
  • :role_session_name (required, String)
  • :policy (String)
  • :duration_seconds (Integer)
  • :external_id (String)
  • :client (STS::Client)
  • :before_refresh (Proc)

    A Proc called before credentials are refreshed. Useful for updating tokens. `:before_refresh` is called when AWS credentials are required and need to be refreshed. See the example in this doc.
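
Added example (not part of the SDK or its documentation): a pre-flight check that builds the options hash listed above with a scoped-down `:policy`, an `:external_id` and the shortest `:duration_seconds`, validating each value against the limits in the STS AssumeRole API reference. The `AssumeRoleOptions` module and all sample values (account ID, role name, bucket, external ID) are hypothetical.

```ruby
require 'json'

# Hypothetical helper, not part of aws-sdk-core. Limits are the documented
# STS AssumeRole constraints for each parameter.
module AssumeRoleOptions
  ROLE_ARN     = %r{\Aarn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+\z}
  SESSION_NAME = /\A[\w+=,.@-]{2,64}\z/
  EXTERNAL_ID  = %r{\A[\w+=,.@:/-]{2,1224}\z}
  DURATION     = (900..43_200) # seconds
  POLICY_MAX   = 2048          # characters

  # Session policy: effective permissions are the intersection of this
  # document and the role's own policies, so it can only narrow access.
  def self.read_only_bucket_policy(bucket)
    JSON.generate(
      'Version' => '2012-10-17',
      'Statement' => [{
        'Effect' => 'Allow',
        'Action' => ['s3:GetObject', 's3:ListBucket'],
        'Resource' => ["arn:aws:s3:::#{bucket}", "arn:aws:s3:::#{bucket}/*"]
      }]
    )
  end

  # Returns an options hash, or raises ArgumentError listing every problem.
  def self.build(role_arn:, role_session_name:, duration_seconds: 900,
                 external_id: nil, policy: nil)
    errors = []
    errors << 'role_arn is not an IAM role ARN' unless ROLE_ARN.match?(role_arn.to_s)
    errors << 'role_session_name must be 2-64 chars of [\w+=,.@-]' unless SESSION_NAME.match?(role_session_name.to_s)
    errors << 'duration_seconds must be 900..43200' unless DURATION.cover?(duration_seconds)
    errors << 'external_id has invalid length or characters' if external_id && !EXTERNAL_ID.match?(external_id)
    errors << "policy exceeds #{POLICY_MAX} characters" if policy && policy.length > POLICY_MAX
    raise ArgumentError, errors.join('; ') unless errors.empty?

    { role_arn: role_arn, role_session_name: role_session_name,
      duration_seconds: duration_seconds, external_id: external_id,
      policy: policy }.compact
  end
end

# Constructed sample values; every identifier below is a placeholder.
OPTS = AssumeRoleOptions.build(
  role_arn: 'arn:aws:iam::123456789012:role/ExampleAuditRole',
  role_session_name: 'ci-audit-job-42',
  external_id: 'example-external-id',
  policy: AssumeRoleOptions.read_only_bucket_policy('example-audit-logs')
)
# With the SDK loaded: Aws::AssumeRoleCredentials.new(OPTS)
```

A distinct `role_session_name` per job or user makes the resulting sessions attributable in CloudTrail, where the session name appears in the assumed-role ARN.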



# File 'lib/aws-sdk-core/assume_role_credentials.rb', line 41

def initialize(options = {})
  client_opts = {}
  @assume_role_params = {}
  options.each_pair do |key, value|
    if self.class.assume_role_options.include?(key)
      @assume_role_params[key] = value
    elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
      client_opts[key] = value
    end
  end
  @client = client_opts[:client] || STS::Client.new(client_opts)
  @async_refresh = true
  @metrics = ['CREDENTIALS_STS_ASSUME_ROLE']
  super
end

Instance Attribute Details

#assume_role_params ⇒ Hash (readonly)

Returns:

  • (Hash)


# File 'lib/aws-sdk-core/assume_role_credentials.rb', line 61

def assume_role_params
  @assume_role_params
end

#client ⇒ STS::Client (readonly)

Returns:

  • (STS::Client)

# File 'lib/aws-sdk-core/assume_role_credentials.rb', line 58

def client
  @client
end

Class Method Details

.assume_role_options ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



# File 'lib/aws-sdk-core/assume_role_credentials.rb', line 85

def assume_role_options
  @aro ||= begin
    input = STS::Client.api.operation(:assume_role).input
    Set.new(input.shape.member_names)
  end
end