Class: Cerberus::AwsPrincipalCredentialsProvider

Inherits:
Object
Defined in:
lib/cerberus/aws_principal_credentials_provider.rb

Overview

The AWS IAM principal credentials provider.

Authenticates to Cerberus as the IAM principal of the EC2 instance the code runs on. The provider reads the instance profile ARN from the EC2 instance metadata service, derives the AWS account ID and role name from it, calls the Cerberus /v2/auth/iam-principal endpoint, decrypts the auth data that comes back and caches the resulting client token until its lease expires. Because discovery goes through the metadata service at 169.254.169.254, the provider only works on an EC2 instance unless instance_metadata_url is pointed at something that emulates that service. Note that any process on the instance, and anything that can be made to issue requests to the metadata service from it, can obtain the same role credentials and therefore the same Cerberus access.

Constant Summary

AWS_EC2_METADATA_URL =

Base URL of the EC2 instance metadata service

"http://169.254.169.254/latest/meta-data"
REGION_REL_URI =

Relative URI of the availability zone entry in the metadata service; used to determine the region when none is passed to the constructor

"/placement/availability-zone"
EC2_INSTNACE_PROFILE_REL_URI =

Relative URI of the instance profile info document in the metadata service; this document carries the instance profile ARN

"/iam/info"
EC2_INSTANCE_PROFILE_ARN_KEY =

JSON key in the instance profile info document that holds the instance profile ARN

'InstanceProfileArn'
IAM_ROLE_NAME_REL_URI =

Relative URI of the role's temporary security credentials in the metadata service; the role name is appended to it

"/iam/security-credentials/"
ROLE_ARN_ARRAY_INDEX_OF_ACCOUNT_NUM =

Index into the split role ARN at which the 12-digit AWS account ID sits

4
ROLE_ARN_ARRAY_INDEX_OF_ROLENAME =

Index into the split role ARN at which the role name sits

1
ROLE_AUTH_REL_URI =

Relative URI of the Cerberus endpoint that returns encrypted auth data for an IAM principal

"/v2/auth/iam-principal"
CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY =

Key in the decrypted auth data JSON from Cerberus that holds the client token

"client_token"
CERBERUS_AUTH_DATA_LEASE_DURATION_KEY =

Key in the decrypted auth data JSON that holds how long the client token is valid

"lease_duration"
CERBERUS_AUTH_DATA_POLICIES_KEY =

Key in the decrypted auth data JSON that holds the Cerberus policies attached to the token

"policies"
LOGGER =
CerberusUtils::Log.instance
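Worked example, added for this page and not taken from the Cerberus client: parsing the /iam/info metadata document and splitting the instance profile ARN with the same index values as the constants above (4 for the account ID, 1 for the role name). The metadata JSON is constructed, the function names are this example's own, and the split characters (':' for the account, '/' for the name) are an assumption inferred from the ARN format rather than something the page states. The example also covers the case the index-1 rule does not: an instance profile created with a path, where index 1 is the first path element rather than the name.

```ruby
require 'json'

# Constructed /iam/info document, shaped like the one the EC2 instance metadata
# service returns. Not captured from a real instance.
SAMPLE_IAM_INFO = <<~IMDS
  {
    "Code" : "Success",
    "LastUpdated" : "2024-01-01T00:00:00Z",
    "InstanceProfileArn" : "arn:aws:iam::123456789012:instance-profile/cerberus-app-role",
    "InstanceProfileId" : "AIPAEXAMPLEEXAMPLEEXA"
  }
IMDS

# Same values as ROLE_ARN_ARRAY_INDEX_OF_ACCOUNT_NUM and ROLE_ARN_ARRAY_INDEX_OF_ROLENAME
# in the class above; the split characters (':' for the account, '/' for the name)
# are this example's assumption, inferred from the ARN format.
ACCOUNT_NUM_INDEX = 4
ROLENAME_INDEX = 1

# Reject anything that is not an IAM instance-profile ARN before indexing into it:
# "arn", a partition, "iam", an empty region, a 12-digit account, then the resource.
INSTANCE_PROFILE_ARN_RE = %r{\Aarn:[a-z-]+:iam::\d{12}:instance-profile/.+\z}

def instance_profile_arn_from_iam_info(iam_info_json)
  arn = JSON.parse(iam_info_json).fetch('InstanceProfileArn') # KeyError if absent
  raise ArgumentError, "not an instance-profile ARN: #{arn}" unless INSTANCE_PROFILE_ARN_RE.match?(arn)
  arn
end

# arn:aws:iam::123456789012:instance-profile/name split on ':' gives
# ["arn", "aws", "iam", "", "123456789012", "instance-profile/name"], so index 4.
def account_id_from_arn(arn)
  arn.split(':')[ACCOUNT_NUM_INDEX]
end

# Split on '/' gives ["arn:aws:iam::123456789012:instance-profile", "name"], so index 1.
# If the profile was created with a path ("instance-profile/team/name") index 1 is
# the first path element, not the name; the last segment is returned alongside so
# callers can see the difference.
def role_name_parts_from_arn(arn)
  segments = arn.split('/')
  { role_name: segments[ROLENAME_INDEX], last_segment: segments.last, has_path: segments.length > 2 }
end

def principal_from_iam_info(iam_info_json)
  arn = instance_profile_arn_from_iam_info(iam_info_json)
  { arn: arn, account_id: account_id_from_arn(arn) }.merge(role_name_parts_from_arn(arn))
end

if __FILE__ == $PROGRAM_NAME
  p principal_from_iam_info(SAMPLE_IAM_INFO)
end
```

The regex check matters more than it looks: the same magic indices applied to a role ARN (arn:aws:iam::123456789012:role/name) or to an unexpected document would silently yield a wrong role name, and the later /iam/security-credentials/ lookup would fail in a way that is hard to trace back to the parse.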

Instance Method Summary

Constructor Details

#initialize(cerberus_url_resolver, region = nil, instance_metadata_url = AWS_EC2_METADATA_URL) ⇒ AwsPrincipalCredentialsProvider

Initialize the provider. cerberus_url_resolver yields the Cerberus base URL; when region is nil it is looked up through the metadata service's availability zone entry; instance_metadata_url can be overridden, for example to point at a local metadata mock. The metadata lookups happen here, in the constructor. If they yield nothing, #get_client_token raises Cerberus::Exception::NoValueError; the call to Cerberus itself is deferred until the token is first requested.



# File 'lib/cerberus/aws_principal_credentials_provider.rb', line 50

# Parameter name and default restored from the documented signature above.
def initialize(cerberus_url_resolver, region = nil, instance_metadata_url = AWS_EC2_METADATA_URL)
  @cerberus_base_url = CerberusUtils::get_url_from_resolver(cerberus_url_resolver)
  @client_token = nil
  @instance_metadata_url = instance_metadata_url
  # Metadata service lookups (AZ, instance profile ARN) happen at construction time.
  @cerberus_auth_info = get_cerberus_auth_info(instance_metadata_url, region)

  LOGGER.debug("AwsPrincipalCredentialsProvider initialized with cerberus base url #{@cerberus_base_url}")
end

Instance Method Details

#get_client_token ⇒ Object

Return the Cerberus client token for the instance's IAM principal, fetching it from Cerberus on first use and refreshing it once it has expired. Raises Cerberus::Exception::NoValueError if no auth info could be gathered from the instance metadata service at construction time.



# File 'lib/cerberus/aws_principal_credentials_provider.rb', line 62

def get_client_token

  if (@cerberus_auth_info.nil?)
    raise Cerberus::Exception::NoValueError
  end

  if (@client_token.nil?)
    @client_token = get_credentials_from_cerberus
  end

  # using two if statements for nil v. expired makes logging easier..
  # the above we expect on startup, expiration is worth its own logging
  if (@client_token.expired?)
    LOGGER.debug("Existing client token has expired - refreshing from Cerberus...")
    @client_token = get_credentials_from_cerberus
  end

  return @client_token.authToken

end
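Added example of the lease-based caching that #get_client_token performs, written for this page and not taken from the library. The library's own client token class is not shown here; only the authToken and expired? interface that get_client_token relies on is mirrored. The value object is built from the decrypted auth data keys listed in the constant summary, refreshes a fixed margin before the lease ends rather than after so in-flight requests do not fail on a dead token, and redacts itself in inspect so the bearer token does not leak through debug logging. The auth data document, the refresh margin and the injectable clock are constructed for the example.

```ruby
require 'json'
require 'time'

# Constructed auth data, shaped after the keys documented above
# (client_token, lease_duration, policies). Not a real Cerberus response.
SAMPLE_AUTH_DATA = <<~AUTH
  {
    "client_token": "cerberus-token-EXAMPLE-0001",
    "policies": ["app-read", "app-write"],
    "lease_duration": 3600
  }
AUTH

# Example value object; the library's own token class is not shown on this page.
# Only the authToken / expired? interface used by get_client_token is mirrored,
# which is why the accessor keeps the camelCase name.
class ClientToken
  # Treat the token as expired this many seconds early: a request in flight when
  # the lease ends does not fail, and small clock skew against Cerberus is absorbed.
  REFRESH_MARGIN_SECONDS = 60

  attr_reader :authToken, :policies, :expires_at

  def initialize(auth_data, now: Time.now)
    @authToken = auth_data.fetch('client_token')
    @policies = auth_data.fetch('policies', [])
    lease = Integer(auth_data.fetch('lease_duration'))
    raise ArgumentError, "lease_duration must be positive, got #{lease}" unless lease.positive?
    @expires_at = now + lease
  end

  def expired?(now: Time.now)
    now >= @expires_at - REFRESH_MARGIN_SECONDS
  end

  # Keep the bearer token out of logs, exception messages and debugger output.
  def inspect
    "#<ClientToken policies=#{@policies.inspect} expires_at=#{@expires_at.utc.iso8601}>"
  end
  alias to_s inspect
end

# Mirrors the nil-then-expired double check in get_client_token. The fetcher stands
# in for the /v2/auth/iam-principal call plus decryption, and the clock is injectable
# so expiry can be exercised without waiting for a real lease to run out.
class CachingTokenSource
  attr_reader :fetch_count

  def initialize(auth_fetcher, clock: -> { Time.now })
    @auth_fetcher = auth_fetcher
    @clock = clock
    @token = nil
    @fetch_count = 0
  end

  def client_token
    @token = fetch_token if @token.nil?
    @token = fetch_token if @token.expired?(now: @clock.call)
    @token.authToken
  end

  private

  def fetch_token
    @fetch_count += 1
    ClientToken.new(JSON.parse(@auth_fetcher.call), now: @clock.call)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo = CachingTokenSource.new(-> { SAMPLE_AUTH_DATA })
  puts demo.client_token                  # the bearer token itself
  p demo.instance_variable_get(:@token)   # redacted inspect, token not shown
end
```

Wiring the real provider in would mean passing a lambda that calls Cerberus and decrypts the response; nothing else in the caching path needs to change.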