Class: Cerberus::AwsAssumeRoleCredentialsProvider

Inherits: Object
Defined in:
lib/cerberus/aws_assumed_role_credentials_provider.rb

Overview

The AWS IAM role credentials provider

Tries to authenticate with Cerberus using the given IAM role

Constant Summary

ROLE_AUTH_REL_URI = "/v2/auth/iam-principal"
  Relative URI from which the provider requests encrypted auth data from Cerberus.

CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY = "client_token"
  Key into the decrypted auth data JSON returned by Cerberus.

CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"

CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"

LOGGER = CerberusUtils::Log.instance

Instance Method Summary

Constructor Details

#initialize(cerberus_url_resolver, iam_role_arn, region) ⇒ AwsAssumeRoleCredentialsProvider

Initializes the assume-role provider. It takes a Cerberus URL resolver (from which the Cerberus base URL is derived), the ARN of the IAM role to assume, and the AWS region. The assumed-role auth info is obtained during construction via get_assumed_role_info; no Cerberus client token is requested until #get_client_token is called.


# File 'lib/cerberus/aws_assumed_role_credentials_provider.rb', line 39

def initialize(cerberus_url_resolver, iam_role_arn, region)
  @cerberus_base_url = CerberusUtils::get_url_from_resolver(cerberus_url_resolver)
  @client_token = nil
  @cerberus_auth_info = get_assumed_role_info(iam_role_arn, region)

  LOGGER.debug("AwsAssumeRoleCredentialsProvider initialized with cerberus base url #{@cerberus_base_url}")
end

Instance Method Details

#get_client_token ⇒ Object

Returns a Cerberus client token for the assumed IAM role. The token is fetched from Cerberus on first use, cached, and re-fetched once the cached token reports itself expired. Raises Cerberus::Exception::NoValueError if no assumed-role auth info was obtained at construction.


# File 'lib/cerberus/aws_assumed_role_credentials_provider.rb', line 50

def get_client_token

  # @cerberus_auth_info is populated by get_assumed_role_info in the constructor;
  # without it there is nothing to authenticate with
  if (@cerberus_auth_info.nil?)
    LOGGER.warn("Assumed role auth info is nil for role provider!")
    raise Cerberus::Exception::NoValueError
  end

  if (@client_token.nil?)
    @client_token = get_credentials_from_cerberus
  end

  # using two if statements here just to make the logging easier..
  # the above we expect on startup, expiration is an interesting event worth a debug log all its own
  if (@client_token.expired?)
    LOGGER.debug("Existing ClientToken has expired - refreshing from Cerberus...")
    @client_token = get_credentials_from_cerberus
  end

  return @client_token.authToken

end
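The constants above name the fields of the decrypted auth data (client_token, lease_duration, policies), and #get_client_token caches the resulting token until it expires. The following is an added example, not code from the cerberus gem, showing how those pieces fit together: it parses a decrypted auth data document using the same key names, derives an expiry from lease_duration, and refreshes the token with the same nil-then-expired logic. The class names ExampleClientToken and ExampleTokenCache, the refresh_margin, the fetcher callable and the SAMPLE_AUTH_DATA payload are all assumptions made for the example; the real provider obtains the payload by posting to ROLE_AUTH_REL_URI and decrypting the response, which is stubbed here so the code runs offline.

```ruby
require 'json'
require 'time'

# Added example (not part of the cerberus gem). The constants mirror the
# provider's own so the parsing below uses the same key names.
ROLE_AUTH_REL_URI = "/v2/auth/iam-principal"
CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY = "client_token"
CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"
CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"

# Mirrors the two things get_client_token relies on: the bearer value
# (authToken) and an expired? predicate derived from lease_duration.
class ExampleClientToken
  attr_reader :authToken, :policies, :expires_at

  # refresh_margin (seconds) is an assumption for this example: treat the
  # token as expired slightly before the lease ends, so an in-flight request
  # never carries a token Cerberus has already revoked.
  def initialize(auth_token, lease_duration, policies, issued_at: Time.now, refresh_margin: 60)
    @authToken = auth_token
    @policies = policies
    @expires_at = issued_at + lease_duration - refresh_margin
  end

  def expired?(now = Time.now)
    now >= @expires_at
  end

  # Build a token from the decrypted auth data JSON. Missing or malformed
  # fields raise instead of silently yielding a token that never expires.
  def self.from_auth_data(json_str, now: Time.now)
    data = JSON.parse(json_str)
    token = data[CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY]
    lease = data[CERBERUS_AUTH_DATA_LEASE_DURATION_KEY]
    unless token.is_a?(String) && !token.empty?
      raise ArgumentError, "auth data missing #{CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY}"
    end
    unless lease.is_a?(Integer) && lease > 0
      raise ArgumentError, "auth data has invalid #{CERBERUS_AUTH_DATA_LEASE_DURATION_KEY}"
    end
    new(token, lease, Array(data[CERBERUS_AUTH_DATA_POLICIES_KEY]), issued_at: now)
  end
end

# Caching provider with the same nil-then-expired flow as get_client_token.
# fetcher is a callable returning the decrypted auth data JSON; in the gem
# that step is the POST to ROLE_AUTH_REL_URI followed by decryption.
class ExampleTokenCache
  attr_reader :fetch_count

  def initialize(fetcher)
    @fetcher = fetcher
    @client_token = nil
    @fetch_count = 0
  end

  def get_client_token(now: Time.now)
    if @client_token.nil? || @client_token.expired?(now)
      @fetch_count += 1
      @client_token = ExampleClientToken.from_auth_data(@fetcher.call, now: now)
    end
    @client_token.authToken
  end
end

# Constructed sample payload shaped like a decrypted response; values are made up.
SAMPLE_AUTH_DATA = JSON.generate(
  "client_token" => "7f1e2c3b-example-token",
  "lease_duration" => 3600,
  "policies" => ["app-secrets-read", "default"]
)

# Drive the cache through first use, a cache hit inside the lease, and a
# refresh once the lease (minus the margin) has elapsed.
def demo_token_cache
  cache = ExampleTokenCache.new(-> { SAMPLE_AUTH_DATA })
  t0 = Time.at(1_700_000_000)
  first = cache.get_client_token(now: t0)
  second = cache.get_client_token(now: t0 + 1800)   # inside lease: served from cache
  third = cache.get_client_token(now: t0 + 3600)    # past lease minus margin: re-fetched
  { first: first, second: second, third: third, fetches: cache.fetch_count }
end
```

The gem's ClientToken decides expiry itself; the point of computing expires_at from lease_duration at issue time, with a margin, is that a cached token is retired before Cerberus stops honouring it rather than after the first 401.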