Class: Cerberus::AwsAssumeRoleCredentialsProvider
- Inherits: Object
- Defined in: lib/cerberus/aws_assumed_role_credentials_provider.rb
Overview
The AWS IAM role credentials provider. Tries to authenticate with Cerberus using the given IAM role.
Constant Summary
- ROLE_AUTH_REL_URI = "/v2/auth/iam-principal"
  Relative URI to get encrypted auth data from Cerberus.
- CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY = "client_token"
  Key into the decrypted auth data JSON returned by Cerberus.
- CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"
- CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"
- LOGGER = CerberusUtils::Log.instance
Instance Method Summary
- #get_client_token ⇒ Object
  Get credentials using AWS IAM role.
- #initialize(cerberus_url_resolver, iam_role_arn, region) ⇒ AwsAssumeRoleCredentialsProvider (constructor)
  Init AWS role provider - needs cerberus base url.
Constructor Details
#initialize(cerberus_url_resolver, iam_role_arn, region) ⇒ AwsAssumeRoleCredentialsProvider
Initializes the AWS role provider; it needs the Cerberus base URL. The instance metadata service URL is optional, to make unit tests easier and to provide a hook for setting it via config as needed.

    # File 'lib/cerberus/aws_assumed_role_credentials_provider.rb', line 39
    def initialize(cerberus_url_resolver, iam_role_arn, region)
      @cerberus_base_url = CerberusUtils::get_url_from_resolver(cerberus_url_resolver)
      @client_token = nil
      @cerberus_auth_info = get_assumed_role_info(iam_role_arn, region)
      LOGGER.debug("AwsAssumeRoleCredentialsProvider initialized with cerberus base url #{@cerberus_base_url}")
    end
Instance Method Details
#get_client_token ⇒ Object
Get credentials using the AWS IAM role. The client token is fetched lazily on first use and refreshed from Cerberus once it has expired.

    # File 'lib/cerberus/aws_assumed_role_credentials_provider.rb', line 50
    def get_client_token
      if (@cerberus_auth_info.nil?)
        LOGGER.warn("Instance metadata URL is nil for role provider!")
        raise Cerberus::Exception::NoValueError
      end

      if (@client_token.nil?)
        @client_token = get_credentials_from_cerberus
      end

      # using two if statements here just to make the logging easier..
      # the above we expect on startup, expiration is an interesting event worth a debug log all its own
      if (@client_token.expired?)
        LOGGER.debug("Existing ClientToken has expired - refreshing from Cerberus...")
        @client_token = get_credentials_from_cerberus
      end

      return @client_token.authToken
    end
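The lazy fetch-and-refresh flow of get_client_token, together with the auth data keys listed under Constant Summary, as an added example that is not the gem's own code. It assumes a minimal ClientToken exposing expired? and authToken (the real class is not shown on this page), replaces the Cerberus/STS round trip with an injected fetcher, and uses a constructed sample response.

```ruby
require 'json'
require 'time'

# Stand-in for the gem's ClientToken (assumption: the real class exposes
# #expired? and #authToken, which is all get_client_token relies on).
class ClientToken
  attr_reader :authToken, :policies, :expires_at

  # auth_data is the decrypted JSON hash returned by /v2/auth/iam-principal,
  # keyed by the CERBERUS_AUTH_DATA_* constants from the page.
  def initialize(auth_data, now: Time.now, skew: 60)
    @authToken = auth_data.fetch('client_token')
    @policies  = auth_data.fetch('policies', [])
    # lease_duration is in seconds; treat the token as expired `skew` seconds
    # early so a token is never handed out that lapses mid-request (assumption).
    @expires_at = now + auth_data.fetch('lease_duration').to_i - skew
  end

  def expired?(now = Time.now)
    now >= @expires_at
  end
end

# Lazy-caching provider mirroring the page's get_client_token flow; the
# Cerberus call is replaced by an injected fetcher returning the JSON body.
class FakeRoleProvider
  attr_reader :fetch_count

  def initialize(fetcher)
    @fetcher = fetcher
    @client_token = nil
    @fetch_count = 0
  end

  def get_client_token(now = Time.now)
    if @client_token.nil? || @client_token.expired?(now)
      @fetch_count += 1
      @client_token = ClientToken.new(JSON.parse(@fetcher.call), now: now)
    end
    @client_token.authToken
  end
end

# Constructed sample response; not a real Cerberus token.
SAMPLE_AUTH_DATA = { 'client_token' => 'tok-EXAMPLE-1', 'lease_duration' => 3600,
                     'policies' => ['web-app-read'] }.to_json
```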