Package stscreds provides credential providers that retrieve temporary AWS credentials from STS.
STS offers several ways to obtain temporary credentials, which can then be used for subsequent AWS service API calls.
The SDK ensures that, within a single aws.CredentialsCache instance, all requests to refresh the credentials are synchronized. It cannot, however, synchronize use of an AssumeRoleProvider whose value is shared between multiple CredentialsCache instances or service clients.
Assume Role

To assume an IAM role using STS with the SDK, create a new credentials cache backed by a provider from the SDK's stscreds package.

    import (
        "context"

        "github.com/aws/aws-sdk-go-v2/aws"
        "github.com/aws/aws-sdk-go-v2/config"
        "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
        "github.com/aws/aws-sdk-go-v2/service/s3"
        "github.com/aws/aws-sdk-go-v2/service/sts"
    )

    // Initial credentials loaded from the SDK's default credential chain, such
    // as the environment, shared credentials (~/.aws/credentials), or an EC2
    // instance role. These credentials will be used to make the STS AssumeRole
    // API call.
    cfg, err := config.LoadDefaultConfig(context.TODO())
    if err != nil {
        panic(err)
    }

    // Create the credentials from AssumeRoleProvider to assume the role
    // referenced by the "myRoleArn" ARN.
    stsSvc := sts.NewFromConfig(cfg)
    creds := stscreds.NewAssumeRoleProvider(stsSvc, "myRoleArn")
    cfg.Credentials = aws.NewCredentialsCache(creds)

    // Create a service client configured with credentials from the assumed role.
    svc := s3.NewFromConfig(cfg)

Assume Role with custom MFA Token provider
To assume an IAM role with an MFA token you can either specify a custom MFA token provider or use the SDK's built-in StdinTokenProvider, which prompts the user for a token code each time the credentials need to be refreshed. Specifying a custom token provider lets you control where the token code is retrieved from and how it is refreshed.
A custom token provider is responsible for producing a fresh token code each time it is called; the SDK does not cache the code it returns.
    cfg, err := config.LoadDefaultConfig(context.TODO())
    if err != nil {
        panic(err)
    }

    staticTokenProvider := func() (string, error) {
        return someTokenCode, nil
    }

    // Create the credentials from AssumeRoleProvider to assume the role
    // referenced by the "myRoleArn" ARN using the MFA token code provided.
    creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), "myRoleArn", func(o *stscreds.AssumeRoleOptions) {
        o.SerialNumber = aws.String("myTokenSerialNumber")
        o.TokenProvider = staticTokenProvider
    })
    cfg.Credentials = aws.NewCredentialsCache(creds)

    // Create a service client configured with credentials from the assumed role.
    svc := s3.NewFromConfig(cfg)

Assume Role with MFA Token Provider
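The static provider above is only a placeholder: a token code is valid for a single 30-second step, so a real custom provider has to compute a fresh code on every call. The following is an added example, not code from the page or from the SDK, of a TokenProvider that derives RFC 6238 codes from a virtual-MFA seed. It assumes the SDK's TokenProvider signature is func() (string, error) (redeclared locally so the file builds without the SDK) and uses the RFC 6238 test seed, which is not a real device seed. Keep in mind that a seed stored next to the long-term access keys it protects collapses MFA back into one factor; this pattern is only defensible when the seed is held in a separate secret store that the process reads at runtime.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// TokenProvider mirrors the func() (string, error) signature that
// stscreds.AssumeRoleOptions.TokenProvider expects. It is declared here only
// so this example builds without importing the SDK.
type TokenProvider func() (string, error)

// HOTP computes an RFC 4226 code for one counter value using HMAC-SHA1.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// NewTOTPTokenProvider returns a TokenProvider that derives a 6-digit RFC 6238
// code (30-second step, the scheme virtual MFA devices use) from a base32 seed.
// The clock is injectable so the provider can be checked against fixed times.
func NewTOTPTokenProvider(base32Seed string, now func() time.Time) (TokenProvider, error) {
	norm := strings.ToUpper(strings.ReplaceAll(base32Seed, " ", ""))
	norm = strings.TrimRight(norm, "=")
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(norm)
	if err != nil {
		return nil, fmt.Errorf("decode MFA seed: %w", err)
	}
	if len(secret) == 0 {
		return nil, errors.New("empty MFA seed")
	}
	if now == nil {
		now = time.Now
	}
	return func() (string, error) {
		t := now().Unix()
		if t < 0 {
			return "", errors.New("clock is before the Unix epoch")
		}
		return HOTP(secret, uint64(t/30), 6), nil
	}, nil
}

func main() {
	// Constructed input: the RFC 6238 test seed (ASCII "12345678901234567890").
	provider, err := NewTOTPTokenProvider("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", nil)
	if err != nil {
		panic(err)
	}
	code, err := provider()
	if err != nil {
		panic(err)
	}
	fmt.Println("current code:", code)
	// In the page's example this value would be assigned with
	//   o.TokenProvider = provider
	// inside the AssumeRoleOptions callback.
}
```

Because the provider is a plain function value, it drops into the page's example in place of staticTokenProvider. Decoding the seed once at construction time means a malformed seed is reported when the program starts rather than on the first credential refresh.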
To assume an IAM role with MFA for longer-running tasks, where the credentials may need to be refreshed, set the TokenProvider field of AssumeRoleOptions. The credential provider will then call it to obtain a new MFA token code each time the role's credentials need to be refreshed.
The StdinTokenProvider function is available to prompt on stdout and read the MFA token code from stdin. You can also implement custom prompts by satisfying the TokenProvider function signature.
Using StdinTokenProvider with multiple AssumeRoleProviders or CredentialsCache instances will have undesirable results, because StdinTokenProvider is not synchronized and concurrent prompts will interleave. A single CredentialsCache wrapping one AssumeRoleProvider can be shared safely.
    cfg, err := config.LoadDefaultConfig(context.TODO())
    if err != nil {
        panic(err)
    }

    // Create the credentials from AssumeRoleProvider to assume the role
    // referenced by the "myRoleArn" ARN, prompting on stdin for the MFA token
    // code whenever the credentials are refreshed.
    creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), "myRoleArn", func(o *stscreds.AssumeRoleOptions) {
        o.SerialNumber = aws.String("myTokenSerialNumber")
        o.TokenProvider = stscreds.StdinTokenProvider
    })
    cfg.Credentials = aws.NewCredentialsCache(creds)

    // Create a service client configured with credentials from the assumed role.
    svc := s3.NewFromConfig(cfg)
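When a process needs several AssumeRoleProviders (for example one per target account) and wants to prompt a human for each refresh, the synchronization caveat above applies. The following is an added example, not code from the page or from the SDK, of a custom prompt provider that serializes prompts with a mutex so one instance can be shared by every AssumeRoleProvider, and that re-prompts until it reads a well-formed 6-digit code (the format STS requires for TokenCode). The TokenProvider type is redeclared locally so the file builds without the SDK; the serial number used in main is a placeholder.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
	"sync"
)

// TokenProvider mirrors the func() (string, error) signature of
// stscreds.AssumeRoleOptions.TokenProvider (declared locally so this builds
// without the SDK).
type TokenProvider func() (string, error)

// promptProvider reads MFA codes from one reader and serializes every prompt
// with a mutex, so several AssumeRoleProviders can share it without
// interleaving their prompts or tearing reads from the shared input.
type promptProvider struct {
	mu     sync.Mutex
	in     *bufio.Reader
	out    io.Writer
	serial string
}

// NewPromptTokenProvider builds a TokenProvider that prompts on out and reads
// lines from in until it sees a valid 6-digit code, or until the input ends.
func NewPromptTokenProvider(in io.Reader, out io.Writer, serial string) TokenProvider {
	p := &promptProvider{in: bufio.NewReader(in), out: out, serial: serial}
	return p.token
}

func (p *promptProvider) token() (string, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	for {
		fmt.Fprintf(p.out, "Enter MFA code for %s: ", p.serial)
		line, err := p.in.ReadString('\n')
		code := strings.TrimSpace(line)
		if err != nil && code == "" {
			// End of input (or a read failure) before any usable code.
			return "", fmt.Errorf("read MFA code: %w", err)
		}
		if ValidTokenCode(code) {
			return code, nil
		}
		fmt.Fprintln(p.out, "MFA code must be exactly 6 digits")
		if err != nil {
			return "", errors.New("no valid MFA code before end of input")
		}
	}
}

// ValidTokenCode reports whether s is exactly six ASCII digits.
func ValidTokenCode(s string) bool {
	if len(s) != 6 {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
	}
	return true
}

func main() {
	// Real use: in is os.Stdin, and the same provider value is assigned to
	// o.TokenProvider in every AssumeRoleProvider's options callback.
	provider := NewPromptTokenProvider(os.Stdin, os.Stderr, "arn:aws:iam::123456789012:mfa/example")
	code, err := provider()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("got code", code)
}
```

Prompts go to stderr in main so the provider keeps working when stdout is piped. Rejecting malformed input locally avoids spending an STS call, and therefore a CloudTrail failure event, on a typo.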
ProviderName provides the name of the AssumeRole provider.
    const (
        WebIdentityProviderName = "WebIdentityCredentials"
    )
DefaultDuration is the default length of time that the credentials will be valid for. This value is only used by AssumeRoleProvider to specify the default expiry duration of an assumed role.
Other providers such as WebIdentityRoleProvider do not use this value, and instead rely on the STS API's default parameter handling to assign a default value.
StdinTokenProvider will prompt on stdout and read a string value from stdin. An error is returned if reading from stdin fails.
Use this function to read MFA tokens from stdin. The function makes no attempt to make prompts on stdin atomic across multiple goroutines.
Using StdinTokenProvider with multiple AssumeRoleProviders or CredentialsCache instances will have undesirable results, because StdinTokenProvider is not synchronized. A single CredentialsCache wrapping one AssumeRoleProvider can be shared safely.
It blocks indefinitely until a line is provided on stdin.
AssumeRoleAPIClient is a client capable of the STS AssumeRole operation.
AssumeRoleOptions is the configurable options for AssumeRoleProvider
type AssumeRoleProvider struct { }
AssumeRoleProvider retrieves temporary credentials from the STS service, and keeps track of their expiration time.
This credential provider is used by the SDK's default credential chain when shared configuration is enabled and the shared config or shared credentials file configures an assume-role profile. See the config package docs for how to do this.
AssumeRoleProvider does not provide any synchronization, and it is not safe to share this value across multiple CredentialsCache instances or service clients without also sharing the same CredentialsCache instance.
NewAssumeRoleProvider constructs and returns a credentials provider that will retrieve credentials by assuming an IAM role using STS.
ProviderSources returns the credential chain that was used to construct this provider
Retrieve generates a new set of temporary credentials using STS.
AssumeRoleWithWebIdentityAPIClient is a client capable of the STS AssumeRoleWithWebIdentity operation.
IdentityTokenFile retrieves an identity token from the given file name.
GetIdentityToken retrieves the JWT token from the file and returns the contents as a []byte
type IdentityTokenRetriever interface { GetIdentityToken() ([]byte, error) }
IdentityTokenRetriever is an interface for retrieving a JWT to present to STS AssumeRoleWithWebIdentity.
WebIdentityRoleOptions is a structure of configurable options for WebIdentityRoleProvider
type WebIdentityRoleProvider struct { }
WebIdentityRoleProvider is used to retrieve credentials using an OIDC token.
NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider that uses the provided AssumeRoleWithWebIdentityAPIClient.
ProviderSources returns the credential chain that was used to construct this provider
Retrieve will attempt to assume the role using the web identity token read from the configured token file path; if that path is empty, an error will be returned.