lib/aws-sdk-core/credential_provider_chain.rb
# frozen_string_literal: true
module Aws
# @api private
class CredentialProviderChain
def initialize(config = nil)
@config = config
end
# @return [CredentialProvider, nil]
def resolve
providers.each do |method_name, options|
provider = send(method_name, options.merge(config: @config))
return provider if provider && provider.set?
end
nil
end
private
def providers
[
[:static_credentials, {}],
[:static_profile_assume_role_web_identity_credentials, {}],
[:static_profile_sso_credentials, {}],
[:static_profile_assume_role_credentials, {}],
[:static_profile_credentials, {}],
[:static_profile_process_credentials, {}],
[:env_credentials, {}],
[:assume_role_web_identity_credentials, {}],
[:sso_credentials, {}],
[:assume_role_credentials, {}],
[:shared_credentials, {}],
[:process_credentials, {}],
[:instance_profile_credentials, {
retries: @config ? @config.instance_profile_credentials_retries : 0,
http_open_timeout: @config ? @config.instance_profile_credentials_timeout : 1,
http_read_timeout: @config ? @config.instance_profile_credentials_timeout : 1
}]
]
end
def static_credentials(options)
if options[:config]
Credentials.new(
options[:config].access_key_id,
options[:config].secret_access_key,
options[:config].session_token
)
end
end
def static_profile_assume_role_web_identity_credentials(options)
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
Aws.shared_config.assume_role_web_identity_credentials_from_config(
profile: options[:config].profile,
region: options[:config].region
)
end
end
def static_profile_sso_credentials(options)
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
Aws.shared_config.sso_credentials_from_config(
profile: options[:config].profile
)
end
end
def static_profile_assume_role_credentials(options)
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
assume_role_with_profile(options, options[:config].profile)
end
end
def static_profile_credentials(options)
if options[:config] && options[:config].profile
SharedCredentials.new(profile_name: options[:config].profile)
end
rescue Errors::NoSuchProfileError
nil
end
def static_profile_process_credentials(options)
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
ProcessCredentials.new(process_provider) if process_provider
end
rescue Errors::NoSuchProfileError
nil
end
def env_credentials(_options)
key = %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY]
secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
token = %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
Credentials.new(envar(key), envar(secret), envar(token))
end
def envar(keys)
keys.each do |key|
return ENV[key] if ENV.key?(key)
end
nil
end
def determine_profile_name(options)
(options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
end
def shared_credentials(options)
profile_name = determine_profile_name(options)
SharedCredentials.new(profile_name: profile_name)
rescue Errors::NoSuchProfileError
nil
end
def process_credentials(options)
profile_name = determine_profile_name(options)
if Aws.shared_config.config_enabled? &&
(process_provider = Aws.shared_config.credential_process(profile: profile_name))
ProcessCredentials.new(process_provider)
end
rescue Errors::NoSuchProfileError
nil
end
def sso_credentials(options)
profile_name = determine_profile_name(options)
if Aws.shared_config.config_enabled?
Aws.shared_config.sso_credentials_from_config(profile: profile_name)
end
rescue Errors::NoSuchProfileError
nil
end
def assume_role_credentials(options)
if Aws.shared_config.config_enabled?
assume_role_with_profile(options, determine_profile_name(options))
end
end
def assume_role_web_identity_credentials(options)
region = options[:config].region if options[:config]
if (role_arn = ENV['AWS_ROLE_ARN']) && (token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE'])
cfg = {
role_arn: role_arn,
web_identity_token_file: token_file,
role_session_name: ENV['AWS_ROLE_SESSION_NAME']
}
cfg[:region] = region if region
AssumeRoleWebIdentityCredentials.new(cfg)
elsif Aws.shared_config.config_enabled?
profile = options[:config].profile if options[:config]
Aws.shared_config.assume_role_web_identity_credentials_from_config(
profile: profile,
region: region
)
end
end
def instance_profile_credentials(options)
profile_name = determine_profile_name(options)
if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
ECSCredentials.new(options)
else
InstanceProfileCredentials.new(options.merge(profile: profile_name))
end
end
def assume_role_with_profile(options, profile_name)
assume_opts = {
profile: profile_name,
chain_config: @config
}
if options[:config] && options[:config].region
assume_opts[:region] = options[:config].region
end
Aws.shared_config.assume_role_credentials_from_config(assume_opts)
end
end
end