Class: Cerberus::AwsRoleCredentialsProvider

Inherits:
Object

Defined in:
lib/cerberus/aws_role_credentials_provider.rb

Overview

The AWS IAM role credentials provider

Constant Summary

INSTANCE_METADATA_SVC_BASE_URL = "http://169.254.169.254/latest/meta-data"
  Base URL of the AWS instance metadata service

REGION_REL_URI = "/placement/availability-zone"
  Relative URI used to look up the availability zone in the AWS metadata service

IAM_ROLE_INFO_REL_URI = "/iam/info"
  Relative URI used to look up the IAM role in the AWS metadata service

IAM_ROLE_ARN_KEY = 'InstanceProfileArn'
  Key into the metadata JSON we receive, used to look up the IAM role ARN

ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM = 4
  Magic number: the index into a split role ARN at which the account ID sits

ROLE_ARN_ARRAY_INDEX_OF_ROLENAME = 1
  Magic number: the index into a split role ARN at which the role name sits

ROLE_AUTH_REL_URI = "/v1/auth/iam-role"
  Relative URI used to get encrypted auth data from Cerberus

CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY = "client_token"
  Key into the decrypted auth data JSON we receive from Cerberus

CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"

CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"

LOGGER = CerberusClient::Log.instance


Constructor Details

#initialize(vaultBaseUrl, instanceMdSvcBaseUrl = nil, roleName = nil, roleRegion = nil, roleAccountId = nil) ⇒ AwsRoleCredentialsProvider

Initializes the AWS role provider. The Vault base URL is required. The instance metadata service URL is optional: leaving it configurable makes unit tests easier and provides a hook for setting it via configuration when needed.

# File 'lib/cerberus/aws_role_credentials_provider.rb', line 45

def initialize(vaultBaseUrl, instanceMdSvcBaseUrl = nil, roleName = nil, roleRegion = nil, roleAccountId = nil)
  @vaultBaseUrl = vaultBaseUrl
  @clientToken = nil
  @role = get_role_info(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)

  LOGGER.debug("AwsRoleCredentialsProvider initialized with vault base url #{@vaultBaseUrl}")
end

Instance Method Details

#getClientToken ⇒ Object

Get credentials using AWS IAM role

# File 'lib/cerberus/aws_role_credentials_provider.rb', line 56

def getClientToken

  if (@role.nil?)
    raise Cerberus::Exception::NoValueError
  end

  if (@clientToken.nil?)
    @clientToken = getCredentialsFromCerberus
  end

  # Two separate if statements keep the logging simple: the first case is
  # expected at startup, while expiration is an event worth its own debug log.
  if (@clientToken.expired?)
    LOGGER.debug("Existing ClientToken has expired - refreshing from Cerberus...")
    @clientToken = getCredentialsFromCerberus
  end

  return @clientToken.authToken

end
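As an added example (not the cerberus gem's own code), the snippet below derives the account ID and role name from the /iam/info ARN using the index constants listed above, and models the lease-based token cache that getClientToken implements. The split strategy, the constructed sample JSON, and the names role_from_iam_info, token_from_auth_data, ClientToken and TokenCache are assumptions.

```ruby
require 'json'

# Added example, not the cerberus gem's own code (names are assumptions).
IAM_ROLE_ARN_KEY = 'InstanceProfileArn'
ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM = 4
ROLE_ARN_ARRAY_INDEX_OF_ROLENAME = 1

# Constructed sample of the JSON body the metadata service serves at /iam/info.
SAMPLE_IAM_INFO = '{"Code":"Success","InstanceProfileArn":' \
                  '"arn:aws:iam::123456789012:instance-profile/my-instance-role"}'

# Split the ARN on ':' for the account number, then its last field on '/' for
# the role name (the split strategy the constants imply; an assumption here).
# Any other shape, e.g. a profile with a path component, is rejected loudly.
def role_from_iam_info(json)
  arn = JSON.parse(json)[IAM_ROLE_ARN_KEY]
  raise ArgumentError, "missing #{IAM_ROLE_ARN_KEY}" if arn.nil?
  parts = arn.split(':')
  raise ArgumentError, "unexpected ARN: #{arn}" unless parts.length == 6
  name_parts = parts.last.split('/')
  raise ArgumentError, "unexpected profile: #{parts.last}" unless name_parts.length == 2
  { account_id: parts[ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM],
    role_name: name_parts[ROLE_ARN_ARRAY_INDEX_OF_ROLENAME] }
end

# A token with a lease; lease_duration in the decrypted auth JSON is seconds.
ClientToken = Struct.new(:authToken, :expires_at) do
  def expired?(now = Time.now)
    now >= expires_at
  end
end

def token_from_auth_data(json, now = Time.now)
  data = JSON.parse(json)
  ClientToken.new(data['client_token'], now + data['lease_duration'].to_i)
end

# Mirrors getClientToken: fetch on first use, refresh only once the lease ends.
class TokenCache
  def initialize(&fetch)
    @fetch, @token = fetch, nil
  end

  def auth_token(now = Time.now)
    @token = @fetch.call(now) if @token.nil? || @token.expired?(now)
    @token.authToken
  end
end
```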

#have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId) ⇒ Boolean

Policy: if we have no instance metadata service URL and we cannot assume a role, then this instance of the provider cannot use a role to provide credentials. Primarily used for testing.

Returns:

  • (Boolean)

# File 'lib/cerberus/aws_role_credentials_provider.rb', line 88

def have_access_to_role?(instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)
  (!instanceMdSvcBaseUrl.nil? || should_assume_role?(roleName, roleRegion, roleAccountId))
end

#should_assume_role?(roleAccountId, roleName, roleRegion) ⇒ Boolean

Policy: if all three values (role account ID, role name and role region) are given, the provider assumes a role to authenticate.

Returns:

  • (Boolean)

# File 'lib/cerberus/aws_role_credentials_provider.rb', line 80

def should_assume_role?(roleAccountId, roleName, roleRegion)
  # Only nil-ness matters here, so the argument order differs from the call in
  # have_access_to_role? without changing the result.
  !(roleName.nil? || roleAccountId.nil? || roleRegion.nil?)
end