Class: Google::Auth::ExternalAccount::AwsCredentials
- Inherits:
-
Object
- Object
- Google::Auth::ExternalAccount::AwsCredentials
- Extended by:
- CredentialsLoader
- Includes:
- BaseCredentials, ExternalAccountUtils
- Defined in:
- lib/googleauth/external_account/aws_credentials.rb
Overview
This module handles the retrieval of credentials from Google Cloud by utilizing the AWS EC2 metadata service and then exchanging the credentials for a short-lived Google Cloud access token.
Constant Summary collapse
- IMDSV2_TOKEN_EXPIRATION_IN_SECONDS =
Constant for imdsv2 session token expiration in seconds
300
Constants included from CredentialsLoader
CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH
Constants included from ExternalAccountUtils
ExternalAccountUtils::CLOUD_RESOURCE_MANAGER
Constants included from BaseCredentials
BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE
Constants included from BaseClient
Instance Attribute Summary collapse
-
#client_id ⇒ Object
readonly
Will always be nil, but method still gets used.
Attributes included from BaseCredentials
#access_token, #expires_at, #universe_domain
Attributes included from BaseClient
Instance Method Summary collapse
-
#initialize(options = {}) ⇒ AwsCredentials
constructor
A new instance of AwsCredentials.
-
#retrieve_subject_token! ⇒ string
Retrieves the subject token using the credential_source object.
Methods included from CredentialsLoader
from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds
Methods included from ExternalAccountUtils
#normalize_timestamp, #project_id, #project_number, #service_account_email
Methods included from BaseCredentials
#expires_within?, #fetch_access_token!, #is_workforce_pool?
Methods included from Helpers::Connection
Methods included from BaseClient
#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc
Constructor Details
#initialize(options = {}) ⇒ AwsCredentials
Returns a new instance of AwsCredentials.
37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 |
# File 'lib/googleauth/external_account/aws_credentials.rb', line 37 def initialize = {} base_setup @audience = [:audience] @credential_source = [:credential_source] || {} @environment_id = @credential_source[:environment_id] @region_url = @credential_source[:region_url] @credential_verification_url = @credential_source[:url] @regional_cred_verification_url = @credential_source[:regional_cred_verification_url] @imdsv2_session_token_url = @credential_source[:imdsv2_session_token_url] # These will be lazily loaded when needed, or will raise an error if not provided @region = nil @request_signer = nil @imdsv2_session_token = nil @imdsv2_session_token_expiry = nil end |
Instance Attribute Details
#client_id ⇒ Object (readonly)
Will always be nil, but method still gets used.
35 36 37 |
# File 'lib/googleauth/external_account/aws_credentials.rb', line 35 def client_id @client_id end |
Instance Method Details
#retrieve_subject_token! ⇒ string
Retrieves the subject token using the credential_source object. The subject token is a serialized AWS GetCallerIdentity signed request.
The logic is summarized as:
Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable or from the AWS metadata server availability-zone if not found in the environment variable.
Check AWS credentials in environment variables. If not found, retrieve from the AWS metadata server security-credentials endpoint.
When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role needs to be determined by # calling the security-credentials endpoint without any argument. Then the credentials can be retrieved via: security-credentials/role_name
Generate the signed request to AWS STS GetCallerIdentity action.
Inject x-goog-cloud-target-resource into header and serialize the signed request. This will be the subject-token to pass to GCP STS.
78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 |
# File 'lib/googleauth/external_account/aws_credentials.rb', line 78 def retrieve_subject_token! if @request_signer.nil? @region = region @request_signer = AwsRequestSigner.new @region end request = { method: "POST", url: @regional_cred_verification_url.sub("{region}", @region) } = @request_signer.generate_signed_request fetch_security_credentials, request request_headers = [:headers] request_headers["x-goog-cloud-target-resource"] = @audience aws_signed_request = { headers: [], method: [:method], url: [:url] } aws_signed_request[:headers] = request_headers.keys.sort.map do |key| { key: key, value: request_headers[key] } end uri_escape aws_signed_request.to_json end |