Class: Google::Auth::ExternalAccount::AwsCredentials

Inherits:
Object
  • Object
show all
Extended by:
CredentialsLoader
Includes:
BaseCredentials, ExternalAccountUtils
Defined in:
lib/googleauth/external_account/aws_credentials.rb

Overview

This module handles the retrieval of credentials from Google Cloud by utilizing the AWS EC2 metadata service and then exchanging the credentials for a short-lived Google Cloud access token.

Constant Summary collapse

IMDSV2_TOKEN_EXPIRATION_IN_SECONDS =

Constant for imdsv2 session token expiration in seconds

300

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Constants included from ExternalAccountUtils

ExternalAccountUtils::CLOUD_RESOURCE_MANAGER

Constants included from BaseCredentials

BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary collapse

Attributes included from BaseCredentials

#access_token, #expires_at, #universe_domain

Attributes included from BaseClient

#logger

Instance Method Summary collapse

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Methods included from ExternalAccountUtils

#normalize_timestamp, #project_id, #project_number, #service_account_email

Methods included from BaseCredentials

#expires_within?, #fetch_access_token!, #is_workforce_pool?

Methods included from Helpers::Connection

connection

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ AwsCredentials

Returns a new instance of AwsCredentials.



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# File 'lib/googleauth/external_account/aws_credentials.rb', line 37

def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  @environment_id = @credential_source[:environment_id]
  @region_url = @credential_source[:region_url]
  @credential_verification_url = @credential_source[:url]
  @regional_cred_verification_url = @credential_source[:regional_cred_verification_url]
  @imdsv2_session_token_url = @credential_source[:imdsv2_session_token_url]

  # These will be lazily loaded when needed, or will raise an error if not provided
  @region = nil
  @request_signer = nil
  @imdsv2_session_token = nil
  @imdsv2_session_token_expiry = nil
end

Instance Attribute Details

#client_idObject (readonly)

Will always be nil, but method still gets used.



35
36
37
# File 'lib/googleauth/external_account/aws_credentials.rb', line 35

def client_id
  @client_id
end

Instance Method Details

#retrieve_subject_token!string

Retrieves the subject token using the credential_source object. The subject token is a serialized AWS GetCallerIdentity signed request.

The logic is summarized as:

Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable or from the AWS metadata server availability-zone if not found in the environment variable.

Check AWS credentials in environment variables. If not found, retrieve from the AWS metadata server security-credentials endpoint.

When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role needs to be determined by # calling the security-credentials endpoint without any argument. Then the credentials can be retrieved via: security-credentials/role_name

Generate the signed request to AWS STS GetCallerIdentity action.

Inject x-goog-cloud-target-resource into header and serialize the signed request. This will be the subject-token to pass to GCP STS.

Returns:

  • (string)

    The retrieved subject token.



78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# File 'lib/googleauth/external_account/aws_credentials.rb', line 78

def retrieve_subject_token!
  if @request_signer.nil?
    @region = region
    @request_signer = AwsRequestSigner.new @region
  end

  request = {
    method: "POST",
    url: @regional_cred_verification_url.sub("{region}", @region)
  }

  request_options = @request_signer.generate_signed_request fetch_security_credentials, request

  request_headers = request_options[:headers]
  request_headers["x-goog-cloud-target-resource"] = @audience

  aws_signed_request = {
    headers: [],
    method: request_options[:method],
    url: request_options[:url]
  }

  aws_signed_request[:headers] = request_headers.keys.sort.map do |key|
    { key: key, value: request_headers[key] }
  end

  uri_escape aws_signed_request.to_json
end