Class: Mongo::Auth::Aws::CredentialsRetriever Private
- Inherits: Object
  - Object
    - Mongo::Auth::Aws::CredentialsRetriever
- Defined in: lib/mongo/auth/aws/credentials_retriever.rb
Overview
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Retrieves AWS credentials from a variety of sources.
This class provides for AWS credentials retrieval from:
- the passed user (which receives the credentials passed to the client via URI options and Ruby options)
- AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN environment variables (commonly used by AWS SDKs and various tools, as well as AWS Lambda)
- EC2 metadata endpoint
- ECS metadata endpoint
The sources listed above are consulted in the order specified. The first source that contains any of the three credential components (access key id, secret access key or session token) is used. The credential components must form a valid set if any of the components is specified; meaning, access key id and secret access key must always be provided together, and if a session token is provided the key id and secret key must also be provided. If a source provides partial credentials, credential retrieval fails with an exception.
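An added sketch (not the driver's code) of the precedence and completeness rules described above: sources are tried in order, a source that supplies nothing is skipped, and a partial set raises instead of falling through to the next source. Creds, PartialCredentials, usable?, resolve and sources_for are hypothetical names, and treating an empty string as absent is an assumption of this example.

```ruby
# Added illustration of the documented precedence and completeness rules.
# All names here are hypothetical; this is not the driver's private code.
Creds = Struct.new(:access_key_id, :secret_access_key, :session_token)
class PartialCredentials < StandardError; end

# Assumption of this sketch: nil and "" both count as "not provided".
def present?(value)
  !value.nil? && !value.empty?
end

# false => source supplied nothing, keep looking
# true  => complete set (key id + secret, token optional)
# raise => source supplied some components but not a valid set
def usable?(creds, source)
  id, secret, token = creds.to_a.map { |v| present?(v) }
  return false unless id || secret || token
  return true if id && secret
  have = { 'access key id' => id, 'secret access key' => secret,
           'session token' => token }.select { |_, v| v }.keys.join(', ')
  raise PartialCredentials, "#{source} supplied only: #{have}"
end

# sources: ordered [label, lambda returning Creds or nil]; first usable wins.
def resolve(sources)
  sources.each do |label, fetch|
    creds = fetch.call
    return [label, creds] if creds && usable?(creds, label)
  end
  raise ArgumentError, 'Could not locate AWS credentials'
end

# Constructed sample values; the last source stands in for a metadata endpoint.
ROLE = Creds.new('ASIAEXAMPLEROLE', 'role-secret-example', 'role-token-example')

def sources_for(env)
  [
    ['client options', -> { nil }], # no user passed to the client
    ['environment variables', -> {
      Creds.new(env['AWS_ACCESS_KEY_ID'], env['AWS_SECRET_ACCESS_KEY'],
                env['AWS_SESSION_TOKEN'])
    }],
    ['instance metadata', -> { ROLE }],
  ]
end
```

A stray AWS_SESSION_TOKEN left in the environment therefore stops retrieval with an error rather than silently selecting the instance role, which is worth checking first when authentication fails on a host that has a role attached.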
Constant Summary
- METADATA_TIMEOUT = 5
This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.
Timeout for metadata operations, in seconds.
The auth spec suggests a 10 second timeout but this seems excessively long given that the endpoint is essentially local.
Instance Attribute Summary
- #user ⇒ Auth::User | nil (readonly, private)
  The user object, if one was provided.
Instance Method Summary
- #credentials ⇒ Auth::Aws::Credentials (private)
  Retrieves a valid set of credentials, if possible, or raises Auth::InvalidConfiguration.
- #initialize(user = nil) ⇒ CredentialsRetriever (constructor, private)
  A new instance of CredentialsRetriever.
Constructor Details
#initialize(user = nil) ⇒ CredentialsRetriever
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of CredentialsRetriever.
# File 'lib/mongo/auth/aws/credentials_retriever.rb', line 51
def initialize(user = nil)
  @user = user
end
Instance Attribute Details
#user ⇒ Auth::User | nil (readonly)
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns the user object, if one was provided.
# File 'lib/mongo/auth/aws/credentials_retriever.rb', line 56
def user
  @user
end
Instance Method Details
#credentials ⇒ Auth::Aws::Credentials
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Retrieves a valid set of credentials, if possible, or raises Auth::InvalidConfiguration.
# File 'lib/mongo/auth/aws/credentials_retriever.rb', line 66
def credentials
  # 1. Credentials passed to the client via URI or Ruby options.
  if user
    credentials = Credentials.new(
      user.name,
      user.password,
      user.auth_mech_properties['aws_session_token'],
    )
    if credentials_valid?(credentials, 'Mongo::Client URI or Ruby options')
      return credentials
    end
  end

  # 2. Standard AWS environment variables.
  credentials = Credentials.new(
    ENV['AWS_ACCESS_KEY_ID'],
    ENV['AWS_SECRET_ACCESS_KEY'],
    ENV['AWS_SESSION_TOKEN'],
  )
  if credentials_valid?(credentials, 'environment variables')
    return credentials
  end

  # 3. ECS task metadata (ecs_metadata_credentials is a private helper of this class).
  credentials = ecs_metadata_credentials
  if credentials && credentials_valid?(credentials, 'ECS task metadata')
    return credentials
  end

  # 4. EC2 instance metadata (ec2_metadata_credentials is a private helper of this class).
  credentials = ec2_metadata_credentials
  if credentials && credentials_valid?(credentials, 'EC2 instance metadata')
    return credentials
  end

  raise Auth::InvalidConfiguration,
    "Could not locate AWS credentials (checked Client URI and Ruby options, environment variables, ECS and EC2 metadata)"
end