Class: Mongo::Auth::Aws::CredentialsRetriever Private

Inherits:
Object

Defined in:
lib/mongo/auth/aws/credentials_retriever.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Retrieves AWS credentials from a variety of sources.

This class provides for AWS credentials retrieval from:

  • the passed user (which receives the credentials passed to the client via URI options and Ruby options)

  • AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN environment variables (commonly used by AWS SDKs and various tools, as well as AWS Lambda)

  • AssumeRoleWithWebIdentity API call

  • EC2 metadata endpoint

  • ECS metadata endpoint

The sources listed above are consulted in the order specified. The first source that contains any of the three credential components (access key id, secret access key or session token) is used. If any component is specified, the components must form a valid set: the access key id and secret access key must always be provided together, and if a session token is provided, the key id and secret key must also be provided. If a source provides partial credentials, credential retrieval fails with an exception.
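The precedence and valid-set rules just described, modelled as an added example in plain Ruby (not the driver's own code; the class and method names are hypothetical). Only the user-options and environment sources are read from hashes; the three endpoint sources are stood in for by caller-supplied callables so the example runs offline.

```ruby
class InvalidAwsCredentials < StandardError; end   # stands in for Auth::InvalidConfiguration
class AwsCredentialsNotFound < StandardError; end  # stands in for Auth::Aws::CredentialsNotFound
COMPONENTS = %w[access_key_id secret_access_key session_token].freeze

# Constructed sample environment (placeholder values, not real keys).
SAMPLE_ENV = {
  'AWS_ACCESS_KEY_ID' => 'AKIAEXAMPLE',
  'AWS_SECRET_ACCESS_KEY' => 'examplesecret',
  'AWS_SESSION_TOKEN' => 'exampletoken'
}.freeze

def provided?(value)
  !(value.nil? || value.to_s.empty?)
end

# One source: nil when it has none of the three components, the credential
# hash when it has a valid set, an exception when the set is partial.
def credentials_from_source(name, components)
  found = COMPONENTS.each_with_object({}) do |c, h|
    h[c] = components[c] if provided?(components[c])
  end
  return nil if found.empty?
  unless found.key?('access_key_id') && found.key?('secret_access_key')
    raise InvalidAwsCredentials,
          "#{name} supplies a partial credential set (#{found.keys.join(', ')})"
  end
  found
end

# Consults sources in the documented order and stops at the first one that
# has any component. `user` and `env` are hashes; `endpoint_fetchers` are
# callables standing in for the AssumeRoleWithWebIdentity, EC2 and ECS lookups.
def resolve_aws_credentials(user: {}, env: {}, endpoint_fetchers: [])
  from_env = {
    'access_key_id' => env['AWS_ACCESS_KEY_ID'],
    'secret_access_key' => env['AWS_SECRET_ACCESS_KEY'],
    'session_token' => env['AWS_SESSION_TOKEN']
  }
  sources = [['user options', user], ['environment', from_env]]
  sources.each do |name, components|
    creds = credentials_from_source(name, components)
    return creds unless creds.nil?
  end
  endpoint_fetchers.each_with_index do |fetch, i|
    creds = credentials_from_source("endpoint source #{i + 1}", fetch.call)
    return creds unless creds.nil?
  end
  raise AwsCredentialsNotFound, 'no source provided AWS credentials'
end
```

Note that a session token alone in a higher-priority source fails the whole lookup even when a lower-priority source holds a complete set, because the first source with any component wins.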

Since:

  • 2.0.0

Constant Summary

METADATA_TIMEOUT = 5

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Timeout for metadata operations, in seconds.

The auth spec suggests a 10-second timeout, but this seems excessively long given that the endpoint is essentially local.

Since:

  • 2.0.0

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(user = nil, credentials_cache: CredentialsCache.instance) ⇒ CredentialsRetriever

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of CredentialsRetriever.

Parameters:

  • user (Auth::User | nil) (defaults to: nil)

    The user object, if one was provided.

  • credentials_cache (Auth::Aws::CredentialsCache) (defaults to: CredentialsCache.instance)

    The credentials cache.

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/credentials_retriever.rb', line 61

def initialize(user = nil, credentials_cache: CredentialsCache.instance)
  @user = user
  @credentials_cache = credentials_cache
end

Instance Attribute Details

#user ⇒ Auth::User | nil (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns The user object, if one was provided.

Returns:

  • (Auth::User | nil)

    The user object, if one was provided.

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/credentials_retriever.rb', line 67

def user
  @user
end

Instance Method Details

#credentials(timeout_holder = nil) ⇒ Auth::Aws::Credentials

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Retrieves a valid set of credentials, if possible, or raises Auth::InvalidConfiguration.

Parameters:

  • timeout_holder (CsotTimeoutHolder | nil) (defaults to: nil)

    CSOT timeout, if any.

Returns:

  • (Auth::Aws::Credentials)

    A valid set of credentials.

Raises:

  • Auth::InvalidConfiguration if a source contains an invalid set of credentials.

  • Auth::Aws::CredentialsNotFound if credentials could not be retrieved from any source.

  • Error::TimeoutError if credentials cannot be retrieved within the timeout defined on the operation context.

Since:

  • 2.0.0

# File 'lib/mongo/auth/aws/credentials_retriever.rb', line 82

def credentials(timeout_holder = nil)
  credentials = credentials_from_user(user)
  return credentials unless credentials.nil?

  credentials = credentials_from_environment
  return credentials unless credentials.nil?

  credentials = @credentials_cache.fetch { obtain_credentials_from_endpoints(timeout_holder) }
  return credentials unless credentials.nil?

  raise Auth::Aws::CredentialsNotFound
end