Class: Mongo::Auth::Aws::CredentialsRetriever Private

Inherits:
Object
  • Object
Defined in:
build/ruby-driver-master/lib/mongo/auth/aws/credentials_retriever.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Retrieves AWS credentials from a variety of sources.

This class provides for AWS credentials retrieval from:

  • the passed user (which receives the credentials passed to the client via URI options and Ruby options)

  • AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN environment variables (commonly used by AWS SDKs and various tools, as well as AWS Lambda)

  • EC2 metadata endpoint

  • ECS metadata endpoint

The sources listed above are consulted in the order specified. The first source that contains any of the three credential components (access key id, secret access key or session token) is used. If any component is specified, the components must form a valid set: access key id and secret access key must always be provided together, and if a session token is provided, the key id and secret key must also be provided. If a source provides partial credentials, credential retrieval fails with an exception.

Since:

  • 2.0.0

Constant Summary

METADATA_TIMEOUT = 5

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

Timeout for metadata operations, in seconds.

The auth spec suggests a 10 second timeout but this seems excessively long given that the endpoint is essentially local.

Since:

  • 2.0.0

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(user = nil) ⇒ CredentialsRetriever

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of CredentialsRetriever.

Since:

  • 2.0.0



# File 'build/ruby-driver-master/lib/mongo/auth/aws/credentials_retriever.rb', line 51

def initialize(user = nil)
  @user = user
end

Instance Attribute Details

#user ⇒ Auth::User | nil (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns the user object, if one was provided.

Returns:

  • (Auth::User | nil)

    The user object, if one was provided.

Since:

  • 2.0.0



# File 'build/ruby-driver-master/lib/mongo/auth/aws/credentials_retriever.rb', line 56

def user
  @user
end

Instance Method Details

#credentials ⇒ Auth::Aws::Credentials

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Retrieves a valid set of credentials, if possible, or raises Auth::InvalidConfiguration.

Returns:

  • (Auth::Aws::Credentials)

Raises:

  • Auth::InvalidConfiguration if credentials could not be retrieved for any reason, or if a source contains an invalid set of credentials.

Since:

  • 2.0.0



# File 'build/ruby-driver-master/lib/mongo/auth/aws/credentials_retriever.rb', line 66

def credentials
  if user
    credentials = Credentials.new(
      user.name,
      user.password,
      user.auth_mech_properties['aws_session_token'],
    )

    if credentials_valid?(credentials, 'Mongo::Client URI or Ruby options')
      return credentials
    end
  end

  credentials = Credentials.new(
    ENV['AWS_ACCESS_KEY_ID'],
    ENV['AWS_SECRET_ACCESS_KEY'],
    ENV['AWS_SESSION_TOKEN'],
  )

  if credentials_valid?(credentials, 'environment variables')
    return credentials
  end

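  # ecs_metadata_credentials and ec2_metadata_credentials are private helpers
  # of this class, not shown on this page; the nil guards below handle a
  # source that returns nothing.
  credentials = ecs_metadata_credentials

  if credentials && credentials_valid?(credentials, 'ECS task metadata')
    return credentials
  end

  credentials = ec2_metadata_credentials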

  if credentials && credentials_valid?(credentials, 'EC2 instance metadata')
    return credentials
  end

  raise Auth::InvalidConfiguration,
    "Could not locate AWS credentials (checked Client URI and Ruby options, environment variables, ECS and EC2 metadata)"
end
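
The precedence and validity rules from the Overview, modelled as an added Ruby example (not the driver's code; `Creds`, `InvalidCredentialSet`, `ENV_KEYS`, `usable?`, `resolve` and `sources` are hypothetical names). It follows the source order of the `#credentials` listing above and shows that a partial set in an earlier source raises instead of falling back to a later source.

```ruby
# Added example, not the driver's code; every name defined here is hypothetical.
Creds = Struct.new(:access_key_id, :secret_access_key, :session_token)
class InvalidCredentialSet < StandardError; end
ENV_KEYS = %w[AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN].freeze

# true: complete set, use this source. false: source is empty, try the next.
# Raises on a partial set, so lookup fails closed instead of falling through.
# Only nil counts as "absent" in this model.
def usable?(creds, source)
  key, secret, token = creds.to_a
  return false if [key, secret, token].all?(&:nil?)
  return true if key && secret

  problem =
    if key then 'access key id without secret access key'
    elsif secret then 'secret access key without access key id'
    else 'session token without access key id and secret access key'
    end
  raise InvalidCredentialSet, "#{problem} (source: #{source})"
end

# sources: ordered [label, callable] pairs; each callable returns Creds or nil.
def resolve(sources)
  sources.each do |label, fetch|
    creds = fetch.call
    return [label, creds] if creds && usable?(creds, label)
  end
  raise InvalidCredentialSet, 'no source supplied AWS credentials'
end

# Same order as the #credentials listing; env is a plain Hash so the real
# process environment is never read.
def sources(user: nil, env: {}, ecs: nil, ec2: nil)
  [
    ['client options', -> { user }],
    ['environment variables', -> { Creds.new(*env.values_at(*ENV_KEYS)) }],
    ['ECS task metadata', -> { ecs }],
    ['EC2 instance metadata', -> { ec2 }],
  ]
end

# Constructed sample values, not real credentials.
ROLE = Creds.new('ASIA-CONSTRUCTED', 'constructed-secret', 'constructed-token')
p resolve(sources(ec2: ROLE)).first
begin
  resolve(sources(env: { 'AWS_SESSION_TOKEN' => 'stale' }, ec2: ROLE))
rescue InvalidCredentialSet => e
  puts e.message
end
```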