| Copyright | (c) 2013-2021 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
| Stability | provisional |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
Explicitly specify your Amazon AWS security credentials, or retrieve them from the underlying OS.
The format of environment variables and the credentials file follows the official AWS SDK guidelines.
Synopsis
- getAuth :: (MonadIO m, Foldable withAuth) => Env' withAuth -> Credentials -> m (Auth, Maybe Region)
- data Credentials
- data Auth
- envAccessKey :: Text
- envSecretKey :: Text
- envSessionToken :: Text
- envWebIdentityTokenFile :: Text
- envRole :: Text
- envRoleSessionName :: Text
- confRegion :: Text
- confFile :: MonadIO m => m FilePath
- credAccessKey :: Text
- credSecretKey :: Text
- credSessionToken :: Text
- credProfile :: Text
- credFile :: MonadIO m => m FilePath
- fromKeys :: AccessKey -> SecretKey -> Auth
- fromSession :: AccessKey -> SecretKey -> SessionToken -> Auth
- fromTemporarySession :: AccessKey -> SecretKey -> SessionToken -> UTCTime -> Auth
- fromEnv :: MonadIO m => m (Auth, Maybe Region)
- fromEnvKeys :: MonadIO m => Text -> Text -> Maybe Text -> Maybe Text -> m (Auth, Maybe Region)
- fromFile :: MonadIO m => m (Auth, Maybe Region)
- fromFilePath :: MonadIO m => Text -> FilePath -> FilePath -> m (Auth, Maybe Region)
- fromProfile :: MonadIO m => Manager -> m (Auth, Maybe Region)
- fromProfileName :: MonadIO m => Manager -> Text -> m (Auth, Maybe Region)
- fromContainer :: MonadIO m => Manager -> m (Auth, Maybe Region)
- newtype AccessKey = AccessKey ByteString
- newtype SecretKey = SecretKey ByteString
- newtype SessionToken = SessionToken ByteString
- class AsAuthError a where
  - _AuthError :: Prism' a AuthError
  - _RetrievalError :: Prism' a HttpException
  - _MissingEnvError :: Prism' a Text
  - _InvalidEnvError :: Prism' a Text
  - _MissingFileError :: Prism' a FilePath
  - _InvalidFileError :: Prism' a Text
  - _InvalidIAMError :: Prism' a Text
- data AuthError
- data Env' withAuth = Env {
  - _envRegion :: Region
  - _envLogger :: Logger
  - _envRetryCheck :: Int -> HttpException -> Bool
  - _envOverride :: Dual (Endo Service)
  - _envManager :: Manager
  - _envAuth :: withAuth Auth
  }
Authentication
Retrieving Authentication
getAuth :: (MonadIO m, Foldable withAuth) => Env' withAuth -> Credentials -> m (Auth, Maybe Region) Source #
Retrieve authentication information via the specified Credentials mechanism.
Throws AuthError when environment variables or IAM profiles cannot be read, and when credentials files are invalid or cannot be found.
data Credentials Source #
Determines how AuthN/AuthZ information is retrieved.
| FromKeys AccessKey SecretKey | Explicit access and secret keys. See |
|---|---|
| FromSession AccessKey SecretKey SessionToken | Explicit access key, secret key and a session token. See |
| FromEnv Text Text (Maybe Text) (Maybe Text) | Look up specific environment variables for access key, secret key, an optional session token, and an optional region, respectively. |
| FromProfile Text | An IAM Profile name to look up from the local EC2 instance-data. Environment variables to look up for the access key, secret key and optional session token. |
| FromFile Text FilePath FilePath | A credentials profile name (the INI section), the path to the AWS credentials file, and the path to the |
| FromWebIdentity | Obtain credentials using STS:AssumeRoleWithWebIdentity. See About web identity federation in the AWS documentation for more information. |
| FromContainer | Obtain credentials by attempting to contact the ECS container agent at http://169.254.170.2 using the path in |
| Discover | Attempt credentials discovery via the following steps: An attempt is made to resolve http://instance-data rather than directly retrieving http://169.254.169.254 for IAM profile information. This assists in ensuring the DNS lookup terminates promptly if not running on EC2. |
data Auth Source #
An authorisation environment containing AWS credentials, and potentially a reference which can be refreshed out-of-band as temporary credentials expire.
Instances
| ToLog Auth | Defined in Amazonka.Types: build :: Auth -> ByteStringBuilder |
Defaults
Environment
envWebIdentityTokenFile :: Text Source #
Default web identity token file environment variable: AWS_WEB_IDENTITY_TOKEN_FILE
envRoleSessionName :: Text Source #
Default role session name environment variable: AWS_ROLE_SESSION_NAME
Configuration
confFile :: MonadIO m => m FilePath Source #
Default path for the configuration file. This looks in the HOME directory as determined by the directory library.
- UNIX/OSX: $HOME/.aws/config
- Windows: C:/Users/<user>/.aws/config
Note: This does not match the default AWS SDK location of %USERPROFILE%\.aws\config on Windows. (Sorry.)
Credentials File
credFile :: MonadIO m => m FilePath Source #
Default path for the credentials file. This looks in the HOME directory as determined by the directory library.
- UNIX/OSX: $HOME/.aws/credentials
- Windows: C:/Users/<user>/.aws/credentials
Note: This does not match the default AWS SDK location of %USERPROFILE%\.aws\credentials on Windows. (Sorry.)
Credentials
getAuth is implemented using the following from*-styled functions. Both fromKeys and fromSession can be used directly to avoid the MonadIO constraint.
fromSession :: AccessKey -> SecretKey -> SessionToken -> Auth Source #
Temporary credentials from an STS session consisting of the access key, secret key, and session token.
See: fromTemporarySession
fromTemporarySession :: AccessKey -> SecretKey -> SessionToken -> UTCTime -> Auth Source #
Temporary credentials from an STS session consisting of the access key, secret key, session token, and expiration time.
See: fromSession
fromEnv :: MonadIO m => m (Auth, Maybe Region) Source #
Retrieve access key, secret key, and a session token from the default environment variables.
Throws MissingEnvError if either of the default environment variables cannot be read, but not if the session token is absent.
fromEnvKeys Source #
| :: MonadIO m | |
|---|---|
| => Text | Access key environment variable. |
| -> Text | Secret key environment variable. |
| -> Maybe Text | Session token environment variable. |
| -> Maybe Text | Region environment variable. |
| -> m (Auth, Maybe Region) | |
Retrieve access key, secret key and a session token from specific environment variables.
Throws MissingEnvError if either of the specified key environment variables cannot be read, but not if the session token is absent.
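The following program is an added example, not part of the amazonka documentation or code base. It exercises fromEnvKeys with application-specific variable names and shows the two documented outcomes: success when the optional session token variable is unset, and a MissingEnvError naming the missing variable when a required key is absent. It assumes the AuthError constructors are exported from Amazonka.Auth (the page lists them under AuthError), and the MYAPP_* variable names and their values are constructed for the example; the key pair is the AWS documentation sample, not a live credential.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Amazonka.Auth (AuthError (..), fromEnvKeys)  -- assumption: constructors exported
import Control.Exception (try)
import Data.Text (Text)
import qualified Data.Text as Text
import System.Environment (setEnv, unsetEnv)

-- Application-specific variable names (constructed for this example). Naming them
-- explicitly, rather than relying on the AWS_* defaults, means the process only
-- picks up credentials that were deliberately handed to it, not whatever the
-- parent shell happened to export.
accessKeyVar, secretKeyVar, sessionTokenVar, regionVar :: Text
accessKeyVar    = "MYAPP_ACCESS_KEY_ID"
secretKeyVar    = "MYAPP_SECRET_ACCESS_KEY"
sessionTokenVar = "MYAPP_SESSION_TOKEN"
regionVar       = "MYAPP_REGION"

-- Run one lookup and report the outcome. The Auth value itself is never printed.
attempt :: String -> IO ()
attempt label = do
  r <- try (fromEnvKeys accessKeyVar secretKeyVar (Just sessionTokenVar) (Just regionVar))
  putStrLn (label <> ": " <> describe r)
  where
    describe (Right (_auth, region)) =
      "loaded, region " <> maybe "<unset>" show region
    describe (Left (MissingEnvError name)) =
      "required variable missing: " <> Text.unpack name
    describe (Left (InvalidEnvError msg)) =
      "variable present but unusable: " <> Text.unpack msg
    describe (Left other) =
      "unexpected auth error: " <> show other

main :: IO ()
main = do
  -- Constructed sample values: the AWS documentation example key pair.
  setEnv "MYAPP_ACCESS_KEY_ID" "AKIAIOSFODNN7EXAMPLE"
  setEnv "MYAPP_SECRET_ACCESS_KEY" "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  setEnv "MYAPP_REGION" "eu-west-1"
  unsetEnv "MYAPP_SESSION_TOKEN"
  attempt "long-lived keys, no token"   -- succeeds: the token variable is optional

  setEnv "MYAPP_SESSION_TOKEN" "FwoGZXIvYXdzEXAMPLE"  -- constructed placeholder token
  attempt "keys plus session token"     -- succeeds: the Auth now carries the token

  unsetEnv "MYAPP_SECRET_ACCESS_KEY"
  attempt "secret key removed"          -- MissingEnvError naming MYAPP_SECRET_ACCESS_KEY
```

The handler prints only the region and the name of the variable that was missing. Keeping key material out of logs is worth being deliberate about here: on this page's instance lists AccessKey has Show and Read instances, while SecretKey does not, so a careless show of the wrong field is a compile error rather than a leak, but an Auth value holding a session token should still never be logged or included in error messages.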
fromFile :: MonadIO m => m (Auth, Maybe Region) Source #
Loads the default credentials INI file using the default profile name.
Throws MissingFileError if credFile is missing, or InvalidFileError if an error occurs during parsing.
See: credProfile, credFile, and envProfile
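As an added example (not part of the amazonka documentation or code base), the program below writes a constructed credentials file and config file in the AWS SDK INI layout to a temporary directory and loads a named profile from them with fromFilePath, which takes the profile name, the credentials file path and the config file path in that order. It assumes that the region for a non-default profile is read from a "[profile <name>]" section of the config file, following the AWS CLI convention; the profile name "sandbox" and all values are constructed, and the key pair is the AWS documentation sample.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Amazonka.Auth (AuthError, fromFilePath)
import Control.Exception (try)
import System.Directory (createDirectoryIfMissing, getTemporaryDirectory)
import System.FilePath ((</>))
import System.IO (hPutStrLn, stderr)

-- Constructed credentials file. Each INI section is a profile name; the
-- "sandbox" profile carries a session token, so it yields temporary credentials.
sampleCredentials :: String
sampleCredentials = unlines
  [ "[default]"
  , "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"
  , "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  , ""
  , "[sandbox]"
  , "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"
  , "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  , "aws_session_token = FwoGZXIvYXdzEXAMPLE"   -- constructed placeholder token
  ]

-- Constructed config file. Assumption: named profiles live under
-- "[profile <name>]" here, while "[default]" is written without the prefix.
sampleConfig :: String
sampleConfig = unlines
  [ "[default]"
  , "region = us-east-1"
  , ""
  , "[profile sandbox]"
  , "region = eu-central-1"
  ]

main :: IO ()
main = do
  tmp <- getTemporaryDirectory
  let dir      = tmp </> "amazonka-auth-example"
      credPath = dir </> "credentials"
      confPath = dir </> "config"
  createDirectoryIfMissing True dir
  writeFile credPath sampleCredentials
  writeFile confPath sampleConfig
  -- A real credentials file should be readable only by its owner (mode 0600 on
  -- UNIX), as the AWS CLI creates it; setting that portably is omitted here.

  r <- try (fromFilePath "sandbox" credPath confPath)
  case r of
    Left err ->
      -- MissingFileError if a path is wrong, InvalidFileError if the INI does not parse.
      hPutStrLn stderr ("could not load profile: " <> show (err :: AuthError))
    Right (_auth, region) ->
      putStrLn ("loaded profile sandbox, region " <> maybe "<unset>" show region)
```

Pointing an application at an explicit credentials path, as this does, keeps it from silently reading whichever ~/.aws/credentials the invoking user has; the trade-off is that the path must then be provisioned and permission-restricted by whatever deploys the program.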
fromProfile :: MonadIO m => Manager -> m (Auth, Maybe Region) Source #
Retrieve the default IAM Profile from the local EC2 instance-data.
The default IAM profile is determined by Amazon as the first profile found in the response from: http://169.254.169.254/latest/meta-data/iam/security-credentials/
Throws RetrievalError if the HTTP call fails, or InvalidIAMError if the default IAM profile cannot be read.
fromProfileName :: MonadIO m => Manager -> Text -> m (Auth, Maybe Region) Source #
Look up a specific IAM Profile by name from the local EC2 instance-data.
Additionally starts a refresh thread for the given authentication environment. The resulting IORef wrapper + timer is designed so that multiple concurrent accesses of AuthEnv from the AWS environment are not required to calculate expiry and sequentially queue to update it. The forked timer ensures a single owner and pre-emptive refresh of the temporary session credentials before expiration.
A weak reference is used to ensure that the forked thread will eventually terminate when Auth is no longer referenced.
If no session token or expiration time is present the credentials will be returned verbatim.
fromContainer :: MonadIO m => Manager -> m (Auth, Maybe Region) Source #
Obtain credentials exposed to a task via the ECS container agent, as described in the IAM Roles for Tasks section of the AWS ECS documentation. The credentials are obtained by making a request to http://169.254.170.2 at the path contained by the envContainerCredentialsURI environment variable.
The ECS container agent provides an access key, secret key, session token, and expiration time, but it does not include a region, so the region is taken from the envRegion environment variable if that is set.
Like fromProfileName, additionally starts a refresh thread that will periodically fetch fresh credentials before the current ones expire.
Throws MissingEnvError if the envContainerCredentialsURI environment variable is not set, or InvalidIAMError if the payload returned by the ECS container agent is not of the expected format.
Keys
newtype AccessKey #
An access key ID.
For example: AKIAIOSFODNN7EXAMPLE
Instances
- Eq AccessKey
- Read AccessKey
- Show AccessKey
- IsString AccessKey (defined in Amazonka.Types): fromString :: String -> AccessKey
- Generic AccessKey
- NFData AccessKey (defined in Amazonka.Types)
- Hashable AccessKey (defined in Amazonka.Types)
- ToJSON AccessKey (defined in Amazonka.Types)
- FromJSON AccessKey
- ToLog AccessKey (defined in Amazonka.Types): build :: AccessKey -> ByteStringBuilder
- ToQuery AccessKey (defined in Amazonka.Types): toQuery :: AccessKey -> QueryString
- FromXML AccessKey
- ToXML AccessKey (defined in Amazonka.Types)
- ToByteString AccessKey (defined in Amazonka.Types): toBS :: AccessKey -> ByteString
- FromText AccessKey
- ToText AccessKey (defined in Amazonka.Types)
- type Rep AccessKey (defined in Amazonka.Types): type Rep AccessKey = D1 ('MetaData "AccessKey" "Amazonka.Types" "libZSamazonka-coreZSamazonka-core" 'True) (C1 ('MetaCons "AccessKey" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString)))
newtype SecretKey #
Secret access key credential.
For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKE
Instances
- Eq SecretKey
- IsString SecretKey (defined in Amazonka.Types): fromString :: String -> SecretKey
- Generic SecretKey
- NFData SecretKey (defined in Amazonka.Types)
- Hashable SecretKey (defined in Amazonka.Types)
- ToJSON SecretKey (defined in Amazonka.Types)
- FromJSON SecretKey
- FromXML SecretKey
- ToXML SecretKey (defined in Amazonka.Types)
- ToByteString SecretKey (defined in Amazonka.Types): toBS :: SecretKey -> ByteString
- FromText SecretKey
- ToText SecretKey (defined in Amazonka.Types)
- type Rep SecretKey (defined in Amazonka.Types): type Rep SecretKey = D1 ('MetaData "SecretKey" "Amazonka.Types" "libZSamazonka-coreZSamazonka-core" 'True) (C1 ('MetaCons "SecretKey" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString)))
newtype SessionToken #
A session token used by STS to temporarily authorise access to an AWS resource.
Instances
Handling Errors
class AsAuthError a where Source #
_AuthError :: Prism' a AuthError Source #
A general authentication error.
_RetrievalError :: Prism' a HttpException Source #
An error occurred while communicating over HTTP with the local metadata endpoint.
_MissingEnvError :: Prism' a Text Source #
The named environment variable was not found.
_InvalidEnvError :: Prism' a Text Source #
An error occurred parsing the named environment variable's value.
_MissingFileError :: Prism' a FilePath Source #
The specified credentials file could not be found.
_InvalidFileError :: Prism' a Text Source #
An error occurred parsing the credentials file.
_InvalidIAMError :: Prism' a Text Source #
The specified IAM profile could not be found or deserialised.
data AuthError Source #
An error thrown when attempting to read AuthN/AuthZ information.
| RetrievalError HttpException | |
|---|---|
| MissingEnvError Text | |
| InvalidEnvError Text | |
| MissingFileError FilePath | |
| InvalidFileError Text | |
| InvalidIAMError Text | |
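The Discover constructor above walks a fixed chain of sources, and the AsAuthError prisms are what let a caller build its own chain with its own policy. The program below is an added example, not amazonka's own code, that resolves credentials from an ordered list of the page's from* functions and uses the prisms to decide which failures justify trying the next source. It assumes an AsAuthError instance for AuthError itself (so the prisms can be applied directly to a caught AuthError), that preview comes from Control.Lens, and that Region is exported from Amazonka.Types; the source labels are constructed.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Amazonka.Auth (AsAuthError (..), Auth, AuthError, fromEnv, fromFile)
import Amazonka.Types (Region)           -- assumption: Region lives here
import Control.Exception (try)
import Control.Lens (preview)            -- assumption: lens-style prisms
import Data.Maybe (isJust)
import System.IO (hPutStrLn, stderr)

-- A credential source: a label plus an action that yields Auth or throws AuthError.
type Source = (String, IO (Auth, Maybe Region))

-- Only "absent" outcomes (no variables, no file, no reachable metadata endpoint)
-- move on to the next source. A variable or file that exists but is malformed is
-- surfaced instead: silently falling through a typo in one source is how a
-- program ends up running under a different identity than the operator intended.
shouldFallThrough :: AuthError -> Bool
shouldFallThrough err =
  isJust (preview _MissingEnvError err)
    || isJust (preview _MissingFileError err)
    || isJust (preview _RetrievalError err)

-- Try sources in order, applying the policy above to each failure.
resolve :: [Source] -> IO (Either String (Auth, Maybe Region))
resolve [] = pure (Left "no credential source succeeded")
resolve ((name, action) : rest) = do
  r <- try action
  case r of
    Right ok -> pure (Right ok)
    Left err
      | shouldFallThrough err -> do
          hPutStrLn stderr (name <> ": unavailable, trying next source")
          resolve rest
      | otherwise ->
          pure (Left (name <> ": misconfigured, refusing to fall through (" <> show err <> ")"))

main :: IO ()
main = do
  -- Environment first, then the default credentials file. fromProfile and
  -- fromContainer could be appended once a Manager is available.
  r <- resolve
    [ ("environment", fromEnv)
    , ("credentials file", fromFile)
    ]
  case r of
    Left msg -> hPutStrLn stderr msg
    Right (_auth, region) ->
      putStrLn ("credentials resolved; region: " <> maybe "<unset>" show region)
```

Run with no AWS_* variables and no ~/.aws/credentials, this reports both sources as unavailable and ends with the "no credential source succeeded" message; with a present but unparsable credentials file it stops at the file source and prints the InvalidFileError rather than moving on.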
Env'
This really should be defined in Amazonka.Env, but we define it here to break a gnarly module import cycle.
The environment containing the parameters required to make AWS requests.
This type tracks whether or not we have credentials at the type level, to avoid "presigning" requests when we lack auth information.
Env
| _envRegion :: Region | |
|---|---|
| _envLogger :: Logger | |
| _envRetryCheck :: Int -> HttpException -> Bool | |
| _envOverride :: Dual (Endo Service) | |
| _envManager :: Manager | |
| _envAuth :: withAuth Auth | |
Instances
- Generic (Env' withAuth) Source #
- type Rep (Env' withAuth) Source #
Defined in Amazonka.Auth type Rep (Env' withAuth) = D1 ('MetaData "Env'" "Amazonka.Auth" "libZSamazonkaZSamazonka" 'False) (C1 ('MetaCons "Env" 'PrefixI 'True) ((S1 ('MetaSel ('Just "_envRegion") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Region) :*: (S1 ('MetaSel ('Just "_envLogger") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Logger) :*: S1 ('MetaSel ('Just "_envRetryCheck") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Int -> HttpException -> Bool)))) :*: (S1 ('MetaSel ('Just "_envOverride") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Dual (Endo Service))) :*: (S1 ('MetaSel ('Just "_envManager") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Manager) :*: S1 ('MetaSel ('Just "_envAuth") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (withAuth Auth)))))) |