libZSamazonkaZSamazonka
Copyright: (c) 2013-2021 Brendan Hay
License: Mozilla Public License, v. 2.0.
Maintainer: Brendan Hay <brendan.g.hay+amazonka@gmail.com>
Stability: provisional
Portability: non-portable (GHC extensions)
Safe Haskell: None

Amazonka.Auth

Description

Explicitly specify your Amazon AWS security credentials, or retrieve them from the underlying OS.

The format of environment variables and the credentials file follows the official AWS SDK guidelines.

Authentication

Retrieving Authentication

getAuth :: (MonadIO m, Foldable withAuth) => Env' withAuth -> Credentials -> m (Auth, Maybe Region) Source #

Retrieve authentication information via the specified Credentials mechanism.

Throws AuthError when environment variables or IAM profiles cannot be read, and credentials files are invalid or cannot be found.

data Credentials Source #

Determines how AuthN/AuthZ information is retrieved.

Constructors

FromKeys AccessKey SecretKey

Explicit access and secret keys. See fromKeys.

FromSession AccessKey SecretKey SessionToken

Explicit access key, secret key and a session token. See fromSession.

FromEnv Text Text (Maybe Text) (Maybe Text)

Lookup specific environment variables for access key, secret key, an optional session token, and an optional region, respectively.

FromProfile Text

An IAM Profile name to look up from the local EC2 instance-data.

FromFile Text FilePath FilePath

A credentials profile name (the INI section), the path to the AWS credentials file (~/.aws/credentials by default), and the path to the ~/.aws/config file.

FromWebIdentity

Obtain credentials using sts:AssumeRoleWithWebIdentity. See About web identity federation in the AWS documentation for more information.

FromContainer

Obtain credentials by attempting to contact the ECS container agent at http://169.254.170.2 using the path in envContainerCredentialsURI. See IAM Roles for Tasks in the AWS documentation for more information.

Discover

Attempt credentials discovery via the following steps:

  • Read the envAccessKey, envSecretKey, and envRegion from the environment if they are set.
  • Read the credentials file if credFile exists.
  • Try to exchange a Web Identity for AWS credentials using sts:AssumeRoleWithWebIdentity.
  • Obtain credentials from the ECS container agent if envContainerCredentialsURI is set.
  • Retrieve the first available IAM profile and read the Region from the instance identity document, if running on EC2.

An attempt is made to resolve http://instance-data rather than directly retrieving http://169.254.169.254 for IAM profile information. This assists in ensuring the DNS lookup terminates promptly if not running on EC2.
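Discover is convenient, but its order matters: a stray AWS_ACCESS_KEY_ID in a task's environment or a readable ~/.aws/credentials on a build host is taken before the task role or instance profile the deployment intended. The following is an added example, not code from amazonka, that pins one source per deployment using the from* functions documented under Credentials below, so an absent source fails closed with an AuthError instead of falling through to the instance metadata service. The Deployment type, the CI_* variable names and the instance profile name are hypothetical; it assumes Region is exported by Amazonka.Types and builds the metadata-endpoint Manager with http-client's newManager.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module PinnedCredentials (Deployment (..), loadAuth, main) where

import Amazonka.Auth
  ( Auth
  , AuthError
  , fromContainer
  , fromEnvKeys
  , fromFile
  , fromProfileName
  )
import Amazonka.Types (Region) -- assumption: Region is exported from Amazonka.Types
import Control.Exception (displayException, try)
import qualified Network.HTTP.Client as HTTP
import System.Exit (exitFailure)
import System.IO (hPutStrLn, stderr)

-- | Where the process runs. Hypothetical: decided by deployment tooling
-- (for example a build argument), never discovered at runtime.
data Deployment = Workstation | Ci | EcsTask | Ec2Instance
  deriving (Eq, Show)

-- | Resolve credentials from exactly one source chosen by the deployment.
-- Each branch throws AuthError when its source is absent or malformed;
-- 'try' turns that into a value for the caller to act on, and nothing
-- falls back to another source the way Discover would.
loadAuth :: Deployment -> IO (Either AuthError (Auth, Maybe Region))
loadAuth deployment = try $ case deployment of
  -- Developer machine: credFile (~/.aws/credentials), credProfile ("default").
  Workstation -> fromFile
  -- CI: dedicated variable names (hypothetical) so the generic AWS_* variables
  -- of the build agent are never picked up by accident.
  Ci ->
    fromEnvKeys
      "CI_AWS_ACCESS_KEY_ID"
      "CI_AWS_SECRET_ACCESS_KEY"
      (Just "CI_AWS_SESSION_TOKEN")
      (Just "AWS_REGION")
  -- ECS: task role from the container agent at 169.254.170.2; throws
  -- MissingEnvError if the agent did not set the credentials URI variable.
  EcsTask -> do
    manager <- HTTP.newManager HTTP.defaultManagerSettings
    fromContainer manager
  -- EC2: a named instance profile (hypothetical name) rather than "the first
  -- one found", so a host carrying several profiles cannot surprise us.
  Ec2Instance -> do
    manager <- HTTP.newManager HTTP.defaultManagerSettings
    fromProfileName manager "app-instance-role"

main :: IO ()
main = do
  result <- loadAuth Ci
  case result of
    Left err -> do
      -- Report which source failed; never echo credential material here.
      hPutStrLn stderr ("credential resolution failed: " <> displayException err)
      exitFailure
    Right (_auth, region) ->
      putStrLn ("credentials loaded; region from source: " <> show region)
```

With no CI_AWS_* variables set, main prints the MissingEnvError and exits non-zero; it does not try the credentials file or the metadata endpoints.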

Instances (all defined in Amazonka.Auth): Eq Credentials, Show Credentials, Generic Credentials, ToLog Credentials.

type Rep Credentials = D1 ('MetaData "Credentials" "Amazonka.Auth" "libZSamazonkaZSamazonka" 'False) (((C1 ('MetaCons "FromKeys" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 AccessKey) :*: S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 SecretKey)) :+: C1 ('MetaCons "FromSession" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 AccessKey) :*: (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 SecretKey) :*: S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 SessionToken)))) :+: (C1 ('MetaCons "FromEnv" 'PrefixI 'False) ((S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text)) :*: (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)) :*: S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)))) :+: C1 ('MetaCons "FromProfile" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text)))) :+: ((C1 ('MetaCons "FromFile" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 FilePath) :*: S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 FilePath))) :+: C1 ('MetaCons "FromWebIdentity" 'PrefixI 'False) (U1 :: Type -> Type)) :+: (C1 ('MetaCons "FromContainer" 'PrefixI 'False) (U1 :: Type -> Type) :+: C1 ('MetaCons "Discover" 'PrefixI 'False) (U1 :: Type -> Type))))

data Auth #

An authorisation environment containing AWS credentials, and potentially a reference which can be refreshed out-of-band as temporary credentials expire.

Instances (defined in Amazonka.Types): ToLog Auth.

Defaults

Environment

envAccessKey :: Text Source #

AWS_ACCESS_KEY_ID

Default access key environment variable.

envSecretKey :: Text Source #

AWS_SECRET_ACCESS_KEY

Default secret key environment variable.

envSessionToken :: Text Source #

AWS_SESSION_TOKEN

Default session token environment variable.

envWebIdentityTokenFile :: Text Source #

AWS_WEB_IDENTITY_TOKEN_FILE

Default web identity token file environment variable.

envRole :: Text Source #

AWS_ROLE_ARN

Default role environment variable.

envRoleSessionName :: Text Source #

AWS_ROLE_SESSION_NAME

Default role session name environment variable.

Configuration

confRegion :: Text Source #

default

Credentials INI default profile section variable.

confFile :: MonadIO m => m FilePath Source #

Default path for the configuration file. This looks in the HOME directory as determined by the directory library.

  • UNIX/OSX: $HOME/.aws/config
  • Windows: C:/Users/<user>/.aws/config

Note: This does not match the default AWS SDK location of %USERPROFILE%\.aws\config on Windows. (Sorry.)

Credentials File

credAccessKey :: Text Source #

aws_access_key_id

Credentials INI file access key variable.

credSecretKey :: Text Source #

aws_secret_access_key

Credentials INI file secret key variable.

credSessionToken :: Text Source #

aws_session_token

Credentials INI file session token variable.

credProfile :: Text Source #

default

Credentials INI default profile section variable.

credFile :: MonadIO m => m FilePath Source #

Default path for the credentials file. This looks in the HOME directory as determined by the directory library.

  • UNIX/OSX: $HOME/.aws/credentials
  • Windows: C:/Users/<user>/.aws/credentials

Note: This does not match the default AWS SDK location of %USERPROFILE%\.aws\credentials on Windows. (Sorry.)
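The constants above describe the credentials file as an INI file: one section per profile, with aws_access_key_id, aws_secret_access_key and an optional aws_session_token. As an added example, not amazonka's own parser (the library does this itself behind fromFile and the FromFile constructor), the block below parses that format and builds an Auth for a named profile with fromKeys or fromSession. Two practitioner points it makes concrete: a profile with a session token is temporary STS material and must be passed as a session, not as plain keys; and error values name the profile or key that is missing, never a value, so they are safe to log. The sample file contents are constructed inline; the [default] values are the documented AWS example keys.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module CredentialsIni (parseCredentialsIni, authFromProfile, sampleIni, main) where

import Amazonka.Auth
  ( Auth
  , credAccessKey
  , credProfile
  , credSecretKey
  , credSessionToken
  , fromKeys
  , fromSession
  )
import qualified Data.Map.Strict as Map
import Data.Maybe (fromMaybe)
import Data.String (IsString, fromString)
import Data.Text (Text)
import qualified Data.Text as T

type Section = Map.Map Text Text     -- lower-cased key -> value
type Profiles = Map.Map Text Section -- profile (INI section) name -> its keys

-- | Parse the credentials file format: '[profile]' headers, 'key = value'
-- lines, comments starting with '#' or ';', blank lines. Lines before the
-- first header or without '=' are ignored; unknown keys are kept.
parseCredentialsIni :: Text -> Profiles
parseCredentialsIni = go Nothing Map.empty . map T.strip . T.lines
  where
    go _ acc [] = acc
    go current acc (l : ls)
      | T.null l || "#" `T.isPrefixOf` l || ";" `T.isPrefixOf` l = go current acc ls
      | "[" `T.isPrefixOf` l && "]" `T.isSuffixOf` l =
          let name = T.strip (T.dropEnd 1 (T.drop 1 l))
           in go (Just name) (Map.insertWith (\_new old -> old) name Map.empty acc) ls
      | otherwise = case (current, T.breakOn "=" l) of
          (Just name, (k, v)) | not (T.null v) ->
            let key = T.toLower (T.strip k)
                val = T.strip (T.drop 1 v)
             in go current (Map.adjust (Map.insert key val) name acc) ls
          _ -> go current acc ls

-- | Build an 'Auth' from one profile (credProfile, i.e. "default", when none
-- is given). Uses 'fromSession' when aws_session_token is present and
-- 'fromKeys' otherwise. Errors carry the profile or key name, never a value.
authFromProfile :: Maybe Text -> Profiles -> Either Text Auth
authFromProfile mname profiles = do
  let name = fromMaybe credProfile mname
  section <- maybe (Left ("profile not found: " <> name)) Right (Map.lookup name profiles)
  ak <- require section credAccessKey
  sk <- require section credSecretKey
  pure $ case Map.lookup credSessionToken section of
    Just tok | not (T.null tok) -> fromSession (key ak) (key sk) (key tok)
    _ -> fromKeys (key ak) (key sk)
  where
    require section k =
      maybe (Left ("missing " <> k <> " in profile")) Right (Map.lookup k section)
    -- AccessKey, SecretKey and SessionToken all have IsString instances.
    key :: IsString a => Text -> a
    key = fromString . T.unpack

-- | Constructed sample, not a real file. The [default] profile uses the AWS
-- documentation's example keys; the ci-deploy values are made up.
sampleIni :: Text
sampleIni = T.unlines
  [ "# constructed example credentials file"
  , "[default]"
  , "aws_access_key_id = AKIAIOSFODNN7EXAMPLE"
  , "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  , ""
  , "; temporary credentials for a named profile (constructed values)"
  , "[ci-deploy]"
  , "aws_access_key_id = ASIAEXAMPLEEXAMPLE00"
  , "aws_secret_access_key = ExampleSecretExampleSecretExampleSecre00"
  , "aws_session_token = ExampleSessionTokenExampleSessionToken00"
  ]

main :: IO ()
main = do
  let profiles = parseCredentialsIni sampleIni
      report label = putStrLn . (label <>) . either (("error: " <>) . T.unpack) (const "ok")
  report "default:   " (authFromProfile Nothing profiles)
  report "ci-deploy: " (authFromProfile (Just "ci-deploy") profiles)
  report "missing:   " (authFromProfile (Just "nope") profiles)
```

The file itself should be readable only by its owner (mode 0600 on UNIX); nothing in the format prevents a group- or world-readable copy from being parsed, so that check belongs in deployment tooling, not in the parser.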

Credentials

getAuth is implemented using the following from*-styled functions below. Both fromKeys and fromSession can be used directly to avoid the MonadIO constraint.

fromKeys :: AccessKey -> SecretKey -> Auth Source #

Explicit access and secret keys.

fromSession :: AccessKey -> SecretKey -> SessionToken -> Auth Source #

Temporary credentials from a STS session consisting of the access key, secret key, and session token.

See: fromTemporarySession

fromTemporarySession :: AccessKey -> SecretKey -> SessionToken -> UTCTime -> Auth Source #

Temporary credentials from a STS session consisting of the access key, secret key, session token, and expiration time.

See: fromSession

fromEnv :: MonadIO m => m (Auth, Maybe Region) Source #

Retrieve access key, secret key, and a session token from the default environment variables.

Throws MissingEnvError if either of the default environment variables cannot be read, but not if the session token is absent.

See: envAccessKey, envSecretKey, envSessionToken

fromEnvKeys :: MonadIO m => Text -> Text -> Maybe Text -> Maybe Text -> m (Auth, Maybe Region) Source #

Arguments, in order: the access key environment variable, the secret key environment variable, the (optional) session token environment variable, and the (optional) region environment variable.

Retrieve access key, secret key and a session token from specific environment variables.

Throws MissingEnvError if either of the specified key environment variables cannot be read, but not if the session token is absent.

fromFile :: MonadIO m => m (Auth, Maybe Region) Source #

Loads the default credentials INI file using the default profile name.

Throws MissingFileError if credFile is missing, or InvalidFileError if an error occurs during parsing.

See: credProfile, credFile, and envProfile

fromProfile :: MonadIO m => Manager -> m (Auth, Maybe Region) Source #

Retrieve the default IAM Profile from the local EC2 instance-data.

The default IAM profile is determined by Amazon as the first profile found in the response from: http://169.254.169.254/latest/meta-data/iam/security-credentials/

Throws RetrievalError if the HTTP call fails, or InvalidIAMError if the default IAM profile cannot be read.

fromProfileName :: MonadIO m => Manager -> Text -> m (Auth, Maybe Region) Source #

Lookup a specific IAM Profile by name from the local EC2 instance-data.

Additionally starts a refresh thread for the given authentication environment.

The resulting IORef wrapper and refresh timer are designed so that concurrent readers of the AuthEnv in the AWS environment do not each have to compute expiry and queue sequentially to update it.

The forked timer ensures a singular owner and pre-emptive refresh of the temporary session credentials before expiration.

A weak reference is used to ensure that the forked thread will eventually terminate when Auth is no longer referenced.

If no session token or expiration time is present the credentials will be returned verbatim.

fromContainer :: MonadIO m => Manager -> m (Auth, Maybe Region) Source #

Obtain credentials exposed to a task via the ECS container agent, as described in the IAM Roles for Tasks section of the AWS ECS documentation. The credentials are obtained by making a request to http://169.254.170.2 at the path contained by the envContainerCredentialsURI environment variable.

The ECS container agent provides an access key, secret key, session token, and expiration time, but no region, so the region is taken from the envRegion environment variable if it is set.

Like fromProfileName, additionally starts a refresh thread that will periodically fetch fresh credentials before the current ones expire.

Throws MissingEnvError if the envContainerCredentialsURI environment variable is not set or InvalidIAMError if the payload returned by the ECS container agent is not of the expected format.

Keys

newtype AccessKey #

An access key ID.

For example: AKIAIOSFODNN7EXAMPLE

See: Understanding and Getting Your Security Credentials.

Constructors

AccessKey ByteString 

Instances (all defined in Amazonka.Types): Eq, Read, Show, IsString, Generic, NFData, Hashable, ToJSON, FromJSON, ToLog, ToQuery, FromXML, ToXML, ToByteString, FromText, ToText.

type Rep AccessKey = D1 ('MetaData "AccessKey" "Amazonka.Types" "libZSamazonka-coreZSamazonka-core" 'True) (C1 ('MetaCons "AccessKey" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString)))

newtype SecretKey #

Secret access key credential.

For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

See: Understanding and Getting Your Security Credentials.

Constructors

SecretKey ByteString 

Instances (all defined in Amazonka.Types): Eq, IsString, Generic, NFData, Hashable, ToJSON, FromJSON, FromXML, ToXML, ToByteString, FromText, ToText.

Note that, unlike AccessKey, SecretKey has no Show, Read, ToLog or ToQuery instance, so it cannot be rendered by show or by the logger by accident. ToText, ToByteString and ToJSON still expose the raw value, so keep those conversions out of log output.

type Rep SecretKey = D1 ('MetaData "SecretKey" "Amazonka.Types" "libZSamazonka-coreZSamazonka-core" 'True) (C1 ('MetaCons "SecretKey" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString)))

newtype SessionToken #

A session token used by STS to temporarily authorise access to an AWS resource.

See: Temporary Security Credentials.

Constructors

SessionToken ByteString 

Instances (all defined in Amazonka.Types): Eq, IsString, Generic, NFData, Hashable, ToJSON, FromJSON, FromXML, ToXML, ToByteString, FromText, ToText. As with SecretKey, there is no Show or ToLog instance.

type Rep SessionToken = D1 ('MetaData "SessionToken" "Amazonka.Types" "libZSamazonka-coreZSamazonka-core" 'True) (C1 ('MetaCons "SessionToken" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString)))

Handling Errors

class AsAuthError a where Source #

Minimal complete definition

_AuthError

Methods

_AuthError :: Prism' a AuthError Source #

A general authentication error.

_RetrievalError :: Prism' a HttpException Source #

An error occurred while communicating over HTTP with the local metadata endpoint.

_MissingEnvError :: Prism' a Text Source #

The named environment variable was not found.

_InvalidEnvError :: Prism' a Text Source #

An error occurred parsing the named environment variable's value.

_MissingFileError :: Prism' a FilePath Source #

The specified credentials file could not be found.

_InvalidFileError :: Prism' a Text Source #

An error occurred parsing the credentials file.

_InvalidIAMError :: Prism' a Text Source #

The specified IAM profile could not be found or deserialised.

data AuthError Source #

An error thrown when attempting to read AuthN/AuthZ information.

Instances (all defined in Amazonka.Auth): Show, Generic, Exception, ToLog, AsAuthError; type Rep AuthError.

Env'

This really should be defined in Amazonka.Env, but we define it here to break a gnarly module import cycle.

data Env' withAuth Source #

The environment containing the parameters required to make AWS requests.

This type tracks whether or not we have credentials at the type level, to avoid "presigning" requests when we lack auth information.

Instances (defined in Amazonka.Auth): Generic (Env' withAuth), with from :: Env' withAuth -> Rep (Env' withAuth) x and to :: Rep (Env' withAuth) x -> Env' withAuth; type Rep (Env' withAuth).