| Copyright | (c) 2013-2021 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
| Stability | provisional |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
Amazonka.Auth
Description
Explicitly specify your Amazon AWS security credentials, or retrieve them from the underlying OS.
The format of environment variables and the credentials file follows the official AWS SDK guidelines.
Synopsis
- getAuth :: (MonadIO m, Foldable withAuth) => Env' withAuth -> Credentials -> m (Auth, Maybe Region)
- data Credentials
- data Auth
- envAccessKey :: Text
- envSecretKey :: Text
- envSessionToken :: Text
- envWebIdentityTokenFile :: Text
- envRole :: Text
- envRoleSessionName :: Text
- confRegion :: Text
- confFile :: MonadIO m => m FilePath
- credAccessKey :: Text
- credSecretKey :: Text
- credSessionToken :: Text
- credProfile :: Text
- credFile :: MonadIO m => m FilePath
- fromKeys :: AccessKey -> SecretKey -> Auth
- fromSession :: AccessKey -> SecretKey -> SessionToken -> Auth
- fromTemporarySession :: AccessKey -> SecretKey -> SessionToken -> UTCTime -> Auth
- fromEnv :: MonadIO m => m (Auth, Maybe Region)
- fromEnvKeys :: MonadIO m => Text -> Text -> Maybe Text -> Maybe Text -> m (Auth, Maybe Region)
- fromFile :: MonadIO m => m (Auth, Maybe Region)
- fromFilePath :: MonadIO m => Text -> FilePath -> FilePath -> m (Auth, Maybe Region)
- fromProfile :: MonadIO m => Manager -> m (Auth, Maybe Region)
- fromProfileName :: MonadIO m => Manager -> Text -> m (Auth, Maybe Region)
- fromContainer :: MonadIO m => Manager -> m (Auth, Maybe Region)
- newtype AccessKey = AccessKey ByteString
- newtype SecretKey = SecretKey ByteString
- newtype SessionToken = SessionToken ByteString
- class AsAuthError a where
- _AuthError :: Prism' a AuthError
- _RetrievalError :: Prism' a HttpException
- _MissingEnvError :: Prism' a Text
- _InvalidEnvError :: Prism' a Text
- _MissingFileError :: Prism' a FilePath
- _InvalidFileError :: Prism' a Text
- _InvalidIAMError :: Prism' a Text
- data AuthError
- data Env' withAuth = Env {
- _envRegion :: Region
- _envLogger :: Logger
- _envRetryCheck :: Int -> HttpException -> Bool
- _envOverride :: Dual (Endo Service)
- _envManager :: Manager
- _envAuth :: withAuth Auth
Authentication
Retrieving Authentication
getAuth :: (MonadIO m, Foldable withAuth) => Env' withAuth -> Credentials -> m (Auth, Maybe Region) Source #
Retrieve authentication information via the specified Credentials mechanism.
Throws AuthError when environment variables or IAM profiles cannot be read,
and credentials files are invalid or cannot be found.
data Credentials Source #
Determines how AuthN/AuthZ information is retrieved.
Constructors
| FromKeys AccessKey SecretKey | Explicit access and secret keys. See |
| FromSession AccessKey SecretKey SessionToken | Explicit access key, secret key and a session token. See |
| FromEnv Text Text (Maybe Text) (Maybe Text) | Lookup specific environment variables for access key, secret key, an optional session token, and an optional region, respectively. |
| FromProfile Text | An IAM Profile name to lookup from the local EC2 instance-data. Environment variables to lookup for the access key, secret key and optional session token. |
| FromFile Text FilePath FilePath | A credentials profile name (the INI section), the path to the AWS
credentials file,
and the path to the |
| FromWebIdentity | Obtain credentials using STS:AssumeRoleWithWebIdentity See About web identity federation in the AWS documentation for more information. |
| FromContainer | Obtain credentials by attempting to contact the ECS container agent
at http://169.254.170.2 using the path in |
| Discover | Attempt credentials discovery via the following steps:
An attempt is made to resolve http://instance-data rather than directly retrieving http://169.254.169.254 for IAM profile information. This assists in ensuring the DNS lookup terminates promptly if not running on EC2. |
Instances
An authorisation environment containing AWS credentials, and potentially a reference which can be refreshed out-of-band as temporary credentials expire.
Instances
| ToLog Auth | |
Defined in Amazonka.Types Methods build :: Auth -> ByteStringBuilder # | |
Defaults
Environment
Arguments
| :: Text | AWS_SESSION_TOKEN |
Default session token environment variable.
envWebIdentityTokenFile Source #
Arguments
| :: Text | AWS_WEB_IDENTITY_TOKEN_FILE |
Default web identity token file environment variable
Arguments
| :: Text | AWS_ROLE_SESSION_NAME |
Default role session name environment variable
Configuration
confFile :: MonadIO m => m FilePath Source #
Default path for the configuration file. This looks in in the HOME directory
as determined by the directory
library.
- UNIXOSX: @$HOME.aws/config@
- Windows:
C:/Users//<user>.awsconfig
Note: This does not match the default AWS SDK location of
%USERPROFILE%.awsconfig on Windows. (Sorry.)
Credentials File
Arguments
| :: Text | aws_secret_access_key |
Credentials INI file secret key variable.
Arguments
| :: Text | aws_session_token |
Credentials INI file session token variable.
credFile :: MonadIO m => m FilePath Source #
Default path for the credentials file. This looks in in the HOME directory
as determined by the directory
library.
- UNIXOSX: @$HOME.aws/credentials@
- Windows:
C:/Users//<user>.awscredentials
Note: This does not match the default AWS SDK location of
%USERPROFILE%.awscredentials on Windows. (Sorry.)
Credentials
getAuth is implemented using the following from*-styled functions below.
Both fromKeys and fromSession can be used directly to avoid the MonadIO
constraint.
fromSession :: AccessKey -> SecretKey -> SessionToken -> Auth Source #
Temporary credentials from a STS session consisting of the access key, secret key, and session token.
See: fromTemporarySession
fromTemporarySession :: AccessKey -> SecretKey -> SessionToken -> UTCTime -> Auth Source #
Temporary credentials from a STS session consisting of the access key, secret key, session token, and expiration time.
See: fromSession
fromEnv :: MonadIO m => m (Auth, Maybe Region) Source #
Retrieve access key, secret key, and a session token from the default environment variables.
Throws MissingEnvError if either of the default environment variables
cannot be read, but not if the session token is absent.
Arguments
| :: MonadIO m | |
| => Text | Access key environment variable. |
| -> Text | Secret key environment variable. |
| -> Maybe Text | Session token environment variable. |
| -> Maybe Text | Region environment variable. |
| -> m (Auth, Maybe Region) |
Retrieve access key, secret key and a session token from specific environment variables.
Throws MissingEnvError if either of the specified key environment variables
cannot be read, but not if the session token is absent.
fromFile :: MonadIO m => m (Auth, Maybe Region) Source #
Loads the default credentials INI file using the default profile name.
Throws MissingFileError if credFile is missing, or InvalidFileError
if an error occurs during parsing.
See: credProfile, credFile, and envProfile
fromProfile :: MonadIO m => Manager -> m (Auth, Maybe Region) Source #
Retrieve the default IAM Profile from the local EC2 instance-data.
The default IAM profile is determined by Amazon as the first profile found
in the response from:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
Throws RetrievalError if the HTTP call fails, or InvalidIAMError if
the default IAM profile cannot be read.
fromProfileName :: MonadIO m => Manager -> Text -> m (Auth, Maybe Region) Source #
Lookup a specific IAM Profile by name from the local EC2 instance-data.
Additionally starts a refresh thread for the given authentication environment.
The resulting IORef wrapper + timer is designed so that multiple concurrent
accesses of AuthEnv from the AWS environment are not required to calculate
expiry and sequentially queue to update it.
The forked timer ensures a singular owner and pre-emptive refresh of the temporary session credentials before expiration.
A weak reference is used to ensure that the forked thread will eventually
terminate when Auth is no longer referenced.
If no session token or expiration time is present the credentials will be returned verbatim.
fromContainer :: MonadIO m => Manager -> m (Auth, Maybe Region) Source #
Obtain credentials exposed to a task via the ECS container agent, as
described in the IAM Roles for Tasks
section of the AWS ECS documentation. The credentials are obtained by making
a request to http://169.254.170.2 at the path contained by the
envContainerCredentialsURI environment variable.
The ECS container agent provides an access key, secret key, session token,
and expiration time, but it does not include a region, so the region will
attempt to be determined from the envRegion environment variable if it is
set.
Like fromProfileName, additionally starts a refresh thread that will
periodically fetch fresh credentials before the current ones expire.
Throws MissingEnvError if the envContainerCredentialsURI environment
variable is not set or InvalidIAMError if the payload returned by the ECS
container agent is not of the expected format.
Keys
An access key ID.
For example: AKIAIOSFODNN7EXAMPLE
Constructors
| AccessKey ByteString |
Instances
Secret access key credential.
For example: wJalrXUtnFEMIK7MDENGbPxRfiCYEXAMPLEKE
Constructors
| SecretKey ByteString |
Instances
| Eq SecretKey | |
| IsString SecretKey | |
Defined in Amazonka.Types Methods fromString :: String -> SecretKey # | |
| Generic SecretKey | |
| NFData SecretKey | |
Defined in Amazonka.Types | |
| Hashable SecretKey | |
Defined in Amazonka.Types | |
| ToJSON SecretKey | |
Defined in Amazonka.Types | |
| FromJSON SecretKey | |
| FromXML SecretKey | |
| ToXML SecretKey | |
Defined in Amazonka.Types | |
| ToByteString SecretKey | |
Defined in Amazonka.Types Methods toBS :: SecretKey -> ByteString # | |
| FromText SecretKey | |
| ToText SecretKey | |
Defined in Amazonka.Types | |
| type Rep SecretKey | |
Defined in Amazonka.Types type Rep SecretKey = D1 ('MetaData "SecretKey" "Amazonka.Types" "libZSamazonka-coreZSamazonka-core" 'True) (C1 ('MetaCons "SecretKey" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString))) | |
newtype SessionToken #
A session token used by STS to temporarily authorise access to an AWS resource.
Constructors
| SessionToken ByteString |
Instances
Handling Errors
class AsAuthError a where Source #
Minimal complete definition
Methods
_AuthError :: Prism' a AuthError Source #
A general authentication error.
_RetrievalError :: Prism' a HttpException Source #
An error occured while communicating over HTTP with the local metadata endpoint.
_MissingEnvError :: Prism' a Text Source #
The named environment variable was not found.
_InvalidEnvError :: Prism' a Text Source #
An error occured parsing named environment variable's value.
_MissingFileError :: Prism' a FilePath Source #
The specified credentials file could not be found.
_InvalidFileError :: Prism' a Text Source #
An error occured parsing the credentials file.
_InvalidIAMError :: Prism' a Text Source #
The specified IAM profile could not be found or deserialised.
Instances
An error thrown when attempting to read AuthN/AuthZ information.
Constructors
| RetrievalError HttpException | |
| MissingEnvError Text | |
| InvalidEnvError Text | |
| MissingFileError FilePath | |
| InvalidFileError Text | |
| InvalidIAMError Text |
Instances
Env'
This really should be defined in Amazonka.Env, but we define it
here to break a gnarly module import cycle.
The environment containing the parameters required to make AWS requests.
This type tracks whether or not we have credentials at the type level, to avoid "presigning" requests when we lack auth information.
Constructors
| Env | |
Fields
| |
Instances
| Generic (Env' withAuth) Source # | |
| type Rep (Env' withAuth) Source # | |
Defined in Amazonka.Auth type Rep (Env' withAuth) = D1 ('MetaData "Env'" "Amazonka.Auth" "libZSamazonkaZSamazonka" 'False) (C1 ('MetaCons "Env" 'PrefixI 'True) ((S1 ('MetaSel ('Just "_envRegion") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Region) :*: (S1 ('MetaSel ('Just "_envLogger") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Logger) :*: S1 ('MetaSel ('Just "_envRetryCheck") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Int -> HttpException -> Bool)))) :*: (S1 ('MetaSel ('Just "_envOverride") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Dual (Endo Service))) :*: (S1 ('MetaSel ('Just "_envManager") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Manager) :*: S1 ('MetaSel ('Just "_envAuth") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (withAuth Auth)))))) | |