aws-sdk-cpp/src/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp at 3cd88b2223dbfdfa9151e14c4000710db0bb0005 · aws/aws-sdk-cpp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */
#include <aws/core/Globals.h>
#include <aws/core/auth/STSCredentialsProvider.h>
#include <aws/core/client/ClientConfiguration.h>
#include <aws/core/client/UserAgent.h>
#include <aws/core/platform/Environment.h>
#include <aws/crt/auth/Credentials.h>

using namespace Aws::Auth;
using namespace Aws::Utils;

namespace {
std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> GetSTSCrtProvider(
    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig,
    Aws::Crt::Io::ClientBootstrap* defaultClientBootstrap) {
  Aws::Crt::Auth::CredentialsProviderSTSWebIdentityConfig stsConfig{};
  stsConfig.Bootstrap = defaultClientBootstrap;
  Aws::Crt::Io::TlsContextOptions tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient();
  const Aws::Crt::Io::TlsContext tlsContext(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT);
  const auto tlsOptions = Aws::GetDefaultTlsConnectionOptions();
  if (tlsOptions) {
    stsConfig.TlsConnectionOptions = *tlsOptions;
  }
  stsConfig.Region = credentialsConfig.region.c_str();
  stsConfig.TokenFilePath = credentialsConfig.stsCredentialsProviderConfig.tokenFilePath.c_str();
  stsConfig.RoleArn = credentialsConfig.stsCredentialsProviderConfig.roleArn.c_str();
  stsConfig.SessionName = [&credentialsConfig]() -> Aws::String {
    if (!credentialsConfig.stsCredentialsProviderConfig.sessionName.empty()) {
      return credentialsConfig.stsCredentialsProviderConfig.sessionName;
    }
    return UUID::RandomUUID();
  }()
                                                        .c_str();

  Aws::Crt::Http::ProxyEnvVarOptions options{};
  options.proxyEnvVarType = Aws::Crt::Http::ProxyEnvVarType::Enabled;
  options.connectionType = Aws::Crt::Http::AwsHttpProxyConnectionType::Legacy;
  if (tlsOptions) {
    options.TlsOptions = *tlsOptions;
  }
  stsConfig.ProxyEnvVarOptions = options;

  return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderSTSWebIdentity(stsConfig);
}
}  // namespace

STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider(
    const Aws::Client::ClientConfiguration::CredentialProviderConfiguration& credentialsConfig)
    : CrtCredentialsProvider{[&credentialsConfig]() -> std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> {
                               return GetSTSCrtProvider(credentialsConfig, GetDefaultClientBootstrap());
                             },
                             credentialsConfig.stsCredentialsProviderConfig.retrieveCredentialsFutureTimeout,
                             Aws::Client::UserAgentFeature::CREDENTIALS_STS_WEB_IDENTITY_TOKEN,
                             "STSAssumeRoleWebIdentityCredentialsProvider"} {}

Aws::String GetLegacySettingFromEnvOrProfile(const Aws::String& envVar,
                                             std::function<Aws::String(Aws::Config::Profile)> profileFetchFunction) {
  auto value = Aws::Environment::GetEnv(envVar.c_str());
  if (value.empty()) {
    auto profile = Aws::Config::GetCachedConfigProfile(Aws::Auth::GetConfigProfileName());
    value = profileFetchFunction(profile);
  }
  return value;
}

STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider()
    : STSAssumeRoleWebIdentityCredentialsProvider(Aws::Client::ClientConfiguration::CredentialProviderConfiguration{
          Aws::Auth::GetConfigProfileName(),
          GetLegacySettingFromEnvOrProfile("AWS_DEFAULT_REGION",
                                           [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetRegion(); }),
          {},
          {GetLegacySettingFromEnvOrProfile("AWS_ROLE_ARN",
                                            [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetRoleArn(); }),
           GetLegacySettingFromEnvOrProfile(
               "AWS_ROLE_SESSION_NAME",
               [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetValue("role_session_name"); }),
           GetLegacySettingFromEnvOrProfile(
               "AWS_WEB_IDENTITY_TOKEN_FILE",
               [](const Aws::Config::Profile& profile) -> Aws::String { return profile.GetValue("web_identity_token_file"); })},
          {}}) {}

STSAssumeRoleWebIdentityCredentialsProvider::~STSAssumeRoleWebIdentityCredentialsProvider() = default;