Documentation ¶
Overview ¶
Package session provides configuration for the SDK's service clients. Sessions can be shared across service clients that share the same base configuration.
Sessions are safe to use concurrently as long as the Session is not being modified. Sessions should be cached when possible, because creating a new Session will load all configuration values from the environment, and config files each time the Session is created. Sharing the Session value across all of your service clients will ensure the configuration is loaded the fewest number of times possible.
Sessions options from Shared Config ¶
By default NewSession will only load credentials from the shared credentials file (~/.aws/credentials). If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the Session will be created from the configuration values from the shared config (~/.aws/config) and shared credentials (~/.aws/credentials) files. Using the NewSessionWithOptions with SharedConfigState set to SharedConfigEnable will create the session as if the AWS_SDK_LOAD_CONFIG environment variable was set.
Credential and config loading order ¶
The Session will attempt to load configuration and credentials from the environment, configuration files, and other credential sources. The order configuration is loaded in is:
- Environment Variables
- Shared Credentials file
- Shared Configuration file (if SharedConfig is enabled)
- EC2 Instance Metadata (credentials only)
The Environment variables for credentials will have precedence over shared config even if SharedConfig is enabled. To override this behavior, and use shared config credentials instead specify the session.Options.Profile, (e.g. when using credential_source=Environment to assume a role).
sess, err := session.NewSessionWithOptions(session.Options{ Profile: "myProfile", })
Creating Sessions ¶
Creating a Session without additional options will load credentials region, and profile loaded from the environment and shared config automatically. See, "Environment Variables" section for information on environment variables used by Session.
// Create Session sess, err := session.NewSession()
When creating Sessions optional aws.Config values can be passed in that will override the default, or loaded, config values the Session is being created with. This allows you to provide additional, or case based, configuration as needed.
// Create a Session with a custom region sess, err := session.NewSession(&aws.Config{ Region: aws.String("us-west-2"), })
Use NewSessionWithOptions to provide additional configuration driving how the Session's configuration will be loaded. Such as, specifying shared config profile, or override the shared config state, (AWS_SDK_LOAD_CONFIG).
// Equivalent to session.NewSession() sess, err := session.NewSessionWithOptions(session.Options{ // Options }) sess, err := session.NewSessionWithOptions(session.Options{ // Specify profile to load for the session's config Profile: "profile_name", // Provide SDK Config options, such as Region. Config: aws.Config{ Region: aws.String("us-west-2"), }, // Force enable Shared Config support SharedConfigState: session.SharedConfigEnable, })
Adding Handlers ¶
You can add handlers to a session to decorate API operation, (e.g. adding HTTP headers). All clients that use the Session receive a copy of the Session's handlers. For example, the following request handler added to the Session logs every requests made.
// Create a session, and add additional handlers for all service // clients created with the Session to inherit. Adds logging handler. sess := session.Must(session.NewSession()) sess.Handlers.Send.PushFront(func(r *request.Request) { // Log every request made and its payload logger.Printf("Request: %s/%s, Params: %s", r.ClientInfo.ServiceName, r.Operation, r.Params) })
Shared Config Fields ¶
By default the SDK will only load the shared credentials file's (~/.aws/credentials) credentials values, and all other config is provided by the environment variables, SDK defaults, and user provided aws.Config values.
If the AWS_SDK_LOAD_CONFIG environment variable is set, or SharedConfigEnable option is used to create the Session the full shared config values will be loaded. This includes credentials, region, and support for assume role. In addition the Session will load its configuration from both the shared config file (~/.aws/config) and shared credentials file (~/.aws/credentials). Both files have the same format.
If both config files are present the configuration from both files will be read. The Session will be created from configuration values from the shared credentials file (~/.aws/credentials) over those in the shared config file (~/.aws/config).
Credentials are the values the SDK uses to authenticating requests with AWS Services. When specified in a file, both aws_access_key_id and aws_secret_access_key must be provided together in the same file to be considered valid. They will be ignored if both are not present. aws_session_token is an optional field that can be provided in addition to the other two fields.
aws_access_key_id = AKID aws_secret_access_key = SECRET aws_session_token = TOKEN ; region only supported if SharedConfigEnabled. region = us-east-1
Assume Role configuration ¶
The role_arn field allows you to configure the SDK to assume an IAM role using a set of credentials from another source. Such as when paired with static credentials, "profile_source", "credential_process", or "credential_source" fields. If "role_arn" is provided, a source of credentials must also be specified, such as "source_profile", "credential_source", or "credential_process".
role_arn = arn:aws:iam::<account_number>:role/<role_name> source_profile = profile_with_creds external_id = 1234 mfa_serial = <serial or mfa arn> role_session_name = session_name
The SDK supports assuming a role with MFA token. If "mfa_serial" is set, you must also set the Session Option.AssumeRoleTokenProvider. The Session will fail to load if the AssumeRoleTokenProvider is not specified.
sess := session.Must(session.NewSessionWithOptions(session.Options{ AssumeRoleTokenProvider: stscreds.StdinTokenProvider, }))
To setup Assume Role outside of a session see the stscreds.AssumeRoleProvider documentation.
Environment Variables ¶
When a Session is created several environment variables can be set to adjust how the SDK functions, and what configuration data it loads when creating Sessions. All environment values are optional, but some values like credentials require multiple of the values to set or the partial values will be ignored. All environment variable values are strings unless otherwise noted.
Environment configuration values. If set both Access Key ID and Secret Access Key must be provided. Session Token and optionally also be provided, but is not required.
# Access Key ID AWS_ACCESS_KEY_ID=AKID AWS_ACCESS_KEY=AKID # only read if AWS_ACCESS_KEY_ID is not set. # Secret Access Key AWS_SECRET_ACCESS_KEY=SECRET AWS_SECRET_KEY=SECRET=SECRET # only read if AWS_SECRET_ACCESS_KEY is not set. # Session Token AWS_SESSION_TOKEN=TOKEN
Region value will instruct the SDK where to make service API requests to. If is not provided in the environment the region must be provided before a service client request is made.
AWS_REGION=us-east-1 # AWS_DEFAULT_REGION is only read if AWS_SDK_LOAD_CONFIG is also set, # and AWS_REGION is not also set. AWS_DEFAULT_REGION=us-east-1
Profile name the SDK should load use when loading shared config from the configuration files. If not provided "default" will be used as the profile name.
AWS_PROFILE=my_profile # AWS_DEFAULT_PROFILE is only read if AWS_SDK_LOAD_CONFIG is also set, # and AWS_PROFILE is not also set. AWS_DEFAULT_PROFILE=my_profile
SDK load config instructs the SDK to load the shared config in addition to shared credentials. This also expands the configuration loaded so the shared credentials will have parity with the shared config file. This also enables Region and Profile support for the AWS_DEFAULT_REGION and AWS_DEFAULT_PROFILE env values as well.
AWS_SDK_LOAD_CONFIG=1
Shared credentials file path can be set to instruct the SDK to use an alternative file for the shared credentials. If not set the file will be loaded from $HOME/.aws/credentials on Linux/Unix based systems, and %USERPROFILE%\.aws\credentials on Windows.
AWS_SHARED_CREDENTIALS_FILE=$HOME/my_shared_credentials
Shared config file path can be set to instruct the SDK to use an alternative file for the shared config. If not set the file will be loaded from $HOME/.aws/config on Linux/Unix based systems, and %USERPROFILE%\.aws\config on Windows.
AWS_CONFIG_FILE=$HOME/my_shared_config
Path to a custom Credentials Authority (CA) bundle PEM file that the SDK will use instead of the default system's root CA bundle. Use this only if you want to replace the CA bundle the SDK uses for TLS requests.
AWS_CA_BUNDLE=$HOME/my_custom_ca_bundle
Enabling this option will attempt to merge the Transport into the SDK's HTTP client. If the client's Transport is not a http.Transport an error will be returned. If the Transport's TLS config is set this option will cause the SDK to overwrite the Transport's TLS config's RootCAs value. If the CA bundle file contains multiple certificates all of them will be loaded.
The Session option CustomCABundle is also available when creating sessions to also enable this feature. CustomCABundle session option field has priority over the AWS_CA_BUNDLE environment variable, and will be used if both are set.
Setting a custom HTTPClient in the aws.Config options will override this setting. To use this option and custom HTTP client, the HTTP client needs to be provided when creating the session. Not the service client.
Index ¶
Constants ¶
const ( // loading configuration from the config files if another profile name // is not provided. DefaultSharedConfigProfile = `default` )
const EnvProviderName = "EnvConfigCredentials"
EnvProviderName provides a name of the provider when config is loaded from environment.
const ( // configuration logic ErrCodeSharedConfig = "SharedConfigErr" )
Variables ¶
ErrSharedConfigECSContainerEnvVarEmpty will be returned if the environment variables are empty and Environment was set as the credential source
ErrSharedConfigInvalidCredSource will be returned if an invalid credential source was provided
ErrSharedConfigSourceCollision will be returned if a section contains both source_profile and credential_source
var WebIdentityEmptyRoleARNErr = awserr.New(stscreds.ErrCodeWebIdentity, "role ARN is not set", nil)
WebIdentityEmptyRoleARNErr will occur if 'AWS_WEB_IDENTITY_TOKEN_FILE' was set but 'AWS_ROLE_ARN' was not set.
var WebIdentityEmptyTokenFilePathErr = awserr.New(stscreds.ErrCodeWebIdentity, "token file path is not set", nil)
WebIdentityEmptyTokenFilePathErr will occur if 'AWS_ROLE_ARN' was set but 'AWS_WEB_IDENTITY_TOKEN_FILE' was not set.
Functions ¶
This section is empty.
Types ¶
type AssumeRoleTokenProviderNotSetError ¶
type AssumeRoleTokenProviderNotSetError struct{}
AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the MFAToken option is not set when shared config is configured load assume a role with an MFA token.
func (AssumeRoleTokenProviderNotSetError) Code ¶
func (e AssumeRoleTokenProviderNotSetError) Code() string
Code is the short id of the error.
func (AssumeRoleTokenProviderNotSetError) Error ¶
func (e AssumeRoleTokenProviderNotSetError) Error() string
Error satisfies the error interface.
func (AssumeRoleTokenProviderNotSetError) Message ¶
func (e AssumeRoleTokenProviderNotSetError) Message() string
Message is the description of the error
func (AssumeRoleTokenProviderNotSetError) OrigErr ¶
func (e AssumeRoleTokenProviderNotSetError) OrigErr() error
OrigErr is the underlying error that caused the failure.
type CredentialRequiresARNError ¶
type CredentialRequiresARNError struct { // type of credentials that were configured. Type string // Profile name the credentials were in. Profile string }
CredentialRequiresARNError provides the error for shared config credentials that are incorrectly configured in the shared config or credentials file.
func (CredentialRequiresARNError) Code ¶
func (e CredentialRequiresARNError) Code() string
Code is the short id of the error.
func (CredentialRequiresARNError) Error ¶
func (e CredentialRequiresARNError) Error() string
Error satisfies the error interface.
func (CredentialRequiresARNError) Message ¶
func (e CredentialRequiresARNError) Message() string
Message is the description of the error
func (CredentialRequiresARNError) OrigErr ¶
func (e CredentialRequiresARNError) OrigErr() error
OrigErr is the underlying error that caused the failure.
type Options ¶
type Options struct { // Provides config values for the SDK to use when creating service clients // and making API requests to services. Any value set in with this field // will override the associated value provided by the SDK defaults, // environment or config files where relevant. // // If not set, configuration values from from SDK defaults, environment, // config will be used. Config aws.Config // Overrides the config profile the Session should be created from. If not // set the value of the environment variable will be loaded (AWS_PROFILE, // or AWS_DEFAULT_PROFILE if the Shared Config is enabled). // // If not set and environment variables are not set the "default" // (DefaultSharedConfigProfile) will be used as the profile to load the // session config from. Profile string // environment variable. By default a Session will be created using the // value provided by the AWS_SDK_LOAD_CONFIG environment variable. // // Setting this value to SharedConfigEnable or SharedConfigDisable // will allow you to override the AWS_SDK_LOAD_CONFIG environment variable // and enable or disable the shared config functionality. SharedConfigState SharedConfigState // It will override environment variable AWS_SHARED_CREDENTIALS_FILE, AWS_CONFIG_FILE. SharedConfigFiles []string // When the SDK's shared config is configured to assume a role with MFA // this option is required in order to provide the mechanism that will // retrieve the MFA token. There is no default value for this field. If // it is not set an error will be returned when creating the session. // // This token provider will be called when ever the assumed role's // credentials need to be refreshed. Within the context of service clients // all sharing the same session the SDK will ensure calls to the token // provider are atomic. When sharing a token provider across multiple // sessions additional synchronization logic is needed to ensure the // token providers do not introduce race conditions. It is recommend to // share the session where possible. // // stscreds.StdinTokenProvider is a basic implementation that will prompt // from stdin for the MFA token code. // // This field is only used if the shared configuration is enabled, and // the config enables assume role wit MFA via the mfa_serial field. AssumeRoleTokenProvider func() (string, error) // When the SDK's shared config is configured to assume a role this option // may be provided to set the expiry duration of the STS credentials. // Defaults to 15 minutes if not set as documented in the // stscreds.AssumeRoleProvider. AssumeRoleDuration time.Duration // Reader for a custom Credentials Authority (CA) bundle in PEM format that // the SDK will use instead of the default system's root CA bundle. Use this // only if you want to replace the CA bundle the SDK uses for TLS requests. // // Enabling this option will attempt to merge the Transport into the SDK's HTTP // client. If the client's Transport is not a http.Transport an error will be // returned. If the Transport's TLS config is set this option will cause the SDK // to overwrite the Transport's TLS config's RootCAs value. If the CA // bundle reader contains multiple certificates all of them will be loaded. // // The Session option CustomCABundle is also available when creating sessions // to also enable this feature. CustomCABundle session option field has priority // over the AWS_CA_BUNDLE environment variable, and will be used if both are set. CustomCABundle io.Reader // The handlers that the session and all API clients will be created with. // This must be a complete set of handlers. Use the defaults.Handlers() // function to initialize this value before changing the handlers to be // used by the SDK. Handlers request.Handlers }
Options provides the means to control how a Session is created and what configuration values will be loaded.
type Session ¶
A Session provides a central location to create service clients from and store configurations and request handlers for those services.
Sessions are safe to create service clients concurrently, but it is not safe to mutate the Session concurrently.
The Session satisfies the service client's client.ConfigProvider.
func Must ¶
Must is a helper function to ensure the Session is valid and there was no error when calling a NewSession function.
This helper is intended to be used in variable initialization to load the Session and configuration at startup. Such as:
var sess = session.Must(session.NewSession())
func New
deprecated
New creates a new instance of the handlers merging in the provided configs on top of the SDK's default configurations. Once the Session is created it can be mutated to modify the Config or Handlers. The Session is safe to be read concurrently, but it should not be written to concurrently.
If the AWS_SDK_LOAD_CONFIG environment is set to a truthy value, the New method could now encounter an error when loading the configuration. When The environment variable is set, and an error occurs, New will return a session that will fail all requests reporting the error that occurred while loading the session. Use NewSession to get the error when creating the session.
If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the shared config file (~/.aws/config) will also be loaded, in addition to the shared credentials file (~/.aws/credentials). Values set in both the shared config, and shared credentials will be taken from the shared credentials file.
Deprecated: Use NewSession functions to create sessions instead. NewSession has the same functionality as New except an error can be returned when the func is called instead of waiting to receive an error until a request is made.
func NewSession ¶
NewSession returns a new Session created from SDK defaults, config files, environment, and user provided config files. Once the Session is created it can be mutated to modify the Config or Handlers. The Session is safe to be read concurrently, but it should not be written to concurrently.
If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the shared config file (~/.aws/config) will also be loaded in addition to the shared credentials file (~/.aws/credentials). Values set in both the shared config, and shared credentials will be taken from the shared credentials file. Enabling the Shared Config will also allow the Session to be built with retrieving credentials with AssumeRole set in the config.
See the NewSessionWithOptions func for information on how to override or control through code how the Session will be created, such as specifying the config profile, and controlling if shared config is enabled or not.
func NewSessionWithOptions ¶
NewSessionWithOptions returns a new Session created from SDK defaults, config files, environment, and user provided config files. This func uses the Options values to configure how the Session is created.
If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value the shared config file (~/.aws/config) will also be loaded in addition to the shared credentials file (~/.aws/credentials). Values set in both the shared config, and shared credentials will be taken from the shared credentials file. Enabling the Shared Config will also allow the Session to be built with retrieving credentials with AssumeRole set in the config.
// Equivalent to session.New sess := session.Must(session.NewSessionWithOptions(session.Options{})) // Specify profile to load for the session's config sess := session.Must(session.NewSessionWithOptions(session.Options{ Profile: "profile_name", })) // Specify profile for config and region for requests sess := session.Must(session.NewSessionWithOptions(session.Options{ Config: aws.Config{Region: aws.String("us-east-1")}, Profile: "profile_name", })) // Force enable Shared Config support sess := session.Must(session.NewSessionWithOptions(session.Options{ SharedConfigState: session.SharedConfigEnable, }))
func (*Session) ClientConfig ¶
ClientConfig satisfies the client.ConfigProvider interface and is used to configure the service client instances. Passing the Session to the service client's constructor (New) will use this method to configure the client.
func (*Session) ClientConfigNoResolveEndpoint ¶
ClientConfigNoResolveEndpoint is the same as ClientConfig with the exception that the EndpointResolver will not be used to resolve the endpoint. The only endpoint set must come from the aws.Config.Endpoint field.
func (*Session) Copy ¶
Copy creates and returns a copy of the current Session, copying the config and handlers. If any additional configs are provided they will be merged on top of the Session's copied config.
// Create a copy of the current Session, configured for the us-west-2 region. sess.Copy(&aws.Config{Region: aws.String("us-west-2")})
type SharedConfigAssumeRoleError ¶
type SharedConfigAssumeRoleError struct {}
SharedConfigAssumeRoleError is an error for the shared config when the profile contains assume role information, but that information is invalid or not complete.
func (SharedConfigAssumeRoleError) Code ¶
func (e SharedConfigAssumeRoleError) Code() string
Code is the short id of the error.
func (SharedConfigAssumeRoleError) Error ¶
func (e SharedConfigAssumeRoleError) Error() string
Error satisfies the error interface.
func (SharedConfigAssumeRoleError) Message ¶
func (e SharedConfigAssumeRoleError) Message() string
Message is the description of the error
func (SharedConfigAssumeRoleError) OrigErr ¶
func (e SharedConfigAssumeRoleError) OrigErr() error
OrigErr is the underlying error that caused the failure.
type SharedConfigLoadError ¶
type SharedConfigLoadError struct {}
SharedConfigLoadError is an error for the shared config file failed to load.
func (SharedConfigLoadError) Code ¶
func (e SharedConfigLoadError) Code() string
Code is the short id of the error.
func (SharedConfigLoadError) Error ¶
func (e SharedConfigLoadError) Error() string
Error satisfies the error interface.
func (SharedConfigLoadError) Message ¶
func (e SharedConfigLoadError) Message() string
Message is the description of the error
func (SharedConfigLoadError) OrigErr ¶
func (e SharedConfigLoadError) OrigErr() error
OrigErr is the underlying error that caused the failure.
type SharedConfigProfileNotExistsError ¶
type SharedConfigProfileNotExistsError struct {}
SharedConfigProfileNotExistsError is an error for the shared config when the profile was not find in the config file.
func (SharedConfigProfileNotExistsError) Code ¶
func (e SharedConfigProfileNotExistsError) Code() string
Code is the short id of the error.
func (SharedConfigProfileNotExistsError) Error ¶
func (e SharedConfigProfileNotExistsError) Error() string
Error satisfies the error interface.
func (SharedConfigProfileNotExistsError) Message ¶
func (e SharedConfigProfileNotExistsError) Message() string
Message is the description of the error
func (SharedConfigProfileNotExistsError) OrigErr ¶
func (e SharedConfigProfileNotExistsError) OrigErr() error
OrigErr is the underlying error that caused the failure.
type SharedConfigState ¶
type SharedConfigState int
SharedConfigState provides the ability to optionally override the state of the session's creation based on the shared config being enabled or disabled.
const ( // AWS_SDK_LOAD_CONFIG env var. It is the default value of the // SharedConfigState type. SharedConfigStateFromEnv SharedConfigState = iota // and disables the shared config functionality. SharedConfigDisable // and enables the shared config functionality. SharedConfigEnable )