Documentation

Overview

Package credentials provides credential retrieval and management

The Credentials is the primary method of getting access to and managing credentials Values. Using dependency injection retrieval of the credential values is handled by a object which satisfies the Provider interface.

By default the Credentials.Get() will cache the successful result of a Provider's Retrieve() until Provider.IsExpired() returns true. At which point Credentials will call Provider's Retrieve() to get new credential Value.

The Provider is responsible for determining when credentials Value have expired. It is also important to note that Credentials will always call Retrieve the first time Credentials.Get() is called.

Example of using the environment variable credentials.

creds := credentials.NewEnvCredentials()

// Retrieve the credentials value
credValue, err := creds.Get()
if err != nil {
    // handle error
}

Example of forcing credentials to expire and be refreshed on the next Get(). This may be helpful to proactively expire credentials and refresh them sooner than they would naturally expire on their own.

creds := credentials.NewCredentials(&ec2rolecreds.EC2RoleProvider{})
creds.Expire()
credsValue, err := creds.Get()
// New credentials will be retrieved instead of from cache.

Custom Provider

Each Provider built into this package also provides a helper method to generate a Credentials pointer setup with the provider. To use a custom Provider just create a type which satisfies the Provider interface and pass it to the NewCredentials method.

type MyProvider struct{}
func (m *MyProvider) Retrieve() (Value, error) {...}
func (m *MyProvider) IsExpired() bool {...}

creds := credentials.NewCredentials(&MyProvider{})
credValue, err := creds.Get()

Index

Constants

View Source
const EnvProviderName = "EnvProvider"

    EnvProviderName provides a name of Env provider

    View Source
    const SharedCredsProviderName = "SharedCredentialsProvider"

      SharedCredsProviderName provides a name of SharedCreds provider

      View Source
      const StaticProviderName = "StaticProvider"

        StaticProviderName provides a name of Static provider

        Variables

        View Source
        var (
        	// ErrAccessKeyIDNotFound is returned when the AWS Access Key ID can't be
        	// found in the process's environment.
        	//
        	// @readonly
        	ErrAccessKeyIDNotFound = awserr.New("EnvAccessKeyNotFound", "AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY not found in environment", nil)
        
        	// ErrSecretAccessKeyNotFound is returned when the AWS Secret Access Key
        	// can't be found in the process's environment.
        	//
        	// @readonly
        	ErrSecretAccessKeyNotFound = awserr.New("EnvSecretNotFound", "AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY not found in environment", nil)
        )
        View Source
        var AnonymousCredentials = NewStaticCredentials("", "", "")

          AnonymousCredentials is an empty Credential object that can be used as dummy placeholder credentials for requests that do not need signed.

          This Credentials can be used to configure a service to not sign requests when making service API calls. For example, when accessing public s3 buckets.

          svc := s3.New(session.Must(session.NewSession(&aws.Config{
            Credentials: credentials.AnonymousCredentials,
          })))
          // Access public S3 buckets.
          

          @readonly

          View Source
          var (
          	// ErrNoValidProvidersFoundInChain Is returned when there are no valid
          	// providers in the ChainProvider.
          	//
          	// This has been deprecated. For verbose error messaging set
          	// aws.Config.CredentialsChainVerboseErrors to true
          	//
          	// @readonly
          	ErrNoValidProvidersFoundInChain = awserr.New("NoCredentialProviders",
          		`no valid providers in chain. Deprecated.
          	For verbose messaging see aws.Config.CredentialsChainVerboseErrors`,
          		nil)
          )
          View Source
          var (
          	// ErrSharedCredentialsHomeNotFound is emitted when the user directory cannot be found.
          	ErrSharedCredentialsHomeNotFound = awserr.New("UserHomeNotFound", "user home directory not found.", nil)
          )
          View Source
          var (
          	// ErrStaticCredentialsEmpty is emitted when static credentials are empty.
          	//
          	// @readonly
          	ErrStaticCredentialsEmpty = awserr.New("EmptyStaticCreds", "static credentials are empty", nil)
          )

          Functions

          This section is empty.

          Types

          type ChainProvider

          type ChainProvider struct {
          	Providers []Provider
          
          	VerboseErrors bool
          	// contains filtered or unexported fields
          }

            A ChainProvider will search for a provider which returns credentials and cache that provider until Retrieve is called again.

            The ChainProvider provides a way of chaining multiple providers together which will pick the first available using priority order of the Providers in the list.

            If none of the Providers retrieve valid credentials Value, ChainProvider's Retrieve() will return the error ErrNoValidProvidersFoundInChain.

            If a Provider is found which returns valid credentials Value ChainProvider will cache that Provider for all calls to IsExpired(), until Retrieve is called again.

            Example of ChainProvider to be used with an EnvProvider and EC2RoleProvider. In this example EnvProvider will first check if any credentials are available via the environment variables. If there are none ChainProvider will check the next Provider in the list, EC2RoleProvider in this case. If EC2RoleProvider does not return any credentials ChainProvider will return the error ErrNoValidProvidersFoundInChain

            creds := credentials.NewChainCredentials(
                []credentials.Provider{
                    &credentials.EnvProvider{},
                    &ec2rolecreds.EC2RoleProvider{
                        Client: ec2metadata.New(sess),
                    },
                })
            
            // Usage of ChainCredentials with aws.Config
            svc := ec2.New(session.Must(session.NewSession(&aws.Config{
              Credentials: creds,
            })))
            

            func (*ChainProvider) IsExpired

            func (c *ChainProvider) IsExpired() bool

              IsExpired will returned the expired state of the currently cached provider if there is one. If there is no current provider, true will be returned.

              func (*ChainProvider) Retrieve

              func (c *ChainProvider) Retrieve() (Value, error)

                Retrieve returns the credentials value or error if no provider returned without error.

                If a provider is found it will be cached and any calls to IsExpired() will return the expired state of the cached provider.

                type Credentials

                type Credentials struct {
                	// contains filtered or unexported fields
                }

                  A Credentials provides synchronous safe retrieval of AWS credentials Value. Credentials will cache the credentials value until they expire. Once the value expires the next Get will attempt to retrieve valid credentials.

                  Credentials is safe to use across multiple goroutines and will manage the synchronous state so the Providers do not need to implement their own synchronization.

                  The first Credentials.Get() will always call Provider.Retrieve() to get the first instance of the credentials Value. All calls to Get() after that will return the cached credentials Value until IsExpired() returns true.

                  func NewChainCredentials

                  func NewChainCredentials(providers []Provider) *Credentials

                    NewChainCredentials returns a pointer to a new Credentials object wrapping a chain of providers.

                    func NewCredentials

                    func NewCredentials(provider Provider) *Credentials

                      NewCredentials returns a pointer to a new Credentials with the provider set.

                      func NewEnvCredentials

                      func NewEnvCredentials() *Credentials

                        NewEnvCredentials returns a pointer to a new Credentials object wrapping the environment variable provider.

                        func NewSharedCredentials

                        func NewSharedCredentials(filename, profile string) *Credentials

                          NewSharedCredentials returns a pointer to a new Credentials object wrapping the Profile file provider.

                          func NewStaticCredentials

                          func NewStaticCredentials(id, secret, token string) *Credentials

                            NewStaticCredentials returns a pointer to a new Credentials object wrapping a static credentials value provider.

                            func NewStaticCredentialsFromCreds

                            func NewStaticCredentialsFromCreds(creds Value) *Credentials

                              NewStaticCredentialsFromCreds returns a pointer to a new Credentials object wrapping the static credentials value provide. Same as NewStaticCredentials but takes the creds Value instead of individual fields

                              func (*Credentials) Expire

                              func (c *Credentials) Expire()

                                Expire expires the credentials and forces them to be retrieved on the next call to Get().

                                This will override the Provider's expired state, and force Credentials to call the Provider's Retrieve().

                                func (*Credentials) Get

                                func (c *Credentials) Get() (Value, error)

                                  Get returns the credentials value, or error if the credentials Value failed to be retrieved.

                                  Will return the cached credentials Value if it has not expired. If the credentials Value has expired the Provider's Retrieve() will be called to refresh the credentials.

                                  If Credentials.Expire() was called the credentials Value will be force expired, and the next call to Get() will cause them to be refreshed.

                                  func (*Credentials) IsExpired

                                  func (c *Credentials) IsExpired() bool

                                    IsExpired returns if the credentials are no longer valid, and need to be retrieved.

                                    If the Credentials were forced to be expired with Expire() this will reflect that override.

                                    type EnvProvider

                                    type EnvProvider struct {
                                    	// contains filtered or unexported fields
                                    }

                                      A EnvProvider retrieves credentials from the environment variables of the running process. Environment credentials never expire.

                                      Environment variables used:

                                      * Access Key ID: AWS_ACCESS_KEY_ID or AWS_ACCESS_KEY

                                      * Secret Access Key: AWS_SECRET_ACCESS_KEY or AWS_SECRET_KEY

                                      func (*EnvProvider) IsExpired

                                      func (e *EnvProvider) IsExpired() bool

                                        IsExpired returns if the credentials have been retrieved.

                                        func (*EnvProvider) Retrieve

                                        func (e *EnvProvider) Retrieve() (Value, error)

                                          Retrieve retrieves the keys from the environment.

                                          type ErrorProvider

                                          type ErrorProvider struct {
                                          	// The error to be returned from Retrieve
                                          	Err error
                                          
                                          	// The provider name to set on the Retrieved returned Value
                                          	ProviderName string
                                          }

                                            An ErrorProvider is a stub credentials provider that always returns an error this is used by the SDK when construction a known provider is not possible due to an error.

                                            func (ErrorProvider) IsExpired

                                            func (p ErrorProvider) IsExpired() bool

                                              IsExpired will always return not expired.

                                              func (ErrorProvider) Retrieve

                                              func (p ErrorProvider) Retrieve() (Value, error)

                                                Retrieve will always return the error that the ErrorProvider was created with.

                                                type Expiry

                                                type Expiry struct {
                                                
                                                	// If set will be used by IsExpired to determine the current time.
                                                	// Defaults to time.Now if CurrentTime is not set.  Available for testing
                                                	// to be able to mock out the current time.
                                                	CurrentTime func() time.Time
                                                	// contains filtered or unexported fields
                                                }

                                                  A Expiry provides shared expiration logic to be used by credentials providers to implement expiry functionality.

                                                  The best method to use this struct is as an anonymous field within the provider's struct.

                                                  Example:

                                                  type EC2RoleProvider struct {
                                                      Expiry
                                                      ...
                                                  }
                                                  

                                                  func (*Expiry) IsExpired

                                                  func (e *Expiry) IsExpired() bool

                                                    IsExpired returns if the credentials are expired.

                                                    func (*Expiry) SetExpiration

                                                    func (e *Expiry) SetExpiration(expiration time.Time, window time.Duration)

                                                      SetExpiration sets the expiration IsExpired will check when called.

                                                      If window is greater than 0 the expiration time will be reduced by the window value.

                                                      Using a window is helpful to trigger credentials to expire sooner than the expiration time given to ensure no requests are made with expired tokens.

                                                      type Provider

                                                      type Provider interface {
                                                      	// Retrieve returns nil if it successfully retrieved the value.
                                                      	// Error is returned if the value were not obtainable, or empty.
                                                      	Retrieve() (Value, error)
                                                      
                                                      	// IsExpired returns if the credentials are no longer valid, and need
                                                      	// to be retrieved.
                                                      	IsExpired() bool
                                                      }

                                                        A Provider is the interface for any component which will provide credentials Value. A provider is required to manage its own Expired state, and what to be expired means.

                                                        The Provider should not need to implement its own mutexes, because that will be managed by Credentials.

                                                        type SharedCredentialsProvider

                                                        type SharedCredentialsProvider struct {
                                                        	// Path to the shared credentials file.
                                                        	//
                                                        	// If empty will look for "AWS_SHARED_CREDENTIALS_FILE" env variable. If the
                                                        	// env value is empty will default to current user's home directory.
                                                        	// Linux/OSX: "$HOME/.aws/credentials"
                                                        	// Windows:   "%USERPROFILE%\.aws\credentials"
                                                        	Filename string
                                                        
                                                        	// AWS Profile to extract credentials from the shared credentials file. If empty
                                                        	// will default to environment variable "AWS_PROFILE" or "default" if
                                                        	// environment variable is also not set.
                                                        	Profile string
                                                        	// contains filtered or unexported fields
                                                        }

                                                          A SharedCredentialsProvider retrieves credentials from the current user's home directory, and keeps track if those credentials are expired.

                                                          Profile ini file example: $HOME/.aws/credentials

                                                          func (*SharedCredentialsProvider) IsExpired

                                                          func (p *SharedCredentialsProvider) IsExpired() bool

                                                            IsExpired returns if the shared credentials have expired.

                                                            func (*SharedCredentialsProvider) Retrieve

                                                            func (p *SharedCredentialsProvider) Retrieve() (Value, error)

                                                              Retrieve reads and extracts the shared credentials from the current users home directory.

                                                              type StaticProvider

                                                              type StaticProvider struct {
                                                              	Value
                                                              }

                                                                A StaticProvider is a set of credentials which are set programmatically, and will never expire.

                                                                func (*StaticProvider) IsExpired

                                                                func (s *StaticProvider) IsExpired() bool

                                                                  IsExpired returns if the credentials are expired.

                                                                  For StaticProvider, the credentials never expired.

                                                                  func (*StaticProvider) Retrieve

                                                                  func (s *StaticProvider) Retrieve() (Value, error)

                                                                    Retrieve returns the credentials or error if the credentials are invalid.

                                                                    type Value

                                                                    type Value struct {
                                                                    	// AWS Access key ID
                                                                    	AccessKeyID string
                                                                    
                                                                    	// AWS Secret Access Key
                                                                    	SecretAccessKey string
                                                                    
                                                                    	// AWS Session Token
                                                                    	SessionToken string
                                                                    
                                                                    	// Provider used to get credentials
                                                                    	ProviderName string
                                                                    }

                                                                      A Value is the AWS credentials value for individual credential fields.

                                                                      Directories

                                                                      Path Synopsis
                                                                      Package endpointcreds provides support for retrieving credentials from an arbitrary HTTP endpoint.
                                                                      Package endpointcreds provides support for retrieving credentials from an arbitrary HTTP endpoint.
                                                                      Package plugincreds implements a credentials provider sourced from a Go plugin.
                                                                      Package plugincreds implements a credentials provider sourced from a Go plugin.
                                                                      Package stscreds are credential Providers to retrieve STS AWS credentials.
                                                                      Package stscreds are credential Providers to retrieve STS AWS credentials.