An authorisation environment containing AWS credentials, and potentially a reference which can be refreshed out-of-band as temporary credentials expire.

Attempt to fetch credentials in a way similar to the official AWS SDKs. The C++ SDK lists the following sequence:

• Check environment variables for keys provided directly (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optionally AWS_SESSION_TOKEN)
• Check credentials/config files for authentication information, respecting the AWS_PROFILE environment variable.
• Exchange a Web Identity for AWS Credentials using sts:AssumeRoleWithWebIdentity, respecting the AWS_WEB_IDENTITY_TOKEN_FILE, AWS_ROLE_ARN, and optionally the AWS_ROLE_SESSION_NAME environment variables.
• Retrieve credentials from the ECS Container Agent if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is set.

• If we think we're running on EC2, retrieve the first available IAM profile from the instance identity document, and use this to set the Placement. We attempt to resolve http://instance-data rather than directly retrieving http://169.254.169.254 for IAM profile information. This ensures that the DNS lookup terminates promptly if not running on EC2, but means that your VPC must have enableDnsSupport and enableDnsHostnames set.

  NOTE: This is not 100% consistent with the AWS SDKs, which does not attempt to query the ECS service if either AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI are set.

  See: https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/EC2ContainerCredentialsProviderWrapper.html

Compose a list of credential-providing functions by testing each until one returns successfully. If they throw AuthError, the next function in the chain will be tried. Throws CredentialChainExhausted if the list is exhausted.

Explicit access and secret keys.

Temporary credentials from a STS session consisting of the access key, secret key, and session token.

See: fromTemporarySession

Temporary credentials from a STS session consisting of the access key, secret key, session token, and expiration time.

See: fromSession

Retrieve access key, secret key and a session token from environment variables. We copy the behaviour of the SDKs and respect the following variables:

• AWS_ACCESS_KEY_ID (and its alternate name, AWS_ACCESS_KEY)
• AWS_SECRET_ACCESS_KEY (and its alternate name, AWS_SECRET_KEY)
• AWS_SESSION_TOKEN (if present)

Throws MissingEnvError if a required environment variable is empty or unset.

Retrieve credentials from the AWS config/credentials files, as Amazonka currently understands them:

• AWS recommends credentials do not live in the config file, but allows it.
• Sections in the config file start should either be named [default] or [profile foo]. Unprefixed [foo] currently "happens to work" but is not officially supported, to match the observed behaviour of the AWS SDK/CLI.
• Sections in the credentials file are always unprefixed - [default] or [foo].

See: the ConfigProfile type, to understand the methods Amazonka currently supports.

Loads the default config/credentials INI files and selects a profile by environment variable (AWS_PROFILE).

Throws MissingFileError if credFile is missing, or InvalidFileError if an error occurs during parsing.

This looks in in the HOME directory as determined by the directory library.

• Not Windows: $HOME/.aws/credentials
• Windows: %USERPROFILE%\.aws\credentials

Obtain credentials exposed to a task via the ECS container agent, as described in the IAM Roles for Tasks section of the AWS ECS documentation. The credentials are obtained by making a request to the given URL.

The ECS container agent provides an access key, secret key, session token, and expiration time. As these are temporary credentials, this function also starts a refresh thread that will periodically fetch fresh credentials before the current ones expire.

Obtain credentials from the ECS container agent, by querying http://169.254.170.2 at the path contained by the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.

Throws MissingEnvError if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable is not set or InvalidIAMError if the payload returned by the ECS container agent is not of the expected format.

NOTE: We do not currently respect the AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINTER_AUTHORIZATION_TOKEN environment variable. If you need support for these, please file a PR.

Assume a role using the sts:AssumeRole API.

This is a simplified interface suitable for most purposes, but if you need the full functionality of the sts:AssumeRole API, you will need to craft your own requests using amazonka-sts. If you do this, remember to use fetchAuthInBackground so that your application does not get stuck holding temporary credentials which have expired.

https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ Obtain temporary credentials from sts:AssumeRoleWithWebIdentity.

The STS service provides an access key, secret key, session token, and expiration time. Also spawns a refresh thread that will periodically fetch fresh credentials before the current ones expire.

The implementation is modelled on the C++ SDK: https://github.com/aws/aws-sdk-cpp/blob/6d6dcdbfa377393306bf79585f61baea524ac124/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp#L33

Obtain temporary credentials from sts:AssumeRoleWithWebIdentity, sourcing arguments from standard environment variables:

• AWS_WEB_IDENTITY_TOKEN_FILE

• AWS_ROLE_ARN

• AWS_ROLE_SESSION_NAME (optional)

Throws MissingEnvError if a required environment variable is empty or unset.

Retrieve the default IAM Profile from the local EC2 instance-data.

The default IAM profile is determined by Amazon as the first profile found in the response from: http://169.254.169.254/latest/meta-data/iam/security-credentials/

Throws RetrievalError if the HTTP call fails, or InvalidIAMError if the default IAM profile cannot be read.

Lookup a specific IAM Profile by name from the local EC2 instance-data.

Additionally starts a refresh thread for the given authentication environment.

The resulting IORef wrapper + timer is designed so that multiple concurrent accesses of AuthEnv from the AWS environment are not required to calculate expiry and sequentially queue to update it.

The forked timer ensures a singular owner and pre-emptive refresh of the temporary session credentials before expiration.

A weak reference is used to ensure that the forked thread will eventually terminate when Auth is no longer referenced.

If no session token or expiration time is present the credentials will be returned verbatim.

Assume a role using an SSO Token.

The user must have previously called aws sso login, and pass in the path to the cached token file, along with SSO region, account ID and role name. (fromFilePath understands the sso_ variables used by the official AWS CLI and will call fromSSO for you.) This function uses fetchAuthInBackground to refresh the credentials as long as the token in the sso/cache file is not expired. When it has, the user will need to aws sso login again.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

An access key ID.

For example: AKIAIOSFODNN7EXAMPLE

See: Understanding and Getting Your Security Credentials.

Secret access key credential.

For example: wJalrXUtnFEMIK7MDENGbPxRfiCYEXAMPLEKE

See: Understanding and Getting Your Security Credentials.

A session token used by STS to temporarily authorise access to an AWS resource.

See: Temporary Security Credentials.

An error thrown when attempting to read AuthN/AuthZ information.

An environment with auth credentials. Most AWS requests need one of these, and you can create one with newEnv.

An environment with no auth credentials. Used for certain requests which need to be unsigned, like sts:AssumeRoleWithWebIdentity, and you can create one with newEnvNoAuth if you need it.

The environment containing the parameters required to make AWS requests.

This type tracks whether or not we have credentials at the type level, to avoid "presigning" requests when we lack auth information.