Class: Google::Auth::ExternalAccount::AwsCredentials

Inherits:
Object
Extended by:
CredentialsLoader
Includes:
BaseCredentials, ExternalAccountUtils
Defined in:
lib/googleauth/external_account/aws_credentials.rb

Overview

This class obtains a short-lived Google Cloud access token for a workload running on AWS. It collects the AWS region and AWS credentials (from environment variables, or from the EC2 instance metadata service, using an IMDSv2 session token where one is configured), builds a signed AWS STS GetCallerIdentity request, and exchanges that signed request, as the subject token, with the Google Cloud STS endpoint for an access token.

Constant Summary

IMDSV2_TOKEN_EXPIRATION_IN_SECONDS = 300

Lifetime requested for the IMDSv2 session token, in seconds.

Constants included from CredentialsLoader

CredentialsLoader::ACCOUNT_TYPE_VAR, CredentialsLoader::AWS_ACCESS_KEY_ID_VAR, CredentialsLoader::AWS_DEFAULT_REGION_VAR, CredentialsLoader::AWS_REGION_VAR, CredentialsLoader::AWS_SECRET_ACCESS_KEY_VAR, CredentialsLoader::AWS_SESSION_TOKEN_VAR, CredentialsLoader::CLIENT_EMAIL_VAR, CredentialsLoader::CLIENT_ID_VAR, CredentialsLoader::CLIENT_SECRET_VAR, CredentialsLoader::CLOUD_SDK_CLIENT_ID, CredentialsLoader::CREDENTIALS_FILE_NAME, CredentialsLoader::ENV_VAR, CredentialsLoader::GCLOUD_CONFIG_COMMAND, CredentialsLoader::GCLOUD_POSIX_COMMAND, CredentialsLoader::GCLOUD_WINDOWS_COMMAND, CredentialsLoader::NOT_FOUND_ERROR, CredentialsLoader::PRIVATE_KEY_VAR, CredentialsLoader::PROJECT_ID_VAR, CredentialsLoader::REFRESH_TOKEN_VAR, CredentialsLoader::SYSTEM_DEFAULT_ERROR, CredentialsLoader::WELL_KNOWN_ERROR, CredentialsLoader::WELL_KNOWN_PATH

Constants included from ExternalAccountUtils

ExternalAccountUtils::CLOUD_RESOURCE_MANAGER

Constants included from BaseCredentials

BaseCredentials::EXTERNAL_ACCOUNT_JSON_TYPE, BaseCredentials::IAM_SCOPE, BaseCredentials::STS_GRANT_TYPE, BaseCredentials::STS_REQUESTED_TOKEN_TYPE

Constants included from BaseClient

BaseClient::AUTH_METADATA_KEY

Instance Attribute Summary

Attributes included from BaseCredentials

#access_token, #expires_at, #universe_domain

Instance Method Summary

Methods included from CredentialsLoader

from_env, from_system_default_path, from_well_known_path, load_gcloud_project_id, make_creds

Methods included from ExternalAccountUtils

#normalize_timestamp, #project_id, #project_number, #service_account_email

Methods included from BaseCredentials

#expires_within?, #fetch_access_token!, #is_workforce_pool?

Methods included from Helpers::Connection

connection

Methods included from BaseClient

#apply, #apply!, #expires_within?, #needs_access_token?, #notify_refresh_listeners, #on_refresh, #updater_proc

Constructor Details

#initialize(options = {}) ⇒ AwsCredentials

Returns a new instance of AwsCredentials.



# File 'lib/googleauth/external_account/aws_credentials.rb', line 37

def initialize options = {}
  base_setup options

  @audience = options[:audience]
  @credential_source = options[:credential_source] || {}
  @environment_id = @credential_source[:environment_id]
  @region_url = @credential_source[:region_url]
  @credential_verification_url = @credential_source[:url]
  @regional_cred_verification_url = @credential_source[:regional_cred_verification_url]
  @imdsv2_session_token_url = @credential_source[:imdsv2_session_token_url]

  # These will be lazily loaded when needed, or will raise an error if not provided
  @region = nil
  @request_signer = nil
  @imdsv2_session_token = nil
  @imdsv2_session_token_expiry = nil
end

Instance Attribute Details

#client_id ⇒ Object (readonly)

Always nil for this credential type; the reader exists because callers still invoke it.



# File 'lib/googleauth/external_account/aws_credentials.rb', line 35

def client_id
  @client_id
end

Instance Method Details

#retrieve_subject_token! ⇒ string

Retrieves the subject token using the credential_source object. The subject token is a serialized, signed AWS STS GetCallerIdentity request.

The logic is summarized as:

Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable; if neither is set, derive it from the availability-zone returned by the AWS metadata server.

Check for AWS credentials in environment variables. If they are not found, retrieve them from the AWS metadata server security-credentials endpoint.

When retrieving AWS credentials from the metadata server, the IAM role must first be determined by calling the security-credentials endpoint without any argument; the credentials can then be retrieved from security-credentials/role_name.

Generate the signed request to the AWS STS GetCallerIdentity action.

Add the x-goog-cloud-target-resource header, set to the audience, and serialize the signed request (headers sorted by name, JSON-encoded, URL-escaped). This serialized request is the subject token passed to the Google Cloud STS token exchange.

Returns:

  • (string)

    The retrieved subject token.



# File 'lib/googleauth/external_account/aws_credentials.rb', line 78

def retrieve_subject_token!
  if @request_signer.nil?
    @region = region
    @request_signer = AwsRequestSigner.new @region
  end

  request = {
    method: "POST",
    url: @regional_cred_verification_url.sub("{region}", @region)
  }

  request_options = @request_signer.generate_signed_request fetch_security_credentials, request

  request_headers = request_options[:headers]
  request_headers["x-goog-cloud-target-resource"] = @audience

  aws_signed_request = {
    headers: [],
    method: request_options[:method],
    url: request_options[:url]
  }

  aws_signed_request[:headers] = request_headers.keys.sort.map do |key|
    { key: key, value: request_headers[key] }
  end

  uri_escape aws_signed_request.to_json
end
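The steps above, carried through end to end as an added example; this is illustrative code, not the gem's own AwsRequestSigner or its credential_source handling. The AwsSubjectTokenExample module and its method names are assumptions, the credentials, timestamp and metadata responses are constructed, and the metadata lookup goes through an injected fetch lambda so the block runs without network access. It implements AWS Signature Version 4 for a POST to the regional STS endpoint with an empty body, then applies the same header sorting, JSON encoding and URL escaping as the method body.

```ruby
require "openssl"
require "json"
require "uri"
require "cgi"

# Added example, not the googleauth gem's AwsRequestSigner. Module and method
# names are assumptions; credentials, timestamps and metadata responses are constructed.
module AwsSubjectTokenExample
  SERVICE = "sts"
  ALGORITHM = "AWS4-HMAC-SHA256"
  IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

  def self.hmac(key, data)
    OpenSSL::HMAC.digest("SHA256", key, data)
  end

  def self.sha256_hex(data)
    OpenSSL::Digest::SHA256.hexdigest(data)
  end

  # Credential lookup order from the steps above: environment variables first,
  # then the metadata server's security-credentials endpoint (role name first,
  # then that role's credential document). `fetch` is an injected
  # lambda(url) -> response body so the example runs offline.
  def self.resolve_credentials(env, fetch)
    if env["AWS_ACCESS_KEY_ID"] && env["AWS_SECRET_ACCESS_KEY"]
      return { access_key_id: env["AWS_ACCESS_KEY_ID"],
               secret_access_key: env["AWS_SECRET_ACCESS_KEY"],
               session_token: env["AWS_SESSION_TOKEN"] }
    end
    role = fetch.call(IMDS_CREDS).strip
    raise "no IAM role attached to this instance" if role.empty?
    doc = JSON.parse(fetch.call(IMDS_CREDS + role))
    { access_key_id: doc["AccessKeyId"],
      secret_access_key: doc["SecretAccessKey"],
      session_token: doc["Token"] }
  end

  # SigV4 signing key: an HMAC chain over date, region, service and "aws4_request".
  def self.signing_key(secret, date_stamp, region)
    k_date = hmac("AWS4" + secret, date_stamp)
    k_region = hmac(k_date, region)
    k_service = hmac(k_region, SERVICE)
    hmac(k_service, "aws4_request")
  end

  # SigV4-sign a POST to the regional STS endpoint. GetCallerIdentity travels
  # in the query string, so the payload is empty. `now` is injected so the
  # output is reproducible; a real caller passes the current time.
  def self.signed_headers(creds, region, url, now:)
    uri = URI.parse(url)
    amz_date = now.utc.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.utc.strftime("%Y%m%d")

    headers = { "host" => uri.host, "x-amz-date" => amz_date }
    headers["x-amz-security-token"] = creds[:session_token] if creds[:session_token]

    signed = headers.keys.sort
    canonical_request = [
      "POST",
      uri.path.empty? ? "/" : uri.path,
      (uri.query || "").split("&").sort.join("&"),
      signed.map { |k| "#{k}:#{headers[k].strip}\n" }.join,
      signed.join(";"),
      sha256_hex("") # hash of the empty payload
    ].join("\n")

    scope = "#{date_stamp}/#{region}/#{SERVICE}/aws4_request"
    string_to_sign = [ALGORITHM, amz_date, scope, sha256_hex(canonical_request)].join("\n")
    key = signing_key(creds[:secret_access_key], date_stamp, region)
    signature = OpenSSL::HMAC.hexdigest("SHA256", key, string_to_sign)

    headers["authorization"] =
      "#{ALGORITHM} Credential=#{creds[:access_key_id]}/#{scope}, " \
      "SignedHeaders=#{signed.join(';')}, Signature=#{signature}"
    headers
  end

  # Add the target-resource header, sort headers by name, serialize to JSON and
  # URL-escape. The result is the subject token handed to Google's STS.
  def self.subject_token(creds, region, audience, now:)
    url = "https://sts.#{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
    headers = signed_headers(creds, region, url, now: now)
    headers["x-goog-cloud-target-resource"] = audience
    payload = {
      headers: headers.keys.sort.map { |k| { key: k, value: headers[k] } },
      method: "POST",
      url: url
    }
    CGI.escape(payload.to_json)
  end
end
```

Two points worth noting from the code: x-amz-date is part of the signed content, so the signature is only valid near the time it was produced, and the x-goog-cloud-target-resource header is added after signing, so it sits outside the AWS signature and is checked by the Google STS endpoint rather than by AWS.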