Reference documentation and code samples for the googleauth class Google::Auth::ExternalAccount::AwsCredentials.
This module handles the retrieval of credentials from Google Cloud by utilizing the AWS EC2 metadata service and then exchanging the credentials for a short-lived Google Cloud access token.
Inherits
- Object
Methods
#client_id
def client_id()
Will always be nil, but method still gets used.
#initialize
def initialize(options = {}) -> AwsCredentials
- (AwsCredentials) — a new instance of AwsCredentials
#retrieve_subject_token!
def retrieve_subject_token!() -> string
Retrieves the subject token using the credential_source object. The subject token is a serialized AWS GetCallerIdentity signed request.
The logic is summarized as:
- Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION environment variable, or from the AWS metadata server availability-zone endpoint if neither variable is set.
- Check for AWS credentials in environment variables. If not found, retrieve them from the AWS metadata server security-credentials endpoint.
- When retrieving AWS credentials from the metadata server security-credentials endpoint, the AWS role must first be determined by calling the security-credentials endpoint without any argument. The credentials can then be retrieved via security-credentials/role_name.
- Generate the signed request for the AWS STS GetCallerIdentity action.
- Inject x-goog-cloud-target-resource into the headers and serialize the signed request. This serialized request is the subject token passed to GCP STS.
- (string) — The retrieved subject token.
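The last two steps above (SigV4-signing a GetCallerIdentity request that carries x-goog-cloud-target-resource, then serializing it) as an added Ruby example; this is not the googleauth gem's own code. The credentials, region and target resource are constructed sample values, and the regional verification URL and the JSON layout of the serialized token are assumptions.

```ruby
require "openssl"
require "json"
require "time"
require "uri"

# Constructed sample inputs (not real credentials).
AWS_CREDS = { access_key_id: "AKIAEXAMPLE",
              secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
              session_token: "FQoGZXIvYXdzEXAMPLE" }
REGION = "us-east-1"
TARGET_RESOURCE = "//iam.googleapis.com/projects/123456/locations/global/workloadIdentityPools/pool/providers/aws"

def sha256_hex(data)
  OpenSSL::Digest::SHA256.hexdigest(data)
end

def hmac(key, data)
  OpenSSL::HMAC.digest("sha256", key, data)
end

# SigV4 key derivation: date -> region -> service -> "aws4_request".
def signing_key(secret, date, region, service)
  hmac(hmac(hmac(hmac("AWS4" + secret, date), region), service), "aws4_request")
end

# Builds the serialized subject token for the given AWS credentials.
def build_subject_token(creds, region, target_resource, now = Time.now.utc)
  url = "https://sts.#{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15" # assumed URL shape
  uri = URI(url)
  amz_date = now.strftime("%Y%m%dT%H%M%SZ")
  date = now.strftime("%Y%m%d")
  headers = { "host" => uri.host, "x-amz-date" => amz_date,
              "x-goog-cloud-target-resource" => target_resource } # binds the request to one GCP provider
  headers["x-amz-security-token"] = creds[:session_token] if creds[:session_token]
  sorted = headers.sort.to_h
  canonical_headers = sorted.map { |k, v| "#{k}:#{v}\n" }.join
  signed_headers = sorted.keys.join(";")
  # Canonical request: method, path, (already sorted) query, headers, signed header list, payload hash.
  canonical_request = ["POST", uri.path.empty? ? "/" : uri.path, uri.query,
                       canonical_headers, signed_headers, sha256_hex("")].join("\n")
  scope = "#{date}/#{region}/sts/aws4_request"
  string_to_sign = ["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(canonical_request)].join("\n")
  signature = OpenSSL::HMAC.hexdigest("sha256",
                                      signing_key(creds[:secret_access_key], date, region, "sts"),
                                      string_to_sign)
  headers["authorization"] = "AWS4-HMAC-SHA256 Credential=#{creds[:access_key_id]}/#{scope}, " \
                             "SignedHeaders=#{signed_headers}, Signature=#{signature}"
  # Serialized form (assumed layout): GCP STS replays this request against AWS STS to verify it.
  JSON.generate({ "url" => url, "method" => "POST",
                  "headers" => headers.map { |k, v| { "key" => k, "value" => v } } })
end
```

Because x-goog-cloud-target-resource is among the signed headers, a token minted for one workload identity provider cannot be replayed against another.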
Constants
IMDSV2_TOKEN_EXPIRATION_IN_SECONDS
value: 300
Constant for imdsv2 session token expiration in seconds