class Aws::ProcessCredentials

A credential provider that executes a given process and attempts to read its stdout to receive a JSON payload containing the credentials.

credentials = Aws::ProcessCredentials.new(['/usr/bin/credential_proc'])
ec2 = Aws::EC2::Client.new(credentials: credentials)

Arguments should be provided as strings in the array, for example:

process = ['/usr/bin/credential_proc', 'arg1', 'arg2']
credentials = Aws::ProcessCredentials.new(process)
ec2 = Aws::EC2::Client.new(credentials: credentials)

Automatically handles refreshing credentials if an Expiration time is provided in the credentials payload.

@see docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes

Public Class Methods

new(process) click to toggle source

Creates a new ProcessCredentials object, which allows an external process to be used as a credential provider.

@param [Array<String>, String] process An array of strings including

the process name and its arguments to execute, or a single string to be
executed by the shell (deprecated and insecure).
Calls superclass method Aws::RefreshingCredentials::new
# File lib/aws-sdk-core/process_credentials.rb, line 31
def initialize(process)
  if process.is_a?(String)
    warn('Passing a single string to Aws::ProcessCredentials.new '\
         'is insecure, please use use an array of system arguments instead')
  end
  @process = process
  @credentials = credentials_from_process
  @async_refresh = false

  super
end

Private Instance Methods

_parse_payload_format_v1(creds_json) click to toggle source
# File lib/aws-sdk-core/process_credentials.rb, line 73
def _parse_payload_format_v1(creds_json)
  creds = Credentials.new(
    creds_json['AccessKeyId'],
    creds_json['SecretAccessKey'],
    creds_json['SessionToken'],
    account_id: creds_json['AccountId']
  )

  @expiration = creds_json['Expiration'] ? Time.iso8601(creds_json['Expiration']) : nil
  return creds if creds.set?

  raise Errors::InvalidProcessCredentialsPayload.new(
    'Invalid payload for JSON credentials version 1'
  )
end
credentials_from_process() click to toggle source
# File lib/aws-sdk-core/process_credentials.rb, line 45
def credentials_from_process
  r, w = IO.pipe
  success = system(*@process, out: w)
  w.close
  raw_out = r.read
  r.close

  unless success
    raise Errors::InvalidProcessCredentialsPayload.new(
      'credential_process provider failure, the credential process had '\
      'non zero exit status and failed to provide credentials'
    )
  end

  begin
    creds_json = Aws::Json.load(raw_out)
  rescue Aws::Json::ParseError
    raise Errors::InvalidProcessCredentialsPayload.new('Invalid JSON response')
  end

  payload_version = creds_json['Version']
  return _parse_payload_format_v1(creds_json) if payload_version == 1

  raise Errors::InvalidProcessCredentialsPayload.new(
    "Invalid version #{payload_version} for credentials payload"
  )
end
near_expiration?(expiration_length) click to toggle source
# File lib/aws-sdk-core/process_credentials.rb, line 93
def near_expiration?(expiration_length)
  # are we within 5 minutes of expiration?
  @expiration && (Time.now.to_i + expiration_length) > @expiration.to_i
end
refresh() click to toggle source
# File lib/aws-sdk-core/process_credentials.rb, line 89
def refresh
  @credentials = credentials_from_process
end