Last active
March 12, 2020 12:45
-
-
Save zetafish/bea49cae9abe7e6dec937abed305d0ca to your computer and use it in GitHub Desktop.
Implement default credentials provider that supports AWS_WEB_IDENTITY_TOKEN for use with cognitect's aws libs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (ns zetafish.aws.credentials | |
| (:require [clojure.java.io :as io] | |
| [clojure.tools.logging :as log] | |
| [cognitect.aws.client.api :as aws] | |
| [cognitect.aws.credentials :as credentials])) | |
| (defn- web-identity-token-credentials-provider | |
| "Returns credentials from AWS_WEB_IDENTITY_TOKEN_FILE. See also: | |
| https://github.com/cognitect-labs/aws-api/blob/master/examples/assume_role_example.clj | |
| https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-core/src/main/java/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.java" | |
| [] | |
| (let [role-arn (System/getenv "AWS_ROLE_ARN") | |
| f (io/file (System/getenv "AWS_WEB_IDENTITY_TOKEN_FILE")) | |
| session #(str "session-" (System/currentTimeMillis)) | |
| sts (aws/client {:api :sts | |
| :region "eu-west-1" | |
| :credentials-provider (credentials/basic-credentials-provider | |
| {:access-key-id "FAKE" | |
| :secret-access-key "FAKE"})})] | |
| (credentials/cached-credentials-with-auto-refresh | |
| (reify credentials/CredentialsProvider | |
| (fetch [_] | |
| (when (.exists f) | |
| (try | |
| (let [token (slurp f)] | |
| (when-let [creds (:Credentials | |
| (aws/invoke sts | |
| {:op :AssumeRoleWithWebIdentity | |
| :request {:RoleArn role-arn | |
| :RoleSessionName (session) | |
| :WebIdentityToken token}}))] | |
| {:aws/access-key-id (:AccessKeyId creds) | |
| :aws/secret-access-key (:SecretAccessKey creds) | |
| :aws/session-token (:SessionToken creds) | |
| ::credentials/ttl (credentials/calculate-ttl creds)})) | |
| (catch Throwable t | |
| (log/error t "Error fetching credentials"))))))))) | |
| (defn default-credentials-provider | |
| "Modified version of the `credentials/default-credentials-provider` | |
| to support Web Identity Tokens." | |
| [http-client] | |
| (credentials/chain-credentials-provider | |
| [(credentials/environment-credentials-provider) | |
| (credentials/system-property-credentials-provider) | |
| (credentials/profile-credentials-provider) | |
| (web-identity-token-credentials-provider) | |
| (credentials/container-credentials-provider http-client) | |
| (credentials/instance-profile-credentials-provider http-client)])) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {:paths ["."] | |
| :deps {com.cognitect.aws/api {:mvn/version "0.8.445"} | |
| com.cognitect.aws/endpoints {:mvn/version "1.1.11.732"} | |
| com.cognitect.aws/sts {:mvn/version "773.2.578.0"}}} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment