| Copyright | (c) 2013-2023 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
| Stability | provisional |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
| Language | Haskell2010 |
Amazonka.Auth.ConfigFile
Description
Retrieve authentication credentials from AWS config/credentials files.
Synopsis
- fromFilePath :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) => Text -> FilePath -> FilePath -> Env' withAuth -> m Env
- mergeConfigs :: HashMap Text [(Text, Text)] -> HashMap Text [(Text, Text)] -> HashMap Text (HashMap Text Text)
- parseConfigProfile :: HashMap Text Text -> Maybe (ConfigProfile, Maybe Region)
- data ConfigProfile
- data CredentialSource
- fromFileEnv :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) => Env' withAuth -> m Env
- configPathRelative :: String -> IO String
Documentation
Arguments
| :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) | |
| => Text | Profile name |
| -> FilePath | Credentials file |
| -> FilePath | Config file |
| -> Env' withAuth | |
| -> m Env |
Retrieve credentials from the AWS config/credentials files, as Amazonka currently understands them:
- AWS recommends that credentials do not live in the config file, but allows it. You should instead define them in the credentials file.
- You can set role_arn together with either source_profile, credential_source, or web_identity_token_file. Unlike the standard SDK, we only support role_session_name for web_identity_token_file and not the other AssumeRole methods. This might be fixed in the future.
- If you set role_arn and source_profile, the source profile's credentials will be used to assume the role.
- If you set role_arn and credential_source, the credentials are retrieved from the specified source. The source can be one of Environment, Ec2InstanceMetadata, or EcsContainer.
- If you set role_arn and web_identity_token_file, the OIDC token in the file will be used to assume the role. You can also set role_session_name to specify the name of the session.
- Finally, you can configure assuming a role using AWS Identity Center (formerly AWS SSO) by setting sso_start_url, sso_region, sso_account_id, and sso_role_name in your profile section. Amazonka currently does not initiate the SSO login flow, so you will have to do that yourself using the AWS CLI. Amazonka will then look in ~/.aws/sso/cache for a cached token.
- We currently only support Legacy SSO profiles and do not support setting common SSO settings in a [sso-session name] section or support token refresh. So use the following guide to set up your AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-legacy.html
- Sections in the config file should be named either [default] or [profile foo]. Unprefixed [foo] currently "happens to work" but is not officially supported, to match the observed behaviour of the AWS SDK/CLI.
- Sections in the credentials file are always unprefixed: [default] or [foo].
See: the ConfigProfile type, to understand the methods Amazonka
currently supports.
parseConfigProfile :: HashMap Text Text -> Maybe (ConfigProfile, Maybe Region)
data ConfigProfile
Constructors
| ExplicitKeys AuthEnv | Recognizes |
| AssumeRoleFromProfile Text Text | Recognizes |
| AssumeRoleFromCredentialSource Text CredentialSource | Recognizes |
| AssumeRoleWithWebIdentity Text (Maybe Text) FilePath | Recognizes |
| AssumeRoleViaSSO Text Region Text Text | Recognizes |
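An added example, not part of the Amazonka documentation: it runs parseConfigProfile over constructed profile maps, one per key combination listed above, to audit which credential method each profile resolves to. It assumes the amazonka, unordered-containers and text packages are available; aws_access_key_id and aws_secret_access_key are the standard AWS key names (not listed on this page), and every profile name, ARN, URL and key value is a placeholder.

```haskell
{-# LANGUAGE OverloadedStrings #-}

module Main (main) where

import Amazonka.Auth.ConfigFile (ConfigProfile (..), parseConfigProfile)
import Data.Foldable (for_)
import Data.HashMap.Strict (HashMap)
import qualified Data.HashMap.Strict as HashMap
import Data.Text (Text)
import qualified Data.Text.IO as Text

-- | Name the credential method parseConfigProfile selects for one profile's
-- key/value pairs, or report that no supported key combination is present.
method :: HashMap Text Text -> Text
method kvs = case fst <$> parseConfigProfile kvs of
  Nothing -> "not recognised"
  Just ExplicitKeys {} -> "static access keys"
  Just AssumeRoleFromProfile {} -> "assume role via source_profile"
  Just AssumeRoleFromCredentialSource {} -> "assume role via credential_source"
  Just AssumeRoleWithWebIdentity {} -> "assume role via web_identity_token_file"
  Just AssumeRoleViaSSO {} -> "assume role via cached SSO token"

-- Constructed sample profiles; every name, ARN, URL and key is a placeholder.
samples :: [(Text, HashMap Text Text)]
samples =
  [ ("legacy-keys", HashMap.fromList
      [("aws_access_key_id", "AKIAEXAMPLEEXAMPLE00"), ("aws_secret_access_key", "placeholder")])
  , ("admin", HashMap.fromList
      [("role_arn", "arn:aws:iam::111111111111:role/Admin"), ("source_profile", "legacy-keys")])
  , ("on-ec2", HashMap.fromList
      [("role_arn", "arn:aws:iam::111111111111:role/App"), ("credential_source", "Ec2InstanceMetadata")])
  , ("ci", HashMap.fromList
      [ ("role_arn", "arn:aws:iam::111111111111:role/Deploy")
      , ("web_identity_token_file", "/var/run/secrets/token")
      , ("role_session_name", "ci-run") ])
  , ("sso", HashMap.fromList
      [ ("sso_start_url", "https://example.awsapps.com/start"), ("sso_region", "eu-west-1")
      , ("sso_account_id", "111111111111"), ("sso_role_name", "ReadOnly") ])
  , ("incomplete", HashMap.fromList [("role_arn", "arn:aws:iam::111111111111:role/Orphan")])
  ]

-- Print one line per profile: its name and the method it resolves to.
main :: IO ()
main = for_ samples $ \(name, kvs) -> Text.putStrLn (name <> ": " <> method kvs)
```

Profiles that resolve to static access keys are the ones to review first when moving a workstation or CI runner to role-based or SSO-based credentials.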
data CredentialSource
Constructors
| Environment | |
| Ec2InstanceMetadata | |
| EcsContainer |
Instances
- Generic CredentialSource (defined in Amazonka.Auth.ConfigFile)
  - from :: CredentialSource -> Rep CredentialSource x
  - to :: Rep CredentialSource x -> CredentialSource
- Show CredentialSource (defined in Amazonka.Auth.ConfigFile)
  - showsPrec :: Int -> CredentialSource -> ShowS
  - show :: CredentialSource -> String
  - showList :: [CredentialSource] -> ShowS
- Eq CredentialSource (defined in Amazonka.Auth.ConfigFile)
  - (==) :: CredentialSource -> CredentialSource -> Bool
  - (/=) :: CredentialSource -> CredentialSource -> Bool
- type Rep CredentialSource (defined in Amazonka.Auth.ConfigFile)
  - type Rep CredentialSource = D1 ('MetaData "CredentialSource" "Amazonka.Auth.ConfigFile" "amazonka-2.0-2bCDfcageaLEnU0WAFn9CF" 'False) (C1 ('MetaCons "Environment" 'PrefixI 'False) (U1 :: Type -> Type) :+: (C1 ('MetaCons "Ec2InstanceMetadata" 'PrefixI 'False) (U1 :: Type -> Type) :+: C1 ('MetaCons "EcsContainer" 'PrefixI 'False) (U1 :: Type -> Type)))
fromFileEnv :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) => Env' withAuth -> m Env
Loads the default config/credentials INI files and selects a
profile by environment variable (AWS_PROFILE).
Throws MissingFileError if credFile is missing, or InvalidFileError
if an error occurs during parsing.
If AWS_SHARED_CREDENTIALS_FILE is set, it will be used instead of looking
for .aws/credentials in the HOME directory.
If AWS_CONFIG_FILE is set, it will be used instead of looking for
.aws/config in the HOME directory.
If AWS_PROFILE is set, it will be used instead of the default profile.
This looks in the HOME directory as determined by the
directory library.
- Not Windows: $HOME/.aws/credentials
- Windows: %USERPROFILE%\.aws\credentials