| Copyright | (c) 2013-2023 Brendan Hay |
|---|---|
| License | Mozilla Public License, v. 2.0. |
| Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
| Stability | provisional |
| Portability | non-portable (GHC extensions) |
| Safe Haskell | None |
| Language | Haskell2010 |
Amazonka.Auth
Description
Explicitly specify your Amazon AWS security credentials, or retrieve them from the underlying OS.
The format of environment variables and the credentials file follows the official AWS SDK guidelines.
Synopsis
- data Auth
- withAuth :: MonadIO m => Auth -> (AuthEnv -> m a) -> m a
- discover :: forall m (withAuth :: Type -> Type). (MonadCatch m, MonadIO m, Foldable withAuth) => Env' withAuth -> m Env
- runCredentialChain :: MonadCatch m => [a -> m b] -> a -> m b
- fromKeys :: forall (withAuth :: Type -> Type). AccessKey -> SecretKey -> Env' withAuth -> Env
- fromSession :: forall (withAuth :: Type -> Type). AccessKey -> SecretKey -> SessionToken -> Env' withAuth -> Env
- fromTemporarySession :: forall (withAuth :: Type -> Type). AccessKey -> SecretKey -> SessionToken -> UTCTime -> Env' withAuth -> Env
- fromKeysEnv :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env
- fromFilePath :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) => Text -> FilePath -> FilePath -> Env' withAuth -> m Env
- fromFileEnv :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) => Env' withAuth -> m Env
- fromContainer :: forall m (withAuth :: Type -> Type). MonadIO m => Text -> Env' withAuth -> m Env
- fromContainerEnv :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env
- fromAssumedRole :: MonadIO m => Text -> Text -> Env -> m Env
- fromWebIdentity :: forall m (withAuth :: Type -> Type). MonadIO m => FilePath -> Text -> Maybe Text -> Env' withAuth -> m Env
- fromWebIdentityEnv :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env
- fromDefaultInstanceProfile :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env
- fromNamedInstanceProfile :: forall m (withAuth :: Type -> Type). MonadIO m => Text -> Env' withAuth -> m Env
- fromSSO :: forall m (withAuth :: Type -> Type). MonadIO m => FilePath -> Region -> Text -> Text -> Env' withAuth -> m Env
- newtype AccessKey = AccessKey ByteString
- newtype SecretKey = SecretKey ByteString
- newtype SessionToken = SessionToken ByteString
- class AsAuthError a where
- data AuthError
- type Env = Env' Identity
- type EnvNoAuth = Env' (Proxy :: Type -> Type)
- data Env' (withAuth :: Type -> Type) = Env {}
Authentication
Retrieving Authentication
An authorisation environment containing AWS credentials, and potentially a reference which can be refreshed out-of-band as temporary credentials expire.
Instances
| ToLog Auth | |
Defined in Amazonka.Types Methods build :: Auth -> ByteStringBuilder Source # | |
Automatically Fetching Credentials
discover :: forall m (withAuth :: Type -> Type). (MonadCatch m, MonadIO m, Foldable withAuth) => Env' withAuth -> m Env Source #
Attempt to fetch credentials in a way similar to the official AWS SDKs. The C++ SDK lists the following sequence:
- Check environment variables for keys provided directly
(
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY, optionallyAWS_SESSION_TOKEN) - Check credentials/config files for authentication information,
respecting the
AWS_PROFILEenvironment variable. - Exchange a Web Identity for AWS Credentials using
sts:AssumeRoleWithWebIdentity, respecting theAWS_WEB_IDENTITY_TOKEN_FILE,AWS_ROLE_ARN, and optionally theAWS_ROLE_SESSION_NAMEenvironment variables. - Retrieve credentials from the ECS Container Agent if the
AWS_CONTAINER_CREDENTIALS_RELATIVE_URIenvironment variable is set. Attempt to retrieve the first available IAM profile from the instance identity document, by trying to contact an IMDS at http://169.254.169.254. On success, also use this to set the
Region.NOTE: This is not 100% consistent with the AWS SDKs, which does not attempt to query the ECS service if either
AWS_CONTAINER_CREDENTIALS_RELATIVE_URIorAWS_CONTAINER_CREDENTIALS_FULL_URIare set.
Credential Providers
runCredentialChain :: MonadCatch m => [a -> m b] -> a -> m b Source #
Compose a list of credential-providing functions by testing each
until one returns successfully. If they throw AuthError, the next
function in the chain will be tried. Throws
CredentialChainExhausted if the list is exhausted.
fromKeys :: forall (withAuth :: Type -> Type). AccessKey -> SecretKey -> Env' withAuth -> Env Source #
Explicit access and secret keys.
fromSession :: forall (withAuth :: Type -> Type). AccessKey -> SecretKey -> SessionToken -> Env' withAuth -> Env Source #
Temporary credentials from a STS session consisting of the access key, secret key, and session token.
See: fromTemporarySession
fromTemporarySession :: forall (withAuth :: Type -> Type). AccessKey -> SecretKey -> SessionToken -> UTCTime -> Env' withAuth -> Env Source #
Temporary credentials from a STS session consisting of the access key, secret key, session token, and expiration time.
See: fromSession
fromKeysEnv :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env Source #
Retrieve access key, secret key and a session token from environment variables. We copy the behaviour of the SDKs and respect the following variables:
AWS_ACCESS_KEY_ID(and its alternate name,AWS_ACCESS_KEY)AWS_SECRET_ACCESS_KEY(and its alternate name,AWS_SECRET_KEY)AWS_SESSION_TOKEN(if present)
Throws MissingEnvError if a required environment variable is
empty or unset.
Arguments
| :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) | |
| => Text | Profile name |
| -> FilePath | Credentials file |
| -> FilePath | Config file |
| -> Env' withAuth | |
| -> m Env |
Retrieve credentials from the AWS config/credentials files, as Amazonka currently understands them:
- AWS recommends credentials do not live in the config file, but allows it. You should instead define them in the credentials file.
- You can set
role_arntogether with eithersource_profile,credential_source, orweb_identity_token_file. Unlike the standard SDK we only supportrole_session_nameforweb_identity_token_fileand not the other AssumeRole methods. This might be fixed in the future. - If you set
role_arnandsource_profile, the source profile's credentials will be used to assume the role. - If you set
role_arnandcredential_source, the credentials are retrieved from the specified source. The source can be one ofEnvironment,Ec2InstanceMetadata, orEcsContainer. - If you set
role_arnandweb_identity_token_file, the OIDC token in the file will be used to assume the role. You can also setrole_session_nameto specify the name of the session. - You can finally also configure assuming a role using AWS Identity Center
(Formerly AWS SSO) by setting
sso_start_url,sso_region,sso_account_id, andsso_role_namein your profile section. Amazonka currently does not initiate the SSO login flow, so you will have to do that yourself using the AWS CLI. Amazonka will then look in~/.aws/sso/cachefor a cached token. - We currently only support
LegacySSO profiles and do not support setting common SSO settings in a[sso-session name]section or support token refresh. So use the following guide to set up your AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-legacy.html - Sections in the config file start should either be named
[default]or[profile foo]. Unprefixed[foo]currently "happens to work" but is not officially supported, to match the observed behaviour of the AWS SDK/CLI. - Sections in the credentials file are always unprefixed -
[default]or[foo].
See: the ConfigProfile type, to understand the methods Amazonka
currently supports.
fromFileEnv :: forall m (withAuth :: Type -> Type). (MonadIO m, Foldable withAuth) => Env' withAuth -> m Env Source #
Loads the default config/credentials INI files and selects a
profile by environment variable (AWS_PROFILE).
Throws MissingFileError if credFile is missing, or InvalidFileError
if an error occurs during parsing.
If AWS_SHARED_CREDENTIALS_FILE is set, it will be used instead of looking
for .aws/credentials in the HOME directory
If AWS_CONFIG_FILE is set, it will be used instead of looking for
.aws/config in the HOME directory.
If AWS_PROFILE is set, it will be used instead of the default profile
This looks in in the HOME directory as determined by the
directory library.
- Not Windows:
$HOME/.aws/credentials - Windows:
%USERPROFILE%\.aws\credentials
Arguments
| :: forall m (withAuth :: Type -> Type). MonadIO m | |
| => Text | Absolute URL |
| -> Env' withAuth | |
| -> m Env |
Obtain credentials exposed to a task via the ECS container agent, as described in the IAM Roles for Tasks section of the AWS ECS documentation. The credentials are obtained by making a request to the given URL.
The ECS container agent provides an access key, secret key, session token, and expiration time. As these are temporary credentials, this function also starts a refresh thread that will periodically fetch fresh credentials before the current ones expire.
fromContainerEnv :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env Source #
Obtain credentials from the ECS container agent, by querying
http://169.254.170.2 at the path contained by the
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
Throws MissingEnvError if the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
environment variable is not set or InvalidIAMError if the payload returned
by the ECS container agent is not of the expected format.
NOTE: We do not currently respect the
AWS_CONTAINER_CREDENTIALS_FULL_URI or AWS_CONTAINTER_AUTHORIZATION_TOKEN
environment variable. If you need support for these, please file a PR.
Assume a role using the sts:AssumeRole API.
This is a simplified interface suitable for most purposes, but if
you need the full functionality of the sts:AssumeRole API, you
will need to craft your own requests using amazonka-sts. If you
do this, remember to use fetchAuthInBackground so that your
application does not get stuck holding temporary credentials which
have expired.
Arguments
| :: forall m (withAuth :: Type -> Type). MonadIO m | |
| => FilePath | Path to token file |
| -> Text | Role ARN |
| -> Maybe Text | Role Session Name |
| -> Env' withAuth | |
| -> m Env |
https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
Obtain temporary credentials from sts:AssumeRoleWithWebIdentity.
The STS service provides an access key, secret key, session token, and expiration time. Also spawns a refresh thread that will periodically fetch fresh credentials before the current ones expire.
The implementation is modelled on the C++ SDK: https://github.com/aws/aws-sdk-cpp/blob/6d6dcdbfa377393306bf79585f61baea524ac124/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp#L33
fromWebIdentityEnv :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env Source #
Obtain temporary credentials from
sts:AssumeRoleWithWebIdentity, sourcing arguments from standard
environment variables:
AWS_WEB_IDENTITY_TOKEN_FILE
AWS_ROLE_ARN
AWS_ROLE_SESSION_NAME(optional)
Throws MissingEnvError if a required environment variable is
empty or unset.
fromDefaultInstanceProfile :: forall m (withAuth :: Type -> Type). MonadIO m => Env' withAuth -> m Env Source #
Retrieve the default IAM Profile from the local EC2 instance-data.
The default IAM profile is determined by Amazon as the first profile found
in the response from:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
Throws RetrievalError if the HTTP call fails, or InvalidIAMError if
the default IAM profile cannot be read.
fromNamedInstanceProfile :: forall m (withAuth :: Type -> Type). MonadIO m => Text -> Env' withAuth -> m Env Source #
Lookup a specific IAM Profile by name from the local EC2 instance-data.
Additionally starts a refresh thread for the given authentication environment.
The resulting IORef wrapper + timer is designed so that multiple concurrent
accesses of AuthEnv from the AWS environment are not required to calculate
expiry and sequentially queue to update it.
The forked timer ensures a singular owner and pre-emptive refresh of the temporary session credentials before expiration.
A weak reference is used to ensure that the forked thread will eventually
terminate when Auth is no longer referenced.
If no session token or expiration time is present the credentials will be returned verbatim.
Arguments
| :: forall m (withAuth :: Type -> Type). MonadIO m | |
| => FilePath | |
| -> Region | |
| -> Text | Account ID |
| -> Text | Role Name |
| -> Env' withAuth | |
| -> m Env |
Assume a role using an SSO Token.
The user must have previously called aws sso login, and pass in the path to
the cached token file, along with SSO region, account ID and role name.
(fromFilePath understands the sso_ variables
used by the official AWS CLI and will call fromSSO for you.) This function
uses fetchAuthInBackground to refresh the credentials as long as the token
in the sso/cache file is not expired. When it has, the user will need to
aws sso login again.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
Keys
An access key ID.
For example: AKIAIOSFODNN7EXAMPLE
Constructors
| AccessKey ByteString |
Instances
Secret access key credential.
For example: wJalrXUtnFEMIK7MDENGbPxRfiCYEXAMPLEKE
Constructors
| SecretKey ByteString |
Instances
| FromJSON SecretKey | |||||
| ToJSON SecretKey | |||||
| ToByteString SecretKey | |||||
Defined in Amazonka.Types Methods toBS :: SecretKey -> ByteString Source # | |||||
| FromText SecretKey | |||||
| ToText SecretKey | |||||
| FromXML SecretKey | |||||
| ToXML SecretKey | |||||
| NFData SecretKey | |||||
Defined in Amazonka.Types | |||||
| IsString SecretKey | |||||
Defined in Amazonka.Types Methods fromString :: String -> SecretKey # | |||||
| Generic SecretKey | |||||
Defined in Amazonka.Types Associated Types
| |||||
| Eq SecretKey | |||||
| Hashable SecretKey | |||||
| type Rep SecretKey | |||||
Defined in Amazonka.Types type Rep SecretKey = D1 ('MetaData "SecretKey" "Amazonka.Types" "amazonka-core-2.0-Lr9QBP0zdJb4HQ0AAGpJJr" 'True) (C1 ('MetaCons "SecretKey" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString))) | |||||
newtype SessionToken Source #
A session token used by STS to temporarily authorise access to an AWS resource.
Constructors
| SessionToken ByteString |
Instances
| FromJSON SessionToken | |||||
Defined in Amazonka.Types Methods parseJSON :: Value -> Parser SessionToken Source # parseJSONList :: Value -> Parser [SessionToken] Source # | |||||
| ToJSON SessionToken | |||||
Defined in Amazonka.Types Methods toJSON :: SessionToken -> Value Source # toEncoding :: SessionToken -> Encoding Source # toJSONList :: [SessionToken] -> Value Source # toEncodingList :: [SessionToken] -> Encoding Source # omitField :: SessionToken -> Bool Source # | |||||
| ToByteString SessionToken | |||||
Defined in Amazonka.Types Methods toBS :: SessionToken -> ByteString Source # | |||||
| FromText SessionToken | |||||
Defined in Amazonka.Types | |||||
| ToText SessionToken | |||||
Defined in Amazonka.Types Methods toText :: SessionToken -> Text Source # | |||||
| FromXML SessionToken | |||||
Defined in Amazonka.Types | |||||
| ToXML SessionToken | |||||
Defined in Amazonka.Types Methods toXML :: SessionToken -> XML Source # | |||||
| NFData SessionToken | |||||
Defined in Amazonka.Types Methods rnf :: SessionToken -> () # | |||||
| IsString SessionToken | |||||
Defined in Amazonka.Types Methods fromString :: String -> SessionToken # | |||||
| Generic SessionToken | |||||
Defined in Amazonka.Types Associated Types
| |||||
| Eq SessionToken | |||||
Defined in Amazonka.Types | |||||
| Hashable SessionToken | |||||
Defined in Amazonka.Types | |||||
| type Rep SessionToken | |||||
Defined in Amazonka.Types type Rep SessionToken = D1 ('MetaData "SessionToken" "Amazonka.Types" "amazonka-core-2.0-Lr9QBP0zdJb4HQ0AAGpJJr" 'True) (C1 ('MetaCons "SessionToken" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 ByteString))) | |||||
Handling Errors
class AsAuthError a where Source #
Minimal complete definition
Methods
_AuthError :: Prism' a AuthError Source #
A general authentication error.
_RetrievalError :: Prism' a HttpException Source #
An error occured while communicating over HTTP with the local metadata endpoint.
_MissingEnvError :: Prism' a Text Source #
The named environment variable was not found.
_MissingFileError :: Prism' a FilePath Source #
The specified credentials file could not be found.
_InvalidFileError :: Prism' a Text Source #
An error occured parsing the credentials file.
_InvalidIAMError :: Prism' a Text Source #
The specified IAM profile could not be found or deserialised.
Instances
| AsAuthError AuthError Source # | |
Defined in Amazonka.Auth.Exception | |
| AsAuthError SomeException Source # | |
Defined in Amazonka.Auth.Exception | |
An error thrown when attempting to read AuthN/AuthZ information.
Constructors
| RetrievalError HttpException | |
| MissingEnvError Text | |
| MissingFileError FilePath | |
| InvalidFileError Text | |
| InvalidIAMError Text | |
| CredentialChainExhausted | |
| AuthServiceError ServiceError | |
| OtherAuthError SomeException |
Instances
| AsAuthError AuthError Source # | |||||
Defined in Amazonka.Auth.Exception | |||||
| ToLog AuthError Source # | |||||
Defined in Amazonka.Auth.Exception Methods build :: AuthError -> ByteStringBuilder Source # | |||||
| Exception AuthError Source # | |||||
Defined in Amazonka.Auth.Exception Methods toException :: AuthError -> SomeException # fromException :: SomeException -> Maybe AuthError # displayException :: AuthError -> String # backtraceDesired :: AuthError -> Bool # | |||||
| Generic AuthError Source # | |||||
Defined in Amazonka.Auth.Exception Associated Types
| |||||
| Show AuthError Source # | |||||
| type Rep AuthError Source # | |||||
Defined in Amazonka.Auth.Exception type Rep AuthError = D1 ('MetaData "AuthError" "Amazonka.Auth.Exception" "amazonka-2.0-2bCDfcageaLEnU0WAFn9CF" 'False) (((C1 ('MetaCons "RetrievalError" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 HttpException)) :+: C1 ('MetaCons "MissingEnvError" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) :+: (C1 ('MetaCons "MissingFileError" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 FilePath)) :+: C1 ('MetaCons "InvalidFileError" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text)))) :+: ((C1 ('MetaCons "InvalidIAMError" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text)) :+: C1 ('MetaCons "CredentialChainExhausted" 'PrefixI 'False) (U1 :: Type -> Type)) :+: (C1 ('MetaCons "AuthServiceError" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 ServiceError)) :+: C1 ('MetaCons "OtherAuthError" 'PrefixI 'False) (S1 ('MetaSel ('Nothing :: Maybe Symbol) 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 SomeException))))) | |||||
Env'
type Env = Env' Identity Source #
An environment with auth credentials. Most AWS requests need one
of these, and you can create one with newEnv.
type EnvNoAuth = Env' (Proxy :: Type -> Type) Source #
An environment with no auth credentials. Used for certain
requests which need to be unsigned, like
sts:AssumeRoleWithWebIdentity, and you can create one with
newEnvNoAuth if you need it.
data Env' (withAuth :: Type -> Type) Source #
The environment containing the parameters required to make AWS requests.
This type tracks whether or not we have credentials at the type level, to avoid "presigning" requests when we lack auth information.
Constructors
| Env | |
Instances
| Generic (Env' withAuth) Source # | |||||
Defined in Amazonka.Env Associated Types
| |||||
| type Rep (Env' withAuth) Source # | |||||
Defined in Amazonka.Env type Rep (Env' withAuth) = D1 ('MetaData "Env'" "Amazonka.Env" "amazonka-2.0-2bCDfcageaLEnU0WAFn9CF" 'False) (C1 ('MetaCons "Env" 'PrefixI 'True) ((S1 ('MetaSel ('Just "region") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Region) :*: (S1 ('MetaSel ('Just "logger") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Logger) :*: S1 ('MetaSel ('Just "hooks") 'NoSourceUnpackedness 'SourceLazy 'DecidedLazy) (Rec0 Hooks))) :*: ((S1 ('MetaSel ('Just "retryCheck") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Int -> HttpException -> Bool)) :*: S1 ('MetaSel ('Just "overrides") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Service -> Service))) :*: (S1 ('MetaSel ('Just "manager") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Manager) :*: S1 ('MetaSel ('Just "auth") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (withAuth Auth)))))) | |||||