class Fog::AWS::STS::Real

Public Class Methods

new(options={})

Initialize connection to STS

Notes

options parameter must include values for :aws_access_key_id and :aws_secret_access_key in order to create a connection that can make signed requests (assume_role, get_federation_token, get_session_token); assume_role_with_saml and assume_role_with_web_identity go through request_unsigned and do not need them.

Examples

sts = STS.new(
 :aws_access_key_id => your_aws_access_key_id,
 :aws_secret_access_key => your_aws_secret_access_key
)

Parameters

  • options<~Hash> - config arguments for connection. Defaults to {}.

Returns

  • STS object with connection to AWS.

# File lib/fog/aws/sts.rb, line 74
# Build an STS client: pick the region, derive credentials/signer from the
# options, then open the HTTP connection to the (default: regional, https)
# STS endpoint.
#
# ==== Parameters
# * options<~Hash> - connection configuration. Every key is optional; keys
#   not listed here are ignored. :region defaults to 'us-east-1' and is used
#   both for the default host and for the SigV4 signer. :host, :path, :port
#   and :scheme override the endpoint pieces; :persistent and
#   :connection_options are handed to the connection. :instrumentor /
#   :instrumentor_name configure request instrumentation. :use_iam_profile
#   is stored but nothing in this listing reads it.
#
# ==== Returns
# * STS object with connection to AWS (the connection is created even when
#   no access keys were given; only the signed request path needs them).
def initialize(options={})
  opt = ->(key, default) { options[key] || default }

  @use_iam_profile = options[:use_iam_profile]
  @region          = opt.(:region, 'us-east-1')
  # Needs @region: the signer is scoped to the region.
  setup_credentials(options)

  @instrumentor       = options[:instrumentor]
  @instrumentor_name  = opt.(:instrumentor_name, 'fog.aws.sts')
  @connection_options = opt.(:connection_options, {})

  # Endpoint defaults are the regional STS host over TLS. Overriding
  # :scheme to 'http' would put the form body -- which carries bearer
  # tokens on the unsigned path -- on the wire in clear text.
  @host       = opt.(:host, "sts.#{@region}.amazonaws.com")
  @path       = opt.(:path, '/')
  @persistent = opt.(:persistent, false)
  @port       = opt.(:port, 443)
  @scheme     = opt.(:scheme, 'https')

  endpoint    = "#{@scheme}://#{@host}:#{@port}#{@path}"
  @connection = Fog::XML::Connection.new(endpoint, @persistent, @connection_options)
end

Public Instance Methods

assume_role(role_session_name, role_arn, external_id=nil, policy=nil, duration=3600)

Assume Role

Parameters

  • role_session_name<~String> - An identifier for the assumed role.

  • role_arn<~String> - The ARN of the role the caller is assuming.

  • external_id<~String> - An optional unique identifier required by the assuming role's trust identity.

  • policy<~String> - An optional JSON policy document

  • duration<~Integer> - Duration (in seconds) for the assumed role credentials to be valid (default 3600)

Returns

  • response<~Excon::Response>:

    • body<~Hash>:

      • 'Arn'<~String>: The ARN of the assumed role/user

      • 'AccessKeyId'<~String>: The AWS access key of the temporary credentials for the assumed role

      • 'SecretAccessKey'<~String>: The AWS secret key of the temporary credentials for the assumed role

      • 'SessionToken'<~String>: The AWS session token of the temporary credentials for the assumed role

      • 'Expiration'<~Time>: The expiration time of the temporary credentials for the assumed role

See Also

docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

# File lib/fog/aws/requests/sts/assume_role.rb, line 29
# Assume Role: exchange the caller's (signed) credentials for temporary
# credentials scoped to +role_arn+.
#
# ==== Parameters
# * role_session_name<~String> - Identifier for the assumed-role session.
# * role_arn<~String> - ARN of the role being assumed.
# * external_id<~String> - Optional external id; sent as 'ExternalId'.
# * policy<~String> - Optional session policy. It is run through
#   Fog::JSON.encode, so a Hash is presumably what callers pass (a
#   pre-serialised JSON string would be encoded a second time) -- confirm
#   against callers. nil is forwarded as nil.
# * duration<~Integer> - Lifetime of the credentials in seconds (default
#   3600). Forwarded unchanged; the service enforces its own bounds.
#
# ==== Returns
# * response<~Excon::Response> parsed by Fog::Parsers::AWS::STS::AssumeRole
#   (body keys: 'Arn', 'AccessKeyId', 'SecretAccessKey', 'SessionToken',
#   'Expiration').
#
# Goes through the signed #request path, so the client must have been
# constructed with an access key pair.
def assume_role(role_session_name, role_arn, external_id=nil, policy=nil, duration=3600)
  encoded_policy = policy ? Fog::JSON.encode(policy) : policy

  params = {
    'Action'          => 'AssumeRole',
    'RoleSessionName' => role_session_name,
    'RoleArn'         => role_arn,
    'Policy'          => encoded_policy,
    'DurationSeconds' => duration,
    'ExternalId'      => external_id,
    :idempotent       => true,
    :parser           => Fog::Parsers::AWS::STS::AssumeRole.new
  }
  request(params)
end
assume_role_with_saml(role_arn, principal_arn, saml_assertion, policy=nil, duration=3600)

Assume Role with SAML

Parameters

  • role_arn<~String> - The ARN of the role the caller is assuming.

  • principal_arn<~String> - The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.

  • saml_assertion<~String> - The base-64 encoded SAML authentication response provided by the IdP.

  • policy<~String> - An optional JSON policy document

  • duration<~Integer> - Duration (in seconds) for the assumed role credentials to be valid (default 3600)

Returns

  • response<~Excon::Response>:

    • body<~Hash>:

      • 'Arn'<~String>: The ARN of the assumed role/user

      • 'AccessKeyId'<~String>: The AWS access key of the temporary credentials for the assumed role

      • 'SecretAccessKey'<~String>: The AWS secret key of the temporary credentials for the assumed role

      • 'SessionToken'<~String>: The AWS session token of the temporary credentials for the assumed role

      • 'Expiration'<~Time>: The expiration time of the temporary credentials for the assumed role

See Also

docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

# File lib/fog/aws/requests/sts/assume_role_with_saml.rb, line 29
# Assume Role with SAML: obtain temporary credentials for +role_arn+ using a
# SAML assertion from the IdP instead of AWS access keys.
#
# ==== Parameters
# * role_arn<~String> - ARN of the role being assumed.
# * principal_arn<~String> - ARN of the SAML provider in IAM describing the IdP.
# * saml_assertion<~String> - Base64-encoded SAML response from the IdP.
#   This is the credential for the call: it is sent in the POST form body
#   by #request_unsigned and is also part of the params handed to the
#   instrumentor, so instrumentation sinks should not log it.
# * policy<~String> - Optional session policy, JSON-encoded via
#   Fog::JSON.encode (presumably a Hash -- confirm against callers); nil is
#   forwarded as nil.
# * duration<~Integer> - Lifetime of the credentials in seconds (default 3600).
#
# ==== Returns
# * response<~Excon::Response> parsed by
#   Fog::Parsers::AWS::STS::AssumeRoleWithSAML.
#
# Uses #request_unsigned: no access key pair / signer is required.
def assume_role_with_saml(role_arn, principal_arn, saml_assertion, policy=nil, duration=3600)
  encoded_policy = policy ? Fog::JSON.encode(policy) : policy

  params = {
    'Action'          => 'AssumeRoleWithSAML',
    'RoleArn'         => role_arn,
    'PrincipalArn'    => principal_arn,
    'SAMLAssertion'   => saml_assertion,
    'Policy'          => encoded_policy,
    'DurationSeconds' => duration,
    :idempotent       => true,
    :parser           => Fog::Parsers::AWS::STS::AssumeRoleWithSAML.new
  }
  request_unsigned(params)
end
assume_role_with_web_identity(role_arn, web_identity_token, role_session_name, options={})
# File lib/fog/aws/requests/sts/assume_role_with_web_identity.rb, line 7
# Assume Role with Web Identity: obtain temporary credentials for +role_arn+
# using an OIDC / web identity token instead of AWS access keys.
#
# ==== Parameters
# * role_arn<~String> - ARN of the role being assumed.
# * web_identity_token<~String> - Identity token issued by the provider.
#   It is the credential for the call: sent in the POST form body by
#   #request_unsigned and included in the params given to the
#   instrumentor, so instrumentation sinks should not log it.
# * role_session_name<~String> - Identifier for the assumed-role session.
# * options<~Hash> - only :duration is read (seconds, default 3600); every
#   other key is ignored. Unlike #assume_role there is no way to attach a
#   session policy here.
#
# ==== Returns
# * response<~Excon::Response> parsed by
#   Fog::Parsers::AWS::STS::AssumeRoleWithWebIdentity.
#
# Uses #request_unsigned: no access key pair / signer is required.
def assume_role_with_web_identity(role_arn, web_identity_token, role_session_name, options={})
  duration = options[:duration] || 3600

  request_unsigned(
    'Action'           => 'AssumeRoleWithWebIdentity',
    'RoleArn'          => role_arn,
    'RoleSessionName'  => role_session_name,
    'WebIdentityToken' => web_identity_token,
    'DurationSeconds'  => duration,
    :idempotent        => true,
    :parser            => Fog::Parsers::AWS::STS::AssumeRoleWithWebIdentity.new
  )
end
get_federation_token(name, policy, duration=43200)

Get federation token

Parameters

  • name<~String>: The name of the federated user.

    Minimum length of 2. Maximum length of 32
    
  • policy<~String>: Optional policy that specifies the permissions that are granted to the federated user. Minimum length of 1. Maximum length of 2048
    
  • duration<~Integer>: Optional duration, in seconds, that the session

    should last.

Returns

  • response<~Excon::Response>:

    • body<~Hash>:

      • 'SessionToken'<~String> -

      • 'SecretAccessKey'<~String> -

      • 'Expiration'<~String> -

      • 'AccessKeyId'<~String> -

      • 'Arn'<~String> -

      • 'FederatedUserId'<~String> -

      • 'PackedPolicySize'<~String> -

      • 'RequestId'<~String> - Id of the request

See Also

docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html

# File lib/fog/aws/requests/sts/get_federation_token.rb, line 32
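# Get federation token: temporary credentials for a federated user named
# +name+, optionally restricted by +policy+.
#
# ==== Parameters
# * name<~String> - Name of the federated user (2..32 characters).
# * policy<~String> - Optional policy granted to the federated user. Like
#   #assume_role it is JSON-encoded with Fog::JSON.encode (so presumably a
#   Hash -- confirm against callers). Pass nil to omit it: nil is now
#   forwarded as nil instead of being encoded to the literal "null", which
#   is not a valid policy document.
# * duration<~Integer> - Optional session lifetime in seconds (default 43200).
#
# ==== Returns
# * response<~Excon::Response>. NOTE(review): the response is parsed with
#   Fog::Parsers::AWS::STS::GetSessionToken, not a GetFederationToken
#   parser -- confirm it actually exposes 'FederatedUserId' and
#   'PackedPolicySize' as the rdoc above lists.
#
# Goes through the signed #request path, so an access key pair is required.
def get_federation_token(name, policy, duration=43200)
  request({
    'Action'          => 'GetFederationToken',
    'Name'            => name,
    # Same nil handling as assume_role: only encode a policy that was given.
    'Policy'          => policy && Fog::JSON.encode(policy),
    'DurationSeconds' => duration,
    :idempotent       => true,
    :parser           => Fog::Parsers::AWS::STS::GetSessionToken.new
  })
end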
get_session_token(duration=43200)
# File lib/fog/aws/requests/sts/get_session_token.rb, line 7
# Get session token: temporary credentials for the caller's own identity.
#
# ==== Parameters
# * duration<~Integer> - Session lifetime in seconds (default 43200).
#   Forwarded unchanged; the service enforces its own bounds.
#
# ==== Returns
# * response<~Excon::Response> parsed by
#   Fog::Parsers::AWS::STS::GetSessionToken.
#
# Goes through the signed #request path, so an access key pair is required.
def get_session_token(duration=43200)
  params = {
    'Action'          => 'GetSessionToken',
    'DurationSeconds' => duration
  }
  params[:idempotent] = true
  params[:parser]     = Fog::Parsers::AWS::STS::GetSessionToken.new
  request(params)
end
reload()
# File lib/fog/aws/sts.rb, line 91
# Reset the underlying connection (e.g. to drop a stale persistent socket).
# Returns whatever the connection's #reset returns.
def reload
  connection = @connection
  connection.reset
end

Private Instance Methods

_request(body, headers, idempotent, parser)
# File lib/fog/aws/sts.rb, line 163
# POST an already-prepared form body to STS and map a non-200 reply onto the
# Fog::AWS::STS error hierarchy.
#
# ==== Parameters
# * body<~String> - URL-encoded form body, built by #request or #request_unsigned.
# * headers<~Hash> - request headers as produced by the caller.
# * idempotent<~Boolean> - forwarded to the connection as :idempotent;
#   presumably controls retry behaviour (Excon) -- confirm.
# * parser - response parser object handed to the connection.
#
# ==== Returns
# * response<~Excon::Response>; only a 200 reply is accepted (:expects => 200).
#
# ==== Raises
# * the original Excon error when its body does not match an AWS error
#   envelope; otherwise a Fog::AWS::STS subclass named after the error
#   code when the code is one of the five recognised names, else
#   Fog::AWS::STS::Error carrying "code => message".
def _request(body, headers, idempotent, parser)
  @connection.request({
    :body       => body,
    :expects    => 200,
    :idempotent => idempotent,
    :headers    => headers,
    :method     => 'POST',
    :parser     => parser
  })
rescue Excon::Errors::HTTPStatusError => error
  match = Fog::AWS::Errors.match_error(error)
  raise if match.empty?

  code, message = match[:code], match[:message]
  # Only these names are resolved with const_get; any other code the
  # service returns falls through to the generic error, so a response body
  # cannot select an arbitrary constant. (The list looks shared with the
  # IAM client -- presumably not all of them are ever raised by STS; confirm.)
  known_errors = %w[EntityAlreadyExists KeyPairMismatch LimitExceeded MalformedCertificate ValidationError]
  if known_errors.include?(code)
    raise Fog::AWS::STS.const_get(code).slurp(error, message)
  else
    raise Fog::AWS::STS::Error.slurp(error, "#{code} => #{message}")
  end
end
request(params)
# File lib/fog/aws/sts.rb, line 108
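# Sign +params+ with SigV4 and send them to STS.
#
# ==== Parameters
# * params<~Hash> - 'Action' and the action's string-keyed parameters, plus
#   :idempotent and :parser which are removed from the hash here (the
#   caller's hash is mutated) and passed on to #_request.
#
# ==== Returns
# * whatever #_request returns (an Excon::Response on success).
#
# ==== Raises
# * AwsAccessKeysMissing when no signer was set up, i.e. the client was
#   created without both :aws_access_key_id and :aws_secret_access_key.
#   (The previous message said "unsigned requests", which is the one path
#   that does *not* need keys; see #request_unsigned.)
def request(params)
  if @signer.nil?
    raise AwsAccessKeysMissing, "Can't make signed requests, need aws_access_key_id and aws_secret_access_key"
  end

  idempotent = params.delete(:idempotent)
  parser     = params.delete(:parser)

  # The signing helper produces both the encoded body and the headers that
  # carry the signature; a session token is included when one was given.
  body, headers = Fog::AWS.signed_params_v4(
    params,
    { 'Content-Type' => 'application/x-www-form-urlencoded' },
    {
      :method            => 'POST',
      :aws_session_token => @aws_session_token,
      :signer            => @signer,
      :host              => @host,
      :path              => @path,
      :port              => @port,
      :version           => '2011-06-15'
    }
  )

  return _request(body, headers, idempotent, parser) unless @instrumentor

  # The instrumentor sees the request params (not the signing key).
  @instrumentor.instrument("#{@instrumentor_name}.request", params) do
    _request(body, headers, idempotent, parser)
  end
end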
request_unsigned(params)
# File lib/fog/aws/sts.rb, line 139
# Send +params+ to STS without a SigV4 signature (for the SAML / web
# identity flows, where the token in the body is the credential).
#
# ==== Parameters
# * params<~Hash> - 'Action' and the action's string-keyed parameters, plus
#   :idempotent and :parser which are removed from the hash here (the
#   caller's hash is mutated) and passed on to #_request. 'Version' is
#   added. nil values are left out of the body.
#
# ==== Returns
# * whatever #_request returns (an Excon::Response on success).
#
# The same +params+ are handed to the instrumentor, so for the callers in
# this class that includes 'SAMLAssertion' / 'WebIdentityToken';
# instrumentation sinks that log payloads should redact those keys.
def request_unsigned(params)
  idempotent = params.delete(:idempotent)
  parser     = params.delete(:parser)

  params['Version'] = '2011-06-15'

  headers = { 'Content-Type' => 'application/x-www-form-urlencoded', 'Host' => @host }

  # Sorted key order and URL-escaped values, joined as a form body.
  pairs = params.keys.sort.each_with_object([]) do |key, acc|
    value = params[key]
    next if value.nil?
    acc << "#{key}=#{Fog::AWS.escape(value.to_s)}"
  end
  body = pairs.join('&')

  return _request(body, headers, idempotent, parser) unless @instrumentor

  @instrumentor.instrument("#{@instrumentor_name}.request", params) do
    _request(body, headers, idempotent, parser)
  end
end
setup_credentials(options)
# File lib/fog/aws/sts.rb, line 97
# Store the credential options and, when both halves of the access key pair
# are present, build the SigV4 signer used by #request.
#
# ==== Parameters
# * options<~Hash> - read for :aws_access_key_id, :aws_secret_access_key,
#   :aws_session_token and :aws_credentials_expire_at. All are optional.
#
# ==== Returns
# * the new signer when one was built, nil otherwise.
#
# Without a signer only #request_unsigned callers work; #request raises.
# @aws_credentials_expire_at is stored but nothing in this listing reads it,
# so no automatic credential refresh is visible here -- confirm elsewhere.
def setup_credentials(options)
  key_id, secret, session_token, expire_at = options.values_at(
    :aws_access_key_id, :aws_secret_access_key, :aws_session_token, :aws_credentials_expire_at
  )

  @aws_access_key_id         = key_id
  @aws_secret_access_key     = secret
  @aws_session_token         = session_token
  @aws_credentials_expire_at = expire_at

  return unless key_id && secret

  # Signer is scoped to the region chosen in #initialize and the 'sts' service.
  @signer = Fog::AWS::SignatureV4.new(key_id, secret, @region, 'sts')
end