class Fog::AWS::STS::Real
Public Class Methods
Initialize connection to STS
Notes
options parameter must include values for :aws_access_key_id and :aws_secret_access_key in order to create a connection
Examples
iam = STS.new( :aws_access_key_id => your_aws_access_key_id, :aws_secret_access_key => your_aws_secret_access_key )
Parameters
-
options<~Hash> - config arguments for connection. Defaults to {}.
Returns
# File lib/fog/aws/sts.rb, line 74
# Build an STS client from a config hash.
#
# @param options [Hash] connection config. Recognised keys: :use_iam_profile,
#   :region (default 'us-east-1'), :instrumentor, :instrumentor_name
#   (default 'fog.aws.sts'), :connection_options, :host
#   (default "sts.<region>.amazonaws.com"), :path ('/'), :persistent (false),
#   :port (443), :scheme ('https'), plus the credential keys read by
#   #setup_credentials.
def initialize(options={})
  @use_iam_profile = options[:use_iam_profile]
  # Region is resolved before the credentials because the signer built in
  # #setup_credentials is scoped to it.
  @region = options[:region] || 'us-east-1'
  setup_credentials(options)

  @instrumentor       = options[:instrumentor]
  @instrumentor_name  = options[:instrumentor_name] || 'fog.aws.sts'
  @connection_options = options[:connection_options] || {}

  # Endpoint pieces. Defaults point at the regional HTTPS endpoint on 443;
  # a :host/:scheme override redirects every request (credentials included)
  # to the endpoint given, so these should only come from trusted config.
  @host       = options[:host] || "sts.#{@region}.amazonaws.com"
  @path       = options[:path] || '/'
  @persistent = options[:persistent] || false
  @port       = options[:port] || 443
  @scheme     = options[:scheme] || 'https'

  endpoint = "#{@scheme}://#{@host}:#{@port}#{@path}"
  @connection = Fog::XML::Connection.new(endpoint, @persistent, @connection_options)
end
Public Instance Methods
Assume Role
Parameters
-
role_session_name<~String> - An identifier for the assumed role.
-
role_arn<~String> - The ARN of the role the caller is assuming.
-
external_id<~String> - An optional unique identifier required by the assuming role's trust identity.
-
policy<~String> - An optional JSON policy document
-
duration<~Integer> - Duration (in seconds) for the assumed role credentials to be valid (default 3600)
Returns
-
response<~Excon::Response>:
-
body<~Hash>:
-
'Arn'<~String>: The ARN of the assumed role/user
-
'AccessKeyId'<~String>: The AWS access key of the temporary credentials for the assumed role
-
'SecretAccessKey'<~String>: The AWS secret key of the temporary credentials for the assumed role
-
'SessionToken'<~String>: The AWS session token of the temporary credentials for the assumed role
-
'Expiration'<~Time>: The expiration time of the temporary credentials for the assumed role
-
-
See Also
docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
# File lib/fog/aws/requests/sts/assume_role.rb, line 29
# Call AssumeRole and return temporary credentials for +role_arn+.
#
# This goes through the signed #request path, so the client needs its own
# access keys.
#
# @param role_session_name [String] identifier recorded for the assumed session
# @param role_arn [String] ARN of the role to assume
# @param external_id [String, nil] value the target role's trust policy may
#   require; sent as 'ExternalId' (nil when omitted)
# @param policy [String, Hash, nil] optional session policy; JSON-encoded before sending
# @param duration [Integer] credential lifetime in seconds (default 3600)
# @return [Excon::Response] body parsed by Fog::Parsers::AWS::STS::AssumeRole
def assume_role(role_session_name, role_arn, external_id=nil, policy=nil, duration=3600)
  # NOTE(review): a +policy+ that is already a JSON String is encoded again
  # here (becoming a quoted string), so callers presumably pass a Hash — confirm.
  encoded_policy = policy && Fog::JSON.encode(policy)
  request({
    'Action'          => 'AssumeRole',
    'RoleSessionName' => role_session_name,
    'RoleArn'         => role_arn,
    'Policy'          => encoded_policy,
    'DurationSeconds' => duration,
    'ExternalId'      => external_id,
    :idempotent       => true,
    :parser           => Fog::Parsers::AWS::STS::AssumeRole.new
  })
end
Assume Role with SAML
Parameters
-
role_arn<~String> - The ARN of the role the caller is assuming.
-
principal_arn<~String> - The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
-
saml_assertion<~String> - The base-64 encoded SAML authentication response provided by the IdP.
-
policy<~String> - An optional JSON policy document
-
duration<~Integer> - Duration (in seconds) for the assumed role credentials to be valid (default 3600)
Returns
-
response<~Excon::Response>:
-
body<~Hash>:
-
'Arn'<~String>: The ARN of the assumed role/user
-
'AccessKeyId'<~String>: The AWS access key of the temporary credentials for the assumed role
-
'SecretAccessKey'<~String>: The AWS secret key of the temporary credentials for the assumed role
-
'SessionToken'<~String>: The AWS session token of the temporary credentials for the assumed role
-
'Expiration'<~Time>: The expiration time of the temporary credentials for the assumed role
-
-
See Also
docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
# File lib/fog/aws/requests/sts/assume_role_with_saml.rb, line 29
# Call AssumeRoleWithSAML: exchange a SAML assertion for temporary
# credentials on +role_arn+.
#
# Sent via #request_unsigned, so no AWS access keys are needed on this
# client; the assertion is the only credential in the request.
#
# @param role_arn [String] ARN of the role to assume
# @param principal_arn [String] ARN of the IAM SAML provider describing the IdP
# @param saml_assertion [String] base64-encoded SAML response from the IdP
# @param policy [String, Hash, nil] optional session policy; JSON-encoded before sending
# @param duration [Integer] credential lifetime in seconds (default 3600)
# @return [Excon::Response] body parsed by Fog::Parsers::AWS::STS::AssumeRoleWithSAML
def assume_role_with_saml(role_arn, principal_arn, saml_assertion, policy=nil, duration=3600)
  encoded_policy = policy && Fog::JSON.encode(policy)
  request_unsigned({
    'Action'          => 'AssumeRoleWithSAML',
    'RoleArn'         => role_arn,
    'PrincipalArn'    => principal_arn,
    'SAMLAssertion'   => saml_assertion,
    'Policy'          => encoded_policy,
    'DurationSeconds' => duration,
    :idempotent       => true,
    :parser           => Fog::Parsers::AWS::STS::AssumeRoleWithSAML.new
  })
end
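# File lib/fog/aws/requests/sts/assume_role_with_web_identity.rb, line 7
# Call AssumeRoleWithWebIdentity: exchange a web identity (OIDC) token for
# temporary credentials on +role_arn+.
#
# Sent via #request_unsigned, so no AWS access keys are needed on this
# client; the token is the only credential in the request.
#
# @param role_arn [String] ARN of the role to assume
# @param web_identity_token [String] token issued by the identity provider
# @param role_session_name [String] identifier recorded for the assumed session
# @param options [Hash]
# @option options [Integer] :duration credential lifetime in seconds (default 3600)
# @option options [String, Hash] :policy optional session policy; JSON-encoded
#   before sending, the same treatment #assume_role gives its +policy+
# @return [Excon::Response] body parsed by Fog::Parsers::AWS::STS::AssumeRoleWithWebIdentity
def assume_role_with_web_identity(role_arn, web_identity_token, role_session_name, options={})
  policy = options[:policy]
  request_unsigned(
    'Action'           => 'AssumeRoleWithWebIdentity',
    'RoleArn'          => role_arn,
    'RoleSessionName'  => role_session_name,
    'WebIdentityToken' => web_identity_token,
    # #request_unsigned drops nil values, so omitting :policy leaves the
    # request exactly as it was before this key existed.
    'Policy'           => policy && Fog::JSON.encode(policy),
    'DurationSeconds'  => options[:duration] || 3600,
    :idempotent        => true,
    :parser            => Fog::Parsers::AWS::STS::AssumeRoleWithWebIdentity.new
  )
end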
Get federation token
Parameters
-
name<~String>: The name of the federated user.
Minimum length of 2. Maximum length of 32
-
policy<~String>: Optional policy that specifies the permissions
that are granted to the federated user. Minimum length of 1. Maximum length of 2048
-
duration<~Integer>: Optional duration, in seconds, that the session
should last.
Returns
-
response<~Excon::Response>:
-
body<~Hash>:
-
'SessionToken'<~String> -
-
'SecretAccessKey'<~String> -
-
'Expiration'<~String> -
-
'AccessKeyId'<~String> -
-
'Arn'<~String> -
-
'FederatedUserId'<~String> -
-
'PackedPolicySize'<~String> -
-
'RequestId'<~String> - Id of the request
-
-
See Also
docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html
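# File lib/fog/aws/requests/sts/get_federation_token.rb, line 32
# Call GetFederationToken: mint temporary credentials for a federated user.
#
# @param name [String] federated user name (2..32 chars per the docs above)
# @param policy [String, Hash, nil] optional policy granted to the federated
#   user; JSON-encoded before sending, nil when not given
# @param duration [Integer] session lifetime in seconds (default 43200)
# @return [Excon::Response]
def get_federation_token(name, policy=nil, duration=43200)
  # The docs describe +policy+ as optional but the request used to encode it
  # unconditionally (nil became the JSON literal null). Encode only when a
  # policy was given, matching the other requests in this class.
  encoded_policy = policy && Fog::JSON.encode(policy)
  request({
    'Action'          => 'GetFederationToken',
    'Name'            => name,
    'Policy'          => encoded_policy,
    'DurationSeconds' => duration,
    :idempotent       => true,
    # NOTE(review): parsed with the GetSessionToken parser; the documented
    # 'FederatedUserId' and 'PackedPolicySize' keys may not be extracted — confirm.
    :parser           => Fog::Parsers::AWS::STS::GetSessionToken.new
  })
end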
# File lib/fog/aws/requests/sts/get_session_token.rb, line 7
# Call GetSessionToken for the credentials this client was built with.
#
# @param duration [Integer] credential lifetime in seconds (default 43200)
# @return [Excon::Response] body parsed by Fog::Parsers::AWS::STS::GetSessionToken
def get_session_token(duration=43200)
  params = {
    'Action'          => 'GetSessionToken',
    'DurationSeconds' => duration,
    :idempotent       => true,
    :parser           => Fog::Parsers::AWS::STS::GetSessionToken.new
  }
  request(params)
end
# File lib/fog/aws/sts.rb, line 91
# Drop the underlying HTTP connection so the next request opens a fresh one.
#
# @return whatever the connection's +reset+ returns
def reload
  connection = @connection
  connection.reset
end
Private Instance Methods
# File lib/fog/aws/sts.rb, line 163
# POST an already-built request to STS and translate HTTP error statuses
# into Fog::AWS::STS error classes.
#
# @param body [String] form-encoded request body
# @param headers [Hash] request headers
# @param idempotent [Boolean] whether the connection may retry the call
# @param parser [Object] response parser handed to the connection
# @return the connection's response for a 200
# @raise [Fog::AWS::STS::Error] (or one of the specific subclasses listed
#   below) when the service answers with an error status it recognises
def _request(body, headers, idempotent, parser)
  @connection.request({
    :body       => body,
    :expects    => 200,
    :idempotent => idempotent,
    :headers    => headers,
    :method     => 'POST',
    :parser     => parser
  })
rescue Excon::Errors::HTTPStatusError => error
  match = Fog::AWS::Errors.match_error(error)
  # Error bodies the matcher does not understand propagate untouched.
  raise if match.empty?

  # The code comes from the service response; const_get is only reached for
  # codes in this fixed list, so the response cannot select an arbitrary
  # constant. Everything else maps to the generic STS::Error.
  specific = %w[EntityAlreadyExists KeyPairMismatch LimitExceeded MalformedCertificate ValidationError]
  if specific.include?(match[:code])
    raise Fog::AWS::STS.const_get(match[:code]).slurp(error, match[:message])
  else
    raise Fog::AWS::STS::Error.slurp(error, "#{match[:code]} => #{match[:message]}")
  end
end
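# File lib/fog/aws/sts.rb, line 108
# Sign +params+ with SigV4 and send them to STS.
#
# @param params [Hash] request parameters; the :idempotent and :parser keys
#   are removed from the hash (it is mutated) and control the HTTP call
# @return the response from #_request
# @raise [AwsAccessKeysMissing] when the client has no signer, i.e. it was
#   built without both aws_access_key_id and aws_secret_access_key
def request(params)
  # The previous message said "unsigned requests", which is the opposite of
  # what this method does — the unsigned path is #request_unsigned.
  unless @signer
    raise AwsAccessKeysMissing, "Can't make signed requests, need aws_access_key_id and aws_secret_access_key"
  end

  idempotent = params.delete(:idempotent)
  parser     = params.delete(:parser)

  body, headers = Fog::AWS.signed_params_v4(
    params,
    { 'Content-Type' => 'application/x-www-form-urlencoded' },
    {
      :method            => 'POST',
      :aws_session_token => @aws_session_token,
      :signer            => @signer,
      :host              => @host,
      :path              => @path,
      :port              => @port,
      :version           => '2011-06-15'
    }
  )

  if @instrumentor
    @instrumentor.instrument("#{@instrumentor_name}.request", params) do
      _request(body, headers, idempotent, parser)
    end
  else
    _request(body, headers, idempotent, parser)
  end
end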
# File lib/fog/aws/sts.rb, line 139 def request_unsigned(params) idempotent = params.delete(:idempotent) parser = params.delete(:parser) params['Version'] = '2011-06-15' headers = { 'Content-Type' => 'application/x-www-form-urlencoded', 'Host' => @host } body = '' for key in params.keys.sort unless (value = params[key]).nil? body << "#{key}=#{Fog::AWS.escape(value.to_s)}&" end end body.chop! if @instrumentor @instrumentor.instrument("#{@instrumentor_name}.request", params) do _request(body, headers, idempotent, parser) end else _request(body, headers, idempotent, parser) end end
# File lib/fog/aws/sts.rb, line 97
# Copy the credential options onto the instance and, when a key pair is
# present, build the SigV4 signer used by #request.
#
# @param options [Hash] accepts :aws_access_key_id, :aws_secret_access_key,
#   :aws_session_token and :aws_credentials_expire_at
# @return [Fog::AWS::SignatureV4, nil] the signer, or nil when either key is absent
def setup_credentials(options)
  @aws_access_key_id         = options[:aws_access_key_id]
  @aws_secret_access_key     = options[:aws_secret_access_key]
  @aws_session_token         = options[:aws_session_token]
  # NOTE(review): the expiry is stored but nothing in this class checks or
  # refreshes against it — confirm that is handled by the caller.
  @aws_credentials_expire_at = options[:aws_credentials_expire_at]

  # Without both halves of the key pair there is no signer; #request raises
  # in that case and only the unsigned requests remain usable.
  return unless @aws_access_key_id && @aws_secret_access_key

  # The signer is scoped to @region, which #initialize sets before calling here.
  @signer = Fog::AWS::SignatureV4.new(@aws_access_key_id, @aws_secret_access_key, @region, 'sts')
end