AwsCredentialVendor¶
AwsCredentialVendor is used by CredentialOperations to vend temporary S3 bucket credentials for the s3:// storage scheme.
AwsCredentialVendor reads the S3 bucket security configurations from the server.properties configuration file.
AWS Security Token Service (STS)
AwsCredentialVendor uses AWS Security Token Service (STS) to request temporary, limited-privilege security credentials:
- An access key ID
- A secret access key
- A security (or session) token
S3 Configurations¶
AwsCredentialVendor initializes s3Configurations from the server.properties configuration file.
s3Configurations is used to look up the S3StorageConfig of a bucket when vending S3 bucket credentials.
Vend Credentials¶
vendAwsCredentials looks up the S3 bucket (of the given CredentialContext) in the S3 Configurations.
BaseException
vendAwsCredentials reports a BaseException when the storage base of the given location cannot be found in the S3 configurations.
If a session token is defined, vendAwsCredentials returns a "static session" Credentials with the following:
Otherwise (with no session token defined), vendAwsCredentials gets an AWS STS client to assume a role with the following:
| Property | Value |
|---|---|
| Amazon Resource Name (ARN) of the role to assume | Role ARN |
| IAM policy | IAM policy for the privileges and the locations |
| Assumed Role Session | uc-[randomUUID] |
| Duration | 1 hour |
In the end, vendAwsCredentials requests the temporary security credentials (an access key ID, a secret access key, and a security (or session) token) from the StsClient. The IAM policy passed along with the AssumeRole request is a session policy: it can only narrow the permissions granted by the role's own policies, so the vended credentials are limited to the requested privileges and locations.
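The following is an added example that re-creates the flow described above in Python; it is not Unity Catalog's code. The names (StorageConfig, CredentialContext, vend_aws_credentials, FakeStsClient), the sample configurations and the session-policy shape are assumptions made for this example; only the flow itself (bucket lookup, the static-session shortcut, AssumeRole with a scoped session policy, a uc- prefixed random UUID as session name and a 1 hour duration) follows the page. The STS client is injected so the example runs offline; in a real deployment it would be a boto3 STS client.

```python
# Added example, not Unity Catalog's code: names, sample data and the policy shape
# are assumptions; only the flow described on the page is reproduced.
import json
import uuid
from dataclasses import dataclass
from typing import Optional

ROLE_SESSION_PREFIX = "uc-"
SESSION_DURATION_SECONDS = 3600  # the 1 hour described on the page


@dataclass
class StorageConfig:
    """One S3 bucket entry as it could be read from server.properties (assumed shape)."""
    bucket_path: str                     # e.g. "s3://my-bucket"
    aws_role_arn: Optional[str] = None   # role to assume when no static session token is set
    access_key: Optional[str] = None
    secret_key: Optional[str] = None
    session_token: Optional[str] = None  # when set, "static session" credentials are returned


@dataclass
class CredentialContext:
    locations: list   # s3:// paths the caller needs
    privileges: set   # subset of {"READ", "WRITE"}


class StorageBaseNotFound(Exception):
    """Stands in for the BaseException the page mentions."""


def split_s3(location: str):
    """'s3://bucket/some/prefix/' -> ('bucket', 'some/prefix')."""
    if not location.startswith("s3://"):
        raise ValueError(f"not an s3:// location: {location}")
    bucket, _, prefix = location[len("s3://"):].partition("/")
    return bucket, prefix.strip("/")


def find_storage_config(configs: list, location: str) -> StorageConfig:
    """Look up the bucket of the location in the S3 configurations."""
    bucket, _ = split_s3(location)
    for cfg in configs:
        if split_s3(cfg.bucket_path)[0] == bucket:
            return cfg
    raise StorageBaseNotFound(f"no S3 configuration for the storage base of {location}")


def build_session_policy(context: CredentialContext) -> dict:
    """Session policy limiting the assumed role to the requested locations and privileges.
    A session policy can only narrow what the role's own policies allow, never widen it.
    The privilege-to-action mapping is an assumption, not Unity Catalog's policy generator."""
    object_actions = ["s3:GetObject"]
    if "WRITE" in context.privileges:
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    bucket_arns, object_arns, list_prefixes = set(), set(), set()
    for loc in context.locations:
        bucket, prefix = split_s3(loc)
        bucket_arns.add(f"arn:aws:s3:::{bucket}")
        object_arns.add(f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*")
        list_prefixes.add(f"{prefix}/*" if prefix else "*")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": sorted(bucket_arns),
         "Condition": {"StringLike": {"s3:prefix": sorted(list_prefixes)}}},
        {"Effect": "Allow", "Action": sorted(object_actions), "Resource": sorted(object_arns)},
    ]}


def vend_aws_credentials(configs: list, context: CredentialContext, sts_client) -> dict:
    """Static session credentials if the bucket has a session token, otherwise AssumeRole.
    sts_client needs boto3's assume_role(**kwargs) shape; a real one is boto3.client("sts")."""
    if not context.locations:
        raise ValueError("credential context has no locations")
    cfg = find_storage_config(configs, context.locations[0])
    if cfg.session_token:
        return {"AccessKeyId": cfg.access_key, "SecretAccessKey": cfg.secret_key,
                "SessionToken": cfg.session_token}
    if not cfg.aws_role_arn:
        raise StorageBaseNotFound(f"{cfg.bucket_path} has neither a session token nor a role ARN")
    response = sts_client.assume_role(
        RoleArn=cfg.aws_role_arn,
        Policy=json.dumps(build_session_policy(context)),
        RoleSessionName=ROLE_SESSION_PREFIX + str(uuid.uuid4()),
        DurationSeconds=SESSION_DURATION_SECONDS,
    )
    return response["Credentials"]


class FakeStsClient:
    """Offline stand-in for boto3's STS client: records the request, returns dummy credentials."""
    def __init__(self):
        self.last_request, self.last_policy = None, None

    def assume_role(self, **kwargs):
        self.last_request, self.last_policy = kwargs, json.loads(kwargs["Policy"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
                                "SessionToken": "example-session-token"}}


# Constructed sample configurations (no real buckets, roles or keys).
SAMPLE_CONFIGS = [
    StorageConfig("s3://uc-role-bucket", aws_role_arn="arn:aws:iam::123456789012:role/uc-vendor"),
    StorageConfig("s3://uc-static-bucket", access_key="AKIAEXAMPLESTATIC",
                  secret_key="example-static-secret", session_token="example-static-token"),
]
```

Running `vend_aws_credentials(SAMPLE_CONFIGS, CredentialContext(["s3://uc-role-bucket/tables/t1/"], {"READ"}), FakeStsClient())` takes the AssumeRole branch: the recorded request carries the role ARN, a `uc-` prefixed UUID session name, `DurationSeconds=3600` and a session policy that allows only `s3:ListBucket` on the bucket (scoped to the `tables/t1/*` prefix) and `s3:GetObject` on `arn:aws:s3:::uc-role-bucket/tables/t1/*`. Adding `"WRITE"` to the privileges extends the object statement with `s3:PutObject` and `s3:DeleteObject`; a location under `s3://uc-static-bucket` returns the configured static credentials without calling STS, and an unknown bucket raises StorageBaseNotFound.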
vendAwsCredentials is used when:
- CredentialOperations is requested to vend AWS credentials