pub struct ProfileFileCredentialsProvider { /* private fields */ }
AWS Profile based credentials provider
This credentials provider will load credentials from ~/.aws/config and ~/.aws/credentials.
The locations of these files are configurable via environment variables, see below.
Generally, this will be constructed via the default provider chain. However, it can be manually constructed with the builder:
use aws_config::profile::ProfileFileCredentialsProvider;
let provider = ProfileFileCredentialsProvider::builder().build();
Note: Profile providers, when called, will load and parse the profile from the file system only once. Parsed file contents will be cached indefinitely.
This provider supports several different credentials formats:
§Credentials defined explicitly within the file
[default]
aws_access_key_id = 123
aws_secret_access_key = 456
§Assume Role Credentials loaded from a credential source
[default]
role_arn = arn:aws:iam::123456789:role/RoleA
credential_source = Environment
NOTE: Currently only the Environment credential source is supported, although it is possible to provide custom sources:
use aws_credential_types::provider::{self, future, ProvideCredentials};
use aws_config::profile::ProfileFileCredentialsProvider;

#[derive(Debug)]
struct MyCustomProvider;

impl MyCustomProvider {
    // Placeholder body: load credentials from the custom source here.
    async fn load_credentials(&self) -> provider::Result {
        todo!()
    }
}

impl ProvideCredentials for MyCustomProvider {
    fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a> where Self: 'a {
        future::ProvideCredentials::new(self.load_credentials())
    }
}

fn main() {
    // Register MyCustomProvider under the name "Custom".
    let provider = ProfileFileCredentialsProvider::builder()
        .with_custom_provider("Custom", MyCustomProvider)
        .build();
}
§Assume role credentials from a source profile
[default]
role_arn = arn:aws:iam::123456789:role/RoleA
source_profile = base
[profile base]
aws_access_key_id = 123
aws_secret_access_key = 456
Other more complex configurations are possible, consult test-data/assume-role-tests.json.
§Credentials loaded from an external process
[default]
credential_process = /opt/bin/awscreds-custom --username helen
An external process can be used to provide credentials.
§Loading Credentials from SSO
[default]
sso_start_url = https://example.com/start
sso_region = us-east-2
sso_account_id = 123456789011
sso_role_name = readOnly
region = us-west-2
SSO can also be used as a source profile for assume role chains.
§Location of Profile Files
- The location of the config file will be loaded from the AWS_CONFIG_FILE environment variable with a fallback to ~/.aws/config
- The location of the credentials file will be loaded from the AWS_SHARED_CREDENTIALS_FILE environment variable with a fallback to ~/.aws/credentials
The location of these files can also be customized programmatically using ProfileFiles.
§Home directory resolution
Home directory resolution is implemented to match the behavior of the CLI & Python. ~ is only used for home directory resolution when it:
- Starts the path
- Is followed immediately by / or a platform specific separator. (On Windows, ~/ and ~\ both resolve to the home directory.)
When determining the home directory, the following environment variables are checked:
- HOME on all platforms
- USERPROFILE on Windows
- The concatenation of HOMEDRIVE and HOMEPATH on Windows ($HOMEDRIVE$HOMEPATH)
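The file-location and home-directory rules above decide which file credentials are actually read from, so it helps to be able to compute that path when auditing an environment. The following is an added example, not the SDK's own implementation: the function names are hypothetical, the variables are assumed to be checked in the order listed, and the path is assumed to stay unexpanded when no home directory is found.

```rust
use std::path::PathBuf;

/// Hypothetical helper: find the home directory from the variables listed
/// above (assumption: they are checked in the listed order).
fn home_dir(env: &dyn Fn(&str) -> Option<String>, windows: bool) -> Option<String> {
    if let Some(home) = env("HOME") {
        return Some(home);
    }
    if windows {
        if let Some(profile) = env("USERPROFILE") {
            return Some(profile);
        }
        if let (Some(drive), Some(path)) = (env("HOMEDRIVE"), env("HOMEPATH")) {
            return Some(format!("{drive}{path}"));
        }
    }
    None
}

/// Expand `~` only when it starts the path and is immediately followed by `/`
/// (or `\` on Windows). Any other `~` is left untouched.
fn expand_home(path: &str, env: &dyn Fn(&str) -> Option<String>, windows: bool) -> PathBuf {
    let tail = match path.strip_prefix('~') {
        Some(t) if t.starts_with('/') || (windows && t.starts_with('\\')) => t,
        _ => return PathBuf::from(path),
    };
    match home_dir(env, windows) {
        Some(home) => PathBuf::from(format!("{home}{tail}")),
        // Assumption: keep the path as written when no home directory is known.
        None => PathBuf::from(path),
    }
}

/// Path the credentials file would be read from: the override variable if
/// set, otherwise the documented default.
fn credentials_path(env: &dyn Fn(&str) -> Option<String>, windows: bool) -> PathBuf {
    let raw = env("AWS_SHARED_CREDENTIALS_FILE").unwrap_or_else(|| "~/.aws/credentials".into());
    expand_home(&raw, env, windows)
}

fn main() {
    // Report the path for the current process environment.
    let env = |k: &str| std::env::var(k).ok();
    println!("{}", credentials_path(&env, cfg!(windows)).display());
}
```

Because AWS_SHARED_CREDENTIALS_FILE takes precedence over the default, a process started with that variable set reads a different file than ~/.aws/credentials, which is worth checking when reviewing service unit files or CI job environments.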