use std::borrow::Cow;
use aws_credential_types::provider::{self, future, ProvideCredentials};
use aws_credential_types::Credentials;
use tracing::Instrument;
use crate::environment::credentials::EnvironmentVariableCredentialsProvider;
use crate::meta::credentials::CredentialsProviderChain;
use crate::meta::region::ProvideRegion;
use crate::provider_config::ProviderConfig;
#[cfg(feature = "rustls")]
pub async fn default_provider() -> impl ProvideCredentials {
DefaultCredentialsChain::builder().build().await
}
#[derive(Debug)]
pub struct DefaultCredentialsChain {
provider_chain: CredentialsProviderChain,
}
impl DefaultCredentialsChain {
pub fn builder() -> Builder {
Builder::default()
}
async fn credentials(&self) -> provider::Result {
self.provider_chain
.provide_credentials()
.instrument(tracing::debug_span!("provide_credentials", provider = %"default_chain"))
.await
}
}
impl ProvideCredentials for DefaultCredentialsChain {
fn provide_credentials<'a>(&'a self) -> future::ProvideCredentials<'a>
where
Self: 'a,
{
future::ProvideCredentials::new(self.credentials())
}
fn fallback_on_interrupt(&self) -> Option<Credentials> {
self.provider_chain.fallback_on_interrupt()
}
}
#[derive(Debug, Default)]
pub struct Builder {
profile_file_builder: crate::profile::credentials::Builder,
web_identity_builder: crate::web_identity_token::Builder,
imds_builder: crate::imds::credentials::Builder,
ecs_builder: crate::ecs::Builder,
region_override: Option<Box<dyn ProvideRegion>>,
region_chain: crate::default_provider::region::Builder,
conf: Option<ProviderConfig>,
}
impl Builder {
pub fn region(mut self, region: impl ProvideRegion + 'static) -> Self {
self.set_region(Some(region));
self
}
pub fn set_region(&mut self, region: Option<impl ProvideRegion + 'static>) -> &mut Self {
self.region_override = region.map(|provider| Box::new(provider) as _);
self
}
pub fn with_custom_credential_source(
mut self,
name: impl Into<Cow<'static, str>>,
provider: impl ProvideCredentials + 'static,
) -> Self {
self.profile_file_builder = self
.profile_file_builder
.with_custom_provider(name, provider);
self
}
pub fn profile_name(mut self, name: &str) -> Self {
self.profile_file_builder = self.profile_file_builder.profile_name(name);
self.region_chain = self.region_chain.profile_name(name);
self
}
pub fn imds_client(mut self, client: crate::imds::Client) -> Self {
self.imds_builder = self.imds_builder.imds_client(client);
self
}
pub fn configure(mut self, config: ProviderConfig) -> Self {
self.region_chain = self.region_chain.configure(&config);
self.conf = Some(config);
self
}
pub async fn build(self) -> DefaultCredentialsChain {
let region = match self.region_override {
Some(provider) => provider.region().await,
None => self.region_chain.build().region().await,
};
let conf = self.conf.unwrap_or_default().with_region(region);
let env_provider = EnvironmentVariableCredentialsProvider::new_with_env(conf.env());
let profile_provider = self.profile_file_builder.configure(&conf).build();
let web_identity_token_provider = self.web_identity_builder.configure(&conf).build();
let imds_provider = self.imds_builder.configure(&conf).build();
let ecs_provider = self.ecs_builder.configure(&conf).build();
let provider_chain = CredentialsProviderChain::first_try("Environment", env_provider)
.or_else("Profile", profile_provider)
.or_else("WebIdentityToken", web_identity_token_provider)
.or_else("EcsContainer", ecs_provider)
.or_else("Ec2InstanceMetadata", imds_provider);
DefaultCredentialsChain { provider_chain }
}
}
#[cfg(test)]
mod test {
use crate::default_provider::credentials::DefaultCredentialsChain;
use crate::test_case::{StaticTestProvider, TestEnvironment};
use aws_credential_types::provider::ProvideCredentials;
use aws_smithy_async::time::StaticTimeSource;
use std::time::UNIX_EPOCH;
macro_rules! make_test {
($name:ident $(#[$m:meta])*) => {
make_test!($name, execute, $(#[$m])*);
};
(update: $name:ident) => {
make_test!($name, execute_and_update);
};
(live: $name:ident) => {
make_test!($name, execute_from_live_traffic);
};
($name:ident, $func:ident, $(#[$m:meta])*) => {
make_test!($name, $func, std::convert::identity $(, #[$m])*);
};
($name:ident, builder: $provider_config_builder:expr) => {
make_test!($name, execute, $provider_config_builder);
};
($name:ident, $func:ident, $provider_config_builder:expr $(, #[$m:meta])*) => {
$(#[$m])*
#[tokio::test]
async fn $name() {
let _ = crate::test_case::TestEnvironment::from_dir(
concat!(
"./test-data/default-credential-provider-chain/",
stringify!($name)
),
crate::test_case::test_credentials_provider(|config| {
async move {
crate::default_provider::credentials::Builder::default()
.configure(config)
.build()
.await
.provide_credentials()
.await
}
}),
)
.await
.unwrap()
.map_provider_config($provider_config_builder)
.$func()
.await;
}
};
}
make_test!(prefer_environment);
make_test!(profile_static_keys);
make_test!(profile_static_keys_case_insensitive);
make_test!(web_identity_token_env);
make_test!(web_identity_source_profile_no_env);
make_test!(web_identity_token_invalid_jwt);
make_test!(web_identity_token_source_profile);
make_test!(web_identity_token_profile);
make_test!(profile_name);
make_test!(profile_overrides_web_identity);
make_test!(environment_variables_blank);
make_test!(imds_token_fail);
make_test!(imds_no_iam_role);
make_test!(imds_default_chain_error);
make_test!(imds_default_chain_success, builder: |config| {
config.with_time_source(StaticTimeSource::new(UNIX_EPOCH))
});
make_test!(imds_assume_role);
make_test!(imds_config_with_no_creds, builder: |config| {
config.with_time_source(StaticTimeSource::new(UNIX_EPOCH))
});
make_test!(imds_disabled);
make_test!(imds_default_chain_retries, builder: |config| {
config.with_time_source(StaticTimeSource::new(UNIX_EPOCH))
});
make_test!(ecs_assume_role);
make_test!(ecs_credentials);
make_test!(ecs_credentials_invalid_profile);
make_test!(eks_pod_identity_credentials);
#[cfg(not(windows))]
make_test!(eks_pod_identity_no_token_file);
#[cfg(not(feature = "sso"))]
make_test!(sso_assume_role #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: sso")]);
#[cfg(feature = "sso")]
make_test!(sso_assume_role);
#[cfg(not(any(feature = "sso", windows)))]
make_test!(sso_no_token_file #[should_panic(expected = "This behavior requires following cargo feature(s) enabled: sso")]);
#[cfg(all(feature = "sso", not(windows)))]
make_test!(sso_no_token_file);
#[cfg(feature = "credentials-sso")]
make_test!(e2e_fips_and_dual_stack_sso);
#[tokio::test]
async fn profile_name_override() {
let provider_config = TestEnvironment::<crate::test_case::Credentials, ()>::from_dir(
"./test-data/default-credential-provider-chain/profile_static_keys",
StaticTestProvider::new(|_| unreachable!()),
)
.await
.unwrap()
.provider_config()
.clone();
let creds = DefaultCredentialsChain::builder()
.profile_name("secondary")
.configure(provider_config)
.build()
.await
.provide_credentials()
.await
.expect("creds should load");
assert_eq!(creds.access_key_id(), "correct_key_secondary");
}
#[tokio::test]
#[cfg(feature = "client-hyper")]
async fn no_providers_configured_err() {
use crate::provider_config::ProviderConfig;
use aws_credential_types::provider::error::CredentialsError;
use aws_smithy_async::rt::sleep::TokioSleep;
use aws_smithy_runtime::client::http::hyper_014::HyperClientBuilder;
use aws_smithy_runtime::client::http::test_util::NeverTcpConnector;
tokio::time::pause();
let conf = ProviderConfig::no_configuration()
.with_http_client(HyperClientBuilder::new().build(NeverTcpConnector::new()))
.with_time_source(StaticTimeSource::new(UNIX_EPOCH))
.with_sleep_impl(TokioSleep::new());
let provider = DefaultCredentialsChain::builder()
.configure(conf)
.build()
.await;
let creds = provider
.provide_credentials()
.await
.expect_err("no providers enabled");
assert!(
matches!(creds, CredentialsError::CredentialsNotLoaded { .. }),
"should be NotLoaded: {:?}",
creds
)
}
}