Rusoto has the ability to source AWS access credentials in a few different ways:
- Environment variables via
rusoto_core::EnvironmentProvider
(AWS_ACCESS_KEY_ID
andAWS_SECRET_ACCESS_KEY
) - AWS credentials file via
rusoto_core::ProfileProvider
- IAM ECS container profile via
rusoto_core::ContainerProvider
- IAM EC2 instance profile via
rusoto_core::InstanceMetadataProvider
There is also rusoto_core::ChainProvider
, which is a convenience for attempting to source access credentials using the methods above in order.
If credentials cannot be obtained through one method, it falls back to the next.
If all possibilites are exhausted, an error will be returned.
ProfileProvider
(and ChainProvider
) also allow you to specify a custom path to the credentials file and the name of the profile to use.
If not explicitly provided as arguments, the values for these two parameters are computed according to the following rules:
- location of credentials file: if set and not empty the value of the environment variable
AWS_SHARED_CREDENTIALS_FILE
otherwise"~/.aws/credentials"
. - profile name: if set and not empty the value of the environment variable
AWS_PROFILE
otherwise"default"
It's also possible to implement your own credentials sourcing mechanism by creating a type that implements rusoto_core::ProvideAwsCredentials
.
If your aws account belongs to an organization and you need to use sts:AssumeRole, you're probably looking for rusoto_sts::StsAssumeRoleSessionCredentialsProvider
. A simple program that uses sts:AssumeRole looks like this:
extern crate env_logger;
extern crate rusoto_core;
extern crate rusoto_ec2;
extern crate rusoto_sts;
use std::default::Default;
use rusoto_core::{Region, HttpClient};
use rusoto_ec2::{Ec2Client, Ec2, DescribeSpotInstanceRequestsRequest};
use rusoto_sts::{StsClient, StsAssumeRoleSessionCredentialsProvider};
fn main() {
let _ = env_logger::try_init();
let sts = StsClient::new(Region::EuWest1);
let provider = StsAssumeRoleSessionCredentialsProvider::new(
sts,
"arn:aws:iam::something:role/something".to_owned(),
"default".to_owned(),
None, None, None, None
);
let client = Ec2Client::new_with(HttpClient::new().unwrap(), provider, Region::UsEast1);
let sir_input = DescribeSpotInstanceRequestsRequest::default();
let x = client.describe_spot_instance_requests(sir_input).sync();
println!("{:?}", x);
}
Be careful that the current behavior of rusoto_sts::StsAssumeRoleSessionCredentialsProvider
needs to be used with rusoto_credential::AutoRefreshingProvider
as a wrapper to get advantage of using the already cached token of AssumeRole as it lives by default for 1 hour.
Current implementation is not using the cached token returned by the AssumeRole by default so it will be refreshed with every call to AWS resource.
This will affect the performance as well as the billing of AWS.
let provider = StsAssumeRoleSessionCredentialsProvider::new(
sts,
"arn:aws:iam::something:role/something".to_owned(),
"default".to_owned(),
None, None, None, None
);
let auto_refreshing_provider = rusoto_credential::AutoRefreshingProvider::new(provider);
Credentials obtained from environment variables and credential files expire ten minutes after being acquired and are refreshed on subsequent calls to credentials()
(a method from the ProvideAwsCredentials
trait).
IAM instance profile credentials are refreshed as needed.
Upon calling credentials()
it will see if they are expired or not.
If expired, it attempts to get new credentials from the metadata service.
If that fails it will return an error.
IAM credentials expiration time comes from the IAM metadata response.
Edit the relevant address
/IP locations in credential/src/container.rs and credential/src/instance_metadata.rs.
For local testing, you can use moe and set the string to this:
let mut address: String = "http://localhost:8080/latest/meta-data/iam/security-credentials".to_owned();