1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
use std::fmt;
use std::fmt::{Debug, Formatter};
use std::sync::Arc;
use std::time::SystemTime;
use zeroize::Zeroizing;
/// AWS SDK Credentials
///
/// An opaque struct representing credentials that may be used in an AWS SDK, modeled on
/// the [CRT credentials implementation](https://github.com/awslabs/aws-c-auth/blob/main/source/credentials.c).
///
/// When `Credentials` is dropped, its contents are zeroed in memory. Credentials uses an interior Arc to ensure
/// that even when cloned, credentials don't exist in multiple memory locations.
#[derive(Clone, Eq, PartialEq)]
pub struct Credentials(Arc<Inner>);
#[derive(Clone, Eq, PartialEq)]
struct Inner {
access_key_id: Zeroizing<String>,
secret_access_key: Zeroizing<String>,
session_token: Zeroizing<Option<String>>,
/// Credential Expiry
///
/// A SystemTime at which the credentials should no longer be used because they have expired.
/// The primary purpose of this value is to allow credentials to communicate to the caching
/// provider when they need to be refreshed.
///
/// If these credentials never expire, this value will be set to `None`
expires_after: Option<SystemTime>,
provider_name: &'static str,
}
impl Debug for Credentials {
fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
let mut creds = f.debug_struct("Credentials");
creds
.field("provider_name", &self.0.provider_name)
.field("access_key_id", &self.0.access_key_id.as_str())
.field("secret_access_key", &"** redacted **");
if let Some(expiry) = self.expiry() {
// TODO: format the expiry nicely
creds.field("expires_after", &expiry);
}
creds.finish()
}
}
#[cfg(feature = "hardcoded-credentials")]
const STATIC_CREDENTIALS: &str = "Static";
impl Credentials {
/// Creates `Credentials`.
///
/// This is intended to be used from a custom credentials provider implementation.
/// It is __NOT__ secure to hardcode credentials into your application.
pub fn new(
access_key_id: impl Into<String>,
secret_access_key: impl Into<String>,
session_token: Option<String>,
expires_after: Option<SystemTime>,
provider_name: &'static str,
) -> Self {
Credentials(Arc::new(Inner {
access_key_id: Zeroizing::new(access_key_id.into()),
secret_access_key: Zeroizing::new(secret_access_key.into()),
session_token: Zeroizing::new(session_token),
expires_after,
provider_name,
}))
}
/// Creates `Credentials` from hardcoded access key, secret key, and session token.
///
/// _Note: In general, you should prefer to use the credential providers that come
/// with the AWS SDK to get credentials. It is __NOT__ secure to hardcode credentials
/// into your application. If you're writing a custom credentials provider, then
/// use [`Credentials::new`] instead of this._
///
/// This function requires the `hardcoded-credentials` feature to be enabled.
///
/// [`Credentials`](crate::Credentials) implement
/// [`ProvideCredentials`](crate::credentials::ProvideCredentials) directly, so no custom provider
/// implementation is required when wiring these up to a client:
/// ```rust
/// use aws_types::Credentials;
/// # mod dynamodb {
/// # use aws_types::credentials::ProvideCredentials;
/// # pub struct Config;
/// # impl Config {
/// # pub fn builder() -> Self {
/// # Config
/// # }
/// # pub fn credentials_provider(self, provider: impl ProvideCredentials + 'static) -> Self {
/// # self
/// # }
/// # }
/// # }
///
/// let my_creds = Credentials::from_keys("akid", "secret_key", None);
/// let conf = dynamodb::Config::builder().credentials_provider(my_creds);
/// ```
#[cfg(feature = "hardcoded-credentials")]
pub fn from_keys(
access_key_id: impl Into<String>,
secret_access_key: impl Into<String>,
session_token: Option<String>,
) -> Self {
Self::new(
access_key_id,
secret_access_key,
session_token,
None,
STATIC_CREDENTIALS,
)
}
/// Returns the access key ID.
pub fn access_key_id(&self) -> &str {
&self.0.access_key_id
}
/// Returns the secret access key.
pub fn secret_access_key(&self) -> &str {
&self.0.secret_access_key
}
/// Returns the time when the credentials will expire.
pub fn expiry(&self) -> Option<SystemTime> {
self.0.expires_after
}
/// Returns a mutable reference to the time when the credentials will expire.
pub fn expiry_mut(&mut self) -> &mut Option<SystemTime> {
&mut Arc::make_mut(&mut self.0).expires_after
}
/// Returns the session token.
pub fn session_token(&self) -> Option<&str> {
self.0.session_token.as_deref()
}
}