rusoto_credential 0.3.0

AWS credential tooling
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

use std::env;
use std::io::Read;
use std::time::Duration as StdDuration;

use hyper::Client;
use hyper::header::Connection;
use serde_json::{self, Value};

use {
    AwsCredentials,
    CredentialsError,
    ProvideAwsCredentials,
    extract_string_value_from_json,
};

const AWS_CREDENTIALS_PROVIDER_IP: &'static str = "169.254.170.2";

/// Provides AWS credentials from a task's IAM role.
#[derive(Debug)]
pub struct ContainerProvider;

impl ProvideAwsCredentials for ContainerProvider {
    // TODO: backoff and retry on failure.
    fn credentials(&self) -> Result<AwsCredentials, CredentialsError> {
        let aws_container_credentials_relative_uri = match env::var("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") {
            Ok(v) => v,
            Err(_) => return Err(CredentialsError::new("No AWS_CONTAINER_CREDENTIALS_RELATIVE_URI in environment")),
        };

        let address: String = format!("http://{}{}", AWS_CREDENTIALS_PROVIDER_IP, aws_container_credentials_relative_uri);

        let mut client = Client::new();
        client.set_read_timeout(Some(StdDuration::from_secs(15)));
        let mut response = match client.get(&address)
            .header(Connection::close()).send()
        {
            Ok(response) => response,
            Err(_) => return Err(CredentialsError::new("Couldn't connect to credentials provider")), // add why?
        };

        let mut body = String::new();
        if response.read_to_string(&mut body).is_err() {
            return Err(CredentialsError::new("Didn't get a parsable response body from the credentials provider"));
        }

        let credentials = try!(parse_credentials_response(&body));

        Ok(credentials)
    }
}

fn parse_credentials_response(response: &str) -> Result<AwsCredentials, CredentialsError> {
    let json_object: Value = match serde_json::from_str(response) {
        Ok(v) => v,
        Err(_) => return Err(CredentialsError::new("Couldn't parse credentials response body.")),
    };

    let access_key_id = try!(extract_string_value_from_json(&json_object, "AccessKeyId"));
    let secret_access_key = try!(extract_string_value_from_json(&json_object, "SecretAccessKey"));
    let token = try!(extract_string_value_from_json(&json_object, "Token"));
    let expiration = try!(extract_string_value_from_json(&json_object, "Expiration"));

    let expiration = try!(expiration.parse());

    Ok(AwsCredentials::new(
        access_key_id,
        secret_access_key,
        Some(token),
        expiration,
    ))
}

#[cfg(test)]
mod tests {
    use std::io::Read;
    use std::fs::{self, File};
    use std::path::Path;

    use super::parse_credentials_response;

    #[test]
    fn parse_iam_task_credentials_sample_response() {
        fn read_file_to_string(file_path: &Path) -> String {
            match fs::metadata(file_path) {
                Ok(metadata) => if !metadata.is_file() {
                    panic!("Couldn't open file");
                },
                Err(_) => panic!("Couldn't stat file"),
            };

            let mut file = File::open(file_path).unwrap();
            let mut result = String::new();
            file.read_to_string(&mut result).ok();

            result
        }

        let response = read_file_to_string(
            Path::new("tests/sample-data/iam_task_credentials_sample_response")
        );

        let credentials = parse_credentials_response(&response);

        assert!(credentials.is_ok());
        let credentials = credentials.unwrap();

        assert_eq!(credentials.aws_access_key_id(), "AKIAIOSFODNN7EXAMPLE");
        assert_eq!(credentials.aws_secret_access_key(), "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
    }
}