Authentication and authorization primitives shared across services.

This module defines the opt-in modes for SigV4 signature verification and IAM policy enforcement, plus the reserved “root bypass” identity that short-circuits both checks when enabled.

Neither feature is enforced at this layer — the types are plumbed through crate::dispatch::DispatchConfig and consulted later by dispatch and service handlers once the corresponding batches land. See /docs/reference/security (added in a later batch) for the user-facing contract.
Structs

- IamAction: One IAM action that the dispatch layer should evaluate against the caller’s effective policy set.
- ParseIamModeError: Parse error for IamMode from string.
- Principal: Identity of the caller making a request, once its credentials have been resolved. Attached to crate::service::AwsRequest::principal so handlers can make identity-based decisions without re-parsing the Authorization header.
- ResolvedCredential: Credentials resolved from an access key ID.
Enums

- IamDecision: Result of evaluating a request against an identity’s effective policy set. Abstracts over the concrete evaluator Decision in fakecloud-iam::evaluator so fakecloud-core can consume it without depending on fakecloud-iam.
- IamMode: How IAM identity policies are evaluated for incoming requests.
- PrincipalType: Kind of principal a set of credentials resolves to.
Traits

- CredentialResolver: Abstraction over “given an access key ID, return the secret and resolved principal.” Implemented by the IAM crate against IamState; the core crate depends only on the trait so there’s no circular dependency.
- IamPolicyEvaluator: Abstraction over “given a principal and an action, say Allow / Deny”. Implemented by fakecloud-iam against IamState + the Phase 1 evaluator. Dispatch calls this for every request when FAKECLOUD_IAM != off and the target service opts into enforcement.
Functions

- is_root_bypass: Reserved root-identity convention.
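The gate the module description and the IamPolicyEvaluator entry describe, written out as an added illustration that is not fakecloud's own code: every variant, field, signature and the root-bypass marker below are assumptions standing in for the crate's real items. It shows the three outcomes a dispatch layer has to keep apart: evaluation skipped because the mode is off, evaluation skipped because an enabled root bypass matched, and an evaluator Deny that only becomes a rejected request under an enforcing mode.

```rust
// Added illustration, not fakecloud's code. Types, variants, fields and the
// bypass marker are assumptions chosen to demonstrate the described flow.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum IamMode { Off, Audit, Enforce } // assumed variants

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum IamDecision { Allow, Deny }

pub struct Principal { pub access_key_id: String } // assumed field
pub struct IamAction(pub &'static str);            // e.g. "s3:GetObject"

/// Assumed stand-in for the reserved root-identity convention; the page
/// does not show the real marker, so a labelled placeholder is used.
pub fn is_root_bypass(p: &Principal) -> bool {
    p.access_key_id == "ROOT-BYPASS-PLACEHOLDER"
}

/// Shape of the page's IamPolicyEvaluator: principal + action -> Allow / Deny.
pub trait IamPolicyEvaluator {
    fn evaluate(&self, principal: &Principal, action: &IamAction) -> IamDecision;
}

/// Deny-by-default evaluator over an explicit (access_key_id, action) allow
/// list; an assumed toy evaluator, not the Phase 1 evaluator.
pub struct AllowList(pub Vec<(&'static str, &'static str)>);

impl IamPolicyEvaluator for AllowList {
    fn evaluate(&self, p: &Principal, a: &IamAction) -> IamDecision {
        let hit = self.0.iter().any(|(k, act)| *k == p.access_key_id && *act == a.0);
        if hit { IamDecision::Allow } else { IamDecision::Deny }
    }
}

/// Dispatch-side gate. Returns (decision reached, request rejected).
/// Off: no evaluation at all. Enabled root bypass: short-circuit to Allow.
/// Otherwise ask the evaluator; only Enforce turns a Deny into a rejection,
/// Audit records the decision but lets the request through.
pub fn gate(
    mode: IamMode,
    root_bypass_enabled: bool,
    p: &Principal,
    a: &IamAction,
    ev: &dyn IamPolicyEvaluator,
) -> (Option<IamDecision>, bool) {
    if mode == IamMode::Off { return (None, false); }
    if root_bypass_enabled && is_root_bypass(p) { return (Some(IamDecision::Allow), false); }
    let d = ev.evaluate(p, a);
    (Some(d), mode == IamMode::Enforce && d == IamDecision::Deny)
}
```

Note that with the bypass disabled the placeholder root identity is evaluated like any other principal, which is the property a test for this gate should pin down.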