pub struct BackendCredentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
    pub expiration: DateTime<Utc>,
}
The backend credential value type — its fields, secret-redacting Debug, and
BucketConfig injection (BackendCredentials::apply_to) — is owned by
multistore core (next to the BucketConfig it injects into, and its
sibling TemporaryCredentials). It is re-exported here so this crate is the
single front door: callers import the type from multistore-oidc-provider
and need not name core’s types module.

Bearer-only backends (Azure/GCP) leave access_key_id/secret_access_key
empty and carry the token in session_token.

Short-lived credentials obtained by federating the proxy’s OIDC identity
into a backend cloud’s STS (e.g. AWS AssumeRoleWithWebIdentity), used to
sign requests to the backend object store.

Distinct from TemporaryCredentials, which the proxy’s own STS mints for
callers: those carry the proxy’s authorization model (allowed_scopes,
assumed_role_id, source_identity), whereas these carry only what an
object-store client needs to sign, plus the expiry so the caller can cache
and refresh them.
Fields

access_key_id: String
    Temporary access key id (AWS ASIA…).
secret_access_key: String
    Temporary secret access key.
session_token: String
    Session token that must accompany requests using these credentials.
expiration: DateTime<Utc>
    When these credentials expire.
Implementations

impl BackendCredentials

pub fn apply_to(&self, config: &mut BucketConfig)
Inject these credentials into a BucketConfig so the multistore
backend signs requests with them instead of going anonymous.
Sets the canonical S3 option keys (access_key_id, secret_access_key,
and token — the alias object_store maps to the session token and that
BucketConfig’s Debug redacts) and clears skip_signature so the
backend signs.
This governs only outbound (backend) signing. It deliberately leaves
BucketConfig::anonymous_access untouched: that flag controls
inbound authorization (whether proxy callers may read the bucket
unauthenticated), which is orthogonal — a bucket can be public to
anonymous callers yet served from a private backend the proxy signs into.
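An added, self-contained illustration of the apply_to contract described above; this is not the crate's own code. BucketConfig is a hypothetical stand-in with an options map, skip_signature and anonymous_access; expiration is simplified to unix seconds instead of DateTime<Utc>; needs_refresh is an assumed helper showing the cache-and-refresh use of the expiry.

```rust
use std::collections::BTreeMap;
use std::fmt;

/// Hypothetical stand-in for multistore core's BucketConfig.
#[derive(Debug, Default)]
pub struct BucketConfig {
    pub options: BTreeMap<String, String>, // canonical S3 option keys
    pub skip_signature: bool,             // outbound: whether backend signing is skipped
    pub anonymous_access: bool,           // inbound: may proxy callers read unauthenticated
}

/// Same fields as the page's struct; expiry simplified to unix seconds (assumption).
#[derive(Clone)]
pub struct BackendCredentials {
    pub access_key_id: String,
    pub secret_access_key: String,
    pub session_token: String,
    pub expiration: u64,
}

// Secret-redacting Debug: the key id is safe to log, the secret and token are not.
impl fmt::Debug for BackendCredentials {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("BackendCredentials")
            .field("access_key_id", &self.access_key_id)
            .field("secret_access_key", &"<redacted>")
            .field("session_token", &"<redacted>")
            .field("expiration", &self.expiration)
            .finish()
    }
}

impl BackendCredentials {
    /// Inject into the config and make the backend sign; anonymous_access is left untouched.
    pub fn apply_to(&self, config: &mut BucketConfig) {
        config.options.insert("access_key_id".into(), self.access_key_id.clone());
        config.options.insert("secret_access_key".into(), self.secret_access_key.clone());
        config.options.insert("token".into(), self.session_token.clone());
        config.skip_signature = false;
    }

    /// Assumed helper: a cache should refresh when `now` is within `skew` seconds of expiry.
    pub fn needs_refresh(&self, now: u64, skew: u64) -> bool {
        now.saturating_add(skew) >= self.expiration
    }
}
```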
Trait Implementations

impl Clone for BackendCredentials

fn clone(&self) -> BackendCredentials

fn clone_from(&mut self, source: &Self)

Auto Trait Implementations
impl Freeze for BackendCredentials
impl RefUnwindSafe for BackendCredentials
impl Send for BackendCredentials
impl Sync for BackendCredentials
impl Unpin for BackendCredentials
impl UnsafeUnpin for BackendCredentials
impl UnwindSafe for BackendCredentials
Blanket Implementations

impl<T> BorrowMut<T> for T where T: ?Sized

fn borrow_mut(&mut self) -> &mut T

impl<T> CloneToUninit for T where T: Clone

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

fn in_current_span(self) -> Instrumented<Self>

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>
    Converts self into a Left variant of Either<Self, Self> if into_left is true.
    Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
    Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true.
    Converts self into a Right variant of Either<Self, Self> otherwise.