pub struct AccessKeyStrategy<S = NoStore> { /* private fields */ }Expand description
An AuthStrategy that uses a static access key to authenticate against
a specific workspace.
The strategy is bound to a workspace CRN at construction. The region is
derived from the CRN — there is no separate region argument — so a
caller can’t accidentally point the strategy at one region while the
CRN says another.
The first call to get_token authenticates
with the server. Subsequent calls return the cached token until it
expires, at which point re-authentication happens automatically. Every
returned token is checked against the CRN; post-auth verification can
fail in two ways:
AuthError::WorkspaceMismatch— the JWT decoded cleanly but itsworkspaceclaim doesn’t match the CRN’s workspace ID.AuthError::InvalidToken— the JWT is malformed or missing theworkspaceclaim entirely, so verification can’t run.
Either outcome is preferred over silently letting the caller operate on a different workspace than they specified.
When constructed via AccessKeyStrategyBuilder::with_token_store, the
strategy also persists tokens through an external TokenStore so that
short-lived strategy instances (e.g. one per Edge Function request) can
share a cache and avoid re-authenticating every cold start.
§Example
use stack_auth::{AccessKey, AccessKeyStrategy};
use cts_common::Crn;
let crn: Crn = "crn:ap-southeast-2.aws:ZVATKW3VHMFG27DY".parse().unwrap();
let key: AccessKey = "CSAKmyKeyId.myKeySecret".parse().unwrap();
let strategy = AccessKeyStrategy::new(crn, key).unwrap();Implementations§
Source§impl AccessKeyStrategy
impl AccessKeyStrategy
Sourcepub fn new(workspace_crn: Crn, access_key: AccessKey) -> Result<Self, AuthError>
pub fn new(workspace_crn: Crn, access_key: AccessKey) -> Result<Self, AuthError>
Create a new AccessKeyStrategy for the given workspace CRN and
access key. The auth endpoint is resolved automatically via service
discovery using the region encoded in the CRN.
The CS_CTS_HOST environment variable, if set and non-empty,
overrides service discovery — useful for pointing the strategy at
a staging CTS or a local mock without changing the CRN.
A CRN with a service_name component (e.g.
crn:ap-southeast-2.aws:ZVATKW3VHMFG27DY:zerokms) is accepted; the
service_name is ignored. Only the region and workspace ID are
load-bearing for this strategy.
Sourcepub fn builder(
workspace_crn: Crn,
access_key: AccessKey,
) -> AccessKeyStrategyBuilder
pub fn builder( workspace_crn: Crn, access_key: AccessKey, ) -> AccessKeyStrategyBuilder
Return a builder for configuring an AccessKeyStrategy before construction.
§Example
use stack_auth::{AccessKey, AccessKeyStrategy};
use cts_common::Crn;
let crn: Crn = "crn:ap-southeast-2.aws:ZVATKW3VHMFG27DY".parse().unwrap();
let key: AccessKey = "CSAKmyKeyId.myKeySecret".parse().unwrap();
let strategy = AccessKeyStrategy::builder(crn, key)
.audience("my-audience")
.build()
.unwrap();Trait Implementations§
Source§impl<S: TokenStore> AuthStrategy for &AccessKeyStrategy<S>
impl<S: TokenStore> AuthStrategy for &AccessKeyStrategy<S>
Auto Trait Implementations§
impl<S = NoStore> !Freeze for AccessKeyStrategy<S>
impl<S = NoStore> !RefUnwindSafe for AccessKeyStrategy<S>
impl<S = NoStore> !UnwindSafe for AccessKeyStrategy<S>
impl<S> Send for AccessKeyStrategy<S>where
S: Send,
impl<S> Sync for AccessKeyStrategy<S>where
S: Sync,
impl<S> Unpin for AccessKeyStrategy<S>where
S: Unpin,
impl<S> UnsafeUnpin for AccessKeyStrategy<S>where
S: UnsafeUnpin,
Blanket Implementations§
impl<T> AuthStrategyBounds for T
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read more