Struct Session 

pub struct Session {

    pub id: String,
    pub created_at: DateTime<Utc>,
    pub expires_at: DateTime<Utc>,
    pub ttl_seconds: u64,
    pub budget: Option<f64>,
    pub policy: ScopedPolicy,
    pub status: SessionStatus,
    pub role_arn: String,
    pub command: Vec<String>,
    pub access_key_id: Option<String>,
    pub provider: CloudProvider,
    pub agent_id: Option<String>,
    pub principal_id: Option<String>,
    pub tags: HashMap<String, String>,
}

Represents an active agent credential session.

Fields

id: String

created_at: DateTime<Utc>

expires_at: DateTime<Utc>

ttl_seconds: u64

budget: Option<f64>

policy: ScopedPolicy

status: SessionStatus

role_arn: String

Provider-agnostic principal identifier despite the AWS-centric field name.

• AWS: IAM role ARN (e.g. arn:aws:iam::123456789012:role/MyRole)
• GCP: Service account email (e.g. my-sa@project.iam.gserviceaccount.com)
• Azure: Subscription ID or principal (e.g. 00000000-0000-0000-0000-000000000000)

The field is named role_arn for historical reasons and backwards serialization compatibility. New code should use the Session::principal_id helper method instead of accessing this field directly. JSON deserialization also accepts the alias "role_principal" to ease migration in tooling that wants provider-neutral field names.

command: Vec<String>

access_key_id: Option<String>

AWS access key for this session (populated after credential creation).

provider: CloudProvider

Cloud provider (defaults to AWS for backwards compat).

agent_id: Option<String>

Agent identity (from AUDEX_AGENT_ID env var) — tracks which AI agent/model issued the request.

principal_id: Option<String>

Azure principal ID (client ID or user object ID) to disambiguate sessions on the same subscription but different identities.

tags: HashMap<String, String>

User-supplied key:value tags for audit filtering and STS session tags.

Implementations

impl Session

pub fn new( ttl: Duration, budget: Option<f64>, policy: ScopedPolicy, role_arn: String, command: Vec<String>, ) -> Self

pub fn new_gcp( ttl: Duration, budget: Option<f64>, policy: ScopedPolicy, service_account: String, command: Vec<String>, ) -> Self

pub fn new_azure( ttl: Duration, budget: Option<f64>, policy: ScopedPolicy, subscription_id: String, command: Vec<String>, ) -> Self

pub fn short_id(&self) -> &str

Return the first 8 characters of the session ID for display, or the full ID if it is shorter than 8 characters. Avoids panics from direct session.id[..8] slicing on corrupt/hand-edited session files.

pub fn is_expired(&self) -> bool

pub fn remaining_seconds(&self) -> i64

pub fn complete(&mut self)

pub fn expire(&mut self)

pub fn revoke(&mut self)

pub fn fail(&mut self)

pub fn principal_id(&self) -> &str

Returns the provider-agnostic principal identifier for this session.

This is a migration-path accessor for the role_arn field, which stores different things depending on the cloud provider (IAM role ARN for AWS, service account email for GCP, subscription/principal ID for Azure). When the optional principal_id field is populated (e.g. for Azure service-principal disambiguation), that value is returned instead. Prefer this method over accessing role_arn directly in new code.

Trait Implementations

impl Clone for Session

fn clone(&self) -> Session

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Session

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for Session

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for Session

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.