feat(aws): Adds support for AWS_CREDENTIAL_EXPIRATION environment variable (#5002)
feat(aws): supports AWS_CREDENTIAL_EXPIRATION environment variable. Adds support for the AWS_CREDENTIAL_EXPIRATION environment variable, which was adopted as the standard way to set the expiration for temporary credentials. The existing AWS_SESSION_EXPIRATION environment variable is kept for backwards compatibility. See https://github.com/aws/aws-cli/pull/7398
parent
58d401acef
commit
74ce7fdbee
|
@ -1775,7 +1775,7 @@
|
||||||
"definitions": {
|
"definitions": {
|
||||||
"AwsConfig": {
|
"AwsConfig": {
|
||||||
"title": "AWS",
|
"title": "AWS",
|
||||||
"description": "The `aws` module shows the current AWS region and profile and an expiration timer when using temporary credentials. The output of the module uses the `AWS_REGION`, `AWS_DEFAULT_REGION`, and `AWS_PROFILE` env vars and the `~/.aws/config` and `~/.aws/credentials` files as required.\n\nThe module will display a profile only if its credentials are present in `~/.aws/credentials` or if a `credential_process` or `sso_start_url` are defined in `~/.aws/config`. Alternatively, having any of the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_SESSION_TOKEN` env vars defined will also suffice. If the option `force_display` is set to `true`, all available information will be displayed even if no credentials per the conditions above are detected.\n\nWhen using [aws-vault](https://github.com/99designs/aws-vault) the profile is read from the `AWS_VAULT` env var and the credentials expiration date is read from the `AWS_SESSION_EXPIRATION` env var.\n\nWhen using [awsu](https://github.com/kreuzwerker/awsu) the profile is read from the `AWSU_PROFILE` env var.\n\nWhen using [`AWSume`](https://awsu.me) the profile is read from the `AWSUME_PROFILE` env var and the credentials expiration date is read from the `AWSUME_EXPIRATION` env var.",
|
"description": "The `aws` module shows the current AWS region and profile and an expiration timer when using temporary credentials. The output of the module uses the `AWS_REGION`, `AWS_DEFAULT_REGION`, and `AWS_PROFILE` env vars and the `~/.aws/config` and `~/.aws/credentials` files as required.\n\nThe module will display a profile only if its credentials are present in `~/.aws/credentials` or if a `credential_process` or `sso_start_url` are defined in `~/.aws/config`. Alternatively, having any of the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_SESSION_TOKEN` env vars defined will also suffice. If the option `force_display` is set to `true`, all available information will be displayed even if no credentials per the conditions above are detected.\n\nWhen using [aws-vault](https://github.com/99designs/aws-vault) the profile is read from the `AWS_VAULT` env var and the credentials expiration date is read from the `AWS_SESSION_EXPIRATION` or `AWS_CREDENTIAL_EXPIRATION` var.\n\nWhen using [awsu](https://github.com/kreuzwerker/awsu) the profile is read from the `AWSU_PROFILE` env var.\n\nWhen using [`AWSume`](https://awsu.me) the profile is read from the `AWSUME_PROFILE` env var and the credentials expiration date is read from the `AWSUME_EXPIRATION` env var.",
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"properties": {
|
"properties": {
|
||||||
"format": {
|
"format": {
|
||||||
|
|
|
@ -18,7 +18,8 @@ use std::collections::HashMap;
|
||||||
///
|
///
|
||||||
/// When using [aws-vault](https://github.com/99designs/aws-vault) the profile
|
/// When using [aws-vault](https://github.com/99designs/aws-vault) the profile
|
||||||
/// is read from the `AWS_VAULT` env var and the credentials expiration date
|
/// is read from the `AWS_VAULT` env var and the credentials expiration date
|
||||||
/// is read from the `AWS_SESSION_EXPIRATION` env var.
|
/// is read from the `AWS_SESSION_EXPIRATION` or `AWS_CREDENTIAL_EXPIRATION`
|
||||||
|
/// var.
|
||||||
///
|
///
|
||||||
/// When using [awsu](https://github.com/kreuzwerker/awsu) the profile
|
/// When using [awsu](https://github.com/kreuzwerker/awsu) the profile
|
||||||
/// is read from the `AWSU_PROFILE` env var.
|
/// is read from the `AWSU_PROFILE` env var.
|
||||||
|
|
|
@ -121,7 +121,11 @@ fn get_credentials_duration(
|
||||||
aws_profile: Option<&Profile>,
|
aws_profile: Option<&Profile>,
|
||||||
aws_creds: &AwsCredsFile,
|
aws_creds: &AwsCredsFile,
|
||||||
) -> Option<i64> {
|
) -> Option<i64> {
|
||||||
let expiration_env_vars = ["AWS_SESSION_EXPIRATION", "AWSUME_EXPIRATION"];
|
let expiration_env_vars = [
|
||||||
|
"AWS_CREDENTIAL_EXPIRATION",
|
||||||
|
"AWS_SESSION_EXPIRATION",
|
||||||
|
"AWSUME_EXPIRATION",
|
||||||
|
];
|
||||||
let expiration_date = if let Some(expiration_date) = expiration_env_vars
|
let expiration_date = if let Some(expiration_date) = expiration_env_vars
|
||||||
.iter()
|
.iter()
|
||||||
.find_map(|env_var| context.get_env(env_var))
|
.find_map(|env_var| context.get_env(env_var))
|
||||||
|
@ -636,8 +640,11 @@ credential_process = /opt/bin/awscreds-retriever
|
||||||
fn expiration_date_set() {
|
fn expiration_date_set() {
|
||||||
use chrono::{DateTime, NaiveDateTime, SecondsFormat, Utc};
|
use chrono::{DateTime, NaiveDateTime, SecondsFormat, Utc};
|
||||||
|
|
||||||
|
let expiration_env_vars = ["AWS_SESSION_EXPIRATION", "AWS_CREDENTIAL_EXPIRATION"];
|
||||||
|
expiration_env_vars.iter().for_each(|env_var| {
|
||||||
let now_plus_half_hour: DateTime<Utc> = chrono::DateTime::from_utc(
|
let now_plus_half_hour: DateTime<Utc> = chrono::DateTime::from_utc(
|
||||||
NaiveDateTime::from_timestamp_opt(chrono::Local::now().timestamp() + 1800, 0).unwrap(),
|
NaiveDateTime::from_timestamp_opt(chrono::Local::now().timestamp() + 1800, 0)
|
||||||
|
.unwrap(),
|
||||||
Utc,
|
Utc,
|
||||||
);
|
);
|
||||||
|
|
||||||
|
@ -646,7 +653,7 @@ credential_process = /opt/bin/awscreds-retriever
|
||||||
.env("AWS_REGION", "ap-northeast-2")
|
.env("AWS_REGION", "ap-northeast-2")
|
||||||
.env("AWS_ACCESS_KEY_ID", "dummy")
|
.env("AWS_ACCESS_KEY_ID", "dummy")
|
||||||
.env(
|
.env(
|
||||||
"AWS_SESSION_EXPIRATION",
|
env_var,
|
||||||
now_plus_half_hour.to_rfc3339_opts(SecondsFormat::Secs, true),
|
now_plus_half_hour.to_rfc3339_opts(SecondsFormat::Secs, true),
|
||||||
)
|
)
|
||||||
.collect();
|
.collect();
|
||||||
|
@ -658,6 +665,7 @@ credential_process = /opt/bin/awscreds-retriever
|
||||||
));
|
));
|
||||||
|
|
||||||
assert_eq!(expected, actual);
|
assert_eq!(expected, actual);
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
|
|
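Review bot: The new array in `get_credentials_duration` lists `AWS_CREDENTIAL_EXPIRATION` first, and since `find_map` returns the first variable that is set, it takes precedence over `AWS_SESSION_EXPIRATION` and `AWSUME_EXPIRATION`; neither the code nor the updated doc text states that order. A stale `AWS_CREDENTIAL_EXPIRATION` inherited from a parent shell would presumably drive the displayed timer even when a tool such as aws-vault has exported a fresh `AWS_SESSION_EXPIRATION`, so the prompt could show a lifetime that does not match the credentials in use. I would add a comment above the array, `// Order is precedence: the first variable that is set wins.`, and check how the parsing code (outside this hunk) treats an unparsable first value. The `expiration_date_set` test sets one variable per iteration, so a case with both variables set to different timestamps would pin the intended order, and `assert_eq!(expected, actual, "{env_var}")` would show which iteration failed.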