feat(aws): Adds support for AWS_CREDENTIAL_EXPIRATION environment variable (#5002)

feat(aws): supports AWS_CREDENTIAL_EXPIRATION environment variable

Adds support for the AWS_CREDENTIAL_EXPIRATION environment variable
which was adopted as the standard way to set the expiration for
temporary credentials. The existing AWS_SESSION_EXPIRATION environment
variable is kept for backwards compatibility.

See https://github.com/aws/aws-cli/pull/7398
Harry Hodge 2023-03-20 20:56:12 +00:00 committed by GitHub
parent 58d401acef
commit 74ce7fdbee
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 32 additions and 23 deletions


@ -1775,7 +1775,7 @@
"definitions": { "definitions": {
"AwsConfig": { "AwsConfig": {
"title": "AWS", "title": "AWS",
"description": "The `aws` module shows the current AWS region and profile and an expiration timer when using temporary credentials. The output of the module uses the `AWS_REGION`, `AWS_DEFAULT_REGION`, and `AWS_PROFILE` env vars and the `~/.aws/config` and `~/.aws/credentials` files as required.\n\nThe module will display a profile only if its credentials are present in `~/.aws/credentials` or if a `credential_process` or `sso_start_url` are defined in `~/.aws/config`. Alternatively, having any of the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_SESSION_TOKEN` env vars defined will also suffice. If the option `force_display` is set to `true`, all available information will be displayed even if no credentials per the conditions above are detected.\n\nWhen using [aws-vault](https://github.com/99designs/aws-vault) the profile is read from the `AWS_VAULT` env var and the credentials expiration date is read from the `AWS_SESSION_EXPIRATION` env var.\n\nWhen using [awsu](https://github.com/kreuzwerker/awsu) the profile is read from the `AWSU_PROFILE` env var.\n\nWhen using [`AWSume`](https://awsu.me) the profile is read from the `AWSUME_PROFILE` env var and the credentials expiration date is read from the `AWSUME_EXPIRATION` env var.", "description": "The `aws` module shows the current AWS region and profile and an expiration timer when using temporary credentials. The output of the module uses the `AWS_REGION`, `AWS_DEFAULT_REGION`, and `AWS_PROFILE` env vars and the `~/.aws/config` and `~/.aws/credentials` files as required.\n\nThe module will display a profile only if its credentials are present in `~/.aws/credentials` or if a `credential_process` or `sso_start_url` are defined in `~/.aws/config`. Alternatively, having any of the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_SESSION_TOKEN` env vars defined will also suffice. 
If the option `force_display` is set to `true`, all available information will be displayed even if no credentials per the conditions above are detected.\n\nWhen using [aws-vault](https://github.com/99designs/aws-vault) the profile is read from the `AWS_VAULT` env var and the credentials expiration date is read from the `AWS_SESSION_EXPIRATION` or `AWS_CREDENTIAL_EXPIRATION` var.\n\nWhen using [awsu](https://github.com/kreuzwerker/awsu) the profile is read from the `AWSU_PROFILE` env var.\n\nWhen using [`AWSume`](https://awsu.me) the profile is read from the `AWSUME_PROFILE` env var and the credentials expiration date is read from the `AWSUME_EXPIRATION` env var.",
"type": "object", "type": "object",
"properties": { "properties": {
"format": { "format": {


@ -18,7 +18,8 @@ use std::collections::HashMap;
/// ///
/// When using [aws-vault](https://github.com/99designs/aws-vault) the profile /// When using [aws-vault](https://github.com/99designs/aws-vault) the profile
/// is read from the `AWS_VAULT` env var and the credentials expiration date /// is read from the `AWS_VAULT` env var and the credentials expiration date
/// is read from the `AWS_SESSION_EXPIRATION` env var. /// is read from the `AWS_SESSION_EXPIRATION` or `AWS_CREDENTIAL_EXPIRATION`
/// var.
/// ///
/// When using [awsu](https://github.com/kreuzwerker/awsu) the profile /// When using [awsu](https://github.com/kreuzwerker/awsu) the profile
/// is read from the `AWSU_PROFILE` env var. /// is read from the `AWSU_PROFILE` env var.


@ -121,7 +121,11 @@ fn get_credentials_duration(
aws_profile: Option<&Profile>, aws_profile: Option<&Profile>,
aws_creds: &AwsCredsFile, aws_creds: &AwsCredsFile,
) -> Option<i64> { ) -> Option<i64> {
let expiration_env_vars = ["AWS_SESSION_EXPIRATION", "AWSUME_EXPIRATION"]; let expiration_env_vars = [
"AWS_CREDENTIAL_EXPIRATION",
"AWS_SESSION_EXPIRATION",
"AWSUME_EXPIRATION",
];
let expiration_date = if let Some(expiration_date) = expiration_env_vars let expiration_date = if let Some(expiration_date) = expiration_env_vars
.iter() .iter()
.find_map(|env_var| context.get_env(env_var)) .find_map(|env_var| context.get_env(env_var))
@ -636,8 +640,11 @@ credential_process = /opt/bin/awscreds-retriever
fn expiration_date_set() { fn expiration_date_set() {
use chrono::{DateTime, NaiveDateTime, SecondsFormat, Utc}; use chrono::{DateTime, NaiveDateTime, SecondsFormat, Utc};
let expiration_env_vars = ["AWS_SESSION_EXPIRATION", "AWS_CREDENTIAL_EXPIRATION"];
expiration_env_vars.iter().for_each(|env_var| {
let now_plus_half_hour: DateTime<Utc> = chrono::DateTime::from_utc( let now_plus_half_hour: DateTime<Utc> = chrono::DateTime::from_utc(
NaiveDateTime::from_timestamp_opt(chrono::Local::now().timestamp() + 1800, 0).unwrap(), NaiveDateTime::from_timestamp_opt(chrono::Local::now().timestamp() + 1800, 0)
.unwrap(),
Utc, Utc,
); );
@ -646,7 +653,7 @@ credential_process = /opt/bin/awscreds-retriever
.env("AWS_REGION", "ap-northeast-2") .env("AWS_REGION", "ap-northeast-2")
.env("AWS_ACCESS_KEY_ID", "dummy") .env("AWS_ACCESS_KEY_ID", "dummy")
.env( .env(
"AWS_SESSION_EXPIRATION", env_var,
now_plus_half_hour.to_rfc3339_opts(SecondsFormat::Secs, true), now_plus_half_hour.to_rfc3339_opts(SecondsFormat::Secs, true),
) )
.collect(); .collect();
@ -658,6 +665,7 @@ credential_process = /opt/bin/awscreds-retriever
)); ));
assert_eq!(expected, actual); assert_eq!(expected, actual);
});
} }
#[test] #[test]
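Review bot: The order of `expiration_env_vars` in `get_credentials_duration` is now a precedence rule that nothing documents or tests: `find_map` returns the first variable that is set, so `AWS_CREDENTIAL_EXPIRATION` silently overrides `AWS_SESSION_EXPIRATION` when a shell carries both. A stale value left in the winning variable would then drive the expiration timer shown for temporary credentials; whether a set-but-unparseable first value falls through to the next variable cannot be seen here, because the function body continues outside the hunk, and should be confirmed. I would add a comment above the array, `// Checked in order; the first variable that is set wins, so the order is the precedence.`, and state the same order in the module documentation. The `expiration_date_set` test sets one variable per iteration, so a case with both variables set to different times is needed to pin the order, and `assert_eq!(expected, actual, "{env_var}");` would show which iteration failed.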