File Coverage

blib/lib/Paws/Credential/AssumeRoleWebIdentity.pm

Criterion	Covered	Total	%
statement	12	36	33.3
branch	0	8	0.0
condition			n/a
subroutine	4	9	44.4
pod	0	3	0.0
total	16	56	28.5

line	stmt	bran	sub	pod	time	code
1						package Paws::Credential::AssumeRoleWebIdentity;
2
3	1		1		1882	use Moose;
	1				479219
	1				7
4	1		1		8403	use DateTime::Format::ISO8601;
	1				623693
	1				47
5	1		1		1328	use Paws::Credential::None;
	1				23436
	1				648
6
7						with 'Paws::Credential';
8
9						our $VERSION = "0.0.3";
10
11						has expiration => (
12						is => 'rw',
13						isa => 'Int',
14						lazy => 1,
15						default => sub { 0 }
16						);
17
18						has RoleArn => (
19						is => 'rw',
20						isa => 'Str',
21						lazy => 1,
22						default => sub { $ENV{'AWS_ROLE_ARN'} }
23						);
24
25						has WebIdentityTokenFile => (
26						is => 'rw',
27						isa => 'Str',
28						lazy => 1,
29						default => sub { $ENV{'AWS_WEB_IDENTITY_TOKEN_FILE'} }
30						);
31
32						has sts_region => (
33						is => 'ro',
34						isa => 'Str\|Undef',
35						default => sub { undef }
36						);
37
38						has sts => (
39						is => 'ro',
40						isa => 'Paws::STS',
41						lazy => 1,
42						default => sub {
43						my $self = shift;
44						Paws->service('STS',
45						region => $self->sts_region
46						);
47						}
48						);
49
50						has RoleSessionName => (
51						is => 'rw',
52						isa => 'Str',
53						default => sub {
54						return sprintf('paws-session-%s', time())
55						}
56						);
57
58						has DurationSeconds => (
59						is => 'rw',
60						isa => 'Maybe[Int]'
61						);
62
63						has actual_creds => (
64						is => 'rw',
65						isa => 'Object'
66						);
67
68						sub _web_identity_token {
69	0		0			my $self = shift;
70
71	0	0				return unless -e $self->WebIdentityTokenFile;
72
73	0	0				open my $fh, '<', $self->WebIdentityTokenFile or
74						die "Not able to open WebIdentityTokenFile: $!";
75	0					my $token = do { local $/; <$fh> };
	0
	0
76	0					close $fh;
77
78	0					return $token;
79						}
80
81						sub access_key {
82	0		0	0		my $self = shift;
83	0					$self->_refresh;
84
85	0					return $self->actual_creds->AccessKeyId;
86						}
87
88						sub secret_key {
89	0		0	0		my $self = shift;
90	0					$self->_refresh;
91
92	0					return $self->actual_creds->SecretAccessKey;
93						}
94
95						sub session_token {
96	0		0	0		my $self = shift;
97	0					$self->_refresh;
98
99	0					return $self->actual_creds->SessionToken;
100						}
101
102						sub _refresh {
103	0		0			my $self = shift;
104	0	0				return if $self->expiration - 240 >= time;
105
106	0					my $token = $self->_web_identity_token();
107	0	0				my $result = $self->sts->AssumeRoleWithWebIdentity(
108						RoleSessionName => $self->RoleSessionName,
109						RoleArn => $self->RoleArn,
110						WebIdentityToken => $token,
111						(defined $self->DurationSeconds) ? (DurationSeconds => $self->DurationSeconds) : (),
112						);
113	0					my $creds = $self->actual_creds($result->Credentials);
114
115	0					my $expiration = $result->Credentials->Expiration;
116	0					$self->expiration(
117						DateTime::Format::ISO8601->parse_datetime($expiration)->epoch
118						);
119						}
120
121	1		1		17	no Moose;
	1				5
	1				12
122						1;
123
124						__END__
125
126						# ABSTRACT: The AssumeRoleWebIdentity provider is used to obtain temporary credentials with an OIDC web identity token file.
127
128						=encoding UTF-8
129
130						=head1 NAME
131
132						Paws::Credential::AssumeRoleWebIdentity
133
134						=head1 SYNOPSIS
135
136						use Paws::Credential::AssumeRoleWebIdentity;
137
138						my $paws = Paws->new(config => {
139						credentials => Paws::Credential::AssumeRoleWebIdentity->new(
140						DurationSeconds => 900,
141						RoleArn => 'arn:....',
142						WebIdentityTokenFile => '/var/run/secrets/eks.amazonaws.com/serviceaccount/token'
143						)
144						});
145
146						=head1 DESCRIPTION
147
148						The AssumeRoleWebIdentity provider is used to obtain temporary credentials with an OIDC web identity token file.
149
150						You can use this credential provider to obtain credentials when using AWS EKS and eks.amazonaws.com/role-arn annotation.
151
152						Credentials are refreshed with a re-call to STS when they before gets expired
153
154						=head2 DurationSeconds: Int (optional)
155
156						The number of seconds for which the credentials will be valid
157
158						=head2 WebIdentityTokenFile: Str (optional)
159
160						Path to web identity token file. Default: $ENV{'AWS_WEB_IDENTITY_TOKEN_FILE'}
161
162						=head2 RoleArn: Str
163
164						The arn of the role to be assumed. Default: $ENV{'AWS_ROLE_ARN'}
165
166						=head2 RoleSessionName: Str (optional)
167
168						The name of the session (will appear in CloudTrail logs, for example). Default: paws-session-time();
169
170						=head1 LICENSE
171
172						Copyright (C) Prajith P.
173
174						This library is free software; you can redistribute it and/or modify
175						it under the same terms as Perl itself.
176
177						=head1 AUTHOR
178
179						Prajith P
180
181						=cut
182