Ecs Credentials Provider
This credential provider is frequently used with an AWS-provided credentials service (e.g. IAM Roles for tasks). However, it’s possible to use environment variables to configure this provider to use your own credentials sources.
This provider is part of the default credentials chain.
§Configuration
First: It will check the value of $AWS_CONTAINER_CREDENTIALS_RELATIVE_URI. It will use this to construct a URI rooted at http://169.254.170.2. For example, if the value of the environment variable was /credentials, the SDK would look for credentials at http://169.254.170.2/credentials.
Next: It will check the value of $AWS_CONTAINER_CREDENTIALS_FULL_URI. This specifies the full URL to load credentials. The URL MUST satisfy one of the following three properties:
- The URL begins with https
- The URL refers to an allowed IP address. If a URL contains a domain name instead of an IP address, a DNS lookup will be performed. ALL resolved IP addresses MUST refer to an allowed IP address, or the credentials provider will return CredentialsError::InvalidConfiguration. Valid IP addresses are:
  a) Loopback interfaces
  b) The ECS Task Metadata V2 address, i.e. 169.254.170.2
  c) EKS Pod Identity addresses, i.e. 169.254.170.23 or fd00:ec2::23
Next: It will check the value of $AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. If this is set, the filename specified will be read, and the value passed in the Authorization header. If the file cannot be read, an error is returned.
Finally: It will check the value of $AWS_CONTAINER_AUTHORIZATION_TOKEN. If this is set, the value will be passed in the Authorization header.
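The $AWS_CONTAINER_CREDENTIALS_FULL_URI rule above can be checked before a task definition ships. The following is an added example, not code from aws-config: check_full_uri, host_of and fake_dns are hypothetical names, the DNS lookup is replaced by a caller-supplied resolver with constructed answers, and the scheme is assumed to be lower-case.

```rust
use std::net::IpAddr;
// Plain-HTTP targets permitted by the rules above.
fn is_allowed_ip(ip: &IpAddr) -> bool {
    const FIXED: [&str; 3] = ["169.254.170.2", "169.254.170.23", "fd00:ec2::23"];
    ip.is_loopback() || FIXED.iter().any(|a| a.parse::<IpAddr>().map_or(false, |p| p == *ip))
}

// Host of the text after "http://": drops path, userinfo and port, unwraps [v6].
fn host_of(rest: &str) -> Option<&str> {
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    let hostport = authority.rsplit('@').next()?;
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split_once(']')?.0,
        None => hostport.split(':').next()?,
    };
    if host.is_empty() { None } else { Some(host) }
}

// `resolve` stands in for the DNS lookup (assumption) so the check runs offline.
fn check_full_uri(uri: &str, resolve: &dyn Fn(&str) -> Vec<IpAddr>) -> Result<(), String> {
    if uri.starts_with("https://") { return Ok(()); }
    let rest = uri.strip_prefix("http://").ok_or("scheme must be http or https")?;
    let host = host_of(rest).ok_or("missing host")?;
    // An IP literal is checked directly; a domain name goes through the resolver.
    let addrs = host.parse::<IpAddr>().map(|ip| vec![ip]).unwrap_or_else(|_| resolve(host));
    if addrs.is_empty() { return Err(format!("{host} did not resolve")); }
    // ALL addresses must be allowed: a single stray record rejects the URI.
    match addrs.iter().find(|ip| !is_allowed_ip(ip)) {
        Some(bad) => Err(format!("{host} resolves to disallowed address {bad}")),
        None => Ok(()),
    }
}

// Constructed DNS answers for the sample run (not real records).
fn fake_dns(host: &str) -> Vec<IpAddr> {
    let ips = match host {
        "localhost" => vec!["127.0.0.1", "::1"],
        "mixed.example" => vec!["127.0.0.1", "10.0.0.5"],
        _ => vec![],
    };
    ips.iter().map(|s| s.parse().unwrap()).collect()
}

fn main() {
    for uri in ["http://169.254.170.23/v1/credentials", "http://mixed.example/creds"] {
        println!("{uri} -> {:?}", check_full_uri(uri, &fake_dns));
    }
}
```

The mixed.example case shows why every resolved address is checked: when an authorization token is configured it is sent with the request, so one record outside the allowed set would hand it to an unintended host.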
§Credentials Format
Credentials MUST be returned in a JSON format:
{
  "AccessKeyId" : "MUA...",
  "SecretAccessKey" : "/7PC5om....",
  "Token" : "AQoDY....=",
  "Expiration" : "2016-02-25T06:03:31Z"
}
Credentials errors MAY be returned with a code and message field:
{
  "code": "ErrorCode",
  "message": "Helpful error message."
}
Structs§
- Builder for EcsCredentialsProvider
- Credential provider for ECS and generalized HTTP credentials
- Invalid Full URI