eulalie.creds
The functions in Eulalie which communicate with remote services generally accept a creds argument. creds is always a map containing :access-key & :secret-key, and, optionally, :token, :region & :endpoint. Unastonishingly, this argument is named :creds in the lower-level request maps.
This namespace contains utility functions for retrieving credentials via the environment, and via instance metadata (when running on EC2).
Unless given explicit credentials, and in the absence of environment variables, the official AWS SDK retrieves the default IAM role that's associated with the current EC2 instance, and hands this off to AWS when making requests.
What may be non-obvious is the means by which the client communicates its intention to use a particular IAM role: via credentials which look a lot like root account credentials, with the exception of carrying a token and expiry.
Whenever talking about credentials (or creds), eulalie doesn't mean root (i.e. undelimited) account credentials specifically - rather a map of data which refers either to an IAM role, or a root account.
- As per the AWS SDK, if :region isn't supplied, the default region for the given service will be used. In general, this is us-east-1.
- If :endpoint is absent, it'll revert to the default endpoint for the service and region.
(env)
- Constructs a credentials map by reading the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, as well as AWS_SESSION_TOKEN, if set.
- Useful when running on Lambda, or setting env vars by convention
(iam)
(iam role-name)
- Returns a credentials map which will be resolved (at request time) into the current instance credentials for the given IAM role (or the default role, if no argument is provided)
- Credentials will be cached until expiry, and then re-fetched
- To immediately resolve the credentials prior to your application's initial service request, use eulalie.creds/refresh!
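
An added example (not eulalie's own code) of the behaviour described above: role credentials arrive as a key pair plus a token and an expiry, and are cached and re-fetched around that expiry. The namespace, the function names, the :expiration key and the five-minute refresh margin are assumptions made for illustration; the document keys follow the AWS instance metadata format, and all sample values are constructed.

```clojure
(ns example.creds-cache
  (:import (java.time Duration Instant)))

;; Constructed sample: an instance-metadata role credentials document, already
;; parsed from JSON. Every value is fake.
(def sample-doc
  {"Code"            "Success"
   "AccessKeyId"     "ASIACONSTRUCTEDKEY00"
   "SecretAccessKey" "constructed-secret-not-real"
   "Token"           "constructed-session-token"
   "Expiration"      "2030-01-01T12:00:00Z"})

(defn doc->creds
  "Builds a creds map with the keys this page names. :expiration is a
  hypothetical key added for this example."
  [doc]
  (when-not (= "Success" (get doc "Code"))
    (throw (ex-info "No usable role credentials" {:code (get doc "Code")})))
  {:access-key (get doc "AccessKeyId")
   :secret-key (get doc "SecretAccessKey")
   :token      (get doc "Token")
   :expiration (Instant/parse (get doc "Expiration"))})

(defn stale?
  "True when nothing is cached, or the cached creds expire within margin."
  [creds ^Instant now ^Duration margin]
  (or (nil? creds)
      (not (.isBefore (.plus now margin) ^Instant (:expiration creds)))))

(defn cached-provider
  "Returns a zero-arg fn yielding creds; fetch-doc runs only on a stale cache."
  [fetch-doc clock margin]
  (let [cache (atom nil)]
    (fn []
      (when (stale? @cache (clock) margin)
        (reset! cache (doc->creds (fetch-doc))))
      @cache)))

;; Demo with a stubbed fetch and a controllable clock (no network access).
(let [fetches (atom 0)
      now     (atom (Instant/parse "2030-01-01T11:00:00Z"))
      creds!  (cached-provider #(do (swap! fetches inc) sample-doc)
                               #(deref now)
                               (Duration/ofMinutes 5))]
  (creds!) (creds!)
  (println "fetches while valid:" @fetches)
  (reset! now (Instant/parse "2030-01-01T11:56:00Z"))
  (println "has token:" (some? (:token (creds!))))
  (println "fetches after entering the margin:" @fetches))
```

The demo prints only whether a token is present, never the secret key or token itself, which is the habit to keep when logging anything derived from a creds map.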