blob: 5c61a118e21ddd7764b1d6a4d2c1096f14be2441 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
<?php
namespace Aws\Credentials;
use Aws\Exception\CredentialsException;
use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Promise\PromiseInterface;
use Psr\Http\Message\ResponseInterface;
/**
* Credential provider that fetches credentials with GET request.
* ECS environment variable is used in constructing request URI.
*/
class EcsCredentialProvider
{
const SERVER_URI = 'http://169.254.170.2';
const ENV_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
const ENV_FULL_URI = "AWS_CONTAINER_CREDENTIALS_FULL_URI";
const ENV_AUTH_TOKEN = "AWS_CONTAINER_AUTHORIZATION_TOKEN";
const ENV_TIMEOUT = 'AWS_METADATA_SERVICE_TIMEOUT';
/** @var callable */
private $client;
/** @var float|mixed */
private $timeout;
/**
* The constructor accepts following options:
* - timeout: (optional) Connection timeout, in seconds, default 1.0
* - client: An EcsClient to make request from
*
* @param array $config Configuration options
*/
public function __construct(array $config = [])
{
$timeout = getenv(self::ENV_TIMEOUT);
if (!$timeout) {
$timeout = isset($_SERVER[self::ENV_TIMEOUT])
? $_SERVER[self::ENV_TIMEOUT]
: (isset($config['timeout']) ? $config['timeout'] : 1.0);
}
$this->timeout = (float) $timeout;
$this->client = isset($config['client'])
? $config['client']
: \Aws\default_http_handler();
}
/**
* Load ECS credentials
*
* @return PromiseInterface
*/
public function __invoke()
{
$client = $this->client;
$request = new Request('GET', self::getEcsUri());
$headers = $this->setHeaderForAuthToken();
return $client(
$request,
[
'timeout' => $this->timeout,
'proxy' => '',
'headers' => $headers
]
)->then(function (ResponseInterface $response) {
$result = $this->decodeResult((string) $response->getBody());
return new Credentials(
$result['AccessKeyId'],
$result['SecretAccessKey'],
$result['Token'],
strtotime($result['Expiration'])
);
})->otherwise(function ($reason) {
$reason = is_array($reason) ? $reason['exception'] : $reason;
$msg = $reason->getMessage();
throw new CredentialsException(
"Error retrieving credential from ECS ($msg)"
);
});
}
private function getEcsAuthToken()
{
return getenv(self::ENV_AUTH_TOKEN);
}
public function setHeaderForAuthToken(){
$authToken = self::getEcsAuthToken();
$headers = [];
if(!empty($authToken))
$headers = ['Authorization' => $authToken];
return $headers;
}
/**
* Fetch credential URI from ECS environment variable
*
* @return string Returns ECS URI
*/
private function getEcsUri()
{
$credsUri = getenv(self::ENV_URI);
if ($credsUri === false) {
$credsUri = isset($_SERVER[self::ENV_URI]) ? $_SERVER[self::ENV_URI] : '';
}
if(empty($credsUri)){
$credFullUri = getenv(self::ENV_FULL_URI);
if($credFullUri === false){
$credFullUri = isset($_SERVER[self::ENV_FULL_URI]) ? $_SERVER[self::ENV_FULL_URI] : '';
}
if(!empty($credFullUri))
return $credFullUri;
}
return self::SERVER_URI . $credsUri;
}
private function decodeResult($response)
{
$result = json_decode($response, true);
if (!isset($result['AccessKeyId'])) {
throw new CredentialsException('Unexpected ECS credential value');
}
return $result;
}
}
|
