Class AwsIamAuthentication
java.lang.Object
org.springframework.vault.authentication.AwsIamAuthentication
- All Implemented Interfaces:
  AuthenticationStepsFactory, ClientAuthentication
public class AwsIamAuthentication
extends Object
implements ClientAuthentication, AuthenticationStepsFactory
AWS IAM authentication using signed HTTP requests to query the current identity.

AWS IAM authentication creates a signed HTTP request that is executed by Vault to get the identity of the signer using AWS STS GetCallerIdentity. Calculating the signature requires AwsCredentials.

This authentication requires the AWS Java SDK to sign the request parameters and calculate the signing key. Using an appropriate AwsCredentialsProvider allows authentication from within AWS EC2 instances with an assigned profile, and from within ECS and Lambda instances.
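The following is an added example, not code from the Spring Vault project, showing how this class is wired together: credentials come from the AWS SDK's default provider chain (instance profile, ECS task role or Lambda execution role, so no static access keys are embedded), and the Vault role name, server ID and Vault host are assumed values. The builder methods credentialsProvider, role and serverId, and VaultClients.createRestTemplate, are Spring Vault API; the serverId value is sent as the X-Vault-AWS-IAM-Server-ID header, which Vault's aws auth role can require so that a signed login request cannot be replayed against a Vault server configured with a different ID.

```java
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.vault.authentication.AwsIamAuthentication;
import org.springframework.vault.authentication.AwsIamAuthenticationOptions;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestTemplate;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;

public class VaultAwsIamLogin {

    public static VaultToken login() {
        // Vault server address (assumed for this example; https is the default scheme).
        VaultEndpoint endpoint = VaultEndpoint.create("vault.example.internal", 8200);

        // RestOperations bound to the Vault base URL; AwsIamAuthentication posts the
        // login request to the aws auth mount relative to this endpoint.
        RestTemplate vaultRest = VaultClients.createRestTemplate(endpoint,
                new SimpleClientHttpRequestFactory());

        AwsIamAuthenticationOptions options = AwsIamAuthenticationOptions.builder()
                // Resolves credentials from the environment, instance profile,
                // ECS task role or Lambda execution role at login time.
                .credentialsProvider(DefaultCredentialsProvider.create())
                // Vault role bound to the calling IAM principal (assumed name).
                .role("app-role")
                // Signed into the STS request as X-Vault-AWS-IAM-Server-ID; a role
                // that requires this header rejects requests signed for another ID.
                .serverId("vault.example.internal")
                .build();

        AwsIamAuthentication authentication = new AwsIamAuthentication(options, vaultRest);

        // Performs the signed GetCallerIdentity exchange via Vault and returns
        // the resulting client token.
        return authentication.login();
    }
}
```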
- Since:
  1.1
- Author:
  Mark Paluch
- See Also:
  - AwsIamAuthenticationOptions
  - AwsCredentialsProvider
  - RestOperations
  - Auth Backend: aws (IAM)
  - AWS: GetCallerIdentity
Constructor Summary

Constructor | Description
AwsIamAuthentication(AwsIamAuthenticationOptions options, RestOperations vaultRestOperations) | Create a new AwsIamAuthentication specifying AwsIamAuthenticationOptions, a Vault and an AWS-Metadata-specific RestOperations.
Method Summary

Modifier and Type | Method | Description
static AuthenticationSteps | createAuthenticationSteps(AwsIamAuthenticationOptions options) | Creates AuthenticationSteps for AWS-IAM authentication given AwsIamAuthenticationOptions.
protected static AuthenticationSteps | createAuthenticationSteps(AwsIamAuthenticationOptions options, software.amazon.awssdk.auth.credentials.AwsCredentials credentials, software.amazon.awssdk.regions.Region region) |
 | createRequestBody(AwsIamAuthenticationOptions options) | Create the request body to perform a Vault login using the AWS-IAM authentication method.
AuthenticationSteps | getAuthenticationSteps() | Get the AuthenticationSteps describing an authentication flow.
VaultToken | login() | Return a VaultToken.
Constructor Details

AwsIamAuthentication

public AwsIamAuthentication(AwsIamAuthenticationOptions options, RestOperations vaultRestOperations)

Create a new AwsIamAuthentication specifying AwsIamAuthenticationOptions, a Vault and an AWS-Metadata-specific RestOperations.

Parameters:
  options - must not be null.
  vaultRestOperations - must not be null.

Method Details
createAuthenticationSteps

static AuthenticationSteps createAuthenticationSteps(AwsIamAuthenticationOptions options)

Creates AuthenticationSteps for AWS-IAM authentication given AwsIamAuthenticationOptions. The resulting AuthenticationSteps reuse eagerly-fetched AwsCredentials to prevent blocking I/O during authentication.

Parameters:
  options - must not be null.
Returns:
  AuthenticationSteps for AWS-IAM authentication.
Since:
  2.2

createAuthenticationSteps

protected static AuthenticationSteps createAuthenticationSteps(AwsIamAuthenticationOptions options, software.amazon.awssdk.auth.credentials.AwsCredentials credentials, software.amazon.awssdk.regions.Region region)

login

public VaultToken login()

Description copied from interface: ClientAuthentication
Return a VaultToken. This method can optionally log into Vault to obtain a token.

Specified by:
  login in interface ClientAuthentication
Returns:
  a VaultToken.
Throws:
  VaultException

getAuthenticationSteps

public AuthenticationSteps getAuthenticationSteps()

Description copied from interface: AuthenticationStepsFactory
Get the AuthenticationSteps describing an authentication flow.

Specified by:
  getAuthenticationSteps in interface AuthenticationStepsFactory
Returns:
  the AuthenticationSteps describing an authentication flow.

createRequestBody

Create the request body to perform a Vault login using the AWS-IAM authentication method.

Parameters:
  options - must not be null.
Returns:
  the map containing body key-value pairs.