Package org.springframework.vault.authentication

Class AwsIamAuthentication

java.lang.Object

org.springframework.vault.authentication.AwsIamAuthentication

All Implemented Interfaces:

AuthenticationStepsFactory, ClientAuthentication

public class AwsIamAuthentication
extends Object
implements ClientAuthentication, AuthenticationStepsFactory

AWS IAM authentication using signed HTTP requests to query the current identity.

AWS IAM authentication creates a signed HTTP request that is executed by Vault to get the identity of the signer using AWS STS GetCallerIdentity. A signature requires AwsCredentials to calculate the signature.

This authentication requires AWS' Java SDK to sign request parameters and calculate the signature key. Using an appropriate AwsCredentialsProvider allows authentication within AWS-EC2 instances with an assigned profile, within ECS and Lambda instances.

Since:

1.1

Author:

Mark Paluch

See Also:

• AwsIamAuthenticationOptions
• AwsCredentialsProvider
• VaultClient
• Auth Method: aws (IAM)
• AWS: GetCallerIdentity

Constructor Summary

Constructors

Constructor	Description
AwsIamAuthentication(AwsIamAuthenticationOptions options, VaultClient vaultClient)	Create a new AwsIamAuthentication specifying AwsIamAuthenticationOptions and a Vault VaultClient.
AwsIamAuthentication(AwsIamAuthenticationOptions options, RestClient vaultClient)	Create a new AwsIamAuthentication specifying AwsIamAuthenticationOptions and a Vault RestClient.
AwsIamAuthentication(AwsIamAuthenticationOptions options, RestOperations vaultRestOperations)	Deprecated. since 4.1, use AwsIamAuthentication(AwsIamAuthenticationOptions, VaultClient) instead.

Method Summary

Modifier and Type	Method	Description
static AuthenticationSteps	createAuthenticationSteps(AwsIamAuthenticationOptions options)	Create AuthenticationSteps for AWS-IAM authentication given AwsIamAuthenticationOptions.
protected static AuthenticationSteps	createAuthenticationSteps(AwsIamAuthenticationOptions options, software.amazon.awssdk.auth.credentials.AwsCredentials credentials, software.amazon.awssdk.regions.Region region)
protected static Map<String,String>	createRequestBody(AwsIamAuthenticationOptions options)	Create the request body to perform a Vault login using the AWS-IAM authentication method.
AuthenticationSteps	getAuthenticationSteps()	Get the AuthenticationSteps describing an authentication flow.
VaultToken	login()	Obtain a VaultToken for authenticated Vault access.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

AwsIamAuthentication

@Deprecated(since="4.1")
public AwsIamAuthentication(AwsIamAuthenticationOptions options,
 RestOperations vaultRestOperations)

Deprecated.

since 4.1, use AwsIamAuthentication(AwsIamAuthenticationOptions, VaultClient) instead.

Create a new AwsIamAuthentication specifying AwsIamAuthenticationOptions and a Vault RestOperations.

Parameters:

options - must not be null.

vaultRestOperations - must not be null.

AwsIamAuthentication

public AwsIamAuthentication(AwsIamAuthenticationOptions options,
 RestClient vaultClient)

Create a new AwsIamAuthentication specifying AwsIamAuthenticationOptions and a Vault RestClient.

Parameters:

options - must not be null.

vaultClient - must not be null.

AwsIamAuthentication

public AwsIamAuthentication(AwsIamAuthenticationOptions options,
 VaultClient vaultClient)

Create a new AwsIamAuthentication specifying AwsIamAuthenticationOptions and a Vault VaultClient.

Parameters:

options - must not be null.

vaultClient - must not be null.

Since:

4.1

Method Details

createAuthenticationSteps

public static AuthenticationSteps createAuthenticationSteps(AwsIamAuthenticationOptions options)

Create AuthenticationSteps for AWS-IAM authentication given AwsIamAuthenticationOptions. The resulting AuthenticationSteps reuse eagerly-fetched AwsCredentials to prevent blocking I/O during authentication.

Parameters:

options - must not be null.

Returns:

AuthenticationSteps for AWS-IAM authentication.

Since:

2.2

createAuthenticationSteps

protected static AuthenticationSteps createAuthenticationSteps(AwsIamAuthenticationOptions options,
 software.amazon.awssdk.auth.credentials.AwsCredentials credentials,
 software.amazon.awssdk.regions.Region region)

login

public VaultToken login()
                 throws VaultException

Description copied from interface: ClientAuthentication

Obtain a VaultToken for authenticated Vault access.

This method may perform an authentication request to Vault or return a cached or pre-configured token.

Specified by:

login in interface ClientAuthentication

Returns:

the Vault token for subsequent authenticated requests

Throws:

VaultLoginException - if authentication fails.

VaultException

See Also:

• LoginToken

getAuthenticationSteps

public AuthenticationSteps getAuthenticationSteps()

Description copied from interface: AuthenticationStepsFactory

Get the AuthenticationSteps describing an authentication flow.

Specified by:

getAuthenticationSteps in interface AuthenticationStepsFactory

Returns:

the AuthenticationSteps describing an authentication flow.

createRequestBody

protected static Map<String,String> createRequestBody(AwsIamAuthenticationOptions options)

Create the request body to perform a Vault login using the AWS-IAM authentication method.

Parameters:

options - must not be null.

Returns:

the map containing body key-value pairs.