aws_config

Module web_identity_token

source
Expand description

Load Credentials from Web Identity Tokens

Web identity tokens can be loaded from file. The path may be set in one of three ways:

  1. Environment Variables
  2. AWS profile defined in ~/.aws/config
  3. Static configuration via static_configuration

Note: WebIdentityTokenCredentialsProvider is part of the default provider chain. Unless you need specific behavior or configuration overrides, it is recommended to use the default chain instead of using this provider directly. This client should be considered a “low level” client as it does not include caching or profile-file resolution when used in isolation.

§Environment Variable Configuration

WebIdentityTokenCredentialProvider will load the following environment variables:

  • AWS_WEB_IDENTITY_TOKEN_FILE: required, location to find the token file containing a JWT token
  • AWS_ROLE_ARN: required, role ARN to assume
  • AWS_ROLE_SESSION_NAME: optional: Session name to use when assuming the role

§AWS Profile Configuration

Note: Configuration of the web identity token provider via a shared profile is only supported when using the ProfileFileCredentialsProvider.

Web identity token credentials can be loaded from ~/.aws/config in two ways:

  1. Directly:
[profile default]
role_arn = arn:aws:iam::1234567890123:role/RoleA
web_identity_token_file = /token.jwt
  1. As a source profile for another role:
[profile default]
role_arn = arn:aws:iam::123456789:role/RoleA
source_profile = base

[profile base]
role_arn = arn:aws:iam::123456789012:role/s3-reader
web_identity_token_file = /token.jwt

§Examples

Web Identity Token providers are part of the default chain. However, they may be directly constructed if you don’t want to use the default provider chain. Unless overridden with static_configuration, the provider will load configuration from environment variables.

use aws_config::web_identity_token::WebIdentityTokenCredentialsProvider;
use aws_config::provider_config::ProviderConfig;
let provider = WebIdentityTokenCredentialsProvider::builder()
    .configure(&ProviderConfig::with_default_region().await)
    .build();

Structs§