Lines Matching full:aws

15 """AWS Credentials and AWS Signature V4 Request Signer.
18 Web Services (AWS) workloads. These credentials are recommended over the
19 use of service account credentials in AWS as they do not involve the management
22 AWS Credentials are initialized using external_account arguments which are
30 `AWS Signature Version 4`_ request signing algorithm.
32 AWS Credentials use serialized signed requests to the
33 `AWS STS GetCallerIdentity`_ API that can be exchanged for Google access tokens
36 .. _AWS Signature Version 4: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
37 .. _AWS STS GetCallerIdentity: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIde…
62 # AWS Signature Version 4 signing algorithm identifier.
64 # The termination string for the AWS credential scope value as defined in
65 # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
67 # The AWS authorization header name for the security session token if available.
69 # The AWS authorization header name for the auto-generated date.
74 """Implements an AWS request signer based on the AWS Signature Version 4 signing
76 https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
80 """Instantiates an AWS request signer used to compute authenticated signed
81 requests to AWS APIs based on the AWS Signature Version 4 signing process.
84 region_name (str): The AWS region to use.
98 an AWS API. This follows the steps described at:
99 https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
103 the AWS security credentials.
104 url (str): The AWS service URL containing the canonical URI and
110 additional headers needed for the requested AWS API.
113 Mapping[str, str]: The AWS signed request dictionary object.
115 # Get AWS credentials.
131 raise ValueError("Invalid AWS service URL")
169 https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
218 AWS Signature Version 4 based on:
219 https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
222 key (str): The AWS secret access key.
224 region_name (str): The AWS region.
225 service_name (str): The AWS service name, e.g. sts.
249 """Generates the authentication header map needed for generating the AWS
253 host (str): The AWS service URL hostname.
254 canonical_uri (str): The AWS service URL path name.
255 canonical_querystring (str): The AWS service URL query string.
257 region (str): The AWS region.
258 access_key (str): The AWS access key ID.
259 secret_key (str): The AWS secret access key.
260 security_token (Optional[str]): The AWS security session token. This is
265 additional headers needed for the requested AWS API.
268 Mapping[str, str]: The AWS authentication header dictionary object.
283 # Add AWS session token if available.
308 # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
322 # https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
330 # https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
336 # https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
349 """AWS external account credentials.
350 This is used to exchange serialized AWS signature v4 signed requests to
351 AWS STS GetCallerIdentity service for Google access tokens.
367 """Instantiates an AWS workload external account credentials object.
419 matches = re.match(r"^(aws)([\d]+)$", self._environment_id)
425 if env_id != "aws" or self._cred_verification_url is None:
426 raise ValueError("No valid AWS 'credential_source' provided")
429 "aws version '{}' is not supported in the current build.".format(
436 The subject token is a serialized `AWS GetCallerIdentity signed request`_.
440 Retrieve the AWS region from the AWS_REGION or AWS_DEFAULT_REGION
441 environment variable or from the AWS metadata server availability-zone
444 Check AWS credentials in environment variables. If not found, retrieve
445 from the AWS metadata server security-credentials endpoint.
447 When retrieving AWS credentials from the metadata server
448 security-credentials endpoint, the AWS role needs to be determined by
452 Generate the signed request to AWS STS GetCallerIdentity action.
458 https://cloud.google.com/iam/docs/access-resources-aws#exchange-token
467 # the current AWS region.
472 # Retrieve the AWS security credentials needed to generate the signed
475 # Generate the signed request to AWS STS GetCallerIdentity API.
501 # Serialize AWS signed request.
520 """Retrieves the current AWS region from either the AWS_REGION or
521 AWS_DEFAULT_REGION environment variable or from the AWS metadata server.
526 url (str): The AWS metadata server region URL.
529 str: The current AWS region.
533 retrieving the AWS region.
535 # The AWS metadata server is not available in some AWS environments
536 # such as AWS Lambda. Instead, it is available via environment
547 raise exceptions.RefreshError("Unable to determine AWS region")
559 "Unable to retrieve AWS region", response_body
567 """Retrieves the AWS security credentials required for signing AWS
568 requests from either the AWS security credentials environment variables
569 or from the AWS metadata server.
576 Mapping[str, str]: The AWS security credentials dictionary object.
580 retrieving the AWS security credentials.
584 # https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
611 """Retrieves the AWS security credentials required for signing AWS
612 requests from the AWS metadata server.
617 role_name (str): The AWS role name required by the AWS metadata
622 Mapping[str, str]: The AWS metadata server security credentials
627 retrieving the AWS security credentials.
645 "Unable to retrieve AWS security credentials", response_body
653 """Retrieves the AWS role currently attached to the current AWS
654 workload by querying the AWS metadata server. This is needed for the
655 AWS metadata server security credentials endpoint in order to retrieve
656 the AWS security credentials needed to sign requests to AWS APIs.
663 str: The AWS role name.
667 retrieving the AWS role name.
671 "Unable to determine the AWS metadata server security credentials endpoint"
684 "Unable to retrieve AWS role name", response_body
691 """Creates an AWS Credentials instance from parsed external account info.
694 info (Mapping[str, str]): The AWS external account info in Google
699 google.auth.aws.Credentials: The constructed credentials.
720 """Creates an AWS Credentials instance from an external account json file.
723 filename (str): The path to the AWS external account json file.
727 google.auth.aws.Credentials: The constructed credentials.