aws/internal/providers/sts

STS AssumeRole provider.

The plain AssumeRole flow — distinct from AssumeRoleWithWebIdentity in sts_web_identity.gleam — needs the caller to already hold credentials that have permission to assume the target role. The caller’s credentials sign the STS request via SigV4; STS hands back temporary credentials for the assumed role.

This is what the shared-config role_arn / source_profile chain uses under the hood: resolve credentials for the source profile, then call AssumeRole from those into the role declared on the outer profile.

Wire format is the same form-encoded Action=AssumeRole&Version=2011-06-15&... shape used by every Query-protocol STS API. We hand-roll it here rather than going through the typed STS client because the credential-chain bootstrap path has to be free of any dependency on a signed Client (chicken-and-egg: that Client needs credentials, and credentials are what this provider produces).

Types

pub type Error {
  Misconfigured(reason: String)
  Failed(reason: String)
}

Constructors

  • Misconfigured(reason: String)

    Required configuration absent. Chain falls through.

  • Failed(reason: String)

    STS responded with non-2xx or a malformed body.

AssumeRole inputs.

  • endpoint is the STS endpoint URL — defaults to the global https://sts.amazonaws.com/; pass a regional URL when assuming into a partition / region that requires it.
  • region is the SigV4 signing region written into the credential scope. It has to match the endpoint (us-east-1 for the global endpoint, the endpoint’s own region otherwise) or STS rejects the signature.
  • role_arn is the role to assume.
  • role_session_name becomes the session part of the assumed-role ARN and shows up in CloudTrail, so pick a value that identifies the caller.
  • duration_seconds requests the assumed-role session lifetime. STS does not clamp it: a value above the role’s MaxSessionDuration fails the call, as does anything above one hour when the source credentials are themselves assumed-role credentials (role chaining).
  • external_id is the optional third-party trust-policy token; set it when the role’s trust policy requires sts:ExternalId.
pub type Options {
  Options(
    endpoint: String,
    region: String,
    role_arn: String,
    role_session_name: String,
    duration_seconds: Int,
    external_id: option.Option(String),
  )
}

Constructors

  • Options(
      endpoint: String,
      region: String,
      role_arn: String,
      role_session_name: String,
      duration_seconds: Int,
      external_id: option.Option(String),
    )
pub type StsCredentials {
  StsCredentials(
    access_key_id: String,
    secret_access_key: String,
    session_token: String,
    expires_at: Int,
  )
}

Constructors

  • StsCredentials(
      access_key_id: String,
      secret_access_key: String,
      session_token: String,
      expires_at: Int,
    )

Values

pub const default_duration_seconds: Int

Default DurationSeconds: one hour. STS does not clamp the value; anything above the role’s MaxSessionDuration is rejected, and one hour is also the hard ceiling under role chaining. One hour is the conservative default every other AWS SDK uses.

pub const default_endpoint: String

Default STS endpoint for the AssumeRole call: the legacy global endpoint, https://sts.amazonaws.com/. Regional endpoints are available and are what AWS now recommends (lower latency, no cross-region dependency, and session tokens that are valid in opt-in regions); set one through Options.endpoint together with the matching region.

pub fn default_options(
  role_arn role_arn: String,
  role_session_name role_session_name: String,
) -> Options

Build options for a default AssumeRole call: global endpoint, one-hour duration, no external id. Add overrides through Options(..opts, ...).

pub fn fetch(
  send send: fn(request.Request(BitArray)) -> Result(
    response.Response(BitArray),
    http_send.HttpError,
  ),
  source source: sigv4.SigningCredentials,
  options options: Options,
  timestamp timestamp: fn() -> String,
) -> Result(StsCredentials, Error)
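fetch takes the source SigningCredentials, the caller-supplied send function and a timestamp source, signs the form-encoded AssumeRole request, and maps the reply to StsCredentials or Error. The block below is an added example, not code from this module or the aws package: a stand-alone Python reference for the same wire exchange (request body, SigV4 headers with the source credentials, parsing of both AssumeRoleResponse and ErrorResponse) that runs offline against constructed sample bodies. Every name in it (assume_role_body, sign_assume_role_request, parse_assume_role_response, StsError) and every key, ARN and XML body is invented for the example; only the protocol shape is the real one.

```python
import datetime as dt
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import quote, urlparse

STS_VERSION = "2011-06-15"
SERVICE = "sts"

class StsError(Exception):
    """Counterpart of the page's Failed variant: non-2xx or malformed body."""

@dataclass
class StsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: int  # Unix seconds, derived from the Expiration element

def assume_role_body(role_arn, role_session_name, duration_seconds=3600, external_id=None):
    """Form-encode the Query-protocol AssumeRole request. STS only accepts
    DurationSeconds in 900..43200; ExternalId is sent only when set."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    params = [("Action", "AssumeRole"), ("Version", STS_VERSION),
              ("RoleArn", role_arn), ("RoleSessionName", role_session_name),
              ("DurationSeconds", str(duration_seconds))]
    if external_id is not None:
        params.append(("ExternalId", external_id))
    # RFC 3986 encoding (':' and '/' escaped, spaces as %20), which SigV4 expects.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in params)

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_assume_role_request(access_key, secret_key, region, endpoint, body, amz_date,
                             session_token=None):
    """SigV4-sign a POST of body to endpoint with the *source* credentials; region
    must be the endpoint's signing region (us-east-1 for the global one)."""
    host = urlparse(endpoint).netloc
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": host, "x-amz-date": amz_date}
    if session_token:  # source credentials that are themselves temporary (role chaining)
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed,
                                   hashlib.sha256(body.encode()).hexdigest()])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                            region), SERVICE), "aws4_request")
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def _text(root, name):
    # Match on local name so the STS xmlns need not be spelled out.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el.text or ""
    return None

def parse_assume_role_response(status, body):
    """Map an STS reply to StsCredentials, or raise StsError (the Failed variant)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None  # proxies and load balancers may answer with HTML
    if not 200 <= status < 300:
        code = _text(root, "Code") if root is not None else None
        msg = _text(root, "Message") if root is not None else None
        raise StsError(f"HTTP {status} {code or 'no Code element'}: {msg or body[:120]}")
    if root is None:
        raise StsError("malformed body: not XML")
    names = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")
    fields = [_text(root, n) for n in names]
    if any(f is None for f in fields):
        raise StsError("malformed body: Credentials element incomplete")
    ak, sk, token, expiration = fields
    expires_at = int(dt.datetime.fromisoformat(expiration.replace("Z", "+00:00")).timestamp())
    return StsCredentials(ak, sk, token, expires_at)

# Constructed sample bodies in the shape STS returns (not captured traffic).
SAMPLE_OK = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult><Credentials>
    <AccessKeyId>ASIAEXAMPLEACCESSKEY</AccessKeyId>
    <SecretAccessKey>examplesecretkey/examplesecretkey/example</SecretAccessKey>
    <SessionToken>FwoGZXIvYXdzEXAMPLETOKEN</SessionToken>
    <Expiration>2024-01-01T13:00:00Z</Expiration>
  </Credentials></AssumeRoleResult>
</AssumeRoleResponse>"""
SAMPLE_DENIED = """<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error><Type>Sender</Type><Code>AccessDenied</Code>
  <Message>User is not authorized to perform: sts:AssumeRole</Message></Error>
</ErrorResponse>"""
```

To exercise it, build the body with assume_role_body, sign it with sign_assume_role_request using the source credentials and the signing region that matches the endpoint, POST to the endpoint with the returned headers, and hand the status and body to parse_assume_role_response. Two details matter for the role_arn / source_profile chain: when the source credentials are themselves temporary, x-amz-security-token has to be in the signed headers or STS answers with an InvalidClientTokenId-style rejection, and a non-2xx reply does not always carry XML, so the error path tolerates a body that fails to parse.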