in local-container-endpoints/handlers/credentials_handler.go [218:269]
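// getTemporaryCredentials builds the credential response from temporary
// credentials only.
//
// If the current session is already based on temporary credentials (as reported
// by isCurrentSessionTemporary), those credentials are passed through as-is,
// because temporary credentials cannot call GetSessionToken. Otherwise a new
// set is requested from STS GetSessionToken with a lifetime of
// temporaryCredentialsDurationInS seconds, and the response is built from the
// STS result rather than from the session's own keys.
//
// The returned CredentialResponse holds secret material (secret access key and
// session token). Nothing in this function logs it, and log statements added
// here must only ever include error values, never fields of the response.
//
// An error is returned when the session credentials cannot be retrieved, when
// GetSessionToken fails, or when its response lacks credentials or an
// expiration.
func (service *CredentialService) getTemporaryCredentials() (*CredentialResponse, error) {
	// check if the current session already was built on temp creds
	// because temp creds do not have the power to call GetSessionToken
	if service.isCurrentSessionTemporary() {
		credVal, err := service.currentSession.Config.Credentials.Get()
		if err != nil {
			return nil, errors.Wrap(err, "Current session is based on temporary credentials, but they were not retrieved.")
		}
		logrus.Debug("Current session contains temporary credentials")
		response := CredentialResponse{
			AccessKeyID:     credVal.AccessKeyID,
			SecretAccessKey: credVal.SecretAccessKey,
			Token:           credVal.SessionToken,
		}
		expiration, err := service.currentSession.Config.Credentials.ExpiresAt()
		// It is valid for a credential provider to not return an expiration;
		// however, we need to have an expiration if a token is present to
		// satisfy various client SDKs. In this case, we return an expiration
		// timestamp a fixed point in the future.
		// https://github.com/awslabs/amazon-ecs-local-container-endpoints/issues/26
		if err != nil && len(response.Token) > 0 {
			expiration, err = getSharedTokenExpiration()
		}
		switch {
		case err == nil:
			response.Expiration = expiration.Format(CredentialExpirationTimeFormat)
		case len(response.Token) > 0:
			// The response is still served, as before, but a token without an
			// expiration is exactly the case the fallback was meant to avoid,
			// so make it visible. Only the error is logged, never credentials.
			logrus.Warnf("Returning a session token without an expiration: %v", err)
		}
		return &response, nil
	}
	// current session is not temp creds, so we can call GetSessionToken
	creds, err := service.stsClient.GetSessionToken(&sts.GetSessionTokenInput{
		DurationSeconds: aws.Int64(temporaryCredentialsDurationInS),
	})
	if err != nil {
		return nil, err
	}
	// Credentials and Expiration are pointers; dereferencing a nil one would
	// panic in the handler instead of producing an error for the caller.
	if creds == nil || creds.Credentials == nil || creds.Credentials.Expiration == nil {
		return nil, errors.New("GetSessionToken response did not contain credentials with an expiration")
	}
	response := CredentialResponse{
		AccessKeyID:     aws.StringValue(creds.Credentials.AccessKeyId),
		SecretAccessKey: aws.StringValue(creds.Credentials.SecretAccessKey),
		Token:           aws.StringValue(creds.Credentials.SessionToken),
		Expiration:      creds.Credentials.Expiration.Format(CredentialExpirationTimeFormat),
	}
	return &response, nil
}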