Credential chain

WORKSPACE

@@ -350,6 +350,7 @@ stack_snapshot(
         "unliftio",  # keep
         "unordered-containers",  # keep
         "uuid",
+        "vector",
         "xml-conduit",
         "xml-types",
         "yaml",

examples/src/APIGateway.hs

@@ -16,7 +16,7 @@ import System.IO
 main :: Region -> IO Method
 main r = do
   lgr <- newLogger Trace stdout
-  env <- newEnv Discover <&> set envLogger lgr . set envRegion r
+  env <- newEnv discover <&> set envLogger lgr . set envRegion r
   runResourceT $ do
     restApi <- send env (newCreateRestApi "myApi")
     let Just apiId = restApi ^. field @"id"

examples/src/DynamoDB.hs

@@ -37,7 +37,7 @@ printTables region secure host port = do
   let dynamo = setEndpoint secure host port DynamoDB.defaultService
 
   lgr <- newLogger Debug stdout
-  env <- newEnv Discover <&> set envLogger lgr . configure dynamo . within region
+  env <- newEnv discover <&> set envLogger lgr . configure dynamo . within region
 
   runResourceT $ do
     say $ "Listing all tables in region " <> toText region
@@ -65,7 +65,7 @@ insertItem region secure host port table item = do
   let dynamo = setEndpoint secure host port DynamoDB.defaultService
 
   lgr <- newLogger Debug stdout
-  env <- newEnv Discover <&> set envLogger lgr . within region . configure dynamo
+  env <- newEnv discover <&> set envLogger lgr . within region . configure dynamo
 
   runResourceT $ do
     say $

examples/src/EC2.hs

@@ -19,7 +19,7 @@ import System.IO
 instanceOverview :: Region -> IO ()
 instanceOverview r = do
   lgr <- newLogger Info stdout
-  env <- newEnv Discover <&> set envLogger lgr . within r
+  env <- newEnv discover <&> set envLogger lgr . within r
 
   let pp x =
         mconcat

examples/src/ExceptionSemantics.hs

@@ -27,7 +27,7 @@ exceptions ::
   IO ()
 exceptions r n = do
   lgr <- newLogger Info stdout
-  env <- newEnv Discover <&> set envLogger lgr . within r
+  env <- newEnv discover <&> set envLogger lgr . within r
 
   let scan = newScan n & field @"attributesToGet" ?~ "foo" :| []
 

examples/src/S3.hs

@@ -30,7 +30,7 @@ getPresignedURL ::
   IO ByteString
 getPresignedURL r b k = do
   lgr <- newLogger Trace stdout
-  env <- newEnv Discover <&> set envLogger lgr . set envRegion r
+  env <- newEnv discover <&> set envLogger lgr . set envRegion r
   ts <- getCurrentTime
   runResourceT $ presignURL env ts 60 (newGetObject b k)
 
@@ -40,7 +40,7 @@ listAll ::
   IO ()
 listAll r = do
   lgr <- newLogger Debug stdout
-  env <- newEnv Discover <&> set envLogger lgr . set envRegion r
+  env <- newEnv discover <&> set envLogger lgr . set envRegion r
 
   let val :: ToText a => Maybe a -> Text
       val = maybe "Nothing" toText
@@ -71,7 +71,7 @@ getFile ::
   IO ()
 getFile r b k f = do
   lgr <- newLogger Debug stdout
-  env <- newEnv Discover <&> set envLogger lgr . set envRegion r
+  env <- newEnv discover <&> set envLogger lgr . set envRegion r
 
   runResourceT $ do
     rs <- send env (newGetObject b k)
@@ -98,7 +98,7 @@ putChunkedFile ::
   IO ()
 putChunkedFile r b k c f = do
   lgr <- newLogger Debug stdout
-  env <- newEnv Discover <&> set #_envLogger lgr . set #_envRegion r
+  env <- newEnv discover <&> set #_envLogger lgr . set #_envRegion r
 
   runResourceT $ do
     bdy <- chunkedFile c f
@@ -121,7 +121,7 @@ tagBucket ::
   IO ()
 tagBucket r bkt xs = do
   lgr <- newLogger Debug stdout
-  env <- newEnv Discover <&> set envLogger lgr . set envRegion r
+  env <- newEnv discover <&> set envLogger lgr . set envRegion r
 
   let tags = map (uncurry newTag) xs
       kv t = toText (t ^. #key) <> "=" <> (t ^. #value)

examples/src/SQS.hs

@@ -27,7 +27,7 @@ roundTrip ::
   IO ()
 roundTrip r name xs = do
   lgr <- newLogger Debug stdout
-  env <- newEnv Discover <&> set envLogger lgr . within r
+  env <- newEnv discover <&> set envLogger lgr . within r
 
   let say = liftIO . Text.putStrLn
 

lib/amazonka/BUILD.bazel

@@ -7,6 +7,13 @@ haskell_library(
         "src/Amazonka.hs",
         "src/Amazonka/Auth.hs",
         "src/Amazonka/Auth.hs-boot",  # keep
+        "src/Amazonka/Auth/Background.hs",
+        "src/Amazonka/Auth/ConfigFile.hs",
+        "src/Amazonka/Auth/Container.hs",
+        "src/Amazonka/Auth/Exception.hs",
+        "src/Amazonka/Auth/InstanceProfile.hs",
+        "src/Amazonka/Auth/Keys.hs",
+        "src/Amazonka/Auth/STS.hs",
         "src/Amazonka/EC2/Metadata.hs",
         "src/Amazonka/Env.hs",
         "src/Amazonka/HTTP.hs",
@@ -84,6 +91,7 @@ haskell_library(
         "@stackage//:bytestring",
         "@stackage//:conduit",
         "@stackage//:directory",
+        "@stackage//:exceptions",
         "@stackage//:http-client",
         "@stackage//:http-conduit",
         "@stackage//:http-types",
@@ -94,6 +102,7 @@ haskell_library(
         "@stackage//:text",
         "@stackage//:time",
         "@stackage//:transformers",
+        "@stackage//:unordered-containers",
         "@stackage//:uuid",
     ],
 )

lib/amazonka/CHANGELOG.md

@@ -3,6 +3,34 @@
 ## [2.0.0](https://github.com/brendanhay/amazonka/tree/2.0.0)
 Released: **?**, Compare: [2.0.0-rc1](https://github.com/brendanhay/amazonka/compare/2.0.0-rc1...2.0.0)
 
+### Major Changes
+
+- The authentication code in `amazonka` got a full rewrite in PR [\#746](https://github.com/brendanhay/amazonka/pull/746).
+
+  - On Windows, the {credential,config} files are read from `%USERPROFILE%\\.aws\\{credentials,config}` to [match the AWS SDK](https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/creds-file.html#creds-file-general-info).
+  - `newEnv` now takes a function of type `EnvNoAuth -> m Env`, which is to fetch credentials in an appropriate manner
+  - The `Credentials` type has been removed, you should instead use the following functions corresponding to the departed constructor. All are exported by `Amazonka.Auth`:
+
+    | Old Name          | New Name                     | Args/Comment                                                                                                                                                                                                                                            |
+    |-------------------|------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+    | `FromKeys`        | `fromKeys`                   | `AccessKey`, `SecretKey`.                                                                                                                                                                                                                               |
+    | `FromSession`     | `fromSession`                | `AccessKey`, `SecretKey`, `SessionToken`.                                                                                                                                                                                                               |
+    |                   | `fromTemporarySession`       | `AccessKey`, `SecretKey`, `SessionToken`, `UTCTime` (expiry time). Likely not useful.                                                                                                                                                                   |
+    |                   | `fromKeysEnv`                | None - reads `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and optionally `AWS_SESSION_TOKEN`.                                                                                                                                                          |
+    | `FromEnv`         |                              | Removed - took up named environment variables for access key id/secret access key/session token/expiry time.                                                                                                                                            |
+    | `FromProfile`     | `fromNamedInstanceProfile`   | `Text` - looks up a named instance profile from the Instance Meta-Data Service (IMDS).                                                                                                                                                                  |
+    |                   | `fromDefaultInstanceProfile` | None - selects the first instance profile, like the `discover` process does as one of its steps.                                                                                                                                                        |
+    | `FromFile`        | `fromFilePath`               | `Text` (profile name), `FilePath` (credentials file), `FilePath` (config file). **Significantly improved** - now respects the `role_arn` setting in config files, alongside either `source_profile`, `credential_source`, or `web_identity_token_file`. |
+    |                   | `fromFileEnv`                | None - read config files from their default location, and respects the `AWS_PROFILE` environment variable.                                                                                                                                              |
+    |                   | `fromAssumedRole`            | `Text` (role arn), `Text` (role session name). Assumes a role using `sts:AssumeRole`.                                                                                                                                                                   |
+    |                   | `fromWebIdentity`            | `FilePath` (web identity token file), `Text` (role arn), `Maybe Text` (role session name). Assumes a role using `sts:AssumeRoleWithWebIdentity`.                                                                                                        |
+    | `FromWebIdentity` | `fromWebIdentityEnv`         | None - reads `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_ARN`, and `AWS_ROLE_SESSION_NAME`.                                                                                                                                                                |
+    |                   | `fromContainer`              | `Text` (absolute url to query the ECS Container Agent).                                                                                                                                                                                                 |
+    | `FromContainer`   | `fromContainerEnv`           | None - reads `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`.                                                                                                                                                                                                  |
+    | `Discover`        | `discover`                   | A rough mimic of the offical SDK, trying several methods in sequence.                                                                                                                                                                                   |
+
+  - The `Amazonka.Auth.runCredentialChain` function allows you to build your own custom credential chains.
+
 ### Changed
 
 - `amazonka-dynamodb`: Mark various fields as required

lib/amazonka/amazonka.cabal

@@ -78,6 +78,13 @@ library
   exposed-modules:
     Amazonka
     Amazonka.Auth
+    Amazonka.Auth.Background
+    Amazonka.Auth.ConfigFile
+    Amazonka.Auth.Container
+    Amazonka.Auth.Exception
+    Amazonka.Auth.InstanceProfile
+    Amazonka.Auth.Keys
+    Amazonka.Auth.STS
     Amazonka.EC2.Metadata
     Amazonka.Env
     Amazonka.HTTP
@@ -88,19 +95,21 @@ library
     Amazonka.Data, Amazonka.Types, Amazonka.Bytes, Amazonka.Endpoint, Amazonka.Crypto
 
   build-depends:
-    , amazonka-core  ^>=2.0
-    , amazonka-sts   ^>=2.0
-    , bytestring     >=0.10.8
-    , conduit        >=1.3
-    , directory      >=1.2
-    , http-client    >=0.5     && <0.8
-    , http-conduit   >=2.3     && <3
-    , http-types     >=0.12
-    , ini            >=0.3.5
-    , lens           >=4
-    , resourcet      >=1.1
-    , retry          >=0.7.6.2
-    , text           >=1.1
-    , time           >=1.9
-    , transformers   >=0.2
-    , uuid           >=1.2.6   && <1.4
+    , amazonka-core         ^>=2.0
+    , amazonka-sts          ^>=2.0
+    , bytestring            >=0.10.8
+    , conduit               >=1.3
+    , directory             >=1.2
+    , exceptions            ^>=0.10.4
+    , http-client           >=0.5      && <0.8
+    , http-conduit          >=2.3      && <3
+    , http-types            >=0.12
+    , ini                   >=0.3.5
+    , lens                  >=4
+    , resourcet             >=1.1
+    , retry                 >=0.7.6.2
+    , text                  >=1.1
+    , time                  >=1.9
+    , transformers          >=0.2
+    , unordered-containers  ^>=0.2.14.0
+    , uuid                  >=1.2.6    && <1.4

lib/amazonka/src/Amazonka.hs

@@ -21,12 +21,10 @@ module Amazonka
     Env.EnvNoAuth,
     Env.newEnv,
     Env.newEnvNoAuth,
-    Env.newEnvWith,
     Env.envAuthMaybe,
 
     -- ** Service Configuration
     -- $service
-    Env.authenticate,
     Env.override,
     Env.configure,
     Env.within,
@@ -48,7 +46,7 @@ module Amazonka
     AccessKey (..),
     SecretKey (..),
     SessionToken (..),
-    Credentials (..),
+    discover,
     -- $discovery
 
     -- ** Supported Regions
@@ -150,7 +148,6 @@ import qualified Amazonka.Crypto as Crypto
 import qualified Amazonka.Data.Body as Body
 import qualified Amazonka.EC2.Metadata as EC2
 import qualified Amazonka.Endpoint as Endpoint
-import Amazonka.Env (Env)
 import qualified Amazonka.Env as Env
 import qualified Amazonka.Error as Error
 import qualified Amazonka.HTTP as HTTP
@@ -202,14 +199,14 @@ import qualified Network.HTTP.Client as Client
 --     logger <- AWS.newLogger AWS.Debug IO.stdout
 --
 --     -- To specify configuration preferences, 'newEnv' is used to create a new
---     -- configuration environment. The 'Credentials' parameter is used to specify
+--     -- configuration environment. The argument to 'newEnv' is used to specify the
 --     -- mechanism for supplying or retrieving AuthN/AuthZ information.
---     -- In this case 'Discover' will cause the library to try a number of options such
+--     -- In this case 'discover' will cause the library to try a number of options such
 --     -- as default environment variables, or an instance's IAM Profile and identity document:
---     discover <- AWS.newEnv AWS.Discover
+--     discoveredEnv <- AWS.newEnv AWS.discover
 --
 --     let env =
---             discover
+--             discoveredEnv
 --                 { AWS._envLogger = logger
 --                 , AWS._envRegion = AWS.Frankfurt
 --                 }
@@ -230,9 +227,14 @@ import qualified Network.HTTP.Client as Client
 -- AuthN/AuthZ information is handled similarly to other AWS SDKs. You can read
 -- some of the options available <http://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs here>.
 --
--- When running on an EC2 instance and using 'FromProfile' or 'Discover', a thread
--- is forked which transparently handles the expiry and subsequent refresh of IAM
--- profile information. See 'Amazonka.Auth.fromProfileName' for more information.
+-- Authentication methods which return short-lived credentials (e.g., when running on
+-- an EC2 instance) fork a background thread which transparently handles the expiry
+-- and subsequent refresh of IAM profile information. See
+-- 'Amazonka.Auth.Background.fetchAuthInBackground' for more information.
+--
+-- /See:/ "Amazonka.Auth", if you want to commit to specific authentication methods.
+--
+-- /See:/ 'Amazonka.Auth.runCredentialChain' if you want to build your own credential chain.
 
 -- $sending
 -- To send a request you need to create a value of the desired operation type using
@@ -296,7 +298,7 @@ import qualified Network.HTTP.Client as Client
 --
 -- The updated configuration is then passed to the 'Env' during setup:
 --
--- > env <- AWS.configure dynamo <$> AWS.newEnv AWS.Discover
+-- > env <- AWS.configure dynamo <$> AWS.newEnv AWS.discover
 -- >
 -- > AWS.runResourceT $ do
 -- >     -- This S3 operation will communicate with remote AWS APIs.
@@ -310,7 +312,7 @@ import qualified Network.HTTP.Client as Client
 --
 -- You can also scope the service configuration modifications to specific actions:
 --
--- > env <- AWS.newEnv AWS.Discover
+-- > env <- AWS.newEnv AWS.discover
 -- >
 -- > AWS.runResourceT $ do
 -- >     -- Service operations here will communicate with AWS, even remote DynamoDB.