Class: Katalyst::GoogleApis::Credentials

Inherits:

Google::Auth::ExternalAccount::AwsCredentials

• Object
• Google::Auth::ExternalAccount::AwsCredentials
• Katalyst::GoogleApis::Credentials

Defined in:

app/services/katalyst/google_apis/credentials.rb

Defined Under Namespace

Classes: Config

Instance Method Summary

• #fetch_security_credentials ⇒ Object

  Override the default implementation that only supports EC2 credentials.

• #initialize ⇒ Credentials constructor

  A new instance of Credentials.

• #region ⇒ Object

Constructor Details

#initialize ⇒ Credentials

Returns a new instance of Credentials.

# File 'app/services/katalyst/google_apis/credentials.rb', line 9

def initialize(**)
  super(Config.new(**).to_h)

  @aws_provider = ::Aws::CredentialProviderChain.new.resolve
end

Instance Method Details

#fetch_security_credentials ⇒ Object

Override the default implementation that only supports EC2 credentials.

# File 'app/services/katalyst/google_apis/credentials.rb', line 16

def fetch_security_credentials
  # Note: Aws::CredentialProviderChain is a private API, but because it is
  # consumed directly by AWS utilities we assume it's stable.
  # This approach would not be required if Google's base class supported
  # resolving credentials from ECS environments.
  credentials = @aws_provider.credentials

  # Short-lived credentials for the AWS ECS instance role
  # These are used to authenticate the call to Google Cloud to authenticate
  # to the GC service account using OIDC based on the AWS ECS identity.
  {
    access_key_id:     credentials.access_key_id,
    secret_access_key: credentials.secret_access_key,
    session_token:     credentials.session_token,
  }
end

#region ⇒ Object

# File 'app/services/katalyst/google_apis/credentials.rb', line 33

def region
  @region ||= case @aws_provider
              when ::Aws::SSOCredentials
                @aws_provider.client.config.region
              else
                ENV.fetch("AWS_REGION", nil)
              end
end