12 "github.com/aws/aws-sdk-go/aws"
13 "github.com/aws/aws-sdk-go/aws/awserr"
14 "github.com/aws/aws-sdk-go/aws/client"
15 "github.com/aws/aws-sdk-go/aws/corehandlers"
16 "github.com/aws/aws-sdk-go/aws/credentials"
17 "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
18 "github.com/aws/aws-sdk-go/aws/defaults"
19 "github.com/aws/aws-sdk-go/aws/endpoints"
20 "github.com/aws/aws-sdk-go/aws/request"
23 // A Session provides a central location to create service clients from and
24 // store configurations and request handlers for those services.
26 // Sessions are safe to create service clients concurrently, but it is not safe
27 // to mutate the Session concurrently.
29 // The Session satisfies the service client's client.ClientConfigProvider.
32 Handlers request.Handlers
35 // New creates a new instance of the handlers merging in the provided configs
36 // on top of the SDK's default configurations. Once the Session is created it
37 // can be mutated to modify the Config or Handlers. The Session is safe to be
38 // read concurrently, but it should not be written to concurrently.
40 // If the AWS_SDK_LOAD_CONFIG environment is set to a truthy value, the New
41 // method could now encounter an error when loading the configuration. When
42 // The environment variable is set, and an error occurs, New will return a
43 // session that will fail all requests reporting the error that occurred while
44 // loading the session. Use NewSession to get the error when creating the
47 // If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value
48 // the shared config file (~/.aws/config) will also be loaded, in addition to
49 // the shared credentials file (~/.aws/credentials). Values set in both the
50 // shared config, and shared credentials will be taken from the shared
53 // Deprecated: Use NewSession functions to create sessions instead. NewSession
54 // has the same functionality as New except an error can be returned when the
55 // func is called instead of waiting to receive an error until a request is made.
56 func New(cfgs ...*aws.Config) *Session {
57 // load initial config from environment
58 envCfg := loadEnvConfig()
60 if envCfg.EnableSharedConfig {
61 s, err := newSession(Options{}, envCfg, cfgs...)
63 // Old session.New expected all errors to be discovered when
64 // a request is made, and would report the errors then. This
65 // needs to be replicated if an error occurs while creating
67 msg := "failed to create session with AWS_SDK_LOAD_CONFIG enabled. " +
68 "Use session.NewSession to handle errors occurring during session creation."
70 // Session creation failed, need to report the error and prevent
71 // any requests from succeeding.
72 s = &Session{Config: defaults.Config()}
73 s.Config.MergeIn(cfgs...)
74 s.Config.Logger.Log("ERROR:", msg, "Error:", err)
75 s.Handlers.Validate.PushBack(func(r *request.Request) {
82 return deprecatedNewSession(cfgs...)
85 // NewSession returns a new Session created from SDK defaults, config files,
86 // environment, and user provided config files. Once the Session is created
87 // it can be mutated to modify the Config or Handlers. The Session is safe to
88 // be read concurrently, but it should not be written to concurrently.
90 // If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value
91 // the shared config file (~/.aws/config) will also be loaded in addition to
92 // the shared credentials file (~/.aws/credentials). Values set in both the
93 // shared config, and shared credentials will be taken from the shared
94 // credentials file. Enabling the Shared Config will also allow the Session
95 // to be built with retrieving credentials with AssumeRole set in the config.
97 // See the NewSessionWithOptions func for information on how to override or
98 // control through code how the Session will be created. Such as specifying the
99 // config profile, and controlling if shared config is enabled or not.
100 func NewSession(cfgs ...*aws.Config) (*Session, error) {
102 opts.Config.MergeIn(cfgs...)
104 return NewSessionWithOptions(opts)
107 // SharedConfigState provides the ability to optionally override the state
108 // of the session's creation based on the shared config being enabled or
110 type SharedConfigState int
113 // SharedConfigStateFromEnv does not override any state of the
114 // AWS_SDK_LOAD_CONFIG env var. It is the default value of the
115 // SharedConfigState type.
116 SharedConfigStateFromEnv SharedConfigState = iota
118 // SharedConfigDisable overrides the AWS_SDK_LOAD_CONFIG env var value
119 // and disables the shared config functionality.
122 // SharedConfigEnable overrides the AWS_SDK_LOAD_CONFIG env var value
123 // and enables the shared config functionality.
127 // Options provides the means to control how a Session is created and what
128 // configuration values will be loaded.
130 type Options struct {
131 // Provides config values for the SDK to use when creating service clients
132 // and making API requests to services. Any value set in with this field
133 // will override the associated value provided by the SDK defaults,
134 // environment or config files where relevant.
136 // If not set, configuration values from from SDK defaults, environment,
137 // config will be used.
140 // Overrides the config profile the Session should be created from. If not
141 // set the value of the environment variable will be loaded (AWS_PROFILE,
142 // or AWS_DEFAULT_PROFILE if the Shared Config is enabled).
144 // If not set and environment variables are not set the "default"
145 // (DefaultSharedConfigProfile) will be used as the profile to load the
146 // session config from.
149 // Instructs how the Session will be created based on the AWS_SDK_LOAD_CONFIG
150 // environment variable. By default a Session will be created using the
151 // value provided by the AWS_SDK_LOAD_CONFIG environment variable.
153 // Setting this value to SharedConfigEnable or SharedConfigDisable
154 // will allow you to override the AWS_SDK_LOAD_CONFIG environment variable
155 // and enable or disable the shared config functionality.
156 SharedConfigState SharedConfigState
158 // When the SDK's shared config is configured to assume a role with MFA
159 // this option is required in order to provide the mechanism that will
160 // retrieve the MFA token. There is no default value for this field. If
161 // it is not set an error will be returned when creating the session.
163 // This token provider will be called when ever the assumed role's
164 // credentials need to be refreshed. Within the context of service clients
165 // all sharing the same session the SDK will ensure calls to the token
166 // provider are atomic. When sharing a token provider across multiple
167 // sessions additional synchronization logic is needed to ensure the
168 // token providers do not introduce race conditions. It is recommend to
169 // share the session where possible.
171 // stscreds.StdinTokenProvider is a basic implementation that will prompt
172 // from stdin for the MFA token code.
174 // This field is only used if the shared configuration is enabled, and
175 // the config enables assume role wit MFA via the mfa_serial field.
176 AssumeRoleTokenProvider func() (string, error)
178 // Reader for a custom Credentials Authority (CA) bundle in PEM format that
179 // the SDK will use instead of the default system's root CA bundle. Use this
180 // only if you want to replace the CA bundle the SDK uses for TLS requests.
182 // Enabling this option will attempt to merge the Transport into the SDK's HTTP
183 // client. If the client's Transport is not a http.Transport an error will be
184 // returned. If the Transport's TLS config is set this option will cause the SDK
185 // to overwrite the Transport's TLS config's RootCAs value. If the CA
186 // bundle reader contains multiple certificates all of them will be loaded.
188 // The Session option CustomCABundle is also available when creating sessions
189 // to also enable this feature. CustomCABundle session option field has priority
190 // over the AWS_CA_BUNDLE environment variable, and will be used if both are set.
191 CustomCABundle io.Reader
194 // NewSessionWithOptions returns a new Session created from SDK defaults, config files,
195 // environment, and user provided config files. This func uses the Options
196 // values to configure how the Session is created.
198 // If the AWS_SDK_LOAD_CONFIG environment variable is set to a truthy value
199 // the shared config file (~/.aws/config) will also be loaded in addition to
200 // the shared credentials file (~/.aws/credentials). Values set in both the
201 // shared config, and shared credentials will be taken from the shared
202 // credentials file. Enabling the Shared Config will also allow the Session
203 // to be built with retrieving credentials with AssumeRole set in the config.
205 // // Equivalent to session.New
206 // sess := session.Must(session.NewSessionWithOptions(session.Options{}))
208 // // Specify profile to load for the session's config
209 // sess := session.Must(session.NewSessionWithOptions(session.Options{
210 // Profile: "profile_name",
213 // // Specify profile for config and region for requests
214 // sess := session.Must(session.NewSessionWithOptions(session.Options{
215 // Config: aws.Config{Region: aws.String("us-east-1")},
216 // Profile: "profile_name",
219 // // Force enable Shared Config support
220 // sess := session.Must(session.NewSessionWithOptions(session.Options{
221 // SharedConfigState: session.SharedConfigEnable,
223 func NewSessionWithOptions(opts Options) (*Session, error) {
225 if opts.SharedConfigState == SharedConfigEnable {
226 envCfg = loadSharedEnvConfig()
228 envCfg = loadEnvConfig()
231 if len(opts.Profile) > 0 {
232 envCfg.Profile = opts.Profile
235 switch opts.SharedConfigState {
236 case SharedConfigDisable:
237 envCfg.EnableSharedConfig = false
238 case SharedConfigEnable:
239 envCfg.EnableSharedConfig = true
242 // Only use AWS_CA_BUNDLE if session option is not provided.
243 if len(envCfg.CustomCABundle) != 0 && opts.CustomCABundle == nil {
244 f, err := os.Open(envCfg.CustomCABundle)
246 return nil, awserr.New("LoadCustomCABundleError",
247 "failed to open custom CA bundle PEM file", err)
250 opts.CustomCABundle = f
253 return newSession(opts, envCfg, &opts.Config)
256 // Must is a helper function to ensure the Session is valid and there was no
257 // error when calling a NewSession function.
259 // This helper is intended to be used in variable initialization to load the
260 // Session and configuration at startup. Such as:
262 // var sess = session.Must(session.NewSession())
263 func Must(sess *Session, err error) *Session {
271 func deprecatedNewSession(cfgs ...*aws.Config) *Session {
272 cfg := defaults.Config()
273 handlers := defaults.Handlers()
275 // Apply the passed in configs so the configuration can be applied to the
276 // default credential chain
278 if cfg.EndpointResolver == nil {
279 // An endpoint resolver is required for a session to be able to provide
280 // endpoints for service client configurations.
281 cfg.EndpointResolver = endpoints.DefaultResolver()
283 cfg.Credentials = defaults.CredChain(cfg, handlers)
285 // Reapply any passed in configs to override credentials if set
298 func newSession(opts Options, envCfg envConfig, cfgs ...*aws.Config) (*Session, error) {
299 cfg := defaults.Config()
300 handlers := defaults.Handlers()
302 // Get a merged version of the user provided config to determine if
304 userCfg := &aws.Config{}
305 userCfg.MergeIn(cfgs...)
307 // Order config files will be loaded in with later files overwriting
308 // previous config file values.
309 cfgFiles := []string{envCfg.SharedConfigFile, envCfg.SharedCredentialsFile}
310 if !envCfg.EnableSharedConfig {
311 // The shared config file (~/.aws/config) is only loaded if instructed
312 // to load via the envConfig.EnableSharedConfig (AWS_SDK_LOAD_CONFIG).
313 cfgFiles = cfgFiles[1:]
316 // Load additional config from file(s)
317 sharedCfg, err := loadSharedConfig(envCfg.Profile, cfgFiles)
322 if err := mergeConfigSrcs(cfg, userCfg, envCfg, sharedCfg, handlers, opts); err != nil {
333 // Setup HTTP client with custom cert bundle if enabled
334 if opts.CustomCABundle != nil {
335 if err := loadCustomCABundle(s, opts.CustomCABundle); err != nil {
343 func loadCustomCABundle(s *Session, bundle io.Reader) error {
344 var t *http.Transport
345 switch v := s.Config.HTTPClient.Transport.(type) {
346 case *http.Transport:
349 if s.Config.HTTPClient.Transport != nil {
350 return awserr.New("LoadCustomCABundleError",
351 "unable to load custom CA bundle, HTTPClient's transport unsupported type", nil)
355 t = &http.Transport{}
358 p, err := loadCertPool(bundle)
362 if t.TLSClientConfig == nil {
363 t.TLSClientConfig = &tls.Config{}
365 t.TLSClientConfig.RootCAs = p
367 s.Config.HTTPClient.Transport = t
372 func loadCertPool(r io.Reader) (*x509.CertPool, error) {
373 b, err := ioutil.ReadAll(r)
375 return nil, awserr.New("LoadCustomCABundleError",
376 "failed to read custom CA bundle PEM file", err)
379 p := x509.NewCertPool()
380 if !p.AppendCertsFromPEM(b) {
381 return nil, awserr.New("LoadCustomCABundleError",
382 "failed to load custom CA bundle PEM file", err)
388 func mergeConfigSrcs(cfg, userCfg *aws.Config, envCfg envConfig, sharedCfg sharedConfig, handlers request.Handlers, sessOpts Options) error {
389 // Merge in user provided configuration
392 // Region if not already set by user
393 if len(aws.StringValue(cfg.Region)) == 0 {
394 if len(envCfg.Region) > 0 {
395 cfg.WithRegion(envCfg.Region)
396 } else if envCfg.EnableSharedConfig && len(sharedCfg.Region) > 0 {
397 cfg.WithRegion(sharedCfg.Region)
401 // Configure credentials if not already set
402 if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
403 if len(envCfg.Creds.AccessKeyID) > 0 {
404 cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
407 } else if envCfg.EnableSharedConfig && len(sharedCfg.AssumeRole.RoleARN) > 0 && sharedCfg.AssumeRoleSource != nil {
409 cfgCp.Credentials = credentials.NewStaticCredentialsFromCreds(
410 sharedCfg.AssumeRoleSource.Creds,
412 if len(sharedCfg.AssumeRole.MFASerial) > 0 && sessOpts.AssumeRoleTokenProvider == nil {
413 // AssumeRole Token provider is required if doing Assume Role
415 return AssumeRoleTokenProviderNotSetError{}
417 cfg.Credentials = stscreds.NewCredentials(
420 Handlers: handlers.Copy(),
422 sharedCfg.AssumeRole.RoleARN,
423 func(opt *stscreds.AssumeRoleProvider) {
424 opt.RoleSessionName = sharedCfg.AssumeRole.RoleSessionName
426 // Assume role with external ID
427 if len(sharedCfg.AssumeRole.ExternalID) > 0 {
428 opt.ExternalID = aws.String(sharedCfg.AssumeRole.ExternalID)
431 // Assume role with MFA
432 if len(sharedCfg.AssumeRole.MFASerial) > 0 {
433 opt.SerialNumber = aws.String(sharedCfg.AssumeRole.MFASerial)
434 opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
438 } else if len(sharedCfg.Creds.AccessKeyID) > 0 {
439 cfg.Credentials = credentials.NewStaticCredentialsFromCreds(
443 // Fallback to default credentials provider, include mock errors
444 // for the credential chain so user can identify why credentials
445 // failed to be retrieved.
446 cfg.Credentials = credentials.NewCredentials(&credentials.ChainProvider{
447 VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors),
448 Providers: []credentials.Provider{
449 &credProviderError{Err: awserr.New("EnvAccessKeyNotFound", "failed to find credentials in the environment.", nil)},
450 &credProviderError{Err: awserr.New("SharedCredsLoad", fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil)},
451 defaults.RemoteCredProvider(*cfg, handlers),
460 // AssumeRoleTokenProviderNotSetError is an error returned when creating a session when the
461 // MFAToken option is not set when shared config is configured load assume a
462 // role with an MFA token.
463 type AssumeRoleTokenProviderNotSetError struct{}
465 // Code is the short id of the error.
466 func (e AssumeRoleTokenProviderNotSetError) Code() string {
467 return "AssumeRoleTokenProviderNotSetError"
470 // Message is the description of the error
471 func (e AssumeRoleTokenProviderNotSetError) Message() string {
472 return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
475 // OrigErr is the underlying error that caused the failure.
476 func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
480 // Error satisfies the error interface.
481 func (e AssumeRoleTokenProviderNotSetError) Error() string {
482 return awserr.SprintError(e.Code(), e.Message(), "", nil)
485 type credProviderError struct {
489 var emptyCreds = credentials.Value{}
491 func (c credProviderError) Retrieve() (credentials.Value, error) {
492 return credentials.Value{}, c.Err
494 func (c credProviderError) IsExpired() bool {
498 func initHandlers(s *Session) {
499 // Add the Validate parameter handler if it is not disabled.
500 s.Handlers.Validate.Remove(corehandlers.ValidateParametersHandler)
501 if !aws.BoolValue(s.Config.DisableParamValidation) {
502 s.Handlers.Validate.PushBackNamed(corehandlers.ValidateParametersHandler)
506 // Copy creates and returns a copy of the current Session, coping the config
507 // and handlers. If any additional configs are provided they will be merged
508 // on top of the Session's copied config.
510 // // Create a copy of the current Session, configured for the us-west-2 region.
511 // sess.Copy(&aws.Config{Region: aws.String("us-west-2")})
512 func (s *Session) Copy(cfgs ...*aws.Config) *Session {
513 newSession := &Session{
514 Config: s.Config.Copy(cfgs...),
515 Handlers: s.Handlers.Copy(),
518 initHandlers(newSession)
523 // ClientConfig satisfies the client.ConfigProvider interface and is used to
524 // configure the service client instances. Passing the Session to the service
525 // client's constructor (New) will use this method to configure the client.
526 func (s *Session) ClientConfig(serviceName string, cfgs ...*aws.Config) client.Config {
527 // Backwards compatibility, the error will be eaten if user calls ClientConfig
528 // directly. All SDK services will use ClientconfigWithError.
529 cfg, _ := s.clientConfigWithErr(serviceName, cfgs...)
534 func (s *Session) clientConfigWithErr(serviceName string, cfgs ...*aws.Config) (client.Config, error) {
537 var resolved endpoints.ResolvedEndpoint
540 region := aws.StringValue(s.Config.Region)
542 if endpoint := aws.StringValue(s.Config.Endpoint); len(endpoint) != 0 {
543 resolved.URL = endpoints.AddScheme(endpoint, aws.BoolValue(s.Config.DisableSSL))
544 resolved.SigningRegion = region
546 resolved, err = s.Config.EndpointResolver.EndpointFor(
548 func(opt *endpoints.Options) {
549 opt.DisableSSL = aws.BoolValue(s.Config.DisableSSL)
550 opt.UseDualStack = aws.BoolValue(s.Config.UseDualStack)
552 // Support the condition where the service is modeled but its
553 // endpoint metadata is not available.
554 opt.ResolveUnknownService = true
559 return client.Config{
561 Handlers: s.Handlers,
562 Endpoint: resolved.URL,
563 SigningRegion: resolved.SigningRegion,
564 SigningName: resolved.SigningName,
568 // ClientConfigNoResolveEndpoint is the same as ClientConfig with the exception
569 // that the EndpointResolver will not be used to resolve the endpoint. The only
570 // endpoint set must come from the aws.Config.Endpoint field.
571 func (s *Session) ClientConfigNoResolveEndpoint(cfgs ...*aws.Config) client.Config {
574 var resolved endpoints.ResolvedEndpoint
576 region := aws.StringValue(s.Config.Region)
578 if ep := aws.StringValue(s.Config.Endpoint); len(ep) > 0 {
579 resolved.URL = endpoints.AddScheme(ep, aws.BoolValue(s.Config.DisableSSL))
580 resolved.SigningRegion = region
583 return client.Config{
585 Handlers: s.Handlers,
586 Endpoint: resolved.URL,
587 SigningRegion: resolved.SigningRegion,
588 SigningName: resolved.SigningName,