import (
"fmt"
+ "os"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/client"
"github.com/aws/aws-sdk-go/aws/credentials"
+ "github.com/aws/aws-sdk-go/internal/sdkrand"
"github.com/aws/aws-sdk-go/service/sts"
)
-// StdinTokenProvider will prompt on stdout and read from stdin for a string value.
+// StdinTokenProvider will prompt on stderr and read from stdin for a string value.
// An error is returned if reading from stdin fails.
//
// Use this function go read MFA tokens from stdin. The function makes no attempt
// Will wait forever until something is provided on the stdin.
func StdinTokenProvider() (string, error) {
var v string
- fmt.Printf("Assume Role MFA token code: ")
+ fmt.Fprintf(os.Stderr, "Assume Role MFA token code: ")
_, err := fmt.Scanln(&v)
return v, err
//
// If ExpiryWindow is 0 or less it will be ignored.
ExpiryWindow time.Duration
+
+ // MaxJitterFrac reduces the effective Duration of each credential requested
+ // by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must
+ // have a value between 0 and 1. Any other value may lead to expected behavior.
+ // With a MaxJitterFrac value of 0, default) will no jitter will be used.
+ //
+ // For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the
+ // AssumeRole call will be made with an arbitrary Duration between 27m and
+ // 30m.
+ //
+ // MaxJitterFrac should not be negative.
+ MaxJitterFrac float64
}
// NewCredentials returns a pointer to a new Credentials object wrapping the
// Expire as often as AWS permits.
p.Duration = DefaultDuration
}
+ jitter := time.Duration(sdkrand.SeededRand.Float64() * p.MaxJitterFrac * float64(p.Duration))
input := &sts.AssumeRoleInput{
- DurationSeconds: aws.Int64(int64(p.Duration / time.Second)),
+ DurationSeconds: aws.Int64(int64((p.Duration - jitter) / time.Second)),
RoleArn: aws.String(p.RoleARN),
RoleSessionName: aws.String(p.RoleSessionName),
ExternalId: p.ExternalID,