aws/internal/providers/ecs

ECS container credentials provider.

One HTTP GET to a URL the container runtime advertises in environment variables — typically http://169.254.170.2<relative-uri> inside an ECS/EKS task. Response shape is the same as IMDS step 3 (a JSON document with AccessKeyId, SecretAccessKey, Token, Expiration).

Auth token, when present, goes in the Authorization header — but only when the destination is trusted (see ecs_uri_allows_auth). The token is a bearer credential; attaching it to an arbitrary host advertised via AWS_CONTAINER_CREDENTIALS_FULL_URI would exfiltrate it (issue #28). An empty token value means “no auth header at all” (None) rather than “send the empty string”.

Types

pub type EcsCredentials {
  EcsCredentials(
    access_key_id: String,
    secret_access_key: String,
    session_token: option.Option(String),
    expires_at: option.Option(Int),
  )
}

Constructors

  • EcsCredentials(
      access_key_id: String,
      secret_access_key: String,
      session_token: option.Option(String),
      expires_at: option.Option(Int),
    )

pub type Error {
  Unreachable(reason: String)
  Failed(reason: String)
}

Constructors

  • Unreachable(reason: String)

    The metadata URL isn’t reachable. The chain falls through.

  • Failed(reason: String)

    The URL responded, but the body was malformed or signalled a failure.

pub type Options {
  Options(url: String, auth_token: option.Option(String))
}

Constructors

  • Options(url: String, auth_token: option.Option(String))

    url is the credentials URL the container runtime advertises; auth_token is the AWS_CONTAINER_AUTHORIZATION_TOKEN value when one is set, and None when no Authorization header should be sent.

Values

pub fn ecs_uri_allows_auth(url: String) -> Bool

Whether the metadata URL may receive the AWS_CONTAINER_AUTHORIZATION_TOKEN. The token is a bearer credential, so sending it to an arbitrary host over plain HTTP would leak it (SSRF / credential exfiltration — issue #28). Mirroring aws-sdk-rust and aws-sdk-go-v2, it is only attached when the destination is trusted:

  • any https host (TLS protects the token in transit), or
  • a loopback host: 127.0.0.0/8, IPv6 ::1 / [::1], or localhost, or
  • the ECS (169.254.170.2) / EKS (169.254.170.23) link-local endpoints.

Any other host over plain HTTP returns False so the caller omits the header entirely rather than leak the token. A URL that fails to parse is treated as untrusted.
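The following is an added illustration of the trust rule described above and of the empty-token rule from the module overview; it is not the module's own code (the module is Gleam) and is written in Go so the check can be run stand-alone. The function names ecsURIAllowsAuth and authorizationHeader are mine, and the sample URLs in main are constructed, not taken from any real environment.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// ecsURIAllowsAuth applies the trust rule from the page: the bearer token may go
// to any https host, to a loopback host (127.0.0.0/8, ::1, localhost), or to the
// ECS (169.254.170.2) / EKS (169.254.170.23) link-local endpoints. Any other host
// over plain http is untrusted, and so is a URL that does not parse.
func ecsURIAllowsAuth(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		return true // TLS protects the token in transit
	case "http":
		// plain http: only loopback or the link-local metadata endpoints qualify
	default:
		return false // no scheme, or a scheme that is not http(s)
	}
	host := strings.ToLower(u.Hostname()) // strips the port and IPv6 brackets
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false // a DNS name other than localhost over plain http
	}
	if ip.IsLoopback() { // covers 127.0.0.0/8 and ::1
		return true
	}
	return ip.Equal(net.IPv4(169, 254, 170, 2)) || ip.Equal(net.IPv4(169, 254, 170, 23))
}

// authorizationHeader returns the Authorization header value to send and whether
// to send one at all. An empty token means "no header", not "send the empty
// string", and a token is never attached to an untrusted destination.
func authorizationHeader(rawURL, token string) (string, bool) {
	if token == "" || !ecsURIAllowsAuth(rawURL) {
		return "", false
	}
	return token, true
}

func main() {
	// Constructed sample URLs, not taken from any real task environment.
	for _, raw := range []string{
		"http://169.254.170.2/v2/credentials",
		"http://169.254.170.23/v1/credentials",
		"http://127.0.0.1:8080/creds",
		"http://[::1]/creds",
		"http://localhost/creds",
		"https://metadata.example.test/creds",
		"http://attacker.example.test/creds",
		"http://169.254.169.254/latest/meta-data/",
		"not a url",
	} {
		fmt.Printf("%-45s allows auth: %v\n", raw, ecsURIAllowsAuth(raw))
	}
}
```

Note that the allow-list names two specific link-local addresses rather than all of 169.254.0.0/16: an http URL pointing at the IMDS address 169.254.169.254, for instance, is rejected, so the token is only ever sent to the container credential endpoints, loopback, or over TLS.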

pub fn fetch(
  send: fn(request.Request(BitArray)) -> Result(
    response.Response(BitArray),
    http_send.HttpError,
  ),
  options: Options,
) -> Result(EcsCredentials, Error)