envoy.extensions.common.aws.v3.credential_provider.proto Maven / Gradle / Ivy
The newest version!
syntax = "proto3";
package envoy.extensions.common.aws.v3;
import "envoy/config/core/v3/base.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.common.aws.v3";
option java_outer_classname = "CredentialProviderProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/common/aws/v3;awsv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: AWS common configuration]
// Configuration for AWS credential provider. This is optional and the credentials are normally
// retrieved from the environment or AWS configuration files by following the default credential
// provider chain. However, this configuration can be used to override the default behavior.
message AwsCredentialProvider {
// The option to use `AssumeRoleWithWebIdentity `_.
AssumeRoleWithWebIdentityCredentialProvider assume_role_with_web_identity_provider = 1;
// The option to use an inline credential. If inline credential is provided, no chain will be created and only the inline credential will be used.
InlineCredentialProvider inline_credential = 2;
// The option to specify parameters for credential retrieval from an envoy data source, such as a file in AWS credential format.
CredentialsFileCredentialProvider credentials_file_provider = 3;
// Create a custom credential provider chain instead of the default credential provider chain.
// If set to TRUE, the credential provider chain that is created contains only those set in this credential provider message.
// If set to FALSE, the settings provided here will act as modifiers to the default credential provider chain.
// Defaults to FALSE.
//
// This has no effect if inline_credential is provided.
bool custom_credential_provider_chain = 4;
}
// Configuration to use an inline AWS credential. This is an equivalent to setting the well-known
// environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and the optional ``AWS_SESSION_TOKEN``.
message InlineCredentialProvider {
// The AWS access key ID.
string access_key_id = 1 [(validate.rules).string = {min_len: 1}];
// The AWS secret access key.
string secret_access_key = 2
[(validate.rules).string = {min_len: 1}, (udpa.annotations.sensitive) = true];
// The AWS session token. This is optional.
string session_token = 3 [(udpa.annotations.sensitive) = true];
}
// Configuration to use `AssumeRoleWithWebIdentity `_
// to retrieve AWS credentials.
message AssumeRoleWithWebIdentityCredentialProvider {
// Data source for a web identity token that is provided by the identity provider to assume the role.
// When using this data source, even if a ``watched_directory`` is provided, the token file will only be re-read when the credentials
// returned from AssumeRoleWithWebIdentity expire.
config.core.v3.DataSource web_identity_token_data_source = 1
[(udpa.annotations.sensitive) = true];
// The ARN of the role to assume.
string role_arn = 2 [(validate.rules).string = {min_len: 1}];
// Optional role session name to use in AssumeRoleWithWebIdentity API call.
string role_session_name = 3;
}
message CredentialsFileCredentialProvider {
// Data source from which to retrieve AWS credentials
// When using this data source, if a ``watched_directory`` is provided, the credential file will be re-read when a file move is detected.
// See :ref:`watched_directory ` for more information about the ``watched_directory`` field.
config.core.v3.DataSource credentials_data_source = 1 [(udpa.annotations.sensitive) = true];
// The profile within the credentials_file data source. If not provided, the default profile will be used.
string profile = 2;
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy