/**
* Fetches and caches EC2 instance profile credentials. This is meant to be used by the constructor, and is not to
* be manually invoked.
*
* @param CacheCore $cache (Required) The a reference to the cache object that is being used to handle the caching.
* @param array $options (Required) The options that were passed into the constructor.
* @return mixed The data to be cached, or NULL.
*/
public function cache_instance_profile_credentials($cache, $options)
{
$instance_profile_url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';
$connect_timeout = isset($options['instance_profile_timeout']) ? $options['instance_profile_timeout'] : 2;
try {
// Make a call to the EC2 Metadata Service to find the available instance profile
$request = new RequestCore($instance_profile_url);
$request->set_curlopts(array(CURLOPT_CONNECTTIMEOUT => $connect_timeout));
$response = $request->send_request(true);
if ($response->isOK()) {
// Get the instance profile name
$profile = (string) $response->body;
// Make a call to the EC2 Metadata Service to get the instance profile credentials
$request = new RequestCore($instance_profile_url . $profile);
$request->set_curlopts(array(CURLOPT_CONNECTTIMEOUT => $connect_timeout));
$response = $request->send_request(true);
if ($response->isOK()) {
// Get the credentials
$credentials = json_decode($response->body, true);
if ($credentials['Code'] === 'Success') {
// Determine the expiration time
$expiration_time = strtotime((string) $credentials['Expiration']);
$expiration_duration = round(($expiration_time - time()) * 0.85);
$cache->expire_in($expiration_duration);
// Return the credential information
return array('key' => $credentials['AccessKeyId'], 'secret' => $credentials['SecretAccessKey'], 'token' => $credentials['Token'], 'expires' => $credentials['Expiration']);
}
}
}
} catch (cURL_Exception $e) {
// The EC2 Metadata Service does not exist or had timed out.
// An exception will be thrown on the next line.
}
// @codeCoverageIgnoreStart
throw new CFCredentials_Exception('No credentials were provided. The SDK attempted to retrieve Instance ' . 'Profile credentials from the EC2 Instance Metadata Service, but failed to do so. Instance profile ' . 'credentials are only accessible on EC2 instances configured with a specific IAM role.');
// @codeCoverageIgnoreEnd
}
/**
* Fetches and caches STS credentials. This is meant to be used by the constructor, and is not to be
* manually invoked.
*
* @param CacheCore $cache (Required) The a reference to the cache object that is being used to handle the caching.
* @param array $options (Required) The options that were passed into the constructor.
* @return mixed The data to be cached, or NULL.
*/
public function cache_sts_credentials($cache, $options)
{
$token = new AmazonSTS($options);
$response = $token->get_session_token();
if ($response->isOK()) {
// Update the expiration
$expiration_time = strtotime((string) $response->body->GetSessionTokenResult->Credentials->Expiration);
$expiration_duration = round(($expiration_time - time()) * 0.85);
$cache->expire_in($expiration_duration);
// Return the important data
return array('key' => (string) $response->body->GetSessionTokenResult->Credentials->AccessKeyId, 'secret' => (string) $response->body->GetSessionTokenResult->Credentials->SecretAccessKey, 'token' => (string) $response->body->GetSessionTokenResult->Credentials->SessionToken, 'expires' => (string) $response->body->GetSessionTokenResult->Credentials->Expiration);
}
return null;
}
