Startseite Erkunden Hilfe
Anmelden
urbanu619
/
yunbaolive
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: 341424f617
Branches Tags
yunbaolive
/
web
/
sdk
/
aws
/
Aws
/
Credentials
/
CredentialProvider.php

CredentialProvider.php 36 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991 
  1. <?php
    2. 

  2. namespace Aws\Credentials;
    3. 

  3. 

  4. use Aws;
    5. 

  5. use Aws\Api\DateTimeResult;
    6. 

  6. use Aws\CacheInterface;
    7. 

  7. use Aws\Exception\CredentialsException;
    8. 

  8. use Aws\Sts\StsClient;
    9. 

  9. use GuzzleHttp\Promise;
    10. 

  10. /**
    11. 

  11.  * Credential providers are functions that accept no arguments and return a
    12. 

  12.  * promise that is fulfilled with an {@see \Aws\Credentials\CredentialsInterface}
    13. 

  13.  * or rejected with an {@see \Aws\Exception\CredentialsException}.
    14. 

  14.  *
    15. 

  15.  * <code>
    16. 

  16.  * use Aws\Credentials\CredentialProvider;
    17. 

  17.  * $provider = CredentialProvider::defaultProvider();
    18. 

  18.  * // Returns a CredentialsInterface or throws.
    19. 

  19.  * $creds = $provider()->wait();
    20. 

  20.  * </code>
    21. 

  21.  *
    22. 

  22.  * Credential providers can be composed to create credentials using conditional
    23. 

  23.  * logic that can create different credentials in different environments. You
    24. 

  24.  * can compose multiple providers into a single provider using
    25. 

  25.  * {@see Aws\Credentials\CredentialProvider::chain}. This function accepts
    26. 

  26.  * providers as variadic arguments and returns a new function that will invoke
    27. 

  27.  * each provider until a successful set of credentials is returned.
    28. 

  28.  *
    29. 

  29.  * <code>
    30. 

  30.  * // First try an INI file at this location.
    31. 

  31.  * $a = CredentialProvider::ini(null, '/path/to/file.ini');
    32. 

  32.  * // Then try an INI file at this location.
    33. 

  33.  * $b = CredentialProvider::ini(null, '/path/to/other-file.ini');
    34. 

  34.  * // Then try loading from environment variables.
    35. 

  35.  * $c = CredentialProvider::env();
    36. 

  36.  * // Combine the three providers together.
    37. 

  37.  * $composed = CredentialProvider::chain($a, $b, $c);
    38. 

  38.  * // Returns a promise that is fulfilled with credentials or throws.
    39. 

  39.  * $promise = $composed();
    40. 

  40.  * // Wait on the credentials to resolve.
    41. 

  41.  * $creds = $promise->wait();
    42. 

  42.  * </code>
    43. 

  43.  */
    44. 

  44. class CredentialProvider
    45. 

  45. {
    46. 

  46.     const ENV_ARN = 'AWS_ROLE_ARN';
    47. 

  47.     const ENV_KEY = 'AWS_ACCESS_KEY_ID';
    48. 

  48.     const ENV_PROFILE = 'AWS_PROFILE';
    49. 

  49.     const ENV_ROLE_SESSION_NAME = 'AWS_ROLE_SESSION_NAME';
    50. 

  50.     const ENV_SECRET = 'AWS_SECRET_ACCESS_KEY';
    51. 

  51.     const ENV_SESSION = 'AWS_SESSION_TOKEN';
    52. 

  52.     const ENV_TOKEN_FILE = 'AWS_WEB_IDENTITY_TOKEN_FILE';
    53. 

  53.     const ENV_SHARED_CREDENTIALS_FILE = 'AWS_SHARED_CREDENTIALS_FILE';
    54. 

  54. 

  55.     /**
    56. 

  56.      * Create a default credential provider that
    57. 

  57.      * first checks for environment variables,
    58. 

  58.      * then checks for assumed role via web identity,
    59. 

  59.      * then checks for cached SSO credentials from the CLI,
    60. 

  60.      * then check for credential_process in the "default" profile in ~/.aws/credentials,
    61. 

  61.      * then checks for the "default" profile in ~/.aws/credentials,
    62. 

  62.      * then for credential_process in the "default profile" profile in ~/.aws/config,
    63. 

  63.      * then checks for "profile default" profile in ~/.aws/config (which is
    64. 

  64.      * the default profile of AWS CLI),
    65. 

  65.      * then tries to make a GET Request to fetch credentials if ECS environment variable is presented,
    66. 

  66.      * finally checks for EC2 instance profile credentials.
    67. 

  67.      *
    68. 

  68.      * This provider is automatically wrapped in a memoize function that caches
    69. 

  69.      * previously provided credentials.
    70. 

  70.      *
    71. 

  71.      * @param array $config Optional array of ecs/instance profile credentials
    72. 

  72.      *                      provider options.
    73. 

  73.      *
    74. 

  74.      * @return callable
    75. 

  75.      */
    76. 

  76.     public static function defaultProvider(array $config = [])
    77. 

  77.     {
    78. 

  78.         $cacheable = [
    79. 

  79.             'web_identity',
    80. 

  80.             'sso',
    81. 

  81.             'process_credentials',
    82. 

  82.             'process_config',
    83. 

  83.             'ecs',
    84. 

  84.             'instance'
    85. 

  85.         ];
    86. 

  86. 

  87.         $profileName = getenv(self::ENV_PROFILE) ?: 'default';
    88. 

  88. 

  89.         $defaultChain = [
    90. 

  90.             'env' => self::env(),
    91. 

  91.             'web_identity' => self::assumeRoleWithWebIdentityCredentialProvider($config),
    92. 

  92.         ];
    93. 

  93.         if (
    94. 

  94.             !isset($config['use_aws_shared_config_files'])
    95. 

  95.             || $config['use_aws_shared_config_files'] !== false
    96. 

  96.         ) {
    97. 

  97.             $defaultChain['sso'] = self::sso(
    98. 

  98.                 $profileName,
    99. 

  99.                 self::getHomeDir() . '/.aws/config',
    100. 

  100.                 $config
    101. 

  101.             );
    102. 

  102.             $defaultChain['process_credentials'] = self::process();
    103. 

  103.             $defaultChain['ini'] = self::ini();
    104. 

  104.             $defaultChain['process_config'] = self::process(
    105. 

  105.                 'profile ' . $profileName,
    106. 

  106.                 self::getHomeDir() . '/.aws/config'
    107. 

  107.             );
    108. 

  108.             $defaultChain['ini_config'] = self::ini(
    109. 

  109.                 'profile '. $profileName,
    110. 

  110.                 self::getHomeDir() . '/.aws/config'
    111. 

  111.             );
    112. 

  112.         }
    113. 

  113. 

  114.         if (self::shouldUseEcs()) {
    115. 

  115.             $defaultChain['ecs'] = self::ecsCredentials($config);
    116. 

  116.         } else {
    117. 

  117.             $defaultChain['instance'] = self::instanceProfile($config);
    118. 

  118.         }
    119. 

  119. 

  120.         if (isset($config['credentials'])
    121. 

  121.             && $config['credentials'] instanceof CacheInterface
    122. 

  122.         ) {
    123. 

  123.             foreach ($cacheable as $provider) {
    124. 

  124.                 if (isset($defaultChain[$provider])) {
    125. 

  125.                     $defaultChain[$provider] = self::cache(
    126. 

  126.                         $defaultChain[$provider],
    127. 

  127.                         $config['credentials'],
    128. 

  128.                         'aws_cached_' . $provider . '_credentials'
    129. 

  129.                     );
    130. 

  130.                 }
    131. 

  131.             }
    132. 

  132.         }
    133. 

  133. 

  134.         return self::memoize(
    135. 

  135.             call_user_func_array(
    136. 

  136.                 [CredentialProvider::class, 'chain'],
    137. 

  137.                 array_values($defaultChain)
    138. 

  138.             )
    139. 

  139.         );
    140. 

  140.     }
    141. 

  141. 

  142.     /**
    143. 

  143.      * Create a credential provider function from a set of static credentials.
    144. 

  144.      *
    145. 

  145.      * @param CredentialsInterface $creds
    146. 

  146.      *
    147. 

  147.      * @return callable
    148. 

  148.      */
    149. 

  149.     public static function fromCredentials(CredentialsInterface $creds)
    150. 

  150.     {
    151. 

  151.         $promise = Promise\Create::promiseFor($creds);
    152. 

  152. 

  153.         return function () use ($promise) {
    154. 

  154.             return $promise;
    155. 

  155.         };
    156. 

  156.     }
    157. 

  157. 

  158.     /**
    159. 

  159.      * Creates an aggregate credentials provider that invokes the provided
    160. 

  160.      * variadic providers one after the other until a provider returns
    161. 

  161.      * credentials.
    162. 

  162.      *
    163. 

  163.      * @return callable
    164. 

  164.      */
    165. 

  165.     public static function chain()
    166. 

  166.     {
    167. 

  167.         $links = func_get_args();
    168. 

  168.         if (empty($links)) {
    169. 

  169.             throw new \InvalidArgumentException('No providers in chain');
    170. 

  170.         }
    171. 

  171. 

  172.         return function ($previousCreds = null) use ($links) {
    173. 

  173.             /** @var callable $parent */
    174. 

  174.             $parent = array_shift($links);
    175. 

  175.             $promise = $parent();
    176. 

  176.             while ($next = array_shift($links)) {
    177. 

  177.                 if ($next instanceof InstanceProfileProvider
    178. 

  178.                     && $previousCreds instanceof Credentials
    179. 

  179.                 ) {
    180. 

  180.                     $promise = $promise->otherwise(
    181. 

  181.                         function () use ($next, $previousCreds) {return $next($previousCreds);}
    182. 

  182.                     );
    183. 

  183.                 } else {
    184. 

  184.                     $promise = $promise->otherwise($next);
    185. 

  185.                 }
    186. 

  186.             }
    187. 

  187.             return $promise;
    188. 

  188.         };
    189. 

  189.     }
    190. 

  190. 

  191.     /**
    192. 

  192.      * Wraps a credential provider and caches previously provided credentials.
    193. 

  193.      *
    194. 

  194.      * Ensures that cached credentials are refreshed when they expire.
    195. 

  195.      *
    196. 

  196.      * @param callable $provider Credentials provider function to wrap.
    197. 

  197.      *
    198. 

  198.      * @return callable
    199. 

  199.      */
    200. 

  200.     public static function memoize(callable $provider)
    201. 

  201.     {
    202. 

  202.         return function () use ($provider) {
    203. 

  203.             static $result;
    204. 

  204.             static $isConstant;
    205. 

  205. 

  206.             // Constant credentials will be returned constantly.
    207. 

  207.             if ($isConstant) {
    208. 

  208.                 return $result;
    209. 

  209.             }
    210. 

  210. 

  211.             // Create the initial promise that will be used as the cached value
    212. 

  212.             // until it expires.
    213. 

  213.             if (null === $result) {
    214. 

  214.                 $result = $provider();
    215. 

  215.             }
    216. 

  216. 

  217.             // Return credentials that could expire and refresh when needed.
    218. 

  218.             return $result
    219. 

  219.                 ->then(function (CredentialsInterface $creds) use ($provider, &$isConstant, &$result) {
    220. 

  220.                     // Determine if these are constant credentials.
    221. 

  221.                     if (!$creds->getExpiration()) {
    222. 

  222.                         $isConstant = true;
    223. 

  223.                         return $creds;
    224. 

  224.                     }
    225. 

  225. 

  226.                     // Refresh expired credentials.
    227. 

  227.                     if (!$creds->isExpired()) {
    228. 

  228.                         return $creds;
    229. 

  229.                     }
    230. 

  230.                     // Refresh the result and forward the promise.
    231. 

  231.                     return $result = $provider($creds);
    232. 

  232.                 })
    233. 

  233.                 ->otherwise(function($reason) use (&$result) {
    234. 

  234.                     // Cleanup rejected promise.
    235. 

  235.                     $result = null;
    236. 

  236.                     return new Promise\RejectedPromise($reason);
    237. 

  237.                 });
    238. 

  238.         };
    239. 

  239.     }
    240. 

  240. 

  241.     /**
    242. 

  242.      * Wraps a credential provider and saves provided credentials in an
    243. 

  243.      * instance of Aws\CacheInterface. Forwards calls when no credentials found
    244. 

  244.      * in cache and updates cache with the results.
    245. 

  245.      *
    246. 

  246.      * @param callable $provider Credentials provider function to wrap
    247. 

  247.      * @param CacheInterface $cache Cache to store credentials
    248. 

  248.      * @param string|null $cacheKey (optional) Cache key to use
    249. 

  249.      *
    250. 

  250.      * @return callable
    251. 

  251.      */
    252. 

  252.     public static function cache(
    253. 

  253.         callable $provider,
    254. 

  254.         CacheInterface $cache,
    255. 

  255.         $cacheKey = null
    256. 

  256.     ) {
    257. 

  257.         $cacheKey = $cacheKey ?: 'aws_cached_credentials';
    258. 

  258. 

  259.         return function () use ($provider, $cache, $cacheKey) {
    260. 

  260.             $found = $cache->get($cacheKey);
    261. 

  261.             if ($found instanceof CredentialsInterface && !$found->isExpired()) {
    262. 

  262.                 return Promise\Create::promiseFor($found);
    263. 

  263.             }
    264. 

  264. 

  265.             return $provider()
    266. 

  266.                 ->then(function (CredentialsInterface $creds) use (
    267. 

  267.                     $cache,
    268. 

  268.                     $cacheKey
    269. 

  269.                 ) {
    270. 

  270.                     $cache->set(
    271. 

  271.                         $cacheKey,
    272. 

  272.                         $creds,
    273. 

  273.                         null === $creds->getExpiration() ?
    274. 

  274.                             0 : $creds->getExpiration() - time()
    275. 

  275.                     );
    276. 

  276. 

  277.                     return $creds;
    278. 

  278.                 });
    279. 

  279.         };
    280. 

  280.     }
    281. 

  281. 

  282.     /**
    283. 

  283.      * Provider that creates credentials from environment variables
    284. 

  284.      * AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
    285. 

  285.      *
    286. 

  286.      * @return callable
    287. 

  287.      */
    288. 

  288.     public static function env()
    289. 

  289.     {
    290. 

  290.         return function () {
    291. 

  291.             // Use credentials from environment variables, if available
    292. 

  292.             $key = getenv(self::ENV_KEY);
    293. 

  293.             $secret = getenv(self::ENV_SECRET);
    294. 

  294.             if ($key && $secret) {
    295. 

  295.                 return Promise\Create::promiseFor(
    296. 

  296.                     new Credentials($key, $secret, getenv(self::ENV_SESSION) ?: NULL)
    297. 

  297.                 );
    298. 

  298.             }
    299. 

  299. 

  300.             return self::reject('Could not find environment variable '
    301. 

  301.                 . 'credentials in ' . self::ENV_KEY . '/' . self::ENV_SECRET);
    302. 

  302.         };
    303. 

  303.     }
    304. 

  304. 

  305.     /**
    306. 

  306.      * Credential provider that creates credentials using instance profile
    307. 

  307.      * credentials.
    308. 

  308.      *
    309. 

  309.      * @param array $config Array of configuration data.
    310. 

  310.      *
    311. 

  311.      * @return InstanceProfileProvider
    312. 

  312.      * @see Aws\Credentials\InstanceProfileProvider for $config details.
    313. 

  313.      */
    314. 

  314.     public static function instanceProfile(array $config = [])
    315. 

  315.     {
    316. 

  316.         return new InstanceProfileProvider($config);
    317. 

  317.     }
    318. 

  318. 

  319.     /**
    320. 

  320.      * Credential provider that retrieves cached SSO credentials from the CLI
    321. 

  321.      *
    322. 

  322.      * @return callable
    323. 

  323.      */
    324. 

  324.     public static function sso($ssoProfileName = 'default',
    325. 

  325.                                $filename = null,
    326. 

  326.                                $config = []
    327. 

  327.     ) {
    328. 

  328.         $filename = $filename ?: (self::getHomeDir() . '/.aws/config');
    329. 

  329. 

  330.         return function () use ($ssoProfileName, $filename, $config) {
    331. 

  331.             if (!@is_readable($filename)) {
    332. 

  332.                 return self::reject("Cannot read credentials from $filename");
    333. 

  333.             }
    334. 

  334.             $profiles = self::loadProfiles($filename);
    335. 

  335. 

  336.             if (isset($profiles[$ssoProfileName])) {
    337. 

  337.                 $ssoProfile = $profiles[$ssoProfileName];
    338. 

  338.             } elseif (isset($profiles['profile ' . $ssoProfileName])) {
    339. 

  339.                 $ssoProfileName = 'profile ' . $ssoProfileName;
    340. 

  340.                 $ssoProfile = $profiles[$ssoProfileName];
    341. 

  341.             } else {
    342. 

  342.                 return self::reject("Profile {$ssoProfileName} does not exist in {$filename}.");
    343. 

  343.             }
    344. 

  344. 

  345.             if (!empty($ssoProfile['sso_session'])) {
    346. 

  346.                 return CredentialProvider::getSsoCredentials($profiles, $ssoProfileName, $filename, $config);
    347. 

  347.             } else {
    348. 

  348.                 return CredentialProvider::getSsoCredentialsLegacy($profiles, $ssoProfileName, $filename, $config);
    349. 

  349.             }
    350. 

  350.         };
    351. 

  351.     }
    352. 

  352. 

  353.     /**
    354. 

  354.      * Credential provider that creates credentials using
    355. 

  355.      * ecs credentials by a GET request, whose uri is specified
    356. 

  356.      * by environment variable
    357. 

  357.      *
    358. 

  358.      * @param array $config Array of configuration data.
    359. 

  359.      *
    360. 

  360.      * @return EcsCredentialProvider
    361. 

  361.      * @see Aws\Credentials\EcsCredentialProvider for $config details.
    362. 

  362.      */
    363. 

  363.     public static function ecsCredentials(array $config = [])
    364. 

  364.     {
    365. 

  365.         return new EcsCredentialProvider($config);
    366. 

  366.     }
    367. 

  367. 

  368.     /**
    369. 

  369.      * Credential provider that creates credentials using assume role
    370. 

  370.      *
    371. 

  371.      * @param array $config Array of configuration data
    372. 

  372.      * @return callable
    373. 

  373.      * @see Aws\Credentials\AssumeRoleCredentialProvider for $config details.
    374. 

  374.      */
    375. 

  375.     public static function assumeRole(array $config=[])
    376. 

  376.     {
    377. 

  377.         return new AssumeRoleCredentialProvider($config);
    378. 

  378.     }
    379. 

  379. 

  380.     /**
    381. 

  381.      * Credential provider that creates credentials by assuming role from a
    382. 

  382.      * Web Identity Token
    383. 

  383.      *
    384. 

  384.      * @param array $config Array of configuration data
    385. 

  385.      * @return callable
    386. 

  386.      * @see Aws\Credentials\AssumeRoleWithWebIdentityCredentialProvider for
    387. 

  387.      * $config details.
    388. 

  388.      */
    389. 

  389.     public static function assumeRoleWithWebIdentityCredentialProvider(array $config = [])
    390. 

  390.     {
    391. 

  391.         return function () use ($config) {
    392. 

  392.             $arnFromEnv = getenv(self::ENV_ARN);
    393. 

  393.             $tokenFromEnv = getenv(self::ENV_TOKEN_FILE);
    394. 

  394.             $stsClient = isset($config['stsClient'])
    395. 

  395.                 ? $config['stsClient']
    396. 

  396.                 : null;
    397. 

  397.             $region = isset($config['region'])
    398. 

  398.                 ? $config['region']
    399. 

  399.                 : null;
    400. 

  400. 

  401.             if ($tokenFromEnv && $arnFromEnv) {
    402. 

  402.                 $sessionName = getenv(self::ENV_ROLE_SESSION_NAME)
    403. 

  403.                     ? getenv(self::ENV_ROLE_SESSION_NAME)
    404. 

  404.                     : null;
    405. 

  405.                 $provider = new AssumeRoleWithWebIdentityCredentialProvider([
    406. 

  406.                     'RoleArn' => $arnFromEnv,
    407. 

  407.                     'WebIdentityTokenFile' => $tokenFromEnv,
    408. 

  408.                     'SessionName' => $sessionName,
    409. 

  409.                     'client' => $stsClient,
    410. 

  410.                     'region' => $region
    411. 

  411.                 ]);
    412. 

  412. 

  413.                 return $provider();
    414. 

  414.             }
    415. 

  415. 

  416.             $profileName = getenv(self::ENV_PROFILE) ?: 'default';
    417. 

  417.             if (isset($config['filename'])) {
    418. 

  418.                 $profiles = self::loadProfiles($config['filename']);
    419. 

  419.             } else {
    420. 

  420.                 $profiles = self::loadDefaultProfiles();
    421. 

  421.             }
    422. 

  422. 

  423.             if (isset($profiles[$profileName])) {
    424. 

  424.                 $profile = $profiles[$profileName];
    425. 

  425.                 if (isset($profile['region'])) {
    426. 

  426.                     $region = $profile['region'];
    427. 

  427.                 }
    428. 

  428.                 if (isset($profile['web_identity_token_file'])
    429. 

  429.                     && isset($profile['role_arn'])
    430. 

  430.                 ) {
    431. 

  431.                     $sessionName = isset($profile['role_session_name'])
    432. 

  432.                         ? $profile['role_session_name']
    433. 

  433.                         : null;
    434. 

  434.                     $provider = new AssumeRoleWithWebIdentityCredentialProvider([
    435. 

  435.                         'RoleArn' => $profile['role_arn'],
    436. 

  436.                         'WebIdentityTokenFile' => $profile['web_identity_token_file'],
    437. 

  437.                         'SessionName' => $sessionName,
    438. 

  438.                         'client' => $stsClient,
    439. 

  439.                         'region' => $region
    440. 

  440.                     ]);
    441. 

  441. 

  442.                     return $provider();
    443. 

  443.                 }
    444. 

  444.             } else {
    445. 

  445.                 return self::reject("Unknown profile: $profileName");
    446. 

  446.             }
    447. 

  447.             return self::reject("No RoleArn or WebIdentityTokenFile specified");
    448. 

  448.         };
    449. 

  449.     }
    450. 

  450. 

  451.     /**
    452. 

  452.      * Credentials provider that creates credentials using an ini file stored
    453. 

  453.      * in the current user's home directory.  A source can be provided
    454. 

  454.      * in this file for assuming a role using the credential_source config option.
    455. 

  455.      *
    456. 

  456.      * @param string|null $profile  Profile to use. If not specified will use
    457. 

  457.      *                              the "default" profile in "~/.aws/credentials".
    458. 

  458.      * @param string|null $filename If provided, uses a custom filename rather
    459. 

  459.      *                              than looking in the home directory.
    460. 

  460.      * @param array|null $config If provided, may contain the following:
    461. 

  461.      *                           preferStaticCredentials: If true, prefer static
    462. 

  462.      *                           credentials to role_arn if both are present
    463. 

  463.      *                           disableAssumeRole: If true, disable support for
    464. 

  464.      *                           roles that assume an IAM role. If true and role profile
    465. 

  465.      *                           is selected, an error is raised.
    466. 

  466.      *                           stsClient: StsClient used to assume role specified in profile
    467. 

  467.      *
    468. 

  468.      * @return callable
    469. 

  469.      */
    470. 

  470.     public static function ini($profile = null, $filename = null, array $config = [])
    471. 

  471.     {
    472. 

  472.         $filename = self::getFileName($filename);
    473. 

  473.         $profile = $profile ?: (getenv(self::ENV_PROFILE) ?: 'default');
    474. 

  474. 

  475.         return function () use ($profile, $filename, $config) {
    476. 

  476.             $preferStaticCredentials = isset($config['preferStaticCredentials'])
    477. 

  477.                 ? $config['preferStaticCredentials']
    478. 

  478.                 : false;
    479. 

  479.             $disableAssumeRole = isset($config['disableAssumeRole'])
    480. 

  480.                 ? $config['disableAssumeRole']
    481. 

  481.                 : false;
    482. 

  482.             $stsClient = isset($config['stsClient']) ? $config['stsClient'] : null;
    483. 

  483. 

  484.             if (!@is_readable($filename)) {
    485. 

  485.                 return self::reject("Cannot read credentials from $filename");
    486. 

  486.             }
    487. 

  487.             $data = self::loadProfiles($filename);
    488. 

  488.             if ($data === false) {
    489. 

  489.                 return self::reject("Invalid credentials file: $filename");
    490. 

  490.             }
    491. 

  491.             if (!isset($data[$profile])) {
    492. 

  492.                 return self::reject("'$profile' not found in credentials file");
    493. 

  493.             }
    494. 

  494. 

  495.             /*
    496. 

  496.             In the CLI, the presence of both a role_arn and static credentials have
    497. 

  497.             different meanings depending on how many profiles have been visited. For
    498. 

  498.             the first profile processed, role_arn takes precedence over any static
    499. 

  499.             credentials, but for all subsequent profiles, static credentials are
    500. 

  500.             used if present, and only in their absence will the profile's
    501. 

  501.             source_profile and role_arn keys be used to load another set of
    502. 

  502.             credentials. This bool is intended to yield compatible behaviour in this
    503. 

  503.             sdk.
    504. 

  504.             */
    505. 

  505.             $preferStaticCredentialsToRoleArn = ($preferStaticCredentials
    506. 

  506.                 && isset($data[$profile]['aws_access_key_id'])
    507. 

  507.                 && isset($data[$profile]['aws_secret_access_key']));
    508. 

  508. 

  509.             if (isset($data[$profile]['role_arn'])
    510. 

  510.                 && !$preferStaticCredentialsToRoleArn
    511. 

  511.             ) {
    512. 

  512.                 if ($disableAssumeRole) {
    513. 

  513.                     return self::reject(
    514. 

  514.                         "Role assumption profiles are disabled. "
    515. 

  515.                         . "Failed to load profile " . $profile);
    516. 

  516.                 }
    517. 

  517.                 return self::loadRoleProfile(
    518. 

  518.                     $data,
    519. 

  519.                     $profile,
    520. 

  520.                     $filename,
    521. 

  521.                     $stsClient,
    522. 

  522.                     $config
    523. 

  523.                 );
    524. 

  524.             }
    525. 

  525. 

  526.             if (!isset($data[$profile]['aws_access_key_id'])
    527. 

  527.                 || !isset($data[$profile]['aws_secret_access_key'])
    528. 

  528.             ) {
    529. 

  529.                 return self::reject("No credentials present in INI profile "
    530. 

  530.                     . "'$profile' ($filename)");
    531. 

  531.             }
    532. 

  532. 

  533.             if (empty($data[$profile]['aws_session_token'])) {
    534. 

  534.                 $data[$profile]['aws_session_token']
    535. 

  535.                     = isset($data[$profile]['aws_security_token'])
    536. 

  536.                     ? $data[$profile]['aws_security_token']
    537. 

  537.                     : null;
    538. 

  538.             }
    539. 

  539. 

  540.             return Promise\Create::promiseFor(
    541. 

  541.                 new Credentials(
    542. 

  542.                     $data[$profile]['aws_access_key_id'],
    543. 

  543.                     $data[$profile]['aws_secret_access_key'],
    544. 

  544.                     $data[$profile]['aws_session_token']
    545. 

  545.                 )
    546. 

  546.             );
    547. 

  547.         };
    548. 

  548.     }
    549. 

  549. 

  550.     /**
    551. 

  551.      * Credentials provider that creates credentials using a process configured in
    552. 

  552.      * ini file stored in the current user's home directory.
    553. 

  553.      *
    554. 

  554.      * @param string|null $profile  Profile to use. If not specified will use
    555. 

  555.      *                              the "default" profile in "~/.aws/credentials".
    556. 

  556.      * @param string|null $filename If provided, uses a custom filename rather
    557. 

  557.      *                              than looking in the home directory.
    558. 

  558.      *
    559. 

  559.      * @return callable
    560. 

  560.      */
    561. 

  561.     public static function process($profile = null, $filename = null)
    562. 

  562.     {
    563. 

  563.         $filename = self::getFileName($filename);
    564. 

  564.         $profile = $profile ?: (getenv(self::ENV_PROFILE) ?: 'default');
    565. 

  565. 

  566.         return function () use ($profile, $filename) {
    567. 

  567.             if (!@is_readable($filename)) {
    568. 

  568.                 return self::reject("Cannot read process credentials from $filename");
    569. 

  569.             }
    570. 

  570.             $data = \Aws\parse_ini_file($filename, true, INI_SCANNER_RAW);
    571. 

  571.             if ($data === false) {
    572. 

  572.                 return self::reject("Invalid credentials file: $filename");
    573. 

  573.             }
    574. 

  574.             if (!isset($data[$profile])) {
    575. 

  575.                 return self::reject("'$profile' not found in credentials file");
    576. 

  576.             }
    577. 

  577.             if (!isset($data[$profile]['credential_process'])) {
    578. 

  578.                 return self::reject("No credential_process present in INI profile "
    579. 

  579.                     . "'$profile' ($filename)");
    580. 

  580.             }
    581. 

  581. 

  582.             $credentialProcess = $data[$profile]['credential_process'];
    583. 

  583.             $json = shell_exec($credentialProcess);
    584. 

  584. 

  585.             $processData = json_decode($json, true);
    586. 

  586. 

  587.             // Only support version 1
    588. 

  588.             if (isset($processData['Version'])) {
    589. 

  589.                 if ($processData['Version'] !== 1) {
    590. 

  590.                     return self::reject("credential_process does not return Version == 1");
    591. 

  591.                 }
    592. 

  592.             }
    593. 

  593. 

  594.             if (!isset($processData['AccessKeyId'])
    595. 

  595.                 || !isset($processData['SecretAccessKey']))
    596. 

  596.             {
    597. 

  597.                 return self::reject("credential_process does not return valid credentials");
    598. 

  598.             }
    599. 

  599. 

  600.             if (isset($processData['Expiration'])) {
    601. 

  601.                 try {
    602. 

  602.                     $expiration = new DateTimeResult($processData['Expiration']);
    603. 

  603.                 } catch (\Exception $e) {
    604. 

  604.                     return self::reject("credential_process returned invalid expiration");
    605. 

  605.                 }
    606. 

  606.                 $now = new DateTimeResult();
    607. 

  607.                 if ($expiration < $now) {
    608. 

  608.                     return self::reject("credential_process returned expired credentials");
    609. 

  609.                 }
    610. 

  610.                 $expires = $expiration->getTimestamp();
    611. 

  611.             } else {
    612. 

  612.                 $expires = null;
    613. 

  613.             }
    614. 

  614. 

  615.             if (empty($processData['SessionToken'])) {
    616. 

  616.                 $processData['SessionToken'] = null;
    617. 

  617.             }
    618. 

  618. 

  619.             return Promise\Create::promiseFor(
    620. 

  620.                 new Credentials(
    621. 

  621.                     $processData['AccessKeyId'],
    622. 

  622.                     $processData['SecretAccessKey'],
    623. 

  623.                     $processData['SessionToken'],
    624. 

  624.                     $expires
    625. 

  625.                 )
    626. 

  626.             );
    627. 

  627.         };
    628. 

  628.     }
    629. 

  629. 

  630.     /**
    631. 

  631.      * Assumes role for profile that includes role_arn
    632. 

  632.      *
    633. 

  633.      * @return callable
    634. 

  634.      */
    635. 

  635.     private static function loadRoleProfile(
    636. 

  636.         $profiles,
    637. 

  637.         $profileName,
    638. 

  638.         $filename,
    639. 

  639.         $stsClient,
    640. 

  640.         $config = []
    641. 

  641.     ) {
    642. 

  642.         $roleProfile = $profiles[$profileName];
    643. 

  643.         $roleArn = isset($roleProfile['role_arn']) ? $roleProfile['role_arn'] : '';
    644. 

  644.         $roleSessionName = isset($roleProfile['role_session_name'])
    645. 

  645.             ? $roleProfile['role_session_name']
    646. 

  646.             : 'aws-sdk-php-' . round(microtime(true) * 1000);
    647. 

  647. 

  648.         if (
    649. 

  649.             empty($roleProfile['source_profile'])
    650. 

  650.             == empty($roleProfile['credential_source'])
    651. 

  651.         ) {
    652. 

  652.             return self::reject("Either source_profile or credential_source must be set " .
    653. 

  653.                 "using profile " . $profileName . ", but not both."
    654. 

  654.             );
    655. 

  655.         }
    656. 

  656. 

  657.         $sourceProfileName = "";
    658. 

  658.         if (!empty($roleProfile['source_profile'])) {
    659. 

  659.             $sourceProfileName = $roleProfile['source_profile'];
    660. 

  660.             if (!isset($profiles[$sourceProfileName])) {
    661. 

  661.                 return self::reject("source_profile " . $sourceProfileName
    662. 

  662.                     . " using profile " . $profileName . " does not exist"
    663. 

  663.                 );
    664. 

  664.             }
    665. 

  665.             if (isset($config['visited_profiles']) &&
    666. 

  666.                 in_array($roleProfile['source_profile'], $config['visited_profiles'])
    667. 

  667.             ) {
    668. 

  668.                 return self::reject("Circular source_profile reference found.");
    669. 

  669.             }
    670. 

  670.             $config['visited_profiles'] [] = $roleProfile['source_profile'];
    671. 

  671.         } else {
    672. 

  672.             if (empty($roleArn)) {
    673. 

  673.                 return self::reject(
    674. 

  674.                     "A role_arn must be provided with credential_source in " .
    675. 

  675.                     "file {$filename} under profile {$profileName} "
    676. 

  676.                 );
    677. 

  677.             }
    678. 

  678.         }
    679. 

  679. 

  680.         if (empty($stsClient)) {
    681. 

  681.             $sourceRegion = isset($profiles[$sourceProfileName]['region'])
    682. 

  682.                 ? $profiles[$sourceProfileName]['region']
    683. 

  683.                 : 'us-east-1';
    684. 

  684.             $config['preferStaticCredentials'] = true;
    685. 

  685.             $sourceCredentials = null;
    686. 

  686.             if (!empty($roleProfile['source_profile'])){
    687. 

  687.                 $sourceCredentials = call_user_func(
    688. 

  688.                     CredentialProvider::ini($sourceProfileName, $filename, $config)
    689. 

  689.                 )->wait();
    690. 

  690.             } else {
    691. 

  691.                 $sourceCredentials = self::getCredentialsFromSource(
    692. 

  692.                     $profileName,
    693. 

  693.                     $filename
    694. 

  694.                 );
    695. 

  695.             }
    696. 

  696.             $stsClient = new StsClient([
    697. 

  697.                 'credentials' => $sourceCredentials,
    698. 

  698.                 'region' => $sourceRegion,
    699. 

  699.                 'version' => '2011-06-15',
    700. 

  700.             ]);
    701. 

  701.         }
    702. 

  702. 

  703.         $result = $stsClient->assumeRole([
    704. 

  704.             'RoleArn' => $roleArn,
    705. 

  705.             'RoleSessionName' => $roleSessionName
    706. 

  706.         ]);
    707. 

  707. 

  708.         $credentials = $stsClient->createCredentials($result);
    709. 

  709.         return Promise\Create::promiseFor($credentials);
    710. 

  710.     }
    711. 

  711. 

  712.     /**
    713. 

  713.      * Gets the environment's HOME directory if available.
    714. 

  714.      *
    715. 

  715.      * @return null|string
    716. 

  716.      */
    717. 

  717.     private static function getHomeDir()
    718. 

  718.     {
    719. 

  719.         // On Linux/Unix-like systems, use the HOME environment variable
    720. 

  720.         if ($homeDir = getenv('HOME')) {
    721. 

  721.             return $homeDir;
    722. 

  722.         }
    723. 

  723. 

  724.         // Get the HOMEDRIVE and HOMEPATH values for Windows hosts
    725. 

  725.         $homeDrive = getenv('HOMEDRIVE');
    726. 

  726.         $homePath = getenv('HOMEPATH');
    727. 

  727. 

  728.         return ($homeDrive && $homePath) ? $homeDrive . $homePath : null;
    729. 

  729.     }
    730. 

  730. 

  731.     /**
    732. 

  732.      * Gets profiles from specified $filename, or default ini files.
    733. 

  733.      */
    734. 

  734.     private static function loadProfiles($filename)
    735. 

  735.     {
    736. 

  736.         $profileData = \Aws\parse_ini_file($filename, true, INI_SCANNER_RAW);
    737. 

  737. 

  738.         // If loading .aws/credentials, also load .aws/config when AWS_SDK_LOAD_NONDEFAULT_CONFIG is set
    739. 

  739.         if ($filename === self::getHomeDir() . '/.aws/credentials'
    740. 

  740.             && getenv('AWS_SDK_LOAD_NONDEFAULT_CONFIG')
    741. 

  741.         ) {
    742. 

  742.             $configFilename = self::getHomeDir() . '/.aws/config';
    743. 

  743.             $configProfileData = \Aws\parse_ini_file($configFilename, true, INI_SCANNER_RAW);
    744. 

  744.             foreach ($configProfileData as $name => $profile) {
    745. 

  745.                 // standardize config profile names
    746. 

  746.                 $name = str_replace('profile ', '', $name);
    747. 

  747.                 if (!isset($profileData[$name])) {
    748. 

  748.                     $profileData[$name] = $profile;
    749. 

  749.                 }
    750. 

  750.             }
    751. 

  751.         }
    752. 

  752. 

  753.         return $profileData;
    754. 

  754.     }
    755. 

  755. 

  756.     /**
    757. 

  757.      * Gets profiles from ~/.aws/credentials and ~/.aws/config ini files
    758. 

  758.      */
    759. 

  759.     private static function loadDefaultProfiles() {
    760. 

  760.         $profiles = [];
    761. 

  761.         $credFile = self::getHomeDir() . '/.aws/credentials';
    762. 

  762.         $configFile = self::getHomeDir() . '/.aws/config';
    763. 

  763.         if (file_exists($credFile)) {
    764. 

  764.             $profiles = \Aws\parse_ini_file($credFile, true, INI_SCANNER_RAW);
    765. 

  765.         }
    766. 

  766. 

  767.         if (file_exists($configFile)) {
    768. 

  768.             $configProfileData = \Aws\parse_ini_file($configFile, true, INI_SCANNER_RAW);
    769. 

  769.             foreach ($configProfileData as $name => $profile) {
    770. 

  770.                 // standardize config profile names
    771. 

  771.                 $name = str_replace('profile ', '', $name);
    772. 

  772.                 if (!isset($profiles[$name])) {
    773. 

  773.                     $profiles[$name] = $profile;
    774. 

  774.                 }
    775. 

  775.             }
    776. 

  776.         }
    777. 

  777. 

  778.         return $profiles;
    779. 

  779.     }
    780. 

  780. 

  781.     public static function getCredentialsFromSource(
    782. 

  782.         $profileName = '',
    783. 

  783.         $filename = '',
    784. 

  784.         $config = []
    785. 

  785.     ) {
    786. 

  786.         $data = self::loadProfiles($filename);
    787. 

  787.         $credentialSource = !empty($data[$profileName]['credential_source'])
    788. 

  788.             ? $data[$profileName]['credential_source']
    789. 

  789.             : null;
    790. 

  790.         $credentialsPromise = null;
    791. 

  791. 

  792.         switch ($credentialSource) {
    793. 

  793.             case 'Environment':
    794. 

  794.                 $credentialsPromise = self::env();
    795. 

  795.                 break;
    796. 

  796.             case 'Ec2InstanceMetadata':
    797. 

  797.                 $credentialsPromise = self::instanceProfile($config);
    798. 

  798.                 break;
    799. 

  799.             case 'EcsContainer':
    800. 

  800.                 $credentialsPromise = self::ecsCredentials($config);
    801. 

  801.                 break;
    802. 

  802.             default:
    803. 

  803.                 throw new CredentialsException(
    804. 

  804.                     "Invalid credential_source found in config file: {$credentialSource}. Valid inputs "
    805. 

  805.                     . "include Environment, Ec2InstanceMetadata, and EcsContainer."
    806. 

  806.                 );
    807. 

  807.         }
    808. 

  808. 

  809.         $credentialsResult = null;
    810. 

  810.         try {
    811. 

  811.             $credentialsResult = $credentialsPromise()->wait();
    812. 

  812.         } catch (\Exception $reason) {
    813. 

  813.             return self::reject(
    814. 

  814.                 "Unable to successfully retrieve credentials from the source specified in the"
    815. 

  815.                 . " credentials file: {$credentialSource}; failure message was: "
    816. 

  816.                 . $reason->getMessage()
    817. 

  817.             );
    818. 

  818.         }
    819. 

  819.         return function () use ($credentialsResult) {
    820. 

  820.             return Promise\Create::promiseFor($credentialsResult);
    821. 

  821.         };
    822. 

  822.     }
    823. 

  823. 

  824.     private static function reject($msg)
    825. 

  825.     {
    826. 

  826.         return new Promise\RejectedPromise(new CredentialsException($msg));
    827. 

  827.     }
    828. 

  828. 

  829.     /**
    830. 

  830.      * @param $filename
    831. 

  831.      * @return string
    832. 

  832.      */
    833. 

  833.     private static function getFileName($filename)
    834. 

  834.     {
    835. 

  835.         if (!isset($filename)) {
    836. 

  836.             $filename = getenv(self::ENV_SHARED_CREDENTIALS_FILE) ?:
    837. 

  837.                 (self::getHomeDir() . '/.aws/credentials');
    838. 

  838.         }
    839. 

  839.         return $filename;
    840. 

  840.     }
    841. 

  841. 

  842.     /**
    843. 

  843.      * @return boolean
    844. 

  844.      */
    845. 

  845.     public static function shouldUseEcs()
    846. 

  846.     {
    847. 

  847.         //Check for relative uri. if not, then full uri.
    848. 

  848.         //fall back to server for each as getenv is not thread-safe.
    849. 

  849.         return !empty(getenv(EcsCredentialProvider::ENV_URI))
    850. 

  850.             || !empty($_SERVER[EcsCredentialProvider::ENV_URI])
    851. 

  851.             || !empty(getenv(EcsCredentialProvider::ENV_FULL_URI))
    852. 

  852.             || !empty($_SERVER[EcsCredentialProvider::ENV_FULL_URI]);
    853. 

  853.     }
    854. 

  854. 

  855.     /**
    856. 

  856.      * @param $profiles
    857. 

  857.      * @param $ssoProfileName
    858. 

  858.      * @param $filename
    859. 

  859.      * @param $config
    860. 

  860.      * @return Promise\PromiseInterface
    861. 

  861.      */
    862. 

  862.     private static function getSsoCredentials($profiles, $ssoProfileName, $filename, $config)
    863. 

  863.     {
    864. 

  864.         if (empty($config['ssoOidcClient'])) {
    865. 

  865.             $ssoProfile = $profiles[$ssoProfileName];
    866. 

  866.             $sessionName = $ssoProfile['sso_session'];
    867. 

  867.             if (empty($profiles['sso-session ' . $sessionName])) {
    868. 

  868.                 return self::reject(
    869. 

  869.                     "Could not find sso-session {$sessionName} in {$filename}"
    870. 

  870.                 );
    871. 

  871.             }
    872. 

  872.             $ssoSession = $profiles['sso-session ' . $ssoProfile['sso_session']];
    873. 

  873.             $ssoOidcClient = new Aws\SSOOIDC\SSOOIDCClient([
    874. 

  874.                 'region' => $ssoSession['sso_region'],
    875. 

  875.                 'version' => '2019-06-10',
    876. 

  876.                 'credentials' => false
    877. 

  877.             ]);
    878. 

  878.         } else {
    879. 

  879.             $ssoOidcClient = $config['ssoClient'];
    880. 

  880.         }
    881. 

  881. 

  882.         $tokenPromise = new Aws\Token\SsoTokenProvider(
    883. 

  883.             $ssoProfileName,
    884. 

  884.             $filename,
    885. 

  885.             $ssoOidcClient
    886. 

  886.         );
    887. 

  887.         $token = $tokenPromise()->wait();
    888. 

  888.         $ssoCredentials = CredentialProvider::getCredentialsFromSsoService(
    889. 

  889.             $ssoProfile,
    890. 

  890.             $ssoSession['sso_region'],
    891. 

  891.             $token->getToken(),
    892. 

  892.             $config
    893. 

  893.         );
    894. 

  894.         $expiration = $ssoCredentials['expiration'];
    895. 

  895.         return Promise\Create::promiseFor(
    896. 

  896.             new Credentials(
    897. 

  897.                 $ssoCredentials['accessKeyId'],
    898. 

  898.                 $ssoCredentials['secretAccessKey'],
    899. 

  899.                 $ssoCredentials['sessionToken'],
    900. 

  900.                 $expiration
    901. 

  901.             )
    902. 

  902.         );
    903. 

  903.     }
    904. 

  904. 

  905.     /**
    906. 

  906.      * @param $profiles
    907. 

  907.      * @param $ssoProfileName
    908. 

  908.      * @param $filename
    909. 

  909.      * @param $config
    910. 

  910.      * @return Promise\PromiseInterface
    911. 

  911.      */
    912. 

  912.     private static function getSsoCredentialsLegacy($profiles, $ssoProfileName, $filename, $config)
    913. 

  913.     {
    914. 

  914.         $ssoProfile = $profiles[$ssoProfileName];
    915. 

  915.         if (empty($ssoProfile['sso_start_url'])
    916. 

  916.             || empty($ssoProfile['sso_region'])
    917. 

  917.             || empty($ssoProfile['sso_account_id'])
    918. 

  918.             || empty($ssoProfile['sso_role_name'])
    919. 

  919.         ) {
    920. 

  920.             return self::reject(
    921. 

  921.                 "Profile {$ssoProfileName} in {$filename} must contain the following keys: "
    922. 

  922.                 . "sso_start_url, sso_region, sso_account_id, and sso_role_name."
    923. 

  923.             );
    924. 

  924.         }
    925. 

  925.         $tokenLocation = self::getHomeDir()
    926. 

  926.             . '/.aws/sso/cache/'
    927. 

  927.             . sha1($ssoProfile['sso_start_url'])
    928. 

  928.             . ".json";
    929. 

  929. 

  930.         if (!@is_readable($tokenLocation)) {
    931. 

  931.             return self::reject("Unable to read token file at $tokenLocation");
    932. 

  932.         }
    933. 

  933.         $tokenData = json_decode(file_get_contents($tokenLocation), true);
    934. 

  934.         if (empty($tokenData['accessToken']) || empty($tokenData['expiresAt'])) {
    935. 

  935.             return self::reject(
    936. 

  936.                 "Token file at {$tokenLocation} must contain an access token and an expiration"
    937. 

  937.             );
    938. 

  938.         }
    939. 

  939.         try {
    940. 

  940.             $expiration = (new DateTimeResult($tokenData['expiresAt']))->getTimestamp();
    941. 

  941.         } catch (\Exception $e) {
    942. 

  942.             return self::reject("Cached SSO credentials returned an invalid expiration");
    943. 

  943.         }
    944. 

  944.         $now = time();
    945. 

  945.         if ($expiration < $now) {
    946. 

  946.             return self::reject("Cached SSO credentials returned expired credentials");
    947. 

  947.         }
    948. 

  948.         $ssoCredentials = CredentialProvider::getCredentialsFromSsoService(
    949. 

  949.             $ssoProfile,
    950. 

  950.             $ssoProfile['sso_region'],
    951. 

  951.             $tokenData['accessToken'],
    952. 

  952.             $config
    953. 

  953.         );
    954. 

  954.         return Promise\Create::promiseFor(
    955. 

  955.             new Credentials(
    956. 

  956.                 $ssoCredentials['accessKeyId'],
    957. 

  957.                 $ssoCredentials['secretAccessKey'],
    958. 

  958.                 $ssoCredentials['sessionToken'],
    959. 

  959.                 $expiration
    960. 

  960.             )
    961. 

  961.         );
    962. 

  962.     }
    963. 

  963.     /**
    964. 

  964.      * @param array $ssoProfile
    965. 

  965.      * @param string $clientRegion
    966. 

  966.      * @param string $accessToken
    967. 

  967.      * @param array $config
    968. 

  968.      * @return array|null
    969. 

  969.      */
    970. 

  970.     private static function getCredentialsFromSsoService($ssoProfile, $clientRegion, $accessToken, $config)
    971. 

  971.     {
    972. 

  972.         if (empty($config['ssoClient'])) {
    973. 

  973.             $ssoClient = new Aws\SSO\SSOClient([
    974. 

  974.                 'region' => $clientRegion,
    975. 

  975.                 'version' => '2019-06-10',
    976. 

  976.                 'credentials' => false
    977. 

  977.             ]);
    978. 

  978.         } else {
    979. 

  979.             $ssoClient = $config['ssoClient'];
    980. 

  980.         }
    981. 

  981.         $ssoResponse = $ssoClient->getRoleCredentials([
    982. 

  982.             'accessToken' => $accessToken,
    983. 

  983.             'accountId' => $ssoProfile['sso_account_id'],
    984. 

  984.             'roleName' => $ssoProfile['sso_role_name']
    985. 

  985.         ]);
    986. 

  986. 

  987.         $ssoCredentials = $ssoResponse['roleCredentials'];
    988. 

  988.         return $ssoCredentials;
    989. 

  989.     }
    990. 

  990. }
    991. 

  991.