AWS common configuration (proto)

extensions.common.aws.v3.AwsCredentialProvider

[extensions.common.aws.v3.AwsCredentialProvider proto]

Configuration for AWS credential provider. This is optional and the credentials are normally retrieved from the environment or AWS configuration files by following the default credential provider chain. However, this configuration can be used to override the default behavior.

{
  "assume_role_with_web_identity_provider": {...},
  "inline_credential": {...},
  "credentials_file_provider": {...},
  "custom_credential_provider_chain": ...
}

assume_role_with_web_identity_provider

(extensions.common.aws.v3.AssumeRoleWithWebIdentityCredentialProvider) The option to use AssumeRoleWithWebIdentity.

inline_credential

(extensions.common.aws.v3.InlineCredentialProvider) The option to use an inline credential. If inline credential is provided, no chain will be created and only the inline credential will be used.

credentials_file_provider

(extensions.common.aws.v3.CredentialsFileCredentialProvider) The option to specify parameters for credential retrieval from an envoy data source, such as a file in AWS credential format.

custom_credential_provider_chain

(bool) Create a custom credential provider chain instead of the default credential provider chain. If set to TRUE, the credential provider chain that is created contains only those set in this credential provider message. If set to FALSE, the settings provided here will act as modifiers to the default credential provider chain. Defaults to FALSE.

This has no effect if inline_credential is provided.
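
An added example, not taken from the Envoy documentation or code base: three alternative AwsCredentialProvider messages in YAML, showing how inline_credential, a custom chain, and a modifier to the default chain differ in effect. The file paths, role ARN, profile name and session name are constructed placeholders; filename and watched_directory.path are fields of config.core.v3.DataSource.

```yaml
# Three alternative AwsCredentialProvider messages, one per YAML document.
# All values are constructed placeholders.

# (a) inline_credential: no chain is created and only this credential is used,
#     so custom_credential_provider_chain has no effect here. The key material
#     is part of the Envoy configuration itself.
inline_credential:
  access_key_id: "<ACCESS_KEY_ID>"           # REQUIRED
  secret_access_key: "<SECRET_ACCESS_KEY>"   # REQUIRED
  session_token: "<SESSION_TOKEN>"           # optional
---
# (b) Custom chain containing only AssumeRoleWithWebIdentity. With
#     custom_credential_provider_chain set to true, the chain contains only
#     the providers set in this message; the default chain is not used.
custom_credential_provider_chain: true
assume_role_with_web_identity_provider:
  web_identity_token_data_source:
    # Assumed token path. The token file is only re-read when the credentials
    # returned from AssumeRoleWithWebIdentity expire.
    filename: /var/run/secrets/example/web-identity-token
  role_arn: "arn:aws:iam::111122223333:role/example-envoy-role"   # REQUIRED
  role_session_name: "envoy-example"                               # optional
---
# (c) Credentials file acting as a modifier to the default chain
#     (custom_credential_provider_chain defaults to false).
credentials_file_provider:
  credentials_data_source:
    filename: /etc/envoy/aws/credentials     # assumed path, AWS credential format
    watched_directory:
      path: /etc/envoy/aws                   # file is re-read when a move is detected
  profile: "example-profile"                 # default profile is used if omitted
```

With (b), a missing or unreadable token file cannot silently fall back to other sources in the default chain, because the chain contains only the providers set in the message.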

extensions.common.aws.v3.InlineCredentialProvider

[extensions.common.aws.v3.InlineCredentialProvider proto]

Configuration to use an inline AWS credential. This is equivalent to setting the well-known environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and the optional AWS_SESSION_TOKEN.

{
  "access_key_id": ...,
  "secret_access_key": ...,
  "session_token": ...
}

access_key_id

(string, REQUIRED) The AWS access key ID.

secret_access_key

(string, REQUIRED) The AWS secret access key.

session_token

(string) The AWS session token. This is optional.

extensions.common.aws.v3.AssumeRoleWithWebIdentityCredentialProvider

[extensions.common.aws.v3.AssumeRoleWithWebIdentityCredentialProvider proto]

Configuration to use AssumeRoleWithWebIdentity to retrieve AWS credentials.

{
  "web_identity_token_data_source": {...},
  "role_arn": ...,
  "role_session_name": ...
}

web_identity_token_data_source

(config.core.v3.DataSource) Data source for a web identity token that is provided by the identity provider to assume the role. When using this data source, even if a watched_directory is provided, the token file will only be re-read when the credentials returned from AssumeRoleWithWebIdentity expire.

role_arn

(string, REQUIRED) The ARN of the role to assume.

role_session_name

(string) Optional role session name to use in the AssumeRoleWithWebIdentity API call.

extensions.common.aws.v3.CredentialsFileCredentialProvider

[extensions.common.aws.v3.CredentialsFileCredentialProvider proto]

{
  "credentials_data_source": {...},
  "profile": ...
}

credentials_data_source

(config.core.v3.DataSource) Data source from which to retrieve AWS credentials. When using this data source, if a watched_directory is provided, the credential file will be re-read when a file move is detected. See watched_directory for more information about the watched_directory field.

profile

(string) The profile within the credentials_file data source. If not provided, the default profile will be used.