1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
package VM::EC2::Security::CredentialCache;
$VM::EC2::Security::CredentialCache::VERSION = '0.25';
use strict;
use warnings;
use DateTime::Format::ISO8601;
use VM::EC2::Instance::Metadata;
=head1 NAME
VM::EC2::Security::CredentialCache -- Cache credentials respecting expiration time for IAM roles.
=head1 SYNOPSIS
Retrieves the current EC2 instance's IAM credentials and caches them until they expire.
use VM::EC2::Security::CredentialCache;
# return a VM::EC2::Security::Credentials if available undef otherwise.
my $credentials = VM::EC2::Security::CredentialCache->get();
=head1 DESCRIPTION
This module provides a cache for an EC2's IAM credentials represented by L<VM::EC2::Security::Credentials>.
Rather than retriving the credentials for every possible call that uses them, cache them until they
expire and retreive them again if they have expired.
=cut
my $credentials;
my $credential_expiration_dt;
sub get {
my ($self, $now) = @_;
if (!defined($credentials)) {
my $meta = VM::EC2::Instance::Metadata->new;
defined($meta) || die("Unable to retrieve instance metadata");
$credentials= $meta->iam_credentials;
defined($credentials) || die("No IAM credentials retrieved from instance metadata");
$credential_expiration_dt = DateTime::Format::ISO8601->parse_datetime($credentials->expiration())->epoch();
return $credentials;
}
# AWS provides new credentials atleast 5 minutes before the expiration of the old
# credentials, but we'll only start looking at 4 minutes
$now //= time;
if ($credential_expiration_dt - $now > 240) {
return $credentials;
}
# These credentials are good for only 4 minutes or less, so clear them and attempt to
# retrieve new credentials.
$credentials = undef;
$credential_expiration_dt = undef;
return get();
}
1;
|
