aws/internal/providers/sts_web_identity

STS AssumeRoleWithWebIdentity provider — the IRSA (IAM Roles for Service Accounts) flow used inside EKS pods and any other environment that hands you a signed identity token plus an IAM role to assume.

Flow:

  1. Read the web identity token from AWS_WEB_IDENTITY_TOKEN_FILE at fetch time (IRSA rotates the token periodically; we must not pin it at provider construction).
  2. POST form-encoded Action=AssumeRoleWithWebIdentity to STS with RoleArn, RoleSessionName, WebIdentityToken, and a duration.
  3. Pull the credentials out of the XML response.

XML is parsed with simple <Tag>value</Tag> string scans — the STS response shape is fixed and well-known, so a real XML parser would be over-investment.
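A sketch of steps 2 and 3 as an added example, not this module's own code: the function names are hypothetical, `2011-06-15` is the STS API version, and `Expiration` is left as the ISO 8601 string STS returns because this page does not say how `expires_at` is derived. The scan fails closed, so a truncated body yields an error rather than partial credentials.

```gleam
import gleam/int
import gleam/result
import gleam/string
import gleam/uri

/// Step 2: form-encoded body; query_to_string percent-encodes each value.
pub fn form_body(role_arn: String, session: String, token: String, secs: Int) -> String {
  uri.query_to_string([
    #("Action", "AssumeRoleWithWebIdentity"),
    #("Version", "2011-06-15"),
    #("RoleArn", role_arn),
    #("RoleSessionName", session),
    #("WebIdentityToken", token),
    #("DurationSeconds", int.to_string(secs)),
  ])
}

/// Step 3: text between <tag> and the next </tag>; absent or empty is an error.
pub fn tag_value(xml: String, tag: String) -> Result(String, String) {
  let missing = "missing <" <> tag <> ">"
  use #(_, rest) <- result.try(
    string.split_once(xml, "<" <> tag <> ">") |> result.replace_error(missing),
  )
  use #(value, _) <- result.try(
    string.split_once(rest, "</" <> tag <> ">") |> result.replace_error(missing),
  )
  case string.trim(value) {
    "" -> Error(missing)
    found -> Ok(found)
  }
}

/// Fail closed: every field must be present, otherwise no credentials at all.
pub fn parse_credentials(xml: String) -> Result(#(String, String, String, String), String) {
  use key_id <- result.try(tag_value(xml, "AccessKeyId"))
  use secret <- result.try(tag_value(xml, "SecretAccessKey"))
  use session_token <- result.try(tag_value(xml, "SessionToken"))
  use expiration <- result.try(tag_value(xml, "Expiration"))
  Ok(#(key_id, secret, session_token, expiration))
}

pub fn main() {
  // Constructed sample bodies, not captured STS output.
  let ok = "<Credentials><AccessKeyId>ASIAEXAMPLE</AccessKeyId><SecretAccessKey>constructed-secret</SecretAccessKey><SessionToken>constructed-token</SessionToken><Expiration>2030-01-01T00:00:00Z</Expiration></Credentials>"
  let truncated = "<Credentials><AccessKeyId>ASIAEXAMPLE</AccessKeyId><SecretAccessKey>constr"
  let assert Ok(#("ASIAEXAMPLE", _, _, "2030-01-01T00:00:00Z")) = parse_credentials(ok)
  let assert Error("missing <SecretAccessKey>") = parse_credentials(truncated)
}
```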

Types

pub type Error {
  Misconfigured(reason: String)
  Failed(reason: String)
}

Constructors

  • Misconfigured(reason: String)

    Required configuration absent. Chain falls through.

  • Failed(reason: String)

    STS responded with non-2xx or a malformed body.

pub type Options {
  Options(
    endpoint: String,
    role_arn: String,
    role_session_name: String,
    token: String,
    duration_seconds: Int,
  )
}

Constructors

  • Options(
      endpoint: String,
      role_arn: String,
      role_session_name: String,
      token: String,
      duration_seconds: Int,
    )

pub type StsCredentials {
  StsCredentials(
    access_key_id: String,
    secret_access_key: String,
    session_token: String,
    expires_at: Int,
  )
}

Constructors

  • StsCredentials(
      access_key_id: String,
      secret_access_key: String,
      session_token: String,
      expires_at: Int,
    )

Values

pub fn fetch(
  send: fn(request.Request(BitArray)) -> Result(
    response.Response(BitArray),
    http_send.HttpError,
  ),
  options: Options,
) -> Result(StsCredentials, Error)