ecluse
Safe Haskell: None
Language: GHC2021

Ecluse.Credential.CodeArtifact

Description

The AWS CodeArtifact leaf of the outbound-credential handle: mint a short-lived registry bearer token via CodeArtifact's GetAuthorizationToken.

This is the one genuinely cloud-specific part of outbound auth — everything else (caching, proactive refresh, single-flight, the circuit breaker) is the cloud-agnostic policy in Ecluse.Credential.Refresh, which this module wires its mint into. The leaf itself is tiny: build an amazonka Env once (credentials discovered the standard AWS way — environment, instance role, container role, SSO, STS), then, on each mint, call GetAuthorizationToken and return the token together with its real expiry, so the refresh policy schedules off the token's own lifetime rather than the requested one (CodeArtifact tokens last up to 12 h).

This is control plane only: amazonka obtains the token, and the data plane that then uses it to publish to the registry stays on http-client (see docs/architecture/web-layer.md → "Control plane vs data plane"). The Env is constructed once at provider creation and captured in the mint closure, so the backend's state never leaks into the proxy's Env/App (see docs/architecture/technology-stack.md → "Key Decisions").

Synopsis

Configuration

data CodeArtifactConfig

What the CodeArtifact leaf needs to mint a token. The AWS credentials used to make the call are not here: they are discovered the standard AWS way (discover) from the ambient environment (env vars, instance/container role, SSO, STS), so the proxy never holds long-lived AWS keys itself.

Constructors

CodeArtifactConfig 

Fields

  • caRegion :: Text

    The AWS region the CodeArtifact domain lives in (e.g. "us-east-1").

  • caDomain :: Text

    The CodeArtifact domain that scopes the token.

  • caDomainOwner :: Maybe Text

    The 12-digit account number that owns the domain, when it differs from the calling account (Nothing to default to the caller's account).

  • caDurationSeconds :: Maybe Natural

    Requested token lifetime in seconds (900–43200, i.e. 15 min–12 h); Nothing lets CodeArtifact default it (it ties the token to the caller's role-credential expiry). The refresh policy adapts to whatever expiry the minted token actually carries, so this is only a preference.

The provider

newCodeArtifactProvider :: CredentialReporters -> CodeArtifactConfig -> IO CredentialProvider

Build a refreshing CredentialProvider backed by CodeArtifact GetAuthorizationToken. Discovers AWS credentials the standard way (discover) and hands the resulting Env to providerForEnv.

Mints once eagerly to seed the cache, so a misconfiguration (bad region, missing credentials, no permission) fails here at construction rather than on the first mirror write.

The CredentialReporters carry the telemetry observers the refresh policy records through (the mint breaker's state and each refresh outcome); pass noCredentialReporters for an unobserved provider.

providerForEnv :: CredentialReporters -> Env -> CodeArtifactConfig -> IO CredentialProvider

Build the provider over a caller-supplied amazonka Env — the boundary the production newCodeArtifactProvider wraps with credential discovery. The config's region is applied to the Env, and each mint calls GetAuthorizationToken through it under the cache/proactive-refresh/single-flight/breaker policy of Ecluse.Credential.Refresh (so the token API is not re-hit per request), reporting its refresh and breaker signals through the given CredentialReporters. Exposed so a test can drive the real mint against an Env aimed at a stub endpoint, with no live AWS.