Class: Aws::CognitoIdentity::CognitoIdentityCredentials
Inherits: Object
Includes: Aws::CredentialProvider
Defined in: gems/aws-sdk-cognitoidentity/lib/aws-sdk-cognitoidentity/customizations/cognito_identity_credentials.rb
Overview
An auto-refreshing credential provider that represents credentials retrieved from STS Web Identity Federation using the Amazon Cognito Identity service.
This provider gets credentials using the Aws::CognitoIdentity::Client#get_credentials_for_identity service operation, which requires either an identity_id or an identity_pool_id (Amazon Cognito Identity Pool ID), which is used to call Aws::CognitoIdentity::Client#get_id to obtain an identity_id automatically.
In addition, if this credential provider is used to provide authenticated login, the logins map may be set to the tokens provided by the respective identity providers. See #initialize for an example on creating a credentials object with proper property values.
Refreshing Credentials from Identity Service
The CognitoIdentityCredentials will auto-refresh the AWS credentials from Cognito. In addition to AWS credentials expiring after a given amount of time, the login token from the identity provider will also expire. Once this token expires, it will not be usable to refresh AWS credentials, and another token will be needed. The SDK does not manage refreshing of the token value, but this can be done through a "refresh token" supported by most identity providers. Consult the documentation for the identity provider for refreshing tokens. Once the refreshed token is acquired, you should make sure to update this new token in the CognitoIdentityCredentials object's #logins property. The following code will update the WebIdentityToken, assuming you have retrieved an updated token from the identity provider:
    cognito_credentials.logins['graph.facebook.com'] = updated_token
    cognito_credentials.refresh! # required only if authentication state has changed
The CognitoIdentityCredentials also provides a before_refresh callback that can be used to help manage refreshing identity provider tokens. before_refresh is called when AWS credentials are required and need to be refreshed, and it has access to the CognitoIdentityCredentials object.
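One way to use the before_refresh callback described above, as an added example rather than SDK code: a callable that replaces a login token shortly before it expires and refuses to store an empty or already-expired one. The class name, the fetcher block returning [token, expires_at], and passing the callable as the before_refresh: constructor option are assumptions.

```ruby
# Added example, not SDK code: keeps one entry of the logins map fresh.
# The fetcher block and its [token, expires_at] return shape are assumptions.
class LoginTokenRefresher
  class RefreshError < StandardError; end

  # provider: key in the logins map, e.g. 'graph.facebook.com'
  # skew:     seconds before expiry at which the token counts as stale
  # clock:    injectable time source so the logic can be exercised offline
  def initialize(provider:, skew: 60, clock: -> { Time.now }, &fetcher)
    raise ArgumentError, 'fetcher block required' unless fetcher

    @provider = provider
    @skew = skew
    @clock = clock
    @fetcher = fetcher
    @expires_at = nil # unknown until the first fetch
  end

  # Takes the credentials object, as a before_refresh callable does.
  # Returns true when the login token was replaced, false when still fresh.
  def call(credentials)
    return false unless stale?

    token, expires_at = @fetcher.call
    # Fail closed: keep the old login on a bad answer; never put the token in the message.
    unless usable?(token, expires_at)
      raise RefreshError, "no usable token for #{@provider}"
    end

    credentials.logins[@provider] = token
    @expires_at = expires_at
    true
  end

  def stale?
    @expires_at.nil? || @clock.call >= @expires_at - @skew
  end

  def usable?(token, expires_at)
    token.is_a?(String) && !token.empty? &&
      expires_at.is_a?(Time) && expires_at > @clock.call
  end
end

# Wiring (comment only; needs the SDK and network). idp_refresh is hypothetical:
#   refresher = LoginTokenRefresher.new(provider: 'graph.facebook.com') { idp_refresh }
#   Aws::CognitoIdentity::CognitoIdentityCredentials.new(
#     identity_pool_id: pool_id, before_refresh: refresher
#   )
```

Because the refresher raises instead of writing a bad value, a failed identity-provider refresh leaves the previous login entry in place and surfaces as an error at the point where credentials are needed.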
Instance Attribute Summary
Attributes included from Aws::CredentialProvider
Instance Method Summary
- #identity_id ⇒ String
- #initialize(options = {}) ⇒ CognitoIdentityCredentials (constructor): A new instance of CognitoIdentityCredentials.
Methods included from Aws::CredentialProvider
Constructor Details
#initialize(options = {}) ⇒ CognitoIdentityCredentials
Returns a new instance of CognitoIdentityCredentials.
    # File 'gems/aws-sdk-cognitoidentity/lib/aws-sdk-cognitoidentity/customizations/cognito_identity_credentials.rb', line 81

    def initialize(options = {})
      # Pull out the options this provider consumes itself.
      @identity_pool_id = options.delete(:identity_pool_id)
      @identity_id = options.delete(:identity_id)
      @custom_role_arn = options.delete(:custom_role_arn)
      @logins = options.delete(:logins) || {}
      @async_refresh = false
      # Forward the remaining options to the client, minus the excluded keys.
      client_opts = {}
      options.each_pair { |k, v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
      unless @identity_pool_id || @identity_id
        raise ArgumentError,
              'Must provide either identity_pool_id or identity_id'
      end
      # Use the supplied client, or build one without credentials.
      @client = options[:client] || CognitoIdentity::Client.new(
        client_opts.merge(credentials: false)
      )
      super
    end
Instance Attribute Details
#client ⇒ CognitoIdentity::Client (readonly)
    # File 'gems/aws-sdk-cognitoidentity/lib/aws-sdk-cognitoidentity/customizations/cognito_identity_credentials.rb', line 103

    def client
      @client
    end
#logins ⇒ Hash<String,String>
    # File 'gems/aws-sdk-cognitoidentity/lib/aws-sdk-cognitoidentity/customizations/cognito_identity_credentials.rb', line 106

    def logins
      @logins
    end
Instance Method Details
#identity_id ⇒ String
    # File 'gems/aws-sdk-cognitoidentity/lib/aws-sdk-cognitoidentity/customizations/cognito_identity_credentials.rb', line 109

    def identity_id
      # Resolved lazily through get_id and memoized on first use.
      @identity_id ||= @client.get_id(
        identity_pool_id: @identity_pool_id,
        logins: @logins
      ).identity_id
    end