arn = $config['RoleArn']; if (!isset($config['WebIdentityTokenFile'])) { throw new \InvalidArgumentException(self::ERROR_MSG . "'WebIdentityTokenFile'."); } $this->tokenFile = $config['WebIdentityTokenFile']; if (!preg_match("/^\w\:|^\/|^\\\/", $this->tokenFile)) { throw new \InvalidArgumentException("'WebIdentityTokenFile' must be an absolute path."); } $this->retries = (int) getenv(self::ENV_RETRIES) ?: (isset($config['retries']) ? $config['retries'] : 3); $this->authenticationAttempts = 0; $this->tokenFileReadAttempts = 0; $this->session = isset($config['SessionName']) ? $config['SessionName'] : 'aws-sdk-php-' . round(microtime(true) * 1000); $region = isset($config['region']) ? $config['region'] : 'us-east-1'; if (isset($config['client'])) { $this->client = $config['client']; } else { $this->client = new StsClient([ 'credentials' => false, 'region' => $region, 'version' => 'latest' ]); } } /** * Loads assume role with web identity credentials. * * @return Promise\PromiseInterface */ public function __invoke() { return Promise\coroutine(function () { $client = $this->client; $result = null; while ($result == null) { try { $token = is_readable($this->tokenFile) ? file_get_contents($this->tokenFile) : false; if (false === $token) { clearstatcache(true, dirname($this->tokenFile) . "/" . readlink($this->tokenFile)); clearstatcache(true, dirname($this->tokenFile) . "/" . dirname(readlink($this->tokenFile))); clearstatcache(true, $this->tokenFile); if (!is_readable($this->tokenFile)) { throw new CredentialsException( "Unreadable tokenfile at location {$this->tokenFile}" ); } $token = file_get_contents($this->tokenFile); } if (empty($token)) { if ($this->tokenFileReadAttempts < $this->retries) { sleep(pow(1.2, $this->tokenFileReadAttempts)); $this->tokenFileReadAttempts++; continue; } throw new CredentialsException("InvalidIdentityToken from file: {$this->tokenFile}"); } } catch (\Exception $exception) { throw new CredentialsException( "Error reading WebIdentityTokenFile from " . $this->tokenFile, 0, $exception ); } $assumeParams = [ 'RoleArn' => $this->arn, 'RoleSessionName' => $this->session, 'WebIdentityToken' => $token ]; try { $result = $client->assumeRoleWithWebIdentity($assumeParams); } catch (AwsException $e) { if ($e->getAwsErrorCode() == 'InvalidIdentityToken') { if ($this->authenticationAttempts < $this->retries) { sleep(pow(1.2, $this->authenticationAttempts)); } else { throw new CredentialsException( "InvalidIdentityToken, retries exhausted" ); } } else { throw new CredentialsException( "Error assuming role from web identity credentials", 0, $e ); } } catch (\Exception $e) { throw new CredentialsException( "Error retrieving web identity credentials: " . $e->getMessage() . " (" . $e->getCode() . ")" ); } $this->authenticationAttempts++; } yield $this->client->createCredentials($result); }); } }