Awskit_lwt_unix.Credentials
module Provider = Awskit_lwt.Credentials.Provider
Buffered credential-metadata HTTP response used by injectable metadata clients.

type http_call =
meth:Cohttp.Code.meth ->
headers:(string * string) list ->
Uri.t ->
(http_response, Awskit.Error.t) Stdlib.result Lwt.t
Credential-metadata HTTP capability. The default implementation uses Cohttp_lwt_unix.Client, applies a 1s metadata timeout, caps buffered metadata responses at 1 MiB, and preserves Lwt.Canceled.

Policy for tokenless EC2 instance metadata fallback.
val local_provider :
?getenv:Awskit_unix.Credentials.Env.getenv ->
?home:string ->
unit ->
Provider.t
Static AWS environment variables, then shared AWS profile files. This provider performs only local Unix environment and file IO.

val container_provider :
?getenv:Awskit_unix.Credentials.Env.getenv ->
?http_call:http_call ->
?clock:(unit -> Ptime.t) ->
unit ->
Provider.t
ECS/container credential provider. Supports AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_CONTAINER_AUTHORIZATION_TOKEN, and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. Token-file reads preserve native Lwt.Canceled. Plain HTTP full URIs are accepted only for loopback or AWS container metadata hosts. Metadata credentials are cached until five minutes before expiration.

val instance_metadata_provider :
?getenv:Awskit_unix.Credentials.Env.getenv ->
?http_call:http_call ->
?clock:(unit -> Ptime.t) ->
?imdsv1_fallback:imdsv1_fallback ->
unit ->
Provider.t
EC2 instance profile credential provider using IMDSv2 when available. Tokenless IMDSv1 fallback is attempted only for IMDS token endpoint HTTP 403, 404, or 405 responses. Set imdsv1_fallback to `Disabled or AWS_EC2_METADATA_V1_DISABLED=true to reject tokenless fallback. AWS_EC2_METADATA_DISABLED=true makes the provider unavailable. Metadata credentials are cached until five minutes before expiration.

val default_provider :
?getenv:Awskit_unix.Credentials.Env.getenv ->
?home:string ->
?http_call:http_call ->
?clock:(unit -> Ptime.t) ->
?imdsv1_fallback:imdsv1_fallback ->
unit ->
Provider.t
AWS-style Unix credential chain: local static sources, container credentials, then EC2 instance profile credentials. The chain continues only when a provider is unavailable; invalid or failed configured sources stop resolution.
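
The chain rule and the IMDSv1 fallback rule documented above, as an added stand-alone model (not Awskit code, Stdlib only). All type and function names are hypothetical; treating a half-set key pair and a rejected tokenless fallback as failures, and comparing the variables against the literal "true", are assumptions of this sketch.

```ocaml
(* Stand-alone model of the semantics documented above. Stdlib only; every
   name below is hypothetical and none of it is Awskit's API. *)
type outcome = Resolved of string | Unavailable | Failed of string

(* Only [Unavailable] lets resolution move on. A configured source that fails
   ends the chain, so a broken setting never falls through to another identity. *)
let rec chain = function
  | [] -> Unavailable
  | p :: rest ->
    (match p () with
     | Unavailable -> chain rest
     | (Resolved _ | Failed _) as final -> final)
(* Literal comparison with "true" is an assumption of this model. *)
let is_true getenv name = getenv name = Some "true"

(* Static environment keys; a half-set pair counts as failed (assumption). *)
let local ~getenv () =
  match getenv "AWS_ACCESS_KEY_ID", getenv "AWS_SECRET_ACCESS_KEY" with
  | None, None -> Unavailable
  | Some _, Some _ -> Resolved "static environment"
  | _ -> Failed "incomplete static environment credentials"

(* [token_status] stands in for the IMDS token endpoint's HTTP status. *)
let instance_metadata ~getenv ~fallback_disabled ~token_status () =
  if is_true getenv "AWS_EC2_METADATA_DISABLED" then Unavailable
  else
    match token_status with
    | 200 -> Resolved "IMDSv2"
    | 403 | 404 | 405 ->
      if fallback_disabled || is_true getenv "AWS_EC2_METADATA_V1_DISABLED"
      then Failed "tokenless IMDSv1 fallback rejected"
      else Resolved "IMDSv1 (tokenless)"
    | s -> Failed (Printf.sprintf "token endpoint returned HTTP %d" s)

let show = function
  | Resolved src -> "resolved via " ^ src
  | Unavailable -> "no credential source available"
  | Failed msg -> "stopped: " ^ msg

let () =
  (* Constructed environments (association lists) with a constructed key id. *)
  let run env ~fallback_disabled ~token_status =
    let getenv k = List.assoc_opt k env in
    print_endline (show (chain [ local ~getenv;
      instance_metadata ~getenv ~fallback_disabled ~token_status ]))
  in
  run [] ~fallback_disabled:false ~token_status:403;
  run [] ~fallback_disabled:true ~token_status:403;
  run [ "AWS_ACCESS_KEY_ID", "AKIAEXAMPLE" ] ~fallback_disabled:true ~token_status:200
```

In the third run the half-configured static source stops resolution before the instance metadata model is consulted, which is the behaviour that keeps a misconfigured host from silently picking up an instance role.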