Module Awskit_lwt_unix.Credentials

type http_response = {
  status : int;
  headers : (string * string) list;
  body : string;
}

Buffered credential-metadata HTTP response used by injectable metadata clients.

type http_call = meth:Cohttp.Code.meth -> headers:(string * string) list -> Uri.t -> (http_response, Awskit.Error.t) Stdlib.result Lwt.t

Credential-metadata HTTP capability. The default implementation uses Cohttp_lwt_unix.Client, applies a 1s metadata timeout, caps buffered metadata responses at 1 MiB, and preserves Lwt.Canceled.

type imdsv1_fallback = [
  | `Enabled
  | `Disabled
]

Policy for tokenless EC2 instance metadata fallback.

val local_provider : ?getenv:Awskit_unix.Credentials.Env.getenv -> ?home:string -> unit -> Provider.t

Static AWS environment variables, then shared AWS profile files. This provider performs only local Unix environment and file IO.

val container_provider : ?getenv:Awskit_unix.Credentials.Env.getenv -> ?http_call:http_call -> ?clock:(unit -> Ptime.t) -> unit -> Provider.t

ECS/container credential provider. Supports AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, AWS_CONTAINER_CREDENTIALS_FULL_URI, AWS_CONTAINER_AUTHORIZATION_TOKEN, and AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE. Token-file reads preserve native Lwt.Canceled. Plain HTTP full URIs are accepted only for loopback or AWS container metadata hosts. Metadata credentials are cached until five minutes before expiration.

val instance_metadata_provider : ?getenv:Awskit_unix.Credentials.Env.getenv -> ?http_call:http_call -> ?clock:(unit -> Ptime.t) -> ?imdsv1_fallback:imdsv1_fallback -> unit -> Provider.t

EC2 instance profile credential provider using IMDSv2 when available. Tokenless IMDSv1 fallback is attempted only for IMDS token endpoint HTTP 403, 404, or 405 responses. To reject tokenless fallback, set imdsv1_fallback to `Disabled or set AWS_EC2_METADATA_V1_DISABLED=true. AWS_EC2_METADATA_DISABLED=true makes the provider unavailable. Metadata credentials are cached until five minutes before expiration.
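
The fallback rule above, modeled as a standalone decision function. This is an added example, not Awskit source: the outcome type, gate, is_true and show are hypothetical names, and the cases at the bottom are constructed. It assumes a successful token request is HTTP 200 and models only the literal value "true" for the two environment variables.

```ocaml
(* Added illustration, not Awskit source: a standalone model of the
   documented IMDSv1 fallback gate. Names other than imdsv1_fallback and
   the two environment variables are hypothetical. *)
type imdsv1_fallback = [ `Enabled | `Disabled ]

type outcome =
  | Provider_unavailable (* AWS_EC2_METADATA_DISABLED=true *)
  | Token_obtained       (* token endpoint answered 200: stay on IMDSv2 *)
  | Tokenless_attempted  (* 403/404/405 and fallback permitted *)
  | Tokenless_rejected   (* 403/404/405 but fallback forbidden *)
  | No_fallback          (* any other status never downgrades to IMDSv1 *)

(* Assumption: only the literal value "true" is modeled, as on the page. *)
let is_true getenv name = getenv name = Some "true"

let gate ~getenv ~(policy : imdsv1_fallback) ~token_status =
  if is_true getenv "AWS_EC2_METADATA_DISABLED" then Provider_unavailable
  else
    match token_status with
    | 200 -> Token_obtained
    | 403 | 404 | 405 ->
      if policy = `Disabled || is_true getenv "AWS_EC2_METADATA_V1_DISABLED"
      then Tokenless_rejected
      else Tokenless_attempted
    | _ -> No_fallback

let show = function
  | Provider_unavailable -> "provider unavailable"
  | Token_obtained -> "IMDSv2 token obtained"
  | Tokenless_attempted -> "tokenless IMDSv1 attempted"
  | Tokenless_rejected -> "tokenless IMDSv1 rejected"
  | No_fallback -> "no fallback for this status"

(* Constructed cases: (environment, policy, token endpoint status). *)
let () =
  let env bindings name = List.assoc_opt name bindings in
  List.iter
    (fun (getenv, policy, token_status) ->
      Printf.printf "HTTP %d -> %s\n" token_status
        (show (gate ~getenv ~policy ~token_status)))
    [ (env [], `Enabled, 200);
      (env [], `Enabled, 403);
      (env [], `Disabled, 403);
      (env [ ("AWS_EC2_METADATA_V1_DISABLED", "true") ], `Enabled, 405);
      (env [], `Enabled, 500);
      (env [ ("AWS_EC2_METADATA_DISABLED", "true") ], `Enabled, 200) ]
```

The HTTP 500 case shows the point of the narrow status list: a failing token endpoint is not treated as permission to drop to tokenless requests.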

val default_provider : ?getenv:Awskit_unix.Credentials.Env.getenv -> ?home:string -> ?http_call:http_call -> ?clock:(unit -> Ptime.t) -> ?imdsv1_fallback:imdsv1_fallback -> unit -> Provider.t

AWS-style Unix credential chain: local static sources, container credentials, then EC2 instance profile credentials. The chain continues only when a provider is unavailable; invalid or failed configured sources stop resolution.