#pragma once #include "envoy/config/core/v3/grpc_service.pb.h" #include "envoy/config/grpc_credential/v3/aws_iam.pb.h" #include "envoy/grpc/google_grpc_creds.h" #include "envoy/http/header_map.h" #include "common/http/message_impl.h" #include "extensions/common/aws/signer.h" #include "extensions/grpc_credentials/well_known_names.h" namespace Envoy { namespace Extensions { namespace GrpcCredentials { namespace AwsIam { /** * AWS IAM based gRPC channel credentials factory. */ class AwsIamGrpcCredentialsFactory : public Grpc::GoogleGrpcCredentialsFactory { public: std::shared_ptr getChannelCredentials(const envoy::config::core::v3::GrpcService& grpc_service_config, Api::Api& api) override; Envoy::ProtobufTypes::MessagePtr createEmptyConfigProto() { return std::make_unique(); } std::string name() const override { return GrpcCredentialsNames::get().AwsIam; } private: static std::string getRegion(const envoy::config::grpc_credential::v3::AwsIamConfig& config); }; /** * Produce AWS IAM signature metadata for a gRPC call. */ class AwsIamHeaderAuthenticator : public grpc::MetadataCredentialsPlugin { public: AwsIamHeaderAuthenticator(Common::Aws::SignerPtr signer) : signer_(std::move(signer)) {} grpc::Status GetMetadata(grpc::string_ref, grpc::string_ref, const grpc::AuthContext&, std::multimap* metadata) override; bool IsBlocking() const override { return true; } private: static Http::RequestMessageImpl buildMessageToSign(absl::string_view service_url, absl::string_view method_name); static void signedHeadersToMetadata(const Http::HeaderMap& headers, std::multimap& metadata); const Common::Aws::SignerPtr signer_; }; } // namespace AwsIam } // namespace GrpcCredentials } // namespace Extensions } // namespace Envoy