AWS IAM: lakefs IDP interface

go.mod

@@ -99,6 +99,12 @@ require (
 	github.com/jackc/pgx/v5 v5.6.0
 	github.com/matoous/go-nanoid v1.5.0
 	github.com/puzpuzpuz/xsync v1.5.2
+	github.com/treeverse/lakefs/modules/auth/factory v0.0.0-20250505194829-76aa2e5fda8c
+	github.com/treeverse/lakefs/modules/authentication/factory v0.0.0-20250505194829-76aa2e5fda8c
+	github.com/treeverse/lakefs/modules/block/factory v0.0.0-20250505194829-76aa2e5fda8c
+	github.com/treeverse/lakefs/modules/config/factory v0.0.0-20250505194829-76aa2e5fda8c
+	github.com/treeverse/lakefs/modules/license/factory v0.0.0-20250505194829-76aa2e5fda8c
+	github.com/treeverse/lakefs/webui v0.0.0-20250505194829-76aa2e5fda8c
 	go.uber.org/ratelimit v0.3.0
 	gocloud.dev v0.34.1-0.20231122211418-53ccd8db26a1
 )
@@ -155,6 +161,7 @@ require (
 	github.com/mitchellh/copystructure v1.0.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.0 // indirect
+	github.com/octarinesec/secret-detector v1.0.11 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/pierrec/lz4/v4 v4.1.8 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect

go.sum

@@ -903,6 +903,8 @@ github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OS
 github.com/ncw/swift v1.0.52/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/octarinesec/secret-detector v1.0.11 h1:+EkBkVwgByec+/TFfFrheiZcEa07BMfA6tTswt4ujzA=
+github.com/octarinesec/secret-detector v1.0.11/go.mod h1:1GciC4jz9uF6EtdsWUpE3PNM0gv92EY3tuTPGwNlNpQ=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.10.3/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
@@ -1055,6 +1057,18 @@ github.com/thanhpk/randstr v1.0.6 h1:psAOktJFD4vV9NEVb3qkhRSMvYh4ORRaj1+w/hn4B+o
 github.com/thanhpk/randstr v1.0.6/go.mod h1:M/H2P1eNLZzlDwAzpkkkUvoyNNMbzRGhESZuEQk3r0U=
 github.com/treeverse/delta-go v0.0.0-20250325160917-8c0ebb032f43 h1:Akw9T/gnKAbAZ363hFcs43496ft+4yEFMYQlgiKL2Es=
 github.com/treeverse/delta-go v0.0.0-20250325160917-8c0ebb032f43/go.mod h1:E7uPCvF9rw8UQt6uDMN05snxpD45/I/UXAZxzVIYTgI=
+github.com/treeverse/lakefs/modules/auth/factory v0.0.0-20250505194829-76aa2e5fda8c h1:iGREtNz0zjeJopCNGsgCfqR9X9Sv2BAcYlT5AANXZY0=
+github.com/treeverse/lakefs/modules/auth/factory v0.0.0-20250505194829-76aa2e5fda8c/go.mod h1:vUVQSq2UlCZaeLouvwtLwuj7/wTKfPi9ofrWHwbvt9U=
+github.com/treeverse/lakefs/modules/authentication/factory v0.0.0-20250505194829-76aa2e5fda8c h1:49Khuv+QLLoIOZ+t13qgvnwMhVb7BWRBSVGco90zR9o=
+github.com/treeverse/lakefs/modules/authentication/factory v0.0.0-20250505194829-76aa2e5fda8c/go.mod h1:w3fEsh6mlvjw9Z35rrEOXNnXA6VCvMr5AqqZqMipXTA=
+github.com/treeverse/lakefs/modules/block/factory v0.0.0-20250505194829-76aa2e5fda8c h1:UMTPqU+li74goChBIy6VnPvGNNxsuUSlnTCFIttKW+8=
+github.com/treeverse/lakefs/modules/block/factory v0.0.0-20250505194829-76aa2e5fda8c/go.mod h1:bYtQY05xiSm3g1jOq2GLZK6lL6sFz5GF1TvOLRDz9qI=
+github.com/treeverse/lakefs/modules/config/factory v0.0.0-20250505194829-76aa2e5fda8c h1:4pd7Fo2KVQIm8XCILlrE7EzV383TRKfy83/eeBOec5k=
+github.com/treeverse/lakefs/modules/config/factory v0.0.0-20250505194829-76aa2e5fda8c/go.mod h1:GFXmE0+H5eOozu66Pj8RhrULWQUrn19SUpD5QEb3JH8=
+github.com/treeverse/lakefs/modules/license/factory v0.0.0-20250505194829-76aa2e5fda8c h1:7BwZXbtRxzNxaHKt3z0coUvO8iE6t4E8atDeMHA1n1Y=
+github.com/treeverse/lakefs/modules/license/factory v0.0.0-20250505194829-76aa2e5fda8c/go.mod h1:qwWHkpoe1ycZPCOUdh8AUPb4AhjFY9cf8PkxUi0lAf8=
+github.com/treeverse/lakefs/webui v0.0.0-20250505194829-76aa2e5fda8c h1:MXasFu5W6Txvd0Z+3lQtF8SSbQAykfTQq1rHITCFPI8=
+github.com/treeverse/lakefs/webui v0.0.0-20250505194829-76aa2e5fda8c/go.mod h1:wYBH4vk8GMg/r2o3gqI3rrhv/6t2V4n/PV9tD/eYkHs=
 github.com/treeverse/secret-detector v0.0.0-20250429145544-8c655b974a5f h1:7FOJn/bWOYZWYVSnYqTWWQzrk//rYxVxoQIEJJMX3mA=
 github.com/treeverse/secret-detector v0.0.0-20250429145544-8c655b974a5f/go.mod h1:hqKBnS0lrpUZlrQLecveNbK7WCQdlVOzWo1yVmDoyvs=
 github.com/tsenart/vegeta/v12 v12.11.1 h1:Rbwe7Zxr7sJ+BDTReemeQalYPvKiSV+O7nwmUs20B3E=
@@ -1175,7 +1189,7 @@ golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
 golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1284,7 +1298,6 @@ golang.org/x/net v0.0.0-20220401154927-543a649e0bdd/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.36.0 h1:vWF2fRbw4qslQsQzgFqZff+BItCvGFQqKzKIzx1rmoA=
 golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
 golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1321,7 +1334,7 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
 golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1417,15 +1430,14 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
 golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
 golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1438,7 +1450,7 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
 golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

pkg/authentication/externalidp/awsiam/aws_client.go

@@ -0,0 +1,196 @@
+package awsiam
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+)
+
+const (
+	authVersion       = "2011-06-15"
+	authMethod        = http.MethodPost
+	authAction        = "GetCallerIdentity"
+	authAlgorithm     = "AWS4-HMAC-SHA256"
+	stsGlobalEndpoint = "sts.amazonaws.com"
+	authActionKey     = "Action"
+	authVersionKey    = "Version"
+	authAlgorithmKey  = "X-Amz-Algorithm"
+	//nolint:gosec
+	authCredentialKey = "X-Amz-Credential"
+	authDateKey       = "X-Amz-Date"
+	authExpiresKey    = "X-Amz-Expires"
+	//nolint:gosec
+	authSecurityTokenKey  = "X-Amz-Security-Token"
+	authSignedHeadersKey  = "X-Amz-SignedHeaders"
+	authSignatureKey      = "X-Amz-Signature"
+	datetimeFormat        = "20060102T150405Z"
+	credentialTimeFormat  = "20060102"
+	defaultSTSLoginExpire = 15 * time.Minute
+)
+
+var ErrAWSCredentialsExpired = errors.New("AWS credentials expired")
+var ErrRetrievingToken = errors.New("failed to retrieve token")
+
+type AWSIdentityTokenInfo struct {
+	Method             string   `json:"method"`
+	Host               string   `json:"host"`
+	Region             string   `json:"region"`
+	Action             string   `json:"action"`
+	Date               string   `json:"date"`
+	ExpirationDuration string   `json:"expiration_duration"`
+	AccessKeyID        string   `json:"access_key_id"`
+	Signature          string   `json:"signature"`
+	SignedHeaders      []string `json:"signed_headers"`
+	Version            string   `json:"version"`
+	Algorithm          string   `json:"algorithm"`
+	SecurityToken      string   `json:"security_token"`
+}
+type AWSProvider struct {
+	Params IAMAuthParams
+}
+type IAMAuthParams struct {
+	ProviderType        string
+	TokenRequestHeaders map[string]string
+	URLPresignTTL       time.Duration
+	TokenTTL            time.Duration
+	RefreshInterval     time.Duration
+}
+
+func NewAWSProvider(params IAMAuthParams) *AWSProvider {
+	return &AWSProvider{
+		Params: params,
+	}
+}
+
+func (p *AWSProvider) NewRequest() (*AWSIdentityTokenInfo, error) {
+	ctx := context.TODO()
+	cfg, err := GetConfig(ctx)
+	if err != nil {
+		return &AWSIdentityTokenInfo{}, err
+	}
+	creds, err := GetCreds(ctx, cfg)
+	if err != nil {
+		return &AWSIdentityTokenInfo{}, err
+	}
+	url, err := GetPresignedURL(ctx, &p.Params, cfg, creds)
+	if err != nil {
+		return &AWSIdentityTokenInfo{}, err
+	}
+	tokenInfo, err := NewIdentityTokenInfo(creds, url)
+	if err != nil {
+		return &AWSIdentityTokenInfo{}, err
+	}
+	return tokenInfo, nil
+	// tokenTTL := int(p.Params.TokenTTL.Seconds())
+	// externalLoginInfo := apigen.ExternalLoginInformation{
+	// 	IdentityRequest: map[string]interface{}{
+	// 		"identity_token": identityToken,
+	// 	},
+	// 	TokenExpirationDuration: &tokenTTL,
+	// }
+	// res, err := p.Client.ExternalPrincipalLoginWithResponse(ctx, apigen.ExternalPrincipalLoginJSONRequestBody(externalLoginInfo))
+	// if err != nil {
+	// 	return LoginResponse{}, err
+	// }
+	// err = helpers.ResponseAsError(res)
+	// if err != nil {
+	// 	return LoginResponse{}, err
+	// }
+	// return LoginResponse{Token: res.JSON200}, nil
+}
+
+func NewIdentityTokenInfo(creds *aws.Credentials, presignedURL string) (*AWSIdentityTokenInfo, error) {
+	parsedURL, err := url.Parse(presignedURL)
+	if err != nil {
+		return nil, err
+	}
+
+	queryParams := parsedURL.Query()
+	credentials := queryParams.Get(authCredentialKey)
+	splitedCreds := strings.Split(credentials, "/")
+	calculatedRegion := splitedCreds[2]
+	identityTokenInfo := AWSIdentityTokenInfo{
+		Method:             "POST",
+		Host:               parsedURL.Host,
+		Region:             calculatedRegion,
+		Action:             authAction,
+		Date:               queryParams.Get(authDateKey),
+		ExpirationDuration: queryParams.Get(authExpiresKey),
+		AccessKeyID:        creds.AccessKeyID,
+		Signature:          queryParams.Get(authSignatureKey),
+		SignedHeaders:      strings.Split(queryParams.Get(authSignedHeadersKey), ";"),
+		Version:            queryParams.Get(authVersionKey),
+		Algorithm:          queryParams.Get(authAlgorithmKey),
+		SecurityToken:      queryParams.Get(authSecurityTokenKey),
+	}
+	return &identityTokenInfo, nil
+	// marshaledIdentityTokenInfo, _ := json.Marshal(identityTokenInfo)
+	// encodedIdentityTokenInfo := base64.StdEncoding.EncodeToString(marshaledIdentityTokenInfo)
+	// return &identityTokenInfo, encodedIdentityTokenInfo, nil
+}
+
+func GetPresignedURL(ctx context.Context, params *IAMAuthParams, cfg *aws.Config, creds *aws.Credentials) (string, error) {
+	stsClient := sts.NewFromConfig(*cfg)
+	stsPresignClient := sts.NewPresignClient(stsClient, func(o *sts.PresignOptions) {
+		o.ClientOptions = append(o.ClientOptions, func(opts *sts.Options) {
+			opts.ClientLogMode = aws.LogSigning
+		})
+	})
+
+	presign, err := stsPresignClient.PresignGetCallerIdentity(context.Background(), &sts.GetCallerIdentityInput{},
+		sts.WithPresignClientFromClientOptions(sts.WithAPIOptions(setHTTPHeaders(params.TokenRequestHeaders, params.URLPresignTTL))),
+	)
+	if err != nil {
+		return "", err
+	}
+	return presign.URL, err
+}
+
+func GetCreds(ctx context.Context, cfg *aws.Config) (*aws.Credentials, error) {
+	creds, err := cfg.Credentials.Retrieve(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if creds.Expired() {
+		return nil, ErrAWSCredentialsExpired
+	}
+	return &creds, err
+}
+func GetConfig(ctx context.Context) (*aws.Config, error) {
+	cfg, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &cfg, err
+}
+
+func setHTTPHeaders(requestHeaders map[string]string, ttl time.Duration) func(*middleware.Stack) error {
+	return func(stack *middleware.Stack) error {
+		return stack.Build.Add(middleware.BuildMiddlewareFunc("AddHeaders", func(
+			ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+		) (
+			middleware.BuildOutput, middleware.Metadata, error,
+		) {
+			if req, ok := in.Request.(*smithyhttp.Request); ok {
+				req.Method = "POST"
+				for header, value := range requestHeaders {
+					req.Header.Add(header, value)
+				}
+				queryParams := req.URL.Query()
+				queryParams.Set(authExpiresKey, fmt.Sprintf("%d", int(ttl.Seconds())))
+				req.URL.RawQuery = queryParams.Encode()
+			}
+			return next.HandleBuild(ctx, in)
+		}), middleware.Before)
+	}
+}

pkg/authentication/externalidp/idp.go

@@ -0,0 +1,10 @@
+package externalidp
+
+import "github.com/treeverse/lakefs/pkg/authentication/externalidp/awsiam"
+
+type Provider interface {
+	NewRequest() *TokenInfo
+}
+type TokenInfo struct {
+	AWSInfo *awsiam.AWSIdentityTokenInfo
+}