vault

package


Constants

const (
	// DefaultSessionDuration is the default duration for GetSessionToken or AssumeRole sessions
	// (see Config.GetSessionTokenDuration and Config.AssumeRoleDuration for the per-profile override).
	DefaultSessionDuration = time.Hour * 1

	// DefaultChainedSessionDuration is the default duration for GetSessionToken sessions when chaining,
	// i.e. when the session is the source for another profile (see Config.IsChained).
	// NOTE(review): this is eight times the non-chained default, so a cached chained session stays
	// usable for that much longer if the keyring holding it is compromised — the value is a policy
	// choice, confirm it is still intended before changing it.
	DefaultChainedSessionDuration = time.Hour * 8
)

Variables

// ErrNotFound is the sentinel error for a lookup that finds no entry (presumably the keyring
// Get paths — confirm which functions return it). Callers should test for it with errors.Is
// rather than by comparing the message text.
var ErrNotFound = fmt.Errorf("Key not found")
// UseSession, when set to false, disables the use of GetSessionToken (see SessionTokenProvider
// and Config.CanUseGetSessionToken). NOTE(review): without that step the credentials handed out
// are presumably the long-lived master credentials rather than a short-lived session bound to
// the MFA challenge — confirm in NewTempCredentialsProvider before treating false as safe.
var UseSession = true

Setting UseSession to false disables the use of GetSessionToken (see SessionTokenProvider and Config.CanUseGetSessionToken).

// UseSessionCache, when set to false, presumably stops temporary session credentials being read
// from or written to the SessionKeyring (see CachedSessionProvider) — confirm where it is consulted.
var UseSessionCache = true

Functions

func FormatKeyForDisplay

func FormatKeyForDisplay(k string) string

func GetUsernameFromSession

func GetUsernameFromSession(sess *session.Session) (string, error)

GetUsernameFromSession returns the IAM username (or "root") associated with the given AWS session.

func IsCurrentSessionKey

func IsCurrentSessionKey(s string) bool

func IsOldSessionKey

func IsOldSessionKey(s string) bool

func IsSessionKey

func IsSessionKey(s string) bool

func MasterCredentialsFor

func MasterCredentialsFor(profileName string, keyring *CredentialKeyring, config *Config) (string, error)

func NewAssumeRoleProvider

func NewAssumeRoleProvider(creds *credentials.Credentials, k keyring.Keyring, config *Config) (credentials.Provider, error)

NewAssumeRoleProvider returns a provider that generates credentials using AssumeRole

func NewAssumeRoleWithWebIdentityProvider

func NewAssumeRoleWithWebIdentityProvider(k keyring.Keyring, config *Config) (credentials.Provider, error)

NewAssumeRoleWithWebIdentityProvider returns a provider that generates credentials using AssumeRoleWithWebIdentity

func NewFederationTokenCredentials

func NewFederationTokenCredentials(profileName string, k *CredentialKeyring, config *Config) (*credentials.Credentials, error)

func NewMasterCredentials

func NewMasterCredentials(k *CredentialKeyring, credentialsName string) *credentials.Credentials

func NewSSORoleCredentialsProvider

func NewSSORoleCredentialsProvider(k keyring.Keyring, config *Config) (credentials.Provider, error)

NewSSORoleCredentialsProvider creates a provider for SSO credentials

func NewSession

func NewSession(creds *credentials.Credentials, region string) (*session.Session, error)

func NewSessionTokenProvider

func NewSessionTokenProvider(creds *credentials.Credentials, k keyring.Keyring, config *Config) (credentials.Provider, error)

func NewTempCredentials

func NewTempCredentials(config *Config, k *CredentialKeyring) (*credentials.Credentials, error)

NewTempCredentials returns credentials for the given config

func NewTempCredentialsProvider

func NewTempCredentialsProvider(config *Config, keyring *CredentialKeyring) (credentials.Provider, error)

NewTempCredentialsProvider creates a credential provider for the given config

Types

type AssumeRoleProvider

// AssumeRoleProvider retrieves temporary credentials from STS using AssumeRole (see Retrieve).
type AssumeRoleProvider struct {
	// StsClient is the STS client used to make the AssumeRole call.
	StsClient       *sts.STS
	// RoleARN, RoleSessionName and ExternalID are expected to map onto the AssumeRole request
	// parameters of the same name — confirm in Retrieve. ExternalID is a confused-deputy
	// mitigation agreed with the role owner, not a secret that authenticates this caller.
	RoleARN         string
	RoleSessionName string
	ExternalID      string
	// Duration is the requested lifetime of the returned credentials.
	Duration        time.Duration
	// ExpiryWindow is how long before the real expiry the credentials are treated as expired
	// (credentials.Expiry semantics — presumably passed to SetExpiration, confirm).
	ExpiryWindow    time.Duration
	// Mfa supplies the MFA serial/token for the call (see Mfa.GetMfaToken).
	Mfa
	credentials.Expiry
}

AssumeRoleProvider retrieves temporary credentials from STS using AssumeRole

func (*AssumeRoleProvider) Retrieve

func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error)

Retrieve generates a new set of temporary credentials using STS AssumeRole

type AssumeRoleWithWebIdentityProvider

// AssumeRoleWithWebIdentityProvider retrieves temporary credentials from STS using
// AssumeRoleWithWebIdentity (see Retrieve).
type AssumeRoleWithWebIdentityProvider struct {
	// StsClient is the STS client used to make the call.
	StsClient               *sts.STS
	// RoleARN and RoleSessionName are expected to map onto the request parameters of the same name.
	RoleARN                 string
	RoleSessionName         string
	// WebIdentityTokenFile is a path the token is presumably read from; WebIdentityTokenProcess
	// is a command presumably executed to obtain it — confirm in Retrieve. Because the process
	// form runs a command, both must come from a trusted config source, not untrusted input.
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string
	// NOTE(review): the STS AssumeRoleWithWebIdentity API has no ExternalId parameter; confirm
	// this field is actually consumed by Retrieve, otherwise it is dead configuration.
	ExternalID              string
	// Duration is the requested lifetime of the returned credentials.
	Duration                time.Duration
	// ExpiryWindow is how long before the real expiry the credentials are treated as expired
	// (credentials.Expiry semantics).
	ExpiryWindow            time.Duration
	credentials.Expiry
}

AssumeRoleWithWebIdentityProvider retrieves temporary credentials from STS using AssumeRoleWithWebIdentity

func (*AssumeRoleWithWebIdentityProvider) Retrieve

Retrieve generates a new set of temporary credentials using STS AssumeRoleWithWebIdentity

type CachedSessionProvider

// CachedSessionProvider retrieves cached credentials from the keyring, or if no credentials are
// cached retrieves temporary credentials using CredentialsFunc (see Retrieve).
type CachedSessionProvider struct {
	// SessionKey identifies the cache entry in Keyring (see SessionMetadata).
	SessionKey      SessionMetadata
	// CredentialsFunc obtains fresh credentials on a cache miss.
	CredentialsFunc func() (*sts.Credentials, error)
	// Keyring is the session cache; cached entries are live STS credentials, so its backing
	// store should be treated as sensitive as the master credentials themselves.
	Keyring         *SessionKeyring
	// ExpiryWindow is how long before the real expiry the credentials are treated as expired
	// (credentials.Expiry semantics).
	ExpiryWindow    time.Duration
	credentials.Expiry
}

CachedSessionProvider retrieves cached credentials from the keyring, or if no credentials are cached retrieves temporary credentials using the CredentialsFunc

func (*CachedSessionProvider) Retrieve

func (p *CachedSessionProvider) Retrieve() (credentials.Value, error)

Retrieve returns cached credentials from the keyring, or if no credentials are cached generates a new set of temporary credentials using the CredentialsFunc

type Config

// Config is a collection of configuration options for creating temporary credentials for one
// profile. When the profile takes its credentials from another profile, SourceProfile and
// ChainedFromProfile link the chain (see IsChained).
type Config struct {
	// ProfileName specifies the name of the profile config
	ProfileName string

	// SourceProfileName is the name of the profile where credentials come from
	SourceProfileName string

	// SourceProfile is the profile where credentials come from
	SourceProfile *Config

	// ChainedFromProfile is the profile that used this profile as its source profile
	ChainedFromProfile *Config

	// Region is the AWS region
	Region string

	// Mfa config. MfaToken is a one-time code; when set it is presumably used as-is instead of
	// prompting via MfaPromptMethod (confirm in Mfa.GetMfaToken), so never persist it.
	MfaSerial       string
	MfaToken        string
	MfaPromptMethod string

	// AssumeRole config
	RoleARN         string
	RoleSessionName string
	ExternalID      string

	// AssumeRoleWithWebIdentity config. WebIdentityTokenProcess is presumably a command that is
	// executed to obtain the token (confirm), so it must only come from a trusted config file.
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string

	// AssumeRoleDuration specifies the wanted duration for credentials generated with AssumeRole
	AssumeRoleDuration time.Duration

	// NonChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken
	NonChainedGetSessionTokenDuration time.Duration

	// ChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken when chaining
	ChainedGetSessionTokenDuration time.Duration

	// GetFederationTokenDuration specifies the wanted duration for credentials generated with GetFederationToken
	GetFederationTokenDuration time.Duration

	// SSOStartURL specifies the URL for the AWS SSO user portal.
	SSOStartURL string

	// SSORegion specifies the region for the AWS SSO user portal.
	SSORegion string

	// SSOAccountID specifies the AWS account ID for the profile.
	SSOAccountID string

	// SSORoleName specifies the AWS SSO Role name to target.
	SSORoleName string
}

Config is a collection of configuration options for creating temporary credentials

func (*Config) CanUseGetSessionToken

func (c *Config) CanUseGetSessionToken() (bool, string)

CanUseGetSessionToken reports whether GetSessionToken should be used; when it should not, the returned string gives the reason.

func (*Config) GetSessionTokenDuration

func (c *Config) GetSessionTokenDuration() time.Duration

func (*Config) HasMfaSerial

func (c *Config) HasMfaSerial() bool

func (*Config) HasRole

func (c *Config) HasRole() bool

func (*Config) HasSSOStartURL

func (c *Config) HasSSOStartURL() bool

func (*Config) HasSourceProfile

func (c *Config) HasSourceProfile() bool

func (*Config) HasWebIdentityTokenFile

func (c *Config) HasWebIdentityTokenFile() bool

func (*Config) HasWebIdentityTokenProcess

func (c *Config) HasWebIdentityTokenProcess() bool

func (*Config) IsChained

func (c *Config) IsChained() bool

type ConfigFile

// ConfigFile is an abstraction over what is in ~/.aws/config. Path is the file that LoadConfig
// read and that Save writes back to.
type ConfigFile struct {
	Path string
	// contains filtered or unexported fields
}

ConfigFile is an abstraction over what is in ~/.aws/config

func LoadConfig

func LoadConfig(path string) (*ConfigFile, error)

LoadConfig loads and parses the config file at path. A missing file is not an error.

func LoadConfigFromEnv

func LoadConfigFromEnv() (*ConfigFile, error)

LoadConfigFromEnv finds the config file from the environment

func (*ConfigFile) Add

func (c *ConfigFile) Add(profile ProfileSection) error

Add the profile to the configuration file

func (*ConfigFile) ProfileNames

func (c *ConfigFile) ProfileNames() []string

ProfileNames returns a slice of profile names from the AWS config

func (*ConfigFile) ProfileSection

func (c *ConfigFile) ProfileSection(name string) (ProfileSection, bool)

ProfileSection returns the profile section with the matching name. If there isn't any, an empty profile with the provided name is returned, along with false.

func (*ConfigFile) ProfileSections

func (c *ConfigFile) ProfileSections() []ProfileSection

ProfileSections returns all the profile sections in the config

func (*ConfigFile) Save

func (c *ConfigFile) Save() error

type ConfigLoader

// ConfigLoader loads config from the config file and environment variables (see LoadFromProfile).
type ConfigLoader struct {
	// BaseConfig holds the settings every loaded profile starts from (presumably the
	// environment-derived values — confirm in LoadFromProfile).
	BaseConfig    Config
	// File is the parsed ~/.aws/config.
	File          *ConfigFile
	// ActiveProfile is the name of the profile being loaded.
	ActiveProfile string
	// contains filtered or unexported fields
}

ConfigLoader loads config from configfile and environment variables

func (*ConfigLoader) LoadFromProfile

func (cl *ConfigLoader) LoadFromProfile(profileName string) (*Config, error)

LoadFromProfile loads the profile from the config file and environment variables into config

type CredentialKeyring

// CredentialKeyring stores long-lived (master) credentials, keyed by credentials name, in the
// underlying keyring (see Get, Set, Remove). Entries are the most sensitive material this
// package handles, so the Keyring backend's protection is the effective security boundary.
type CredentialKeyring struct {
	Keyring keyring.Keyring
}

func (*CredentialKeyring) CredentialsKeys

func (ck *CredentialKeyring) CredentialsKeys() (credentialsNames []string, err error)

func (*CredentialKeyring) Get

func (ck *CredentialKeyring) Get(credentialsName string) (val credentials.Value, err error)

func (*CredentialKeyring) Has

func (ck *CredentialKeyring) Has(credentialsName string) (bool, error)

func (*CredentialKeyring) Remove

func (ck *CredentialKeyring) Remove(credentialsName string) error

func (*CredentialKeyring) Set

func (ck *CredentialKeyring) Set(credentialsName string, val credentials.Value) error

type FederationTokenProvider

// FederationTokenProvider retrieves temporary credentials from STS using GetFederationToken
// (see Retrieve).
type FederationTokenProvider struct {
	// StsClient is the STS client used to make the call.
	StsClient    *sts.STS
	// Name is the federated user name for the request — confirm it is the GetFederationToken Name parameter.
	Name         string
	// Duration is the requested lifetime of the returned credentials.
	Duration     time.Duration
	// ExpiryWindow is how long before the real expiry the credentials are treated as expired
	// (credentials.Expiry semantics).
	ExpiryWindow time.Duration
	credentials.Expiry
}

FederationTokenProvider retrieves temporary credentials from STS using GetFederationToken

func (*FederationTokenProvider) Retrieve

func (f *FederationTokenProvider) Retrieve() (val credentials.Value, err error)

Retrieve generates a new set of temporary credentials using STS GetFederationToken

type KeyringProvider

// KeyringProvider stores and retrieves master credentials. It hands the long-lived keys out
// directly (see Retrieve), so it should only sit behind a session/assume-role provider.
type KeyringProvider struct {
	// Keyring is the store the credentials are read from.
	Keyring         *CredentialKeyring
	// CredentialsName is the entry looked up in Keyring.
	CredentialsName string
}

KeyringProvider stores and retrieves master credentials

func NewMasterCredentialsProvider

func NewMasterCredentialsProvider(k *CredentialKeyring, credentialsName string) *KeyringProvider

NewMasterCredentialsProvider creates a provider for the master credentials

func (*KeyringProvider) IsExpired

func (p *KeyringProvider) IsExpired() bool

func (*KeyringProvider) Retrieve

func (p *KeyringProvider) Retrieve() (val credentials.Value, err error)

type Mfa

// Mfa contains options for an MFA device (see GetMfaToken).
type Mfa struct {
	// MfaToken is a one-time code; when set it is presumably returned as-is without prompting
	// — confirm in GetMfaToken. Do not log or persist it.
	MfaToken        string
	// MfaPromptMethod selects how the user is prompted for a code when MfaToken is empty.
	MfaPromptMethod string
	// MfaSerial is the serial number / ARN of the MFA device.
	MfaSerial       string
}

Mfa contains options for an MFA device

func (*Mfa) GetMfaToken

func (m *Mfa) GetMfaToken() (*string, error)

GetMfaToken returns the MFA token

type OIDCTokenCacher

// OIDCTokenCacher caches SSO-OIDC CreateToken results, keyed by SSO start URL (see OIDCTokenKeyring).
// Implementations hold a bearer token for the SSO portal and must store it as carefully as a password.
type OIDCTokenCacher interface {
	Get(string) (*ssooidc.CreateTokenOutput, error)
	Set(string, *ssooidc.CreateTokenOutput) error
}

type OIDCTokenData

// OIDCTokenData is the cached form of an SSO-OIDC token together with its computed expiry
// (presumably the serialised value stored by OIDCTokenKeyring — confirm).
type OIDCTokenData struct {
	Token      ssooidc.CreateTokenOutput
	Expiration time.Time
}

type OIDCTokenKeyring

// OIDCTokenKeyring stores SSO-OIDC tokens in the keyring, keyed by SSO start URL (see Set, Remove).
// It satisfies OIDCTokenCacher. The stored token is a bearer credential for the SSO portal.
type OIDCTokenKeyring struct {
	Keyring keyring.Keyring
}

func (OIDCTokenKeyring) Get

func (OIDCTokenKeyring) Remove

func (o OIDCTokenKeyring) Remove(startURL string) error

func (OIDCTokenKeyring) Set

func (o OIDCTokenKeyring) Set(startURL string, token *ssooidc.CreateTokenOutput) error

type ProfileSection

// ProfileSection is a profile section of the config file. The ini tags are the keys as they
// appear in ~/.aws/config; fields tagged omitempty are left out of the file when zero.
type ProfileSection struct {
	Name                    string `ini:"-"`
	MfaSerial               string `ini:"mfa_serial,omitempty"`
	RoleARN                 string `ini:"role_arn,omitempty"`
	ExternalID              string `ini:"external_id,omitempty"`
	Region                  string `ini:"region,omitempty"`
	RoleSessionName         string `ini:"role_session_name,omitempty"`
	DurationSeconds         uint   `ini:"duration_seconds,omitempty"`
	SourceProfile           string `ini:"source_profile,omitempty"`
	// Deprecated: parent_profile is kept only for old config files; presumably superseded by
	// source_profile — confirm in ConfigLoader.LoadFromProfile.
	ParentProfile           string `ini:"parent_profile,omitempty"`
	// IncludeProfile has no counterpart field in Config in this listing — confirm how it is resolved.
	IncludeProfile          string `ini:"include_profile,omitempty"`
	SSOStartURL             string `ini:"sso_start_url,omitempty"`
	SSORegion               string `ini:"sso_region,omitempty"`
	SSOAccountID            string `ini:"sso_account_id,omitempty"`
	SSORoleName             string `ini:"sso_role_name,omitempty"`
	WebIdentityTokenFile    string `ini:"web_identity_token_file,omitempty"`
	// WebIdentityTokenProcess is presumably a command that gets executed to obtain the token
	// (confirm); a writable ~/.aws/config therefore amounts to code execution for this user.
	WebIdentityTokenProcess string `ini:"web_identity_token_process,omitempty"`
}

ProfileSection is a profile section of the config file

func (ProfileSection) IsEmpty

func (s ProfileSection) IsEmpty() bool

type SSORoleCredentialsProvider

// SSORoleCredentialsProvider creates temporary credentials for an SSO Role (see Retrieve).
type SSORoleCredentialsProvider struct {
	// OIDCClient obtains the SSO-OIDC token; OIDCTokenCache stores it between runs (keyed by
	// StartURL). The cached token is a bearer credential — its store must be protected.
	OIDCClient     *ssooidc.SSOOIDC
	OIDCTokenCache OIDCTokenCacher
	// StartURL is the AWS SSO user portal URL.
	StartURL       string
	// SSOClient makes the GetRoleCredentials call for AccountID / RoleName.
	SSOClient      *sso.SSO
	AccountID      string
	RoleName       string
	// ExpiryWindow is how long before the real expiry the credentials are treated as expired
	// (credentials.Expiry semantics).
	ExpiryWindow   time.Duration
	credentials.Expiry
}

SSORoleCredentialsProvider creates temporary credentials for an SSO Role.

func (*SSORoleCredentialsProvider) Retrieve

Retrieve generates a new set of temporary credentials using SSO GetRoleCredentials.

type SessionKeyring

// SessionKeyring caches temporary STS credentials in the keyring, keyed by SessionMetadata
// (see Get, Set, Remove). GarbageCollectOnce presumably drops expired entries — confirm.
type SessionKeyring struct {
	Keyring keyring.Keyring
	// contains filtered or unexported fields
}

func (*SessionKeyring) GarbageCollectOnce

func (sk *SessionKeyring) GarbageCollectOnce() (n int, err error)

func (*SessionKeyring) Get

func (sk *SessionKeyring) Get(key SessionMetadata) (val *sts.Credentials, err error)

func (*SessionKeyring) GetAllMetadata

func (sk *SessionKeyring) GetAllMetadata() (mm []SessionMetadata, err error)

func (*SessionKeyring) Has

func (sk *SessionKeyring) Has(key SessionMetadata) (bool, error)

func (*SessionKeyring) Keys

func (sk *SessionKeyring) Keys() (kk []SessionMetadata, err error)

func (*SessionKeyring) Remove

func (sk *SessionKeyring) Remove(key SessionMetadata) error

func (*SessionKeyring) RemoveForProfile

func (sk *SessionKeyring) RemoveForProfile(profileName string) (n int, err error)

func (*SessionKeyring) Set

func (sk *SessionKeyring) Set(key SessionMetadata, val *sts.Credentials) error

type SessionMetadata

// SessionMetadata identifies one cached session in the SessionKeyring: the provider Type, the
// ProfileName it belongs to, the MfaSerial it was obtained with and its Expiration. String
// presumably serialises it as the keyring key and NewSessionKeyFromString parses it back —
// confirm. Keying on MfaSerial should keep a session obtained without MFA from being reused
// for a profile that now requires one (see StringForMatching) — confirm.
type SessionMetadata struct {
	Type        string
	ProfileName string
	MfaSerial   string
	Expiration  time.Time
}

func NewSessionKeyFromString

func NewSessionKeyFromString(s string) (SessionMetadata, error)

func (*SessionMetadata) String

func (k *SessionMetadata) String() string

func (*SessionMetadata) StringForMatching

func (k *SessionMetadata) StringForMatching() string

type SessionTokenProvider

// SessionTokenProvider retrieves temporary credentials from STS using GetSessionToken
// (see GetSessionToken and Retrieve).
type SessionTokenProvider struct {
	// StsClient is the STS client used to make the call, built from the master credentials.
	StsClient    *sts.STS
	// Duration is the requested lifetime of the session (see DefaultSessionDuration).
	Duration     time.Duration
	// ExpiryWindow is how long before the real expiry the credentials are treated as expired
	// (credentials.Expiry semantics).
	ExpiryWindow time.Duration
	// Mfa supplies the MFA serial/token for the call (see Mfa.GetMfaToken).
	Mfa
	credentials.Expiry
}

SessionTokenProvider retrieves temporary credentials from STS using GetSessionToken

func (*SessionTokenProvider) GetSessionToken

func (p *SessionTokenProvider) GetSessionToken() (*sts.Credentials, error)

GetSessionToken generates a new set of temporary credentials using STS GetSessionToken

func (*SessionTokenProvider) Retrieve

func (p *SessionTokenProvider) Retrieve() (credentials.Value, error)

Retrieve generates a new set of temporary credentials using STS GetSessionToken
