vault

package
v6.6.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 16, 2023 License: MIT Imports: 29 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	// DefaultSessionDuration is the default duration for GetSessionToken or AssumeRole sessions
	DefaultSessionDuration = time.Hour * 1

	// DefaultChainedSessionDuration is the default duration for GetSessionToken sessions when chaining
	DefaultChainedSessionDuration = time.Hour * 8
)

Variables

View Source 
var ErrNotFound = keyring.ErrKeyNotFound
View Source 
var UseSession = true

UseSession will disable the use of GetSessionToken when set to false

View Source 
var UseSessionCache = true

Functions

func FindMasterCredentialsNameFor added in v6.4.0 

func FindMasterCredentialsNameFor(profileName string, keyring *CredentialKeyring, config *Config) (string, error)

func FormatKeyForDisplay 

func FormatKeyForDisplay(k string) string

func GetUsernameFromSession 

func GetUsernameFromSession(ctx context.Context, cfg aws.Config) (string, error)

GetUsernameFromSession returns the IAM username (or root) associated with the current aws session

func IsCurrentSessionKey 

func IsCurrentSessionKey(s string) bool

func IsOIDCTokenKey 

func IsOIDCTokenKey(k string) bool

func IsOldSessionKey 

func IsOldSessionKey(s string) bool

func IsSessionKey 

func IsSessionKey(s string) bool

func NewAssumeRoleProvider 

func NewAssumeRoleProvider(credsProvider aws.CredentialsProvider, k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

NewAssumeRoleProvider returns a provider that generates credentials using AssumeRole

func NewAssumeRoleWithWebIdentityProvider 

func NewAssumeRoleWithWebIdentityProvider(k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

NewAssumeRoleWithWebIdentityProvider returns a provider that generates credentials using AssumeRoleWithWebIdentity

func NewAwsConfig added in v6.4.0 

func NewAwsConfig(region, stsRegionalEndpoints string) aws.Config

func NewAwsConfigWithCredsProvider added in v6.4.0 

func NewAwsConfigWithCredsProvider(credsProvider aws.CredentialsProvider, region, stsRegionalEndpoints string) aws.Config

func NewEnvironmentCredentialsProvider added in v6.6.0 

func NewEnvironmentCredentialsProvider() aws.CredentialsProvider

func NewFederationTokenCredentialsProvider added in v6.4.0 

func NewFederationTokenCredentialsProvider(ctx context.Context, profileName string, k *CredentialKeyring, config *Config) (aws.CredentialsProvider, error)

func NewSSORoleCredentialsProvider 

func NewSSORoleCredentialsProvider(k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

NewSSORoleCredentialsProvider creates a provider for SSO credentials

func NewSessionTokenProvider 

func NewSessionTokenProvider(credsProvider aws.CredentialsProvider, k keyring.Keyring, config *Config) (aws.CredentialsProvider, error)

func NewTempCredentialsProvider 

func NewTempCredentialsProvider(config *Config, keyring *CredentialKeyring) (aws.CredentialsProvider, error)

NewTempCredentialsProvider creates a credential provider for the given config

Types

type AssumeRoleProvider 

type AssumeRoleProvider struct {
	StsClient         *sts.Client
	RoleARN           string
	RoleSessionName   string
	ExternalID        string
	Duration          time.Duration
	Tags              map[string]string
	TransitiveTagKeys []string
	SourceIdentity    string
	Mfa
}

AssumeRoleProvider retrieves temporary credentials from STS using AssumeRole

func (*AssumeRoleProvider) Retrieve 

func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve generates a new set of temporary credentials using STS AssumeRole

type AssumeRoleWithWebIdentityProvider 

type AssumeRoleWithWebIdentityProvider struct {
	StsClient               *sts.Client
	RoleARN                 string
	RoleSessionName         string
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string
	ExternalID              string
	Duration                time.Duration
}

AssumeRoleWithWebIdentityProvider retrieves temporary credentials from STS using AssumeRoleWithWebIdentity

func (*AssumeRoleWithWebIdentityProvider) Retrieve 

func (p *AssumeRoleWithWebIdentityProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve generates a new set of temporary credentials using STS AssumeRoleWithWebIdentity

type CachedSessionProvider 

type CachedSessionProvider struct {
	SessionKey      SessionMetadata
	CredentialsFunc func(context.Context) (*ststypes.Credentials, error)
	Keyring         *SessionKeyring
	ExpiryWindow    time.Duration
}

CachedSessionProvider retrieves cached credentials from the keyring, or if no credentials are cached retrieves temporary credentials using the CredentialsFunc

func (*CachedSessionProvider) Retrieve 

func (p *CachedSessionProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve returns cached credentials from the keyring, or if no credentials are cached generates a new set of temporary credentials using the CredentialsFunc

type Config 

type Config struct {
	// ProfileName specifies the name of the profile config
	ProfileName string

	// SourceProfile is the profile where credentials come from
	SourceProfileName string

	// SourceProfile is the profile where credentials come from
	SourceProfile *Config

	// ChainedFromProfile is the profile that used this profile as it's source profile
	ChainedFromProfile *Config

	// Region is the AWS region
	Region string

	// STSRegionalEndpoints sets STS endpoint resolution logic, must be "regional" or "legacy"
	STSRegionalEndpoints string

	// Mfa config
	MfaSerial       string
	MfaToken        string
	MfaPromptMethod string

	// AssumeRole config
	RoleARN         string
	RoleSessionName string
	ExternalID      string

	// AssumeRoleWithWebIdentity config
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string

	// GetSessionTokenDuration specifies the wanted duration for credentials generated with AssumeRole
	AssumeRoleDuration time.Duration

	// NonChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken
	NonChainedGetSessionTokenDuration time.Duration

	// ChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken when chaining
	ChainedGetSessionTokenDuration time.Duration

	// GetFederationTokenDuration specifies the wanted duration for credentials generated with GetFederationToken
	GetFederationTokenDuration time.Duration

	// SSOStartURL specifies the URL for the AWS IAM Identity Center user portal.
	SSOStartURL string

	// SSORegion specifies the region for the AWS IAM Identity Center user portal.
	SSORegion string

	// SSOAccountID specifies the AWS account ID for the profile.
	SSOAccountID string

	// SSORoleName specifies the AWS IAM Role name to target.
	SSORoleName string

	// SSOUseStdout specifies that the system browser should not be automatically opened
	SSOUseStdout bool

	// SessionTags specifies assumed role Session Tags
	SessionTags map[string]string

	// TransitiveSessionTags specifies assumed role Transitive Session Tags keys
	TransitiveSessionTags []string

	// SourceIdentity specifies assumed role Source Identity
	SourceIdentity string
}

Config is a collection of configuration options for creating temporary credentials

func (*Config) CanUseGetSessionToken 

func (c *Config) CanUseGetSessionToken() (bool, string)

CanUseGetSessionToken determines if GetSessionToken should be used, and if not returns a reason

func (*Config) GetSessionTokenDuration 

func (c *Config) GetSessionTokenDuration() time.Duration

func (*Config) HasMfaSerial 

func (c *Config) HasMfaSerial() bool

func (*Config) HasRole 

func (c *Config) HasRole() bool

func (*Config) HasSSOStartURL 

func (c *Config) HasSSOStartURL() bool

func (*Config) HasSourceProfile 

func (c *Config) HasSourceProfile() bool

func (*Config) HasWebIdentityTokenFile 

func (c *Config) HasWebIdentityTokenFile() bool

func (*Config) HasWebIdentityTokenProcess 

func (c *Config) HasWebIdentityTokenProcess() bool

func (*Config) IsChained 

func (c *Config) IsChained() bool

func (*Config) SetSessionTags added in v6.3.0 

func (c *Config) SetSessionTags(s string) error

SetSessionTags parses a comma separated key=vaue string and sets Config.SessionTags map

func (*Config) SetTransitiveSessionTags added in v6.3.0 

func (c *Config) SetTransitiveSessionTags(s string)

SetTransitiveSessionTags parses a comma separated string and sets Config.TransitiveSessionTags

type ConfigFile 

type ConfigFile struct {
	Path string
	// contains filtered or unexported fields
}

ConfigFile is an abstraction over what is in ~/.aws/config

func LoadConfig 

func LoadConfig(path string) (*ConfigFile, error)

LoadConfig loads and parses a config file. No error is returned if the file doesn't exist

func LoadConfigFromEnv 

func LoadConfigFromEnv() (*ConfigFile, error)

LoadConfigFromEnv finds the config file from the environment

func (*ConfigFile) Add 

func (c *ConfigFile) Add(profile ProfileSection) error

Add the profile to the configuration file

func (*ConfigFile) ProfileNames 

func (c *ConfigFile) ProfileNames() []string

ProfileNames returns a slice of profile names from the AWS config

func (*ConfigFile) ProfileSection 

func (c *ConfigFile) ProfileSection(name string) (ProfileSection, bool)

ProfileSection returns the profile section with the matching name. If there isn't any, an empty profile with the provided name is returned, along with false.

func (*ConfigFile) ProfileSections 

func (c *ConfigFile) ProfileSections() []ProfileSection

ProfileSections returns all the profile sections in the config

func (*ConfigFile) Save 

func (c *ConfigFile) Save() error

type ConfigLoader 

type ConfigLoader struct {
	BaseConfig    Config
	File          *ConfigFile
	ActiveProfile string
	// contains filtered or unexported fields
}

ConfigLoader loads config from configfile and environment variables

func (*ConfigLoader) LoadFromProfile 

func (cl *ConfigLoader) LoadFromProfile(profileName string) (*Config, error)

LoadFromProfile loads the profile from the config file and environment variables into config

type CredentialKeyring 

type CredentialKeyring struct {
	Keyring keyring.Keyring
}

func (*CredentialKeyring) Get 

func (ck *CredentialKeyring) Get(credentialsName string) (creds aws.Credentials, err error)

func (*CredentialKeyring) Has 

func (ck *CredentialKeyring) Has(credentialsName string) (bool, error)

func (*CredentialKeyring) Keys 

func (ck *CredentialKeyring) Keys() (credentialsNames []string, err error)

func (*CredentialKeyring) Remove 

func (ck *CredentialKeyring) Remove(credentialsName string) error

func (*CredentialKeyring) Set 

func (ck *CredentialKeyring) Set(credentialsName string, creds aws.Credentials) error

type EnvironmentVariablesCredentialsProvider added in v6.6.0 

type EnvironmentVariablesCredentialsProvider struct {
}

EnvironmentVariablesCredentialsProvider retrieves AWS credentials available in the OS environment variables

func (*EnvironmentVariablesCredentialsProvider) Retrieve added in v6.6.0 

func (m *EnvironmentVariablesCredentialsProvider) Retrieve(context.Context) (aws.Credentials, error)

type FederationTokenProvider 

type FederationTokenProvider struct {
	StsClient *sts.Client
	Name      string
	Duration  time.Duration
}

FederationTokenProvider retrieves temporary credentials from STS using GetFederationToken

func (*FederationTokenProvider) Retrieve 

func (f *FederationTokenProvider) Retrieve(ctx context.Context) (creds aws.Credentials, err error)

Retrieve generates a new set of temporary credentials using STS GetFederationToken

type KeyringProvider 

type KeyringProvider struct {
	Keyring         *CredentialKeyring
	CredentialsName string
}

KeyringProvider stores and retrieves master credentials

func NewMasterCredentialsProvider 

func NewMasterCredentialsProvider(k *CredentialKeyring, credentialsName string) *KeyringProvider

NewMasterCredentialsProvider creates a provider for the master credentials

func (*KeyringProvider) Retrieve 

func (p *KeyringProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

type Mfa 

type Mfa struct {
	MfaToken        string
	MfaPromptMethod string
	MfaSerial       string
}

Mfa contains options for an MFA device

func (*Mfa) GetMfaToken 

func (m *Mfa) GetMfaToken() (*string, error)

GetMfaToken returns the MFA token

type OIDCTokenCacher 

type OIDCTokenCacher interface {
	Get(string) (*ssooidc.CreateTokenOutput, error)
	Set(string, *ssooidc.CreateTokenOutput) error
	Remove(string) error
}

type OIDCTokenData 

type OIDCTokenData struct {
	Token      ssooidc.CreateTokenOutput
	Expiration time.Time
}

type OIDCTokenKeyring 

type OIDCTokenKeyring struct {
	Keyring keyring.Keyring
}

func (OIDCTokenKeyring) Get 

func (o OIDCTokenKeyring) Get(startURL string) (*ssooidc.CreateTokenOutput, error)

func (OIDCTokenKeyring) Has 

func (o OIDCTokenKeyring) Has(startURL string) (bool, error)

func (*OIDCTokenKeyring) Keys 

func (o *OIDCTokenKeyring) Keys() (kk []string, err error)

func (OIDCTokenKeyring) Remove 

func (o OIDCTokenKeyring) Remove(startURL string) error

func (*OIDCTokenKeyring) RemoveAll 

func (o *OIDCTokenKeyring) RemoveAll() (n int, err error)

func (OIDCTokenKeyring) Set 

func (o OIDCTokenKeyring) Set(startURL string, token *ssooidc.CreateTokenOutput) error

type ProfileSection 

type ProfileSection struct {
	Name                    string `ini:"-"`
	MfaSerial               string `ini:"mfa_serial,omitempty"`
	RoleARN                 string `ini:"role_arn,omitempty"`
	ExternalID              string `ini:"external_id,omitempty"`
	Region                  string `ini:"region,omitempty"`
	RoleSessionName         string `ini:"role_session_name,omitempty"`
	DurationSeconds         uint   `ini:"duration_seconds,omitempty"`
	SourceProfile           string `ini:"source_profile,omitempty"`
	ParentProfile           string `ini:"parent_profile,omitempty"` // deprecated
	IncludeProfile          string `ini:"include_profile,omitempty"`
	SSOStartURL             string `ini:"sso_start_url,omitempty"`
	SSORegion               string `ini:"sso_region,omitempty"`
	SSOAccountID            string `ini:"sso_account_id,omitempty"`
	SSORoleName             string `ini:"sso_role_name,omitempty"`
	WebIdentityTokenFile    string `ini:"web_identity_token_file,omitempty"`
	WebIdentityTokenProcess string `ini:"web_identity_token_process,omitempty"`
	STSRegionalEndpoints    string `ini:"sts_regional_endpoints,omitempty"`
	SessionTags             string `ini:"session_tags,omitempty"`
	TransitiveSessionTags   string `ini:"transitive_session_tags,omitempty"`
	SourceIdentity          string `ini:"source_identity,omitempty"`
}

ProfileSection is a profile section of the config file

func (ProfileSection) IsEmpty 

func (s ProfileSection) IsEmpty() bool

type SSORoleCredentialsProvider 

type SSORoleCredentialsProvider struct {
	OIDCClient     *ssooidc.Client
	OIDCTokenCache OIDCTokenCacher
	StartURL       string
	SSOClient      *sso.Client
	AccountID      string
	RoleName       string
	UseStdout      bool
}

SSORoleCredentialsProvider creates temporary credentials for an SSO Role.

func (*SSORoleCredentialsProvider) Retrieve 

func (p *SSORoleCredentialsProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve generates a new set of temporary credentials using SSO GetRoleCredentials.

type SessionKeyring 

type SessionKeyring struct {
	Keyring keyring.Keyring
}

func (*SessionKeyring) Get 

func (sk *SessionKeyring) Get(key SessionMetadata) (creds *ststypes.Credentials, err error)

func (*SessionKeyring) GetAllMetadata 

func (sk *SessionKeyring) GetAllMetadata() (mm []SessionMetadata, err error)

func (*SessionKeyring) Has 

func (sk *SessionKeyring) Has(key SessionMetadata) (bool, error)

func (*SessionKeyring) Keys 

func (sk *SessionKeyring) Keys() (kk []SessionMetadata, err error)

func (*SessionKeyring) Remove 

func (sk *SessionKeyring) Remove(key SessionMetadata) error

func (*SessionKeyring) RemoveAll 

func (sk *SessionKeyring) RemoveAll() (n int, err error)

func (*SessionKeyring) RemoveForProfile 

func (sk *SessionKeyring) RemoveForProfile(profileName string) (n int, err error)

func (*SessionKeyring) RemoveOldSessions 

func (sk *SessionKeyring) RemoveOldSessions() (n int, err error)

func (*SessionKeyring) Set 

func (sk *SessionKeyring) Set(key SessionMetadata, creds *ststypes.Credentials) error

type SessionMetadata 

type SessionMetadata struct {
	Type        string
	ProfileName string
	MfaSerial   string
	Expiration  time.Time
}

func NewSessionKeyFromString 

func NewSessionKeyFromString(s string) (SessionMetadata, error)

func (*SessionMetadata) String 

func (k *SessionMetadata) String() string

func (*SessionMetadata) StringForMatching 

func (k *SessionMetadata) StringForMatching() string

type SessionTokenProvider 

type SessionTokenProvider struct {
	StsClient *sts.Client
	Duration  time.Duration
	Mfa
}

SessionTokenProvider retrieves temporary credentials from STS using GetSessionToken

func (*SessionTokenProvider) GetSessionToken 

func (p *SessionTokenProvider) GetSessionToken(ctx context.Context) (*ststypes.Credentials, error)

GetSessionToken generates a new set of temporary credentials using STS GetSessionToken

func (*SessionTokenProvider) Retrieve 

func (p *SessionTokenProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve generates a new set of temporary credentials using STS GetSessionToken

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.