vault

Constants

// Default lifetimes requested for the temporary credentials this package obtains
// from STS. Per-profile values live in the *Duration fields of ProfileConfig.
const (
	// DefaultSessionDuration is the default duration for GetSessionToken or AssumeRole sessions
	DefaultSessionDuration = time.Hour * 1

	// DefaultChainedSessionDuration is the default duration for GetSessionToken sessions when chaining
	DefaultChainedSessionDuration = time.Hour * 8
)

Variables

// ErrNotFound is returned when a requested entry is absent from the keyring.
// It is the same value as keyring.ErrKeyNotFound, so errors.Is matches either name.
var ErrNotFound = keyring.ErrKeyNotFound

Functions

func FindMasterCredentialsNameFor

func FindMasterCredentialsNameFor(profileName string, keyring *CredentialKeyring, config *ProfileConfig) (string, error)

func FormatKeyForDisplay

func FormatKeyForDisplay(k string) string

func GetUsernameFromSession

func GetUsernameFromSession(ctx context.Context, cfg aws.Config) (string, error)

GetUsernameFromSession returns the IAM username (or root) associated with the current AWS session.

func IsCurrentSessionKey

func IsCurrentSessionKey(s string) bool

func IsOIDCTokenKey

func IsOIDCTokenKey(k string) bool

func IsOldSessionKey

func IsOldSessionKey(s string) bool

func IsSessionKey

func IsSessionKey(s string) bool

func NewAssumeRoleProvider

func NewAssumeRoleProvider(credsProvider aws.CredentialsProvider, k keyring.Keyring, config *ProfileConfig, useSessionCache bool) (aws.CredentialsProvider, error)

NewAssumeRoleProvider returns a provider that generates credentials using AssumeRole

func NewAssumeRoleWithWebIdentityProvider

func NewAssumeRoleWithWebIdentityProvider(k keyring.Keyring, config *ProfileConfig, useSessionCache bool) (aws.CredentialsProvider, error)

NewAssumeRoleWithWebIdentityProvider returns a provider that generates credentials using AssumeRoleWithWebIdentity

func NewAwsConfig

func NewAwsConfig(region, stsRegionalEndpoints string) aws.Config

func NewAwsConfigWithCredsProvider

func NewAwsConfigWithCredsProvider(credsProvider aws.CredentialsProvider, region, stsRegionalEndpoints string) aws.Config

func NewCredentialProcessProvider

func NewCredentialProcessProvider(k keyring.Keyring, config *ProfileConfig, useSessionCache bool) (aws.CredentialsProvider, error)

NewCredentialProcessProvider creates a provider to retrieve credentials from an external executable as described in https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes

func NewSSORoleCredentialsProvider

func NewSSORoleCredentialsProvider(k keyring.Keyring, config *ProfileConfig, useSessionCache bool) (aws.CredentialsProvider, error)

NewSSORoleCredentialsProvider creates a provider for SSO credentials

func NewSessionTokenProvider

func NewSessionTokenProvider(credsProvider aws.CredentialsProvider, k keyring.Keyring, config *ProfileConfig, useSessionCache bool) (aws.CredentialsProvider, error)

func NewTempCredentialsProvider

func NewTempCredentialsProvider(config *ProfileConfig, keyring *CredentialKeyring, disableSessions bool, disableCache bool) (aws.CredentialsProvider, error)

NewTempCredentialsProvider creates a credential provider for the given config

func ProcessMfaProvider

func ProcessMfaProvider(processCmd string) (string, error)

Types

type AssumeRoleProvider

// AssumeRoleProvider retrieves temporary credentials from STS using AssumeRole.
type AssumeRoleProvider struct {
	// StsClient is the STS client used for the AssumeRole call.
	StsClient         *sts.Client
	// RoleARN is the ARN of the IAM role to assume.
	RoleARN           string
	// RoleSessionName is the session name passed to AssumeRole.
	RoleSessionName   string
	// ExternalID is the external ID passed to AssumeRole, if set.
	ExternalID        string
	// Duration is the requested lifetime of the assumed-role credentials;
	// DefaultSessionDuration is the package default.
	Duration          time.Duration
	// Tags are the session tags attached to the assumed role
	// (see ProfileConfig.SessionTags).
	Tags              map[string]string
	// TransitiveTagKeys lists which session tag keys are transitive
	// (see ProfileConfig.TransitiveSessionTags).
	TransitiveTagKeys []string
	// SourceIdentity is the source identity set on the assumed-role session
	// (see ProfileConfig.SourceIdentity).
	SourceIdentity    string
	// Embedded Mfa supplies the MFA device options and GetMfaToken.
	Mfa
}

AssumeRoleProvider retrieves temporary credentials from STS using AssumeRole

func (*AssumeRoleProvider) Retrieve

func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve generates a new set of temporary credentials using STS AssumeRole

func (*AssumeRoleProvider) RetrieveStsCredentials added in v7.2.0

func (p *AssumeRoleProvider) RetrieveStsCredentials(ctx context.Context) (*ststypes.Credentials, error)

type AssumeRoleWithWebIdentityProvider

// AssumeRoleWithWebIdentityProvider retrieves temporary credentials from STS
// using AssumeRoleWithWebIdentity.
type AssumeRoleWithWebIdentityProvider struct {
	// StsClient is the STS client used for the AssumeRoleWithWebIdentity call.
	StsClient               *sts.Client
	// RoleARN is the ARN of the IAM role to assume.
	RoleARN                 string
	// RoleSessionName is the session name passed to AssumeRoleWithWebIdentity.
	RoleSessionName         string
	// WebIdentityTokenFile is the file the web identity token is read from
	// (see ProfileConfig.WebIdentityTokenFile).
	WebIdentityTokenFile    string
	// WebIdentityTokenProcess is an external command run to obtain the web
	// identity token (see ProfileConfig.WebIdentityTokenProcess).
	WebIdentityTokenProcess string
	// ExternalID is the external ID passed with the request, if set.
	ExternalID              string
	// Duration is the requested lifetime of the assumed-role credentials.
	Duration                time.Duration
}

AssumeRoleWithWebIdentityProvider retrieves temporary credentials from STS using AssumeRoleWithWebIdentity

func (*AssumeRoleWithWebIdentityProvider) Retrieve

Retrieve generates a new set of temporary credentials using STS AssumeRoleWithWebIdentity

func (*AssumeRoleWithWebIdentityProvider) RetrieveStsCredentials added in v7.2.0

func (p *AssumeRoleWithWebIdentityProvider) RetrieveStsCredentials(ctx context.Context) (*ststypes.Credentials, error)

type CachedSessionProvider

// CachedSessionProvider retrieves cached credentials from the keyring, or if no
// credentials are cached retrieves temporary credentials from SessionProvider.
type CachedSessionProvider struct {
	// SessionKey identifies the cache entry in Keyring.
	SessionKey      SessionMetadata
	// SessionProvider is consulted when no usable cached credentials exist.
	SessionProvider StsSessionProvider
	// Keyring is the session cache backing store.
	Keyring         *SessionKeyring
	// ExpiryWindow is a time.Duration compared against the cached credentials'
	// expiry. NOTE(review): presumably a margin before expiry at which a cached
	// entry is refreshed early — confirm against Retrieve.
	ExpiryWindow    time.Duration
}

CachedSessionProvider retrieves cached credentials from the keyring, or if no credentials are cached retrieves temporary credentials using the CredentialsFunc

func (*CachedSessionProvider) Retrieve

Retrieve returns cached credentials from the keyring, or if no credentials are cached generates a new set of temporary credentials using the CredentialsFunc

func (*CachedSessionProvider) RetrieveStsCredentials added in v7.2.0

func (p *CachedSessionProvider) RetrieveStsCredentials(ctx context.Context) (*ststypes.Credentials, error)

type ConfigFile

// ConfigFile is an abstraction over what is in ~/.aws/config.
type ConfigFile struct {
	// Path is the location of the config file on disk.
	Path string
	// contains filtered or unexported fields
}

ConfigFile is an abstraction over what is in ~/.aws/config

func LoadConfig

func LoadConfig(path string) (*ConfigFile, error)

LoadConfig loads and parses a config file. No error is returned if the file doesn't exist.

func LoadConfigFromEnv

func LoadConfigFromEnv() (*ConfigFile, error)

LoadConfigFromEnv finds the config file from the environment

func (*ConfigFile) Add

func (c *ConfigFile) Add(profile ProfileSection) error

Add adds the profile to the configuration file.

func (*ConfigFile) ProfileNames

func (c *ConfigFile) ProfileNames() []string

ProfileNames returns a slice of profile names from the AWS config

func (*ConfigFile) ProfileSection

func (c *ConfigFile) ProfileSection(name string) (ProfileSection, bool)

ProfileSection returns the profile section with the matching name. If there isn't any, an empty profile with the provided name is returned, along with false.

func (*ConfigFile) ProfileSections

func (c *ConfigFile) ProfileSections() []ProfileSection

ProfileSections returns all the profile sections in the config

func (*ConfigFile) SSOSessionSection

func (c *ConfigFile) SSOSessionSection(name string) (SSOSessionSection, bool)

SSOSessionSection returns the [sso-session] section with the matching name. If there isn't any, an empty sso-session with the provided name is returned, along with false.

func (*ConfigFile) Save

func (c *ConfigFile) Save() error

type ConfigLoader

// ConfigLoader loads config from the config file and environment variables.
type ConfigLoader struct {
	// BaseConfig is the starting ProfileConfig. NOTE(review): presumably it
	// supplies defaults that file and environment values are layered onto — confirm.
	BaseConfig    ProfileConfig
	// File is the parsed ~/.aws/config.
	File          *ConfigFile
	// ActiveProfile is the name of the profile currently selected.
	ActiveProfile string
	// contains filtered or unexported fields
}

ConfigLoader loads config from configfile and environment variables

func NewConfigLoader

func NewConfigLoader(baseConfig ProfileConfig, file *ConfigFile, activeProfile string) *ConfigLoader

func (*ConfigLoader) GetProfileConfig

func (cl *ConfigLoader) GetProfileConfig(profileName string) (*ProfileConfig, error)

GetProfileConfig loads the profile from the config file and environment variables into config

type CredentialKeyring

// CredentialKeyring stores master (long-lived) AWS credentials in a
// keyring.Keyring, keyed by credentials name. Keep these in the OS secret
// store rather than plain files; KeyringProvider reads them from here.
type CredentialKeyring struct {
	// Keyring is the underlying secret store.
	Keyring keyring.Keyring
}

func (*CredentialKeyring) Get

func (ck *CredentialKeyring) Get(credentialsName string) (creds aws.Credentials, err error)

func (*CredentialKeyring) Has

func (ck *CredentialKeyring) Has(credentialsName string) (bool, error)

func (*CredentialKeyring) Keys

func (ck *CredentialKeyring) Keys() (credentialsNames []string, err error)

func (*CredentialKeyring) Remove

func (ck *CredentialKeyring) Remove(credentialsName string) error

func (*CredentialKeyring) Set

func (ck *CredentialKeyring) Set(credentialsName string, creds aws.Credentials) error

type CredentialProcessProvider

// CredentialProcessProvider implements aws.CredentialsProvider by running an
// external executable and parsing its output as credentials, following the
// AWS CLI credential_process contract.
type CredentialProcessProvider struct {
	// CredentialProcess is the external command to run, as configured by
	// credential_process (ProfileSection.CredentialProcess). Because it is
	// executed, the config file it comes from must be trusted.
	CredentialProcess string
}

CredentialProcessProvider implements interface aws.CredentialsProvider to retrieve credentials from an external executable as described in https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes

func (*CredentialProcessProvider) Retrieve

Retrieve obtains a new set of temporary credentials using an external process, required to satisfy interface aws.CredentialsProvider

func (*CredentialProcessProvider) RetrieveStsCredentials added in v7.2.0

func (p *CredentialProcessProvider) RetrieveStsCredentials(ctx context.Context) (*ststypes.Credentials, error)

type FederationTokenProvider

// FederationTokenProvider retrieves temporary credentials from STS using GetFederationToken.
type FederationTokenProvider struct {
	// StsClient is the STS client used for the GetFederationToken call.
	StsClient *sts.Client
	// Name is the federated user name passed to GetFederationToken.
	Name      string
	// Duration is the requested lifetime of the federation token
	// (see ProfileConfig.GetFederationTokenDuration).
	Duration  time.Duration
}

FederationTokenProvider retrieves temporary credentials from STS using GetFederationToken

func NewFederationTokenProvider

func NewFederationTokenProvider(ctx context.Context, credsProvider aws.CredentialsProvider, config *ProfileConfig) (*FederationTokenProvider, error)

func (*FederationTokenProvider) Retrieve

func (f *FederationTokenProvider) Retrieve(ctx context.Context) (creds aws.Credentials, err error)

Retrieve generates a new set of temporary credentials using STS GetFederationToken

type KeyringProvider

// KeyringProvider stores and retrieves master credentials.
type KeyringProvider struct {
	// Keyring is the credential store to read from.
	Keyring         *CredentialKeyring
	// CredentialsName is the key under which the master credentials are stored.
	CredentialsName string
}

KeyringProvider stores and retrieves master credentials

func NewMasterCredentialsProvider

func NewMasterCredentialsProvider(k *CredentialKeyring, credentialsName string) *KeyringProvider

NewMasterCredentialsProvider creates a provider for the master credentials

func (*KeyringProvider) Retrieve

func (p *KeyringProvider) Retrieve(_ context.Context) (aws.Credentials, error)

type Mfa

// Mfa contains options for an MFA device.
type Mfa struct {
	// MfaSerial identifies the MFA device (see ProfileConfig.MfaSerial).
	MfaSerial string
	// contains filtered or unexported fields
}

Mfa contains options for an MFA device

func NewMfa

func NewMfa(config *ProfileConfig) Mfa

func (Mfa) GetMfaToken

func (m Mfa) GetMfaToken() (*string, error)

GetMfaToken returns the MFA token

type OIDCTokenCacher

// OIDCTokenCacher stores SSO OIDC tokens keyed by start URL. Implementations
// hold credential material; OIDCTokenKeyring backs onto keyring.Keyring.
type OIDCTokenCacher interface {
	// Get returns the cached token for the start URL.
	Get(string) (*ssooidc.CreateTokenOutput, error)
	// Set caches the token for the start URL.
	Set(string, *ssooidc.CreateTokenOutput) error
	// Remove deletes the cached token for the start URL.
	Remove(string) error
}

type OIDCTokenData

// OIDCTokenData is an SSO OIDC token together with its expiry.
type OIDCTokenData struct {
	// Token is the CreateToken response being cached.
	Token      ssooidc.CreateTokenOutput
	// Expiration is when Token stops being valid.
	Expiration time.Time
}

type OIDCTokenKeyring

// OIDCTokenKeyring implements OIDCTokenCacher on top of a keyring.Keyring.
type OIDCTokenKeyring struct {
	// Keyring is the underlying secret store.
	Keyring keyring.Keyring
}

func (OIDCTokenKeyring) Get

func (OIDCTokenKeyring) Has

func (o OIDCTokenKeyring) Has(startURL string) (bool, error)

func (*OIDCTokenKeyring) Keys

func (o *OIDCTokenKeyring) Keys() (kk []string, err error)

func (OIDCTokenKeyring) Remove

func (o OIDCTokenKeyring) Remove(startURL string) error

func (*OIDCTokenKeyring) RemoveAll

func (o *OIDCTokenKeyring) RemoveAll() (n int, err error)

func (OIDCTokenKeyring) Set

func (o OIDCTokenKeyring) Set(startURL string, token *ssooidc.CreateTokenOutput) error

type ProfileConfig

// ProfileConfig is a collection of configuration options for creating temporary credentials.
type ProfileConfig struct {
	// ProfileName specifies the name of the profile config
	ProfileName string

	// SourceProfileName is the name of the profile where credentials come from
	SourceProfileName string

	// SourceProfile is the profile where credentials come from
	SourceProfile *ProfileConfig

	// ChainedFromProfile is the profile that used this profile as its source profile
	ChainedFromProfile *ProfileConfig

	// Region is the AWS region
	Region string

	// STSRegionalEndpoints sets STS endpoint resolution logic, must be "regional" or "legacy"
	STSRegionalEndpoints string

	// Mfa config
	MfaSerial       string
	MfaToken        string
	MfaPromptMethod string

	// MfaProcess specifies external command to run to get an MFA token
	MfaProcess string

	// AssumeRole config
	RoleARN         string
	RoleSessionName string
	ExternalID      string

	// AssumeRoleWithWebIdentity config
	WebIdentityTokenFile    string
	WebIdentityTokenProcess string

	// AssumeRoleDuration specifies the wanted duration for credentials generated with AssumeRole
	AssumeRoleDuration time.Duration

	// NonChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken
	NonChainedGetSessionTokenDuration time.Duration

	// ChainedGetSessionTokenDuration specifies the wanted duration for credentials generated with GetSessionToken when chaining
	ChainedGetSessionTokenDuration time.Duration

	// GetFederationTokenDuration specifies the wanted duration for credentials generated with GetFederationToken
	GetFederationTokenDuration time.Duration

	// SSOSession specifies the [sso-session] section name.
	SSOSession string

	// SSOStartURL specifies the URL for the AWS IAM Identity Center user portal, legacy option.
	SSOStartURL string

	// SSORegion specifies the region for the AWS IAM Identity Center user portal, legacy option.
	SSORegion string

	// SSORegistrationScopes specifies registration scopes for the AWS IAM Identity Center user portal.
	SSORegistrationScopes string

	// SSOAccountID specifies the AWS account ID for the profile.
	SSOAccountID string

	// SSORoleName specifies the AWS IAM Role name to target.
	SSORoleName string

	// SSOUseStdout specifies that the system browser should not be automatically opened
	SSOUseStdout bool

	// SessionTags specifies assumed role Session Tags
	SessionTags map[string]string

	// TransitiveSessionTags specifies assumed role Transitive Session Tags keys
	TransitiveSessionTags []string

	// SourceIdentity specifies assumed role Source Identity
	SourceIdentity string

	// CredentialProcess specifies external command to run to get an AWS credential.
	// Like MfaProcess and WebIdentityTokenProcess it is executed, so the config
	// file supplying it must be trusted.
	CredentialProcess string
}

ProfileConfig is a collection of configuration options for creating temporary credentials

func (*ProfileConfig) GetSessionTokenDuration

func (c *ProfileConfig) GetSessionTokenDuration() time.Duration

func (*ProfileConfig) HasCredentialProcess

func (c *ProfileConfig) HasCredentialProcess() bool

func (*ProfileConfig) HasMfaSerial

func (c *ProfileConfig) HasMfaSerial() bool

func (*ProfileConfig) HasRole

func (c *ProfileConfig) HasRole() bool

func (*ProfileConfig) HasSSOSession

func (c *ProfileConfig) HasSSOSession() bool

func (*ProfileConfig) HasSSOStartURL

func (c *ProfileConfig) HasSSOStartURL() bool

func (*ProfileConfig) HasSourceProfile

func (c *ProfileConfig) HasSourceProfile() bool

func (*ProfileConfig) HasWebIdentity

func (c *ProfileConfig) HasWebIdentity() bool

func (*ProfileConfig) IsChained

func (c *ProfileConfig) IsChained() bool

func (*ProfileConfig) SetSessionTags

func (c *ProfileConfig) SetSessionTags(s string) error

SetSessionTags parses a comma separated key=value string and sets Config.SessionTags map

func (*ProfileConfig) SetTransitiveSessionTags

func (c *ProfileConfig) SetTransitiveSessionTags(s string)

SetTransitiveSessionTags parses a comma separated string and sets Config.TransitiveSessionTags

type ProfileSection

// ProfileSection is a profile section of the config file. Each ini tag names
// the key under which the field is read from and written to ~/.aws/config;
// Name is derived from the section header rather than a key.
type ProfileSection struct {
	Name                    string `ini:"-"`
	MfaSerial               string `ini:"mfa_serial,omitempty"`
	RoleARN                 string `ini:"role_arn,omitempty"`
	ExternalID              string `ini:"external_id,omitempty"`
	Region                  string `ini:"region,omitempty"`
	RoleSessionName         string `ini:"role_session_name,omitempty"`
	DurationSeconds         uint   `ini:"duration_seconds,omitempty"`
	SourceProfile           string `ini:"source_profile,omitempty"`
	IncludeProfile          string `ini:"include_profile,omitempty"`
	SSOSession              string `ini:"sso_session,omitempty"`
	SSOStartURL             string `ini:"sso_start_url,omitempty"`
	SSORegion               string `ini:"sso_region,omitempty"`
	SSOAccountID            string `ini:"sso_account_id,omitempty"`
	SSORoleName             string `ini:"sso_role_name,omitempty"`
	WebIdentityTokenFile    string `ini:"web_identity_token_file,omitempty"`
	WebIdentityTokenProcess string `ini:"web_identity_token_process,omitempty"`
	STSRegionalEndpoints    string `ini:"sts_regional_endpoints,omitempty"`
	SessionTags             string `ini:"session_tags,omitempty"`
	TransitiveSessionTags   string `ini:"transitive_session_tags,omitempty"`
	SourceIdentity          string `ini:"source_identity,omitempty"`
	// CredentialProcess, MfaProcess and WebIdentityTokenProcess are commands
	// that get executed; they come from the config file, so its integrity matters.
	CredentialProcess       string `ini:"credential_process,omitempty"`
	MfaProcess              string `ini:"mfa_process,omitempty"`
}

ProfileSection is a profile section of the config file

func (ProfileSection) IsEmpty

func (s ProfileSection) IsEmpty() bool

type SSORoleCredentialsProvider

// SSORoleCredentialsProvider creates temporary credentials for an SSO Role.
type SSORoleCredentialsProvider struct {
	// OIDCClient is the SSO OIDC client used to obtain an access token.
	OIDCClient     *ssooidc.Client
	// OIDCTokenCache caches OIDC tokens keyed by StartURL.
	OIDCTokenCache OIDCTokenCacher
	// StartURL is the AWS IAM Identity Center user portal URL.
	StartURL       string
	// SSOClient is the SSO client used for GetRoleCredentials.
	SSOClient      *sso.Client
	// AccountID is the AWS account ID the role lives in.
	AccountID      string
	// RoleName is the IAM role name to obtain credentials for.
	RoleName       string
	// UseStdout, when true, prevents the system browser from being opened
	// automatically (see ProfileConfig.SSOUseStdout).
	UseStdout      bool
}

SSORoleCredentialsProvider creates temporary credentials for an SSO Role.

func (*SSORoleCredentialsProvider) Retrieve

Retrieve generates a new set of temporary credentials using SSO GetRoleCredentials.

func (*SSORoleCredentialsProvider) RetrieveStsCredentials added in v7.2.0

func (p *SSORoleCredentialsProvider) RetrieveStsCredentials(ctx context.Context) (*ststypes.Credentials, error)

type SSOSessionSection

// SSOSessionSection is a [sso-session] section of the config file. The ini
// tags name the keys read from and written to ~/.aws/config.
type SSOSessionSection struct {
	Name                  string `ini:"-"`
	SSOStartURL           string `ini:"sso_start_url,omitempty"`
	SSORegion             string `ini:"sso_region,omitempty"`
	SSORegistrationScopes string `ini:"sso_registration_scopes,omitempty"`
}

SSOSessionSection is a [sso-session] section of the config file

type SessionKeyring

// SessionKeyring caches STS session credentials in a keyring.Keyring, keyed
// by SessionMetadata.
type SessionKeyring struct {
	// Keyring is the underlying secret store.
	Keyring keyring.Keyring
}

func (*SessionKeyring) Get

func (sk *SessionKeyring) Get(key SessionMetadata) (creds *ststypes.Credentials, err error)

func (*SessionKeyring) GetAllMetadata

func (sk *SessionKeyring) GetAllMetadata() (mm []SessionMetadata, err error)

func (*SessionKeyring) Has

func (sk *SessionKeyring) Has(key SessionMetadata) (bool, error)

func (*SessionKeyring) Keys

func (sk *SessionKeyring) Keys() (kk []SessionMetadata, err error)

func (*SessionKeyring) Remove

func (sk *SessionKeyring) Remove(key SessionMetadata) error

func (*SessionKeyring) RemoveAll

func (sk *SessionKeyring) RemoveAll() (n int, err error)

func (*SessionKeyring) RemoveForProfile

func (sk *SessionKeyring) RemoveForProfile(profileName string) (n int, err error)

func (*SessionKeyring) RemoveOldSessions

func (sk *SessionKeyring) RemoveOldSessions() (n int, err error)

func (*SessionKeyring) Set

type SessionMetadata

// SessionMetadata identifies a cached STS session in the SessionKeyring and
// round-trips through String and NewSessionKeyFromString.
type SessionMetadata struct {
	// Type is the kind of session. NOTE(review): presumably the STS operation
	// that produced it — confirm against the provider implementations.
	Type        string
	// ProfileName is the profile the session was created for.
	ProfileName string
	// MfaSerial is the MFA device used for the session, if any.
	MfaSerial   string
	// Expiration is when the cached credentials expire.
	Expiration  time.Time
}

func NewSessionKeyFromString

func NewSessionKeyFromString(s string) (SessionMetadata, error)

func (*SessionMetadata) String

func (k *SessionMetadata) String() string

func (*SessionMetadata) StringForMatching

func (k *SessionMetadata) StringForMatching() string

type SessionTokenProvider

// SessionTokenProvider retrieves temporary credentials from STS using GetSessionToken.
type SessionTokenProvider struct {
	// StsClient is the STS client used for the GetSessionToken call.
	StsClient *sts.Client
	// Duration is the requested lifetime of the session credentials; see
	// DefaultSessionDuration and DefaultChainedSessionDuration.
	Duration  time.Duration
	// Embedded Mfa supplies the MFA device options and GetMfaToken.
	Mfa
}

SessionTokenProvider retrieves temporary credentials from STS using GetSessionToken

func (*SessionTokenProvider) Retrieve

Retrieve generates a new set of temporary credentials using STS GetSessionToken

func (*SessionTokenProvider) RetrieveStsCredentials added in v7.2.0

func (p *SessionTokenProvider) RetrieveStsCredentials(ctx context.Context) (*ststypes.Credentials, error)

RetrieveStsCredentials generates a new set of temporary credentials using STS GetSessionToken

type StsSessionProvider added in v7.2.0

// StsSessionProvider is an aws.CredentialsProvider that can also return the
// raw STS credentials; CachedSessionProvider wraps one and caches its
// results in a SessionKeyring.
type StsSessionProvider interface {
	aws.CredentialsProvider
	// RetrieveStsCredentials returns the STS credentials for a new session.
	RetrieveStsCredentials(ctx context.Context) (*ststypes.Credentials, error)
}

type TempCredentialsCreator added in v7.2.0

// TempCredentialsCreator builds the aws.CredentialsProvider for a profile;
// GetProviderForProfile is its entry point.
type TempCredentialsCreator struct {
	// Keyring holds the master credentials that providers are built from.
	Keyring *CredentialKeyring
	// DisableSessions will disable the use of GetSessionToken
	DisableSessions bool
	// DisableCache will disable the use of the session cache (the SessionKeyring
	// used by CachedSessionProvider), so every call goes to STS.
	DisableCache bool
	// DisableSessionsForProfile is a profile for which sessions should not be used
	DisableSessionsForProfile string
	// contains filtered or unexported fields
}

func (*TempCredentialsCreator) GetProviderForProfile added in v7.2.0

func (t *TempCredentialsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error)
