package lambda

v1.12.38
Published: Apr 11, 2026 License: Apache-2.0 Imports: 20 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ErrCertificateNotFound = errors.New("no certificate found with the specified tag key/value pair")

ErrCertificateNotFound is returned when no certificate is found with the specified tag key/value pair.

Functions

func GetAWSLambdaRoleCertificate added in v1.12.23

func GetAWSLambdaRoleCertificate(athenzDomain, athenzService, athenzProvider, roleName, ztsUrl string, expiryTime int64, sanDNSDomains []string, spiffeTrustDomain string, csrSubjectFields util.CsrSubjectFields, rolePrincipalEmail bool, svcTLSCert *util.SiaCertData) (*util.SiaCertData, error)

GetAWSLambdaRoleCertificate retrieves a role certificate for the specified Athenz domain, service, provider, and role name. ZTS issues a role certificate only to a caller that authenticates with its service certificate, so the Athenz service certificate must be obtained first and passed in as svcTLSCert. On success it returns a SiaCertData object containing the role certificate and its private key.

func GetAWSLambdaServiceCertificate deprecated

func GetAWSLambdaServiceCertificate(ztsUrl, athenzProvider, athenzDomain, service, awsAccount string, sanDNSDomains []string, instanceIdSanDNS bool) (tls.Certificate, error)

Deprecated: Use the GetAthenzIdentity functions to obtain identity certificates.

func GetAthenzIdentity added in v1.11.38

func GetAthenzIdentity(athenzDomain, athenzService, athenzProvider, ztsUrl string, sanDNSDomains []string, spiffeTrustDomain string, csrSubjectFields util.CsrSubjectFields) (*util.SiaCertData, error)

func StoreAthenzIdentityInACM added in v1.12.29

func StoreAthenzIdentityInACM(certArn, certTagIdKey, certTagIdValue string, siaCertData *util.SiaCertData, addlTags map[string]string) (string, error)

StoreAthenzIdentityInACM stores the specified certificate in AWS ACM. If the certificate ARN is specified, the certificate in that entry is updated. If the ARN is not specified, the caller can instead specify a tag key/value pair (certTagIdKey, certTagIdValue) and the function will try to locate the certificate ARN that carries that tag. If no certificate is found, a new one is created with the given tag. On success, the function returns the ARN of the certificate that was created or updated.

func StoreAthenzIdentityInParameterStore added in v1.12.3

func StoreAthenzIdentityInParameterStore(athenzDomain, athenzService, parameterName, kmsId string, siaCertData *util.SiaCertData, isRoleCertificate bool) error

StoreAthenzIdentityInParameterStore stores the retrieved Athenz identity in the specified Parameter Store parameter as a SecureString, without the CA certificate. The secret is stored as JSON with the following keys:

"<domain>.<service>.cert.pem": "<x509-cert-pem>",
"<domain>.<service>.key.pem": "<pkey-pem>",
"time": <utc-timestamp>

The parameter specified by the name must be pre-created.

func StoreAthenzIdentityInParameterStoreCustomFormat added in v1.12.3

func StoreAthenzIdentityInParameterStoreCustomFormat(parameterName, kmsId string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string, isRoleCertificate bool) error

StoreAthenzIdentityInParameterStoreCustomFormat stores the retrieved Athenz identity in the specified Parameter Store parameter as a SecureString, without the CA certificate. The secret is stored as JSON with the following keys:

"<x509-cert-pem-key>": "<x509-cert-pem>",
"<private-pem-key>": "<pkey-pem>",
"<time-key>": <utc-timestamp>

It supports only three JSON fields, 'cert_pem', 'key_pem' and 'time', of which 'cert_pem' and 'key_pem' are mandatory. The resulting JSON contains the timestamp only if a name is mapped for the 'time' field. 'ca_pem' is ignored even if it is set.

Sample `jsonFieldMapper` map: {"cert_pem": "certPem", "key_pem": "keyPem"} results in JSON like

{ "certPem": "<x509-cert-pem>", "keyPem": "<pkey-pem>" }

The parameter specified by the name must be pre-created.

func StoreAthenzIdentityInSecretManager added in v1.11.38

func StoreAthenzIdentityInSecretManager(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, isRoleCertificate bool) error

StoreAthenzIdentityInSecretManager stores the retrieved Athenz identity in the specified secret. The secret is stored as JSON with the following keys:

"<domain>.<service>.cert.pem": "<x509-cert-pem>",
"<domain>.<service>.key.pem": "<pkey-pem>",
"ca.cert.pem": "<ca-cert-pem>",
"time": <utc-timestamp>

The secret specified by the name must be pre-created.

func StoreAthenzIdentityInSecretManagerCustomFormat added in v1.12.3

func StoreAthenzIdentityInSecretManagerCustomFormat(athenzDomain, athenzService, secretName string, siaCertData *util.SiaCertData, jsonFieldMapper map[string]string, isRoleCertificate bool, targetRoleArn string) error

StoreAthenzIdentityInSecretManagerCustomFormat stores the retrieved Athenz identity in the specified secret in a custom JSON format. The secret is stored as JSON with the following keys:

"<x509-cert-pem-key>": "<x509-cert-pem>",
"<private-pem-key>": "<pkey-pem>",
"<ca-cert-key>": "<ca-cert-pem>",
"<time-key>": <utc-timestamp>

It supports only four JSON fields: 'cert_pem', 'key_pem', 'ca_pem' and 'time'. Of these, 'cert_pem' and 'key_pem' are mandatory; the resulting JSON contains the CA certificate (X509CertificateSignerPem) and the timestamp only if the corresponding field names are mapped.

Sample `jsonFieldMapper` map: {"cert_pem": "certPem", "key_pem": "keyPem"} results in JSON like

{ "certPem": "<x509-cert-pem>", "keyPem": "<pkey-pem>" }

The secret specified by the name must be pre-created. If targetRoleArn is specified, the function assumes that role and uses the temporary credentials to access Secrets Manager; otherwise it uses the default credentials from the environment.
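
The four Store* functions above share one payload layout: a JSON object whose key names are either fixed ("<domain>.<service>.cert.pem", ...) or supplied through jsonFieldMapper, with cert_pem/key_pem mandatory, time optional, and ca_pem kept only by the Secrets Manager variants. The following Go program is an added example written for this page, not code from the Athenz sia library: it implements those mapping rules on the producer side, reads the payload back on the Lambda (consumer) side, and lets tls.X509KeyPair reject a certificate/key mismatch. The Identity struct, the function names, the encoding of <utc-timestamp> as Unix seconds and the self-signed test certificate are all assumptions made for the example; DefaultMapper shows that the fixed layouts are just one particular mapper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Identity holds the PEM material the Store* functions take from util.SiaCertData (field names assumed).
type Identity struct {
	CertPem string // leaf X.509 certificate, PEM
	KeyPem  string // matching private key, PEM
	CaPem   string // CA certificate, PEM (dropped by the Parameter Store variants)
}

// DefaultMapper reproduces the fixed key layout of the non-custom Store* functions.
func DefaultMapper(domain, service string) map[string]string {
	prefix := domain + "." + service
	return map[string]string{"cert_pem": prefix + ".cert.pem", "key_pem": prefix + ".key.pem",
		"ca_pem": "ca.cert.pem", "time": "time"}
}

// BuildSecretJSON applies the documented jsonFieldMapper rules: cert_pem and key_pem are mandatory,
// ca_pem and time are written only when mapped, and with includeCA=false ca_pem is ignored entirely.
func BuildSecretJSON(id Identity, mapper map[string]string, includeCA bool, now time.Time) ([]byte, error) {
	certKey, ok := mapper["cert_pem"]
	if !ok {
		return nil, errors.New("jsonFieldMapper must map cert_pem")
	}
	keyKey, ok := mapper["key_pem"]
	if !ok {
		return nil, errors.New("jsonFieldMapper must map key_pem")
	}
	out := map[string]any{certKey: id.CertPem, keyKey: id.KeyPem}
	if caKey, ok := mapper["ca_pem"]; ok && includeCA {
		out[caKey] = id.CaPem
	}
	if timeKey, ok := mapper["time"]; ok {
		out[timeKey] = now.UTC().Unix() // assumed encoding of the page's <utc-timestamp>
	}
	return json.Marshal(out)
}

// LoadIdentity is the consumer side: read the secret back with the same mapper and rebuild a
// tls.Certificate; tls.X509KeyPair rejects a certificate whose key does not match it.
func LoadIdentity(data []byte, mapper map[string]string) (tls.Certificate, int64, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return tls.Certificate{}, 0, err
	}
	var certPem, keyPem string
	var ts int64 // stays 0 when the timestamp was not mapped or not stored
	for name, dst := range map[string]any{"cert_pem": &certPem, "key_pem": &keyPem, "time": &ts} {
		v, ok := raw[mapper[name]]
		if !ok && name != "time" {
			return tls.Certificate{}, 0, errors.New("secret is missing mandatory field " + name)
		}
		if ok {
			if err := json.Unmarshal(v, dst); err != nil {
				return tls.Certificate{}, 0, err
			}
		}
	}
	cert, err := tls.X509KeyPair([]byte(certPem), []byte(keyPem))
	return cert, ts, err
}

// NewTestIdentity generates a throwaway P-256 key and self-signed certificate so the example
// runs offline. It is a constructed sample, not a real Athenz identity.
func NewTestIdentity() (Identity, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-domain.example-service"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDer, keyErr := x509.MarshalECPrivateKey(priv)
	if err != nil || keyErr != nil {
		return Identity{}, errors.Join(err, keyErr)
	}
	return Identity{
		CertPem: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		KeyPem:  string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDer})),
		CaPem:   "-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n",
	}, nil
}
```

On the consumer side the mapper used to read the secret must be the same one used to write it, so it belongs in configuration shared by the writer Lambda and the reader; LoadIdentity fails closed when a mandatory mapped key is absent, and a zero timestamp means the writer did not map 'time'.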

Types

type ACMClientInterface added in v1.12.29

type ACMClientInterface interface {
	ListCertificates(ctx context.Context, params *acm.ListCertificatesInput, optFns ...func(*acm.Options)) (*acm.ListCertificatesOutput, error)
	ListTagsForCertificate(ctx context.Context, params *acm.ListTagsForCertificateInput, optFns ...func(*acm.Options)) (*acm.ListTagsForCertificateOutput, error)
	AddTagsToCertificate(ctx context.Context, params *acm.AddTagsToCertificateInput, optFns ...func(*acm.Options)) (*acm.AddTagsToCertificateOutput, error)
}

ACMClientInterface defines the interface for the ACM client operations used by StoreAthenzIdentityInACM.
