Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CacheFilename ¶
func CacheFilename() string
CacheFilename returns the name of the credential cache file, which can either be set by environment variable, or use the default of ~/.kube/cache/aws-iam-authenticator/credentials.yaml
func StdinStderrTokenProvider ¶
StdinStderrTokenProvider gets MFA token from standard input.
func UserHomeDir ¶
func UserHomeDir() string
UserHomeDir returns the home directory for the user the process is running under.
Types ¶
type FileCacheProvider ¶
type FileCacheProvider struct {
// contains filtered or unexported fields
}
FileCacheProvider is a Provider implementation that wraps an underlying Provider (contained in Credentials) and provides caching support for credentials for the specified clusterID, profile, and roleARN (contained in cacheKey)
func NewFileCacheProvider ¶
func NewFileCacheProvider(clusterID, profile, roleARN string, creds *credentials.Credentials) (FileCacheProvider, error)
NewFileCacheProvider creates a new Provider implementation that wraps a provided Credentials, and works with an on disk cache to speed up credential usage when the cached copy is not expired. If there are any problems accessing or initializing the cache, an error will be returned, and callers should just use the existing credentials provider.
func (*FileCacheProvider) ExpiresAt ¶
func (f *FileCacheProvider) ExpiresAt() time.Time
ExpiresAt implements the Expirer interface, and gives access to the expiration time of the credential
func (*FileCacheProvider) IsExpired ¶
func (f *FileCacheProvider) IsExpired() bool
IsExpired() implements the Provider interface, deferring to the cached credential first, but fall back to the underlying Provider if it is expired.
func (*FileCacheProvider) Retrieve ¶
func (f *FileCacheProvider) Retrieve() (credentials.Value, error)
Retrieve() implements the Provider interface, returning the cached credential if is not expired, otherwise fetching the credential from the underlying Provider and caching the results on disk with an expiration time.
type FormatError ¶
type FormatError struct {
// contains filtered or unexported fields
}
FormatError is returned when there is a problem with token that is an encoded sts request. This can include the url, data, action or anything else that prevents the sts call from being made.
func (FormatError) Error ¶
func (e FormatError) Error() string
type Generator ¶
type Generator interface {
// Get a token using credentials in the default credentials chain.
Get(string) (Token, error)
// GetWithRole creates a token by assuming the provided role, using the credentials in the default chain.
GetWithRole(clusterID, roleARN string) (Token, error)
// GetWithRoleForSession creates a token by assuming the provided role, using the provided session.
GetWithRoleForSession(clusterID string, roleARN string, sess *session.Session) (Token, error)
// Get a token using the provided options
GetWithOptions(options *GetTokenOptions) (Token, error)
// GetWithSTS returns a token valid for clusterID using the given STS client.
GetWithSTS(clusterID string, stsAPI stsiface.STSAPI) (Token, error)
// FormatJSON returns the client auth formatted json for the ExecCredential auth
FormatJSON(Token) string
}
Generator provides new tokens for the AWS IAM Authenticator.
type GetTokenOptions ¶
type GetTokenOptions struct {
Region string
ClusterID string
AssumeRoleARN string
AssumeRoleExternalID string
SessionName string
Session *session.Session
}
GetTokenOptions is passed to GetWithOptions to provide an extensible get token interface
type Identity ¶
type Identity struct {
// ARN is the raw Amazon Resource Name returned by sts:GetCallerIdentity
ARN string
// CanonicalARN is the Amazon Resource Name converted to a more canonical
// representation. In particular, STS assumed role ARNs like
// "arn:aws:sts::ACCOUNTID:assumed-role/ROLENAME/SESSIONNAME" are converted
// to their IAM ARN equivalent "arn:aws:iam::ACCOUNTID:role/NAME"
CanonicalARN string
// AccountID is the 12 digit AWS account number.
AccountID string
// UserID is the unique user/role ID (e.g., "AROAAAAAAAAAAAAAAAAAA").
UserID string
// SessionName is the STS session name (or "" if this is not a
// session-based identity). For EC2 instance roles, this will be the EC2
// instance ID (e.g., "i-0123456789abcdef0"). You should only rely on it
// if you trust that _only_ EC2 is allowed to assume the IAM Role. If IAM
// users or other roles are allowed to assume the role, they can provide
// (nearly) arbitrary strings here.
SessionName string
// The AWS Access Key ID used to authenticate the request. This can be used
// in conjunction with CloudTrail to determine the identity of the individual
// if the individual assumed an IAM role before making the request.
AccessKeyID string
}
Identity is returned on successful Verify() results. It contains a parsed version of the AWS identity used to create the token.
type STSError ¶
type STSError struct {
// contains filtered or unexported fields
}
STSError is returned when there was either an error calling STS or a problem processing the data returned from STS.
type Token ¶
Token is generated and used by Kubernetes client-go to authenticate with a Kubernetes cluster.
type Verifier ¶
Verifier validates tokens by calling STS and returning the associated identity.
func NewVerifier ¶
NewVerifier creates a Verifier that is bound to the clusterID and uses the default http client.
Source Files