Documentation
¶
Overview ¶
Package stscreds are credential Providers to retrieve STS AWS credentials.
STS provides multiple ways to retrieve credentials which can be used when making future AWS service API operation calls.
The SDK will ensure that per instance of credentials.Credentials all requests to refresh the credentials will be synchronized. But, the SDK is unable to ensure synchronous usage of the AssumeRoleProvider if the value is shared between multiple Credentials or service clients.
Assume Role ¶
To assume an IAM role using STS with the SDK you can create a new Credentials with the SDKs's stscreds package.
// Initial credentials loaded from SDK's default credential chain. Such as
// the environment, shared credentials (~/.aws/credentials), or EC2 Instance
// Role. These credentials will be used to to make the STS Assume Role API.
cfg, err := config.LoadDefaultConfig(context.TODO())
if err != nil {
panic(err)
}
// Create the credentials from AssumeRoleProvider to assume the role
// referenced by the "myRoleARN" ARN.
stsSvc := sts.NewFromConfig(cfg)
creds := stscreds.NewAssumeRoleProvider(stsSvc, "myRoleArn")
cfg.Credentials = &aws.CredentialsCache{Provider: creds}
// Create service client value configured for credentials
// from assumed role.
svc := s3.NewFromConfig(cfg)
Assume Role with static MFA Token ¶
To assume an IAM role with a MFA token you can either specify a MFA token code directly or provide a function to prompt the user each time the credentials need to refresh the role's credentials. Specifying the TokenCode should be used for short lived operations that will not need to be refreshed, and when you do not want to have direct control over the user provides their MFA token.
With TokenCode the AssumeRoleProvider will be not be able to refresh the role's credentials.
cfg, err := config.LoadDefaultConfig(context.TODO())
if err != nil {
panic(err)
}
// Create the credentials from AssumeRoleProvider to assume the role
// referenced by the "myRoleARN" ARN using the MFA token code provided.
creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), "myRoleArn", func(o *stscreds.AssumeRoleOptions) {
o.SerialNumber = aws.String("myTokenSerialNumber")
o.TokenCode = aws.String("00000000")
})
cfg.Credentials = &aws.CredentialsCache{Provider: creds}
// Create service client value configured for credentials
// from assumed role.
svc := s3.NewFromConfig(cfg)
Assume Role with MFA Token Provider ¶
To assume an IAM role with MFA for longer running tasks where the credentials may need to be refreshed setting the TokenProvider field of AssumeRoleProvider will allow the credential provider to prompt for new MFA token code when the role's credentials need to be refreshed.
The StdinTokenProvider function is available to prompt on stdin to retrieve the MFA token code from the user. You can also implement custom prompts by satisfying the TokenProvider function signature.
Using StdinTokenProvider with multiple AssumeRoleProviders, or Credentials will have undesirable results as the StdinTokenProvider will not be synchronized. A single Credentials with an AssumeRoleProvider can be shared safely.
cfg, err := config.LoadDefaultConfig(context.TODO())
if err != nil {
panic(err)
}
// Create the credentials from AssumeRoleProvider to assume the role
// referenced by the "myRoleARN" ARN using the MFA token code provided.
creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), "myRoleArn", func(o *stscreds.AssumeRoleOptions) {
o.SerialNumber = aws.String("myTokenSerialNumber")
o.TokenProvider = stscreds.StdinTokenProvider
})
cfg.Credentials = &aws.CredentialsCache{Provider: creds}
// Create service client value configured for credentials
// from assumed role.
svc := s3.NewFromConfig(cfg)
Index ¶
Constants ¶
const ProviderName = "AssumeRoleProvider"
ProviderName provides a name of AssumeRole provider
const (
// WebIdentityProviderName is the web identity provider name
WebIdentityProviderName = "WebIdentityCredentials"
)
Variables ¶
var DefaultDuration = time.Duration(15) * time.Minute
DefaultDuration is the default amount of time in minutes that the credentials will be valid for.
Functions ¶
func StdinTokenProvider ¶
StdinTokenProvider will prompt on stdout and read from stdin for a string value. An error is returned if reading from stdin fails.
Use this function go read MFA tokens from stdin. The function makes no attempt to make atomic prompts from stdin across multiple gorouties.
Using StdinTokenProvider with multiple AssumeRoleProviders, or Credentials will have undesirable results as the StdinTokenProvider will not be synchronized. A single Credentials with an AssumeRoleProvider can be shared safely
Will wait forever until something is provided on the stdin.
Types ¶
type AssumeRoleAPIClient ¶
type AssumeRoleAPIClient interface {
AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
}
AssumeRoleAPIClient is a client capable of the STS AssumeRole operation.
type AssumeRoleOptions ¶
type AssumeRoleOptions struct {
// Client implementation of the AssumeRole operation. Required
Client AssumeRoleAPIClient
// IAM Role ARN to be assumed. Required
RoleARN string
// Session name, if you wish to uniquely identify this session.
RoleSessionName string
// Expiry duration of the STS credentials. Defaults to 15 minutes if not set.
Duration time.Duration
// Optional ExternalID to pass along, defaults to nil if not set.
ExternalID *string
// The policy plain text must be 2048 bytes or shorter. However, an internal
// conversion compresses it into a packed binary format with a separate limit.
// The PackedPolicySize response element indicates by percentage how close to
// the upper size limit the policy is, with 100% equaling the maximum allowed
// size.
Policy *string
// The ARNs of IAM managed policies you want to use as managed session policies.
// The policies must exist in the same account as the role.
//
// This parameter is optional. You can provide up to 10 managed policy ARNs.
// However, the plain text that you use for both inline and managed session
// policies can't exceed 2,048 characters.
//
// An AWS conversion compresses the passed session policies and session tags
// into a packed binary format that has a separate limit. Your request can fail
// for this limit even if your plain text meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
// policy and the session policies. You can use the role's temporary credentials
// in subsequent AWS API calls to access resources in the account that owns
// the role. You cannot use session policies to grant more permissions than
// those allowed by the identity-based policy of the role that is being assumed.
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
PolicyARNs []types.PolicyDescriptorType
// The identification number of the MFA device that is associated with the user
// who is making the AssumeRole call. Specify this value if the trust policy
// of the role being assumed includes a condition that requires MFA authentication.
// The value is either the serial number for a hardware device (such as GAHT12345678)
// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
SerialNumber *string
// Async method of providing MFA token code for assuming an IAM role with MFA.
// The value returned by the function will be used as the TokenCode in the Retrieve
// call. See StdinTokenProvider for a provider that prompts and reads from stdin.
//
// This token provider will be called when ever the assumed role's
// credentials need to be refreshed when SerialNumber is also set and
// TokenCode is not set.
//
// If both TokenCode and TokenProvider is set, TokenProvider will be used and
// TokenCode is ignored.
TokenProvider func() (string, error)
}
AssumeRoleOptions is the configurable options for AssumeRoleProvider
type AssumeRoleProvider ¶
type AssumeRoleProvider struct {
// contains filtered or unexported fields
}
AssumeRoleProvider retrieves temporary credentials from the STS service, and keeps track of their expiration time.
This credential provider will be used by the SDKs default credential change when shared configuration is enabled, and the shared config or shared credentials file configure assume role. See Session docs for how to do this.
AssumeRoleProvider does not provide any synchronization and it is not safe to share this value across multiple Credentials, Sessions, or service clients without also sharing the same Credentials instance.
func NewAssumeRoleProvider ¶
func NewAssumeRoleProvider(client AssumeRoleAPIClient, roleARN string, optFns ...func(*AssumeRoleOptions)) *AssumeRoleProvider
NewAssumeRoleProvider constructs and returns a credentials provider that will retrieve credentials by assuming a IAM role using STS.
func (*AssumeRoleProvider) Retrieve ¶
func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, error)
Retrieve generates a new set of temporary credentials using STS.
type AssumeRoleWithWebIdentityAPIClient ¶
type AssumeRoleWithWebIdentityAPIClient interface {
AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error)
}
AssumeRoleWithWebIdentityAPIClient is a client capable of the STS AssumeRoleWithWebIdentity operation.
type IdentityTokenFile ¶
type IdentityTokenFile string
IdentityTokenFile is for retrieving an identity token from the given file name
func (IdentityTokenFile) GetIdentityToken ¶
func (j IdentityTokenFile) GetIdentityToken() ([]byte, error)
GetIdentityToken retrieves the JWT token from the file and returns the contents as a []byte
type IdentityTokenRetriever ¶
IdentityTokenRetriever is an interface for retrieving a JWT
type WebIdentityRoleOptions ¶
type WebIdentityRoleOptions struct {
// Client implementation of the AssumeRoleWithWebIdentity operation. Required
Client AssumeRoleWithWebIdentityAPIClient
// JWT Token Provider. Required
TokenRetriever IdentityTokenRetriever
// IAM Role ARN to assume. Required
RoleARN string
// Session name, if you wish to uniquely identify this session.
RoleSessionName string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you
// want to use as managed session policies. The policies must exist in the
// same account as the role.
PolicyARNs []types.PolicyDescriptorType
}
WebIdentityRoleOptions is a structure of configurable options for WebIdentityRoleProvider
type WebIdentityRoleProvider ¶
type WebIdentityRoleProvider struct {
// contains filtered or unexported fields
}
WebIdentityRoleProvider is used to retrieve credentials using an OIDC token.
func NewWebIdentityRoleProvider ¶
func NewWebIdentityRoleProvider(client AssumeRoleWithWebIdentityAPIClient, roleARN string, tokenRetriever IdentityTokenRetriever, optFns ...func(*WebIdentityRoleOptions)) *WebIdentityRoleProvider
NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the provided stsiface.ClientAPI
func (*WebIdentityRoleProvider) Retrieve ¶
func (p *WebIdentityRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, error)
Retrieve will attempt to assume a role from a token which is located at 'WebIdentityTokenFilePath' specified destination and if that is empty an error will be returned.
Source Files