Overview ¶
credentialexchange
Handles all the main flows for exchanging credentials for AWS temporary creds.
Currently supports SAML responses as posted by an IdP to an AWS ACS endpoint, and web identity tokens read via AWS_WEB_IDENTITY_TOKEN_FILE; optionally the exact role to choose can be specified,
if the token corresponds to the `chained role`.
Index ¶
- Constants
- Variables
- func ConfigIniFile(basePath string) string
- func GetWebIdTokenFileContents() (string, error)
- func HomeDir() string
- func IsValid(ctx context.Context, currentCreds *AWSCredentials, reloadBeforeTime int, ...) (bool, error)
- func KeyRoleConverter(key string) string
- func MergeRoleChain(role string, roleChain []string, insertRoleIntoChain bool) []string
- func ReloadBeforeExpiry(expiry time.Time, reloadBeforeSeconds int) bool
- func RoleKeyConverter(role string) string
- func SessionName(username, selfName string) string
- func SetCredentials(creds *AWSCredentials, config CredentialConfig) error
- func WriteIniSection(role string) error
- type AWSCredentials
- func AssumeRoleInChain(ctx context.Context, baseCreds *AWSCredentials, svc AuthSamlApi, ...) (*AWSCredentials, error)
- func LoginAwsWebToken(ctx context.Context, username string, svc authWebTokenApi) (*AWSCredentials, error)
- func LoginStsSaml(ctx context.Context, samlResponse string, role AWSRole, svc AuthSamlApi) (*AWSCredentials, error)
- type AWSRole
- type AWSRoleConfig
- type AuthSamlApi
- type BaseConfig
- type CredentialConfig
- type SecretStore
- func (s *SecretStore) AWSCredential() (*AWSCredentials, error)
- func (s *SecretStore) Clear() error
- func (s *SecretStore) ClearAll() error
- func (s *SecretStore) SaveAWSCredential(cred *AWSCredentials) error
- func (s *SecretStore) WithKeyring(keyring keyring.Keyring) *SecretStore
- func (s *SecretStore) WithLocker(locker lockgate.Locker) *SecretStore
Constants ¶
const (
	// SELF_NAME is the tool's own name; presumably the selfName passed to SessionName.
	SELF_NAME = "aws-cli-auth"
	// WEB_ID_TOKEN_VAR is the environment variable consulted by GetWebIdTokenFileContents.
	WEB_ID_TOKEN_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE"
	// AWS_ROLE_ARN is the name of the environment variable carrying the role ARN
	// (presumably read alongside WEB_ID_TOKEN_VAR in the web identity flow).
	AWS_ROLE_ARN = "AWS_ROLE_ARN"
	// INI_CONF_SECTION is the section name used in the tool's own INI config file
	// (see WriteIniSection).
	INI_CONF_SECTION = "role"
)
Variables ¶
var (
	// ErrUnableAssume: an assume-role call did not yield credentials.
	ErrUnableAssume = errors.New("unable to assume")
	// ErrUnableSessionCreate: a session could not be created.
	// NOTE(review): the message misspells "session" as "sesion"; do not match on the text.
	ErrUnableSessionCreate = errors.New("unable to create a sesion")
	// ErrTokenExpired: the supplied token is past its expiry.
	ErrTokenExpired = errors.New("token expired")
	// ErrMissingEnvVar: a required environment variable (e.g. WEB_ID_TOKEN_VAR) is unset.
	ErrMissingEnvVar = errors.New("missing env var")
	// ErrUnmarshalCred: a credential string could not be decoded (see FromRoleCredString).
	ErrUnmarshalCred = errors.New("unable to unmarshal credential from string")
)
var (
	// ErrSectionNotFound: the requested INI section does not exist.
	ErrSectionNotFound = errors.New("section not found")
	// ErrConfigFailure: reading or writing the INI config failed.
	ErrConfigFailure = errors.New("config error")
)
var (
	// ErrUnableToLoadAWSCred: the stored credential could not be loaded.
	// NOTE(review): the message misspells "load" as "laod"; compare with errors.Is, not the text.
	ErrUnableToLoadAWSCred = errors.New("unable to laod AWS credential")
	// ErrCannotLockDir: the directory used for lock files could not be created.
	ErrCannotLockDir = errors.New("unable to create lock dir")
	// ErrUnableToRetrieveSections: INI sections could not be listed (see ClearAll).
	ErrUnableToRetrieveSections = errors.New("unable to retrieve sections")
	// ErrUnableToLoadDueToLock: the secret was not read because the locker returned an error.
	ErrUnableToLoadDueToLock = errors.New("cannot load secret due to lock error")
	// ErrUnableToAcquireLock: the locker refused or timed out acquiring the lock.
	ErrUnableToAcquireLock = errors.New("cannot acquire lock")
	// ErrUnmarshallingSecret: the secret read from the keyring could not be decoded.
	ErrUnmarshallingSecret = errors.New("cannot unmarshal secret")
	// ErrFailedToClearSecretStorage: deleting a secret from the OS keychain failed.
	ErrFailedToClearSecretStorage = errors.New("failed to clear secret storage on OS")
)
Functions ¶
func ConfigIniFile ¶
func GetWebIdTokenFileContents ¶
GetWebIdTokenFileContents reads the contents of the token file named by the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable. Used only with specific assume flows.
func IsValid ¶
func IsValid(ctx context.Context, currentCreds *AWSCredentials, reloadBeforeTime int, svc AuthSamlApi) (bool, error)
IsValid checks the current credentials and reports whether they are still valid. If the time left on the credentials is less than reloadBeforeTime seconds, it will re-request a login.
func KeyRoleConverter ¶
KeyRoleConverter converts a key store key back to a role.
func MergeRoleChain ¶ added in v0.13.3
MergeRoleChain inserts the main role into the role chain.
This is mainly used with AWS SSO flow where the SSO user credentials are used to assume the target role(s).
func ReloadBeforeExpiry ¶
ReloadBeforeExpiry returns true if the time to expiry is less than the specified time in seconds, and false if there is more than the required time in seconds before the credentials need to be recycled.
func RoleKeyConverter ¶
RoleKeyConverter converts a role to the key used for storing it in the key store.
func SessionName ¶
func SetCredentials ¶
func SetCredentials(creds *AWSCredentials, config CredentialConfig) error
func WriteIniSection ¶
WriteIniSection updates the INI section for role in the tool's own config file.
Types ¶
type AWSCredentials ¶
// AWSCredentials is the temporary credential set returned by an exchange.
// AWSSecretKey and AWSSessionToken are secrets: do not log or print them.
// The json tags match the AWS credential_process / Expiration naming, so
// this struct can be marshalled directly for that protocol.
type AWSCredentials struct {
	Version int // no json tag: serialised as "Version"
	// AWSAccessKey is the access key id (public half of the key pair).
	AWSAccessKey string `json:"AccessKeyId"`
	// AWSSecretKey is the secret access key; sensitive.
	AWSSecretKey string `json:"SecretAccessKey"`
	// AWSSessionToken is the STS session token; sensitive.
	AWSSessionToken string `json:"SessionToken"`
	// PrincipalARN is never serialised (json:"-"); presumably set from the
	// assume-role response for bookkeeping only.
	PrincipalARN string `json:"-"`
	// Expires is the credential expiry; compared against reloadBeforeSeconds
	// by ReloadBeforeExpiry.
	Expires time.Time `json:"Expiration"`
}
AWSCredentials is a representation of the returned temporary credential.
func AssumeRoleInChain ¶ added in v0.12.0
func AssumeRoleInChain(ctx context.Context, baseCreds *AWSCredentials, svc AuthSamlApi, username string, roles []string) (*AWSCredentials, error)
AssumeRoleInChain loops over all the roles provided, assuming each in turn starting from baseCreds, and returns the credentials of the last role.
func LoginAwsWebToken ¶
func LoginAwsWebToken(ctx context.Context, username string, svc authWebTokenApi) (*AWSCredentials, error)
LoginAwsWebToken exchanges a web identity token for temporary AWS credentials using svc.
func LoginStsSaml ¶
func LoginStsSaml(ctx context.Context, samlResponse string, role AWSRole, svc AuthSamlApi) (*AWSCredentials, error)
LoginStsSaml exchanges a SAML response for STS credentials for the given role.
func (*AWSCredentials) FromRoleCredString ¶ added in v0.12.0
func (a *AWSCredentials) FromRoleCredString(cred string) (*AWSCredentials, error)
type AWSRoleConfig ¶
AWSRoleConfig holds AWS role attributes.
type AuthSamlApi ¶
// AuthSamlApi is the subset of the STS API used by the SAML and role-chain
// flows. The method set matches the aws-sdk-go-v2 sts client, so a real
// client or a test double can be passed as svc.
type AuthSamlApi interface {
	// AssumeRoleWithSAML exchanges a SAML assertion for role credentials (LoginStsSaml).
	AssumeRoleWithSAML(ctx context.Context, params *sts.AssumeRoleWithSAMLInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithSAMLOutput, error)
	// GetCallerIdentity is presumably used by IsValid to probe whether the
	// current credentials still work.
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
	// AssumeRole is used to hop between roles (AssumeRoleInChain).
	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
}
type BaseConfig ¶
type CredentialConfig ¶ added in v0.12.0
type SecretStore ¶
// SecretStore persists an AWSCredentials in an OS keyring (see WithKeyring)
// with access serialised through a locker (see WithLocker).
type SecretStore struct {
	// AWSCredentials is the decoded credential, sensitive.
	AWSCredentials *AWSCredentials
	// AWSCredJson is presumably the serialised form of AWSCredentials as
	// written to / read from the keyring; it contains the secret key.
	AWSCredJson string
	// contains filtered or unexported fields
}
SecretStore stores AWS credentials in the OS keyring, with access coordinated through a locker.
func NewSecretStore ¶
func NewSecretStore(roleArn, namer, baseDir, username string) (*SecretStore, error)
func (*SecretStore) AWSCredential ¶
func (s *SecretStore) AWSCredential() (*AWSCredentials, error)
func (*SecretStore) Clear ¶
func (s *SecretStore) Clear() error
func (*SecretStore) ClearAll ¶
func (s *SecretStore) ClearAll() error
ClearAll loops through all the sections in the INI file and deletes each of them from the keychain implementation on the OS.
func (*SecretStore) SaveAWSCredential ¶
func (s *SecretStore) SaveAWSCredential(cred *AWSCredentials) error
func (*SecretStore) WithKeyring ¶
func (s *SecretStore) WithKeyring(keyring keyring.Keyring) *SecretStore
func (*SecretStore) WithLocker ¶
func (s *SecretStore) WithLocker(locker lockgate.Locker) *SecretStore