credentialexchange

package
v0.14.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 24, 2024 License: MIT Imports: 16 Imported by: 0

Documentation

Overview

credentialexchange

Handles all the main flows for exchanging credentials for AWS temporary creds.

Currently supports SAML as posted by an IdP to an ACS endpoint in AWS AWS_WEB_IDENTITY_TOKEN_FILE and optionally can specify the exact role to choose,

if the TOKEN corresponds to the `chained role`.

Index

Constants

View Source 
const (
	SELF_NAME        = "aws-cli-auth"
	WEB_ID_TOKEN_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE"
	AWS_ROLE_ARN     = "AWS_ROLE_ARN"
	INI_CONF_SECTION = "role"
)

Variables

View Source 
var (
	ErrUnableAssume        = errors.New("unable to assume")
	ErrUnableSessionCreate = errors.New("unable to create a sesion")
	ErrTokenExpired        = errors.New("token expired")
	ErrMissingEnvVar       = errors.New("missing env var")
	ErrUnmarshalCred       = errors.New("unable to unmarshal credential from string")
)
View Source 
var (
	ErrSectionNotFound = errors.New("section not found")
	ErrConfigFailure   = errors.New("config error")
)
View Source 
var (
	ErrUnableToLoadAWSCred        = errors.New("unable to laod AWS credential")
	ErrCannotLockDir              = errors.New("unable to create lock dir")
	ErrUnableToRetrieveSections   = errors.New("unable to retrieve sections")
	ErrUnableToLoadDueToLock      = errors.New("cannot load secret due to lock error")
	ErrUnableToAcquireLock        = errors.New("cannot acquire lock")
	ErrUnmarshallingSecret        = errors.New("cannot unmarshal secret")
	ErrFailedToClearSecretStorage = errors.New("failed to clear secret storage on OS")
)

Functions

func ConfigIniFile 

func ConfigIniFile(basePath string) string

func GetWebIdTokenFileContents 

func GetWebIdTokenFileContents() (string, error)

GetWebIdTokenFileContents reads the contents of the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable. Used only with specific assume

func HomeDir 

func HomeDir() string

func IsValid 

func IsValid(ctx context.Context, currentCreds *AWSCredentials, reloadBeforeTime int, svc AuthSamlApi) (bool, error)

IsValid checks current credentials and returns them if they are still valid if reloadTimeBefore is less than time left on the creds then it will re-request a login

func KeyRoleConverter 

func KeyRoleConverter(key string) string

KeyRoleConverter Converts a key back to a role

func MergeRoleChain added in v0.13.3 

func MergeRoleChain(role string, roleChain []string, insertRoleIntoChain bool) []string

MergeRoleChain inserts the main role into the role chain.

This is mainly used with AWS SSO flow where the SSO user credentials are used to assume the target role(s).

func ReloadBeforeExpiry 

func ReloadBeforeExpiry(expiry time.Time, reloadBeforeSeconds int) bool

ReloadBeforeExpiry returns true if the time to expiry is less than the specified time in seconds false if there is more than required time in seconds before needing to recycle credentials

func RoleKeyConverter 

func RoleKeyConverter(role string) string

RoleKeyConverter converts a role to a key used for storing in key store

func SessionName 

func SessionName(username, selfName string) string

func SetCredentials 

func SetCredentials(creds *AWSCredentials, config CredentialConfig) error

func WriteIniSection 

func WriteIniSection(role string) error

WriteIniSection update ini sections in own config file

Types

type AWSCredentials 

type AWSCredentials struct {
	Version         int
	AWSAccessKey    string    `json:"AccessKeyId"`
	AWSSecretKey    string    `json:"SecretAccessKey"`
	AWSSessionToken string    `json:"SessionToken"`
	PrincipalARN    string    `json:"-"`
	Expires         time.Time `json:"Expiration"`
}

AWSCredentials is a representation of the returned credential

func AssumeRoleInChain added in v0.12.0 

func AssumeRoleInChain(ctx context.Context, baseCreds *AWSCredentials, svc AuthSamlApi, username string, roles []string) (*AWSCredentials, error)

AssumeRoleInChain loops over all the roles provided

func LoginAwsWebToken 

func LoginAwsWebToken(ctx context.Context, username string, svc authWebTokenApi) (*AWSCredentials, error)

LoginAwsWebToken

func LoginStsSaml 

func LoginStsSaml(ctx context.Context, samlResponse string, role AWSRole, svc AuthSamlApi) (*AWSCredentials, error)

LoginStsSaml exchanges saml response for STS creds

func (*AWSCredentials) FromRoleCredString added in v0.12.0 

func (a *AWSCredentials) FromRoleCredString(cred string) (*AWSCredentials, error)

type AWSRole 

type AWSRole struct {
	RoleARN      string
	PrincipalARN string
	Name         string
	Duration     int
}

AWSRole aws role attributes

type AWSRoleConfig 

type AWSRoleConfig struct {
	RoleARN      string
	PrincipalARN string
	Name         string
}

AWSRole aws role attributes

type AuthSamlApi 

type AuthSamlApi interface {
	AssumeRoleWithSAML(ctx context.Context, params *sts.AssumeRoleWithSAMLInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithSAMLOutput, error)
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
}

type BaseConfig 

type BaseConfig struct {
	Role                 string
	RoleChain            []string
	Username             string
	CfgSectionName       string
	StoreInProfile       bool
	DoKillHangingProcess bool
	ReloadBeforeTime     int
}

type CredentialConfig added in v0.12.0 

type CredentialConfig struct {
	BaseConfig         BaseConfig
	ProviderUrl        string
	PrincipalArn       string
	AcsUrl             string
	Duration           int
	IsSso              bool
	SsoRegion          string
	SsoRole            string
	SsoUserEndpoint    string
	SsoCredFedEndpoint string
}

type SecretStore 

type SecretStore struct {
	AWSCredentials *AWSCredentials
	AWSCredJson    string
	// contains filtered or unexported fields
}

SecretStore

func NewSecretStore 

func NewSecretStore(roleArn, namer, baseDir, username string) (*SecretStore, error)

func (*SecretStore) AWSCredential 

func (s *SecretStore) AWSCredential() (*AWSCredentials, error)

func (*SecretStore) Clear 

func (s *SecretStore) Clear() error

func (*SecretStore) ClearAll 

func (s *SecretStore) ClearAll() error

ClearAll loops through all the sections in the INI file deletes them from the keychain implementation on the OS

func (*SecretStore) SaveAWSCredential 

func (s *SecretStore) SaveAWSCredential(cred *AWSCredentials) error

func (*SecretStore) WithKeyring 

func (s *SecretStore) WithKeyring(keyring keyring.Keyring) *SecretStore

func (*SecretStore) WithLocker 

func (s *SecretStore) WithLocker(locker lockgate.Locker) *SecretStore

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.