Documentation
Overview
Package vaultutil is a Go library that provides functions and helpers for working with Vault-provided cloud credentials.
Example of getting AWS credentials:

```go
package main

import (
	"fmt"
	"os"

	"github.com/fairwindsops/vaultutil"
)

func main() {
	c := vaultutil.NewConfig("aws", "admin", "aws-account", 120)
	creds, err := c.AWSLogin()
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	// creds.EnvMap holds the AWS_* variables to export for the CLI;
	// here we only report the lifetime so the secret values are not printed.
	fmt.Println("credentials valid for", creds.Duration, "seconds")
}
```
Index
Constants
```go
const (
	// BaseURLGovCloud is the base URL for AWS GovCloud
	BaseURLGovCloud = "amazonaws-us-gov.com"
	// BaseURLDefault is the normal AWS base URL
	BaseURLDefault = "aws.amazon.com"
)
```
Variables
This section is empty.
Functions
Types
type AWSCredentials
```go
type AWSCredentials struct {
	// AccessKeyID is the access key ID of the STS credentials
	AccessKeyID string `json:"sessionId"`
	// SecretAccessKey is the secret access key of the STS credentials
	SecretAccessKey string `json:"sessionKey"`
	// SessionToken is the token of the STS credentials
	SessionToken string `json:"sessionToken"`
	// Created is the time that the credentials were issued
	Created time.Time `json:"created,omitempty"`
	// Duration is the time in seconds that the credentials are valid for
	Duration int64 `json:"duration,omitempty"`
	// LeaseID is the Vault lease ID. It can be used to revoke the credentials
	LeaseID string `json:"lease_id,omitempty"`
	// EnvMap is a map of environment variables to the values above. It can be used
	// to populate the CLI environment variables needed to use the credentials. In
	// addition, this tool adds the Vault lease and the duration/creation time in order
	// to reduce the number of times that new credentials need to be generated.
	// The environment variables are:
	// AWS_ACCESS_KEY_ID=AccessKeyID
	// AWS_SECRET_ACCESS_KEY=SecretAccessKey
	// AWS_SESSION_TOKEN=SessionToken
	// AWS_SECURITY_TOKEN=SessionToken
	// AWS_SESSION_START=Created (in Unix time)
	// AWS_SESSION_DURATION=Duration
	// AWS_SESSION_VAULT_LEASE_ID=LeaseID
	EnvMap map[string]string `json:"environment"`
}
```
AWSCredentials holds the AWS Credential JSON
func (*AWSCredentials) Expired
func (a *AWSCredentials) Expired(buffer int64) bool
Expired returns true if the AWS credentials are expired, or will expire within buffer seconds.
func (*AWSCredentials) ReadFromEnv
func (a *AWSCredentials) ReadFromEnv() error
ReadFromEnv populates a set of AWS credentials that were previously exported to the environment.
func (*AWSCredentials) Revoke
func (a *AWSCredentials) Revoke() error
Revoke revokes the Vault lease associated with the credentials.
type AzureCredentials
```go
type AzureCredentials struct {
	// ClientID is the username of the Azure service principal
	ClientID string `json:"client_id"`
	// ClientSecret is the password of the Azure service principal
	ClientSecret string `json:"client_secret"`
	// Created is the date/time that the credentials were requested
	Created time.Time `json:"created"`
	// Duration is the number of seconds the credentials are valid
	Duration int64 `json:"duration"`
	// LeaseID is the Vault lease ID of the requested credentials.
	// This can be used to revoke the lease when the credentials are no longer needed.
	LeaseID string `json:"lease_id"`
	// EnvMap is a map of environment variables to the values above. It can be used
	// to populate the CLI environment variables needed to use the credentials. In
	// addition, this tool adds the Vault lease and the duration/creation time in order
	// to reduce the number of times that new credentials need to be generated.
	// The environment variables are:
	// ARM_CLIENT_ID=ClientID
	// ARM_CLIENT_SECRET=ClientSecret
	// ARM_SESSION_START=Created (in Unix time)
	// ARM_SESSION_DURATION=Duration
	// ARM_SESSION_VAULT_LEASE_ID=LeaseID
	EnvMap map[string]string `json:"environment"`
}
```
AzureCredentials is a set of Azure credentials obtained from Vault.
func (*AzureCredentials) Expired
func (az *AzureCredentials) Expired(buffer int64) bool
Expired returns true if the Azure credentials are expired, or will expire within buffer seconds.
func (*AzureCredentials) ReadFromEnv
func (az *AzureCredentials) ReadFromEnv() error
ReadFromEnv populates a set of Azure credentials that were previously exported to the environment.
func (*AzureCredentials) Revoke
func (az *AzureCredentials) Revoke() error
Revoke revokes the Vault lease associated with the credentials.
type Config
```go
type Config struct {
	AWSBaseURL string
	Path       string
	Role       string
	TTL        string
	// BufferSeconds is the number of seconds before expiration at which credentials are renewed
	BufferSeconds int64
}
```
Config holds all the configuration for requesting credentials.
func (Config) AWSLogin
func (c Config) AWSLogin() (*AWSCredentials, error)
AWSLogin calls vault write on an STS endpoint and generates the necessary environment variables.
func (Config) AzureLogin
func (c Config) AzureLogin() (*AzureCredentials, error)
AzureLogin calls vault read on a credentials endpoint and generates the necessary environment variables. If no environment variable support is desired, and renewing credentials is not needed, then this function can be used to get just a simple set of credentials.
func (Config) BuildConsoleLogin
BuildConsoleLogin returns a new console login
func (Config) NewAWSCredentials
func (c Config) NewAWSCredentials() (*AWSCredentials, error)
NewAWSCredentials returns the existing credentials from the environment if they are not expired; if they are expired, or none can be read from the environment, it returns a new set.
func (Config) NewAzureCredentials
func (c Config) NewAzureCredentials() (*AzureCredentials, error)
NewAzureCredentials returns the existing credentials from the environment if they are not expired; if they are expired, or none can be read from the environment, it returns a new set.
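The reuse-or-renew decision that NewAWSCredentials and NewAzureCredentials describe rests on the AWS_SESSION_START / AWS_SESSION_DURATION (and matching ARM_SESSION_*) variables that EnvMap exports. The following is an added, stand-alone example written for this page, not the library's own code: it assumes a minimal struct holding only the timing fields, that Expired(buffer) means "expired, or within buffer seconds of expiring", and takes the environment as a map so it runs offline.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// sessionCreds holds only the timing fields of vaultutil.AWSCredentials;
// an assumed layout for this example, not the library's own type.
type sessionCreds struct {
	Created  time.Time
	Duration int64 // seconds the credentials are valid for
	LeaseID  string
}

// expiredAt treats the credentials as expired `buffer` seconds before the
// real expiry, so callers renew before the lease actually ends.
func (s sessionCreds) expiredAt(now time.Time, buffer int64) bool {
	expiry := s.Created.Add(time.Duration(s.Duration-buffer) * time.Second)
	return !now.Before(expiry)
}

// fromEnv rebuilds the timing fields from the AWS_SESSION_* variables the
// page documents in EnvMap; env stands in for os.Environ so it is testable.
func fromEnv(env map[string]string) (sessionCreds, error) {
	start, err := strconv.ParseInt(env["AWS_SESSION_START"], 10, 64)
	if err != nil {
		return sessionCreds{}, fmt.Errorf("AWS_SESSION_START: %w", err)
	}
	dur, err := strconv.ParseInt(env["AWS_SESSION_DURATION"], 10, 64)
	if err != nil {
		return sessionCreds{}, fmt.Errorf("AWS_SESSION_DURATION: %w", err)
	}
	return sessionCreds{time.Unix(start, 0), dur, env["AWS_SESSION_VAULT_LEASE_ID"]}, nil
}

// needsNewCreds is the decision NewAWSCredentials describes: reuse what the
// environment holds unless it is missing, malformed, or within buffer of expiry.
func needsNewCreds(env map[string]string, now time.Time, buffer int64) bool {
	c, err := fromEnv(env)
	return err != nil || c.expiredAt(now, buffer)
}

func main() {
	// Constructed sample: a 120 s session (the TTL in the package example) issued at t0.
	t0 := time.Unix(1700000000, 0)
	env := map[string]string{"AWS_SESSION_START": "1700000000", "AWS_SESSION_DURATION": "120", "AWS_SESSION_VAULT_LEASE_ID": "aws/creds/example/PLACEHOLDER-LEASE"}
	fmt.Println(needsNewCreds(env, t0.Add(30*time.Second), 30), needsNewCreds(env, t0.Add(100*time.Second), 30))
}
```

With a 30-second buffer the 120-second session is reused at t0+30 s but renewed at t0+100 s, and an empty or malformed environment always triggers a fresh request.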