vaultutil

package module
v0.0.5
Published: Dec 28, 2022 License: Apache-2.0 Imports: 14 Imported by: 0

README

vaultutil


This library provides utilities for utilizing Vault in various user workflows and environments.

import "github.com/fairwindsops/vaultutil"

AWS

There are helpers for:

  • Getting and refreshing STS credentials from a vault aws backend
  • Generating AWS Console login links from STS credentials

Azure

There are helpers for:

  • Getting and refreshing service principals from a vault azure backend

Join the Fairwinds Open Source Community

The goal of the Fairwinds Community is to exchange ideas, influence the open source roadmap, and network with fellow Kubernetes users. Chat with us on Slack or join the user group to get involved!

Other Projects from Fairwinds

Enjoying Vaultutil? Check out some of our other projects:

  • Polaris - Audit, enforce, and build policies for Kubernetes resources, including over 20 built-in checks for best practices
  • Goldilocks - Right-size your Kubernetes Deployments by comparing your memory and CPU settings against actual usage
  • Pluto - Detect Kubernetes resources that have been deprecated or removed in future versions
  • Nova - Check to see if any of your Helm charts have updates available
  • rbac-manager - Simplify the management of RBAC in your Kubernetes clusters

Documentation

Overview

Package vaultutil is a go library that provides functions and helpers for working with vault-provided cloud credentials.

Example of Getting AWS Credentials:

package main

import (
    "fmt"
    "os"

    "github.com/fairwindsops/vaultutil"
)

func main() {
    // NewConfig(partition, role, path, buffer): "admin" is the vault role,
    // "aws-account" the backend path, and 120 the number of seconds before
    // expiry at which credentials are renewed.
    c := vaultutil.NewConfig("aws", "admin", "aws-account", 120)
    creds, err := c.AWSLogin()
    if err != nil {
        fmt.Println(err)
        os.Exit(1)
    }
    // The lease ID is what you would hand to Revoke() once the credentials
    // are no longer needed.
    fmt.Println("obtained vault lease", creds.LeaseID)
}

Index

Constants

const (
	// BaseURLGovCloud is the base URL for AWS GovCloud
	BaseURLGovCloud = "amazonaws-us-gov.com"
	// BaseURLDefault is the normal AWS base URL
	BaseURLDefault = "aws.amazon.com"
)

Variables

This section is empty.

Functions

func CheckToken

func CheckToken() error

CheckToken makes sure we have a valid token

func Login added in v0.0.4

func Login(loginMethod string) error

Login initiates a vault login with the provided method

Types

type AWSCredentials

type AWSCredentials struct {
	// AccessKeyId is the access key ID of the sts credentials
	AccessKeyID string `json:"sessionId"`
	// SecretAccessKey is the secret access key of the sts credentials
	SecretAccessKey string `json:"sessionKey"`
	// SessionToken is the token of the sts credentials
	SessionToken string `json:"sessionToken"`
	// Created is the time that the credentials were issued
	Created time.Time `json:"created,omitempty"`
	// Duration is the time in seconds that the credentials are valid for
	Duration int64 `json:"duration,omitempty"`
	// LeaseID is the vault lease id. Can be used to revoke the credentials
	LeaseID string `json:"lease_id,omitempty"`
	// EnvMap is a map of environment variables to the values above. It can be used
	// to populate necessary CLI environment variables for using the credentials. In
	// addition, this tool adds the vault lease and the duration/creation in order to
	// reduce the number of times that new credentials need to be generated.
	// The environment variables are:
	//  AWS_ACCESS_KEY_ID=AccessKeyID
	//  AWS_SECRET_ACCESS_KEY=SecretAccessKey
	//  AWS_SESSION_TOKEN=SessionToken
	//  AWS_SECURITY_TOKEN=SessionToken
	//  AWS_SESSION_START=Created (in Unix time)
	//  AWS_SESSION_DURATION=Duration
	//  AWS_SESSION_VAULT_LEASE_ID=LeaseID
	EnvMap map[string]string `json:"environment"`
}

AWSCredentials holds the AWS Credential JSON

func (*AWSCredentials) Expired

func (a *AWSCredentials) Expired(buffer int64) bool

Expired returns true if the AWS credentials are expired

func (*AWSCredentials) ReadFromEnv

func (a *AWSCredentials) ReadFromEnv() error

ReadFromEnv populates a set of aws credentials that were previously exported

func (*AWSCredentials) Revoke

func (a *AWSCredentials) Revoke() error

Revoke revokes the vault lease associated with the credentials

type AzureCredentials

type AzureCredentials struct {
	// ClientID is the username of the azure service principal
	ClientID string `json:"client_id"`
	// ClientSecret is the password of the azure service principal
	ClientSecret string `json:"client_secret"`
	// Created is the date/time that the credentials were requested
	Created time.Time `json:"created"`
	// Duration is the number of seconds the credentials are valid
	Duration int64 `json:"duration"`
	// LeaseID is the Vault Lease ID of the requested credentials.
	// This can be used to revoke the lease when the credentials are no longer needed.
	LeaseID string `json:"lease_id"`
	// EnvMap is a map of environment variables to the values above. It can be used
	// to populate necessary CLI environment variables for using the credentials. In
	// addition, this tool adds the vault lease and the duration/creation in order to
	// reduce the number of times that new credentials need to be generated.
	// The environment variables are:
	//  ARM_CLIENT_ID=ClientID
	//  ARM_CLIENT_SECRET=ClientSecret
	//  ARM_SESSION_START=Created (in Unix time)
	//  ARM_SESSION_DURATION=Duration
	//  ARM_SESSION_VAULT_LEASE_ID=LeaseID
	EnvMap map[string]string `json:"environment"`
}

AzureCredentials are a set of azure credentials from vault

func (*AzureCredentials) Expired

func (az *AzureCredentials) Expired(buffer int64) bool

Expired checks to see if the azure credentials are expired

func (*AzureCredentials) ReadFromEnv

func (az *AzureCredentials) ReadFromEnv() error

ReadFromEnv populates a set of azure credentials that were previously exported

func (*AzureCredentials) Revoke

func (az *AzureCredentials) Revoke() error

Revoke revokes the vault lease associated with the credentials

type Config

type Config struct {
	AWSBaseURL string
	Path       string
	Role       string
	TTL        string
	// BufferSeconds is the number of seconds to renew before expiration
	BufferSeconds int64
}

Config holds all the config

func NewConfig

func NewConfig(partition, role, path string, buffer int64) *Config

NewConfig returns a config object

func (Config) AWSLogin

func (c Config) AWSLogin() (*AWSCredentials, error)

AWSLogin calls vault write on an sts endpoint and generates the necessary environment variables

func (Config) AzureLogin

func (c Config) AzureLogin() (*AzureCredentials, error)

AzureLogin calls vault read on a credentials endpoint and generates the necessary environment variables. If no environment variable support is desired, and renewing credentials is not needed, then this function can be used to get just a simple set of credentials.

func (Config) BuildConsoleLogin

func (c Config) BuildConsoleLogin() (string, error)

BuildConsoleLogin returns a new console login
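The console login link is built against the AWS federation endpoint, which is why the AWSCredentials JSON tags are sessionId/sessionKey/sessionToken and why the package carries BaseURLDefault and BaseURLGovCloud: the signin host and console destination differ per partition. The following is an added example, not vaultutil's own BuildConsoleLogin; the type and function names (STSCredentials, SigninTokenURL, FetchSigninToken, ParseSigninToken, LoginURL) and the issuer string are assumptions for this illustration, and the credential values in main are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Base URL suffixes, the same values as vaultutil's BaseURLDefault and
// BaseURLGovCloud; the signin and console hosts are derived from them.
const (
	baseURLDefault  = "aws.amazon.com"
	baseURLGovCloud = "amazonaws-us-gov.com"
)

// STSCredentials (hypothetical type for this example) carries the same JSON
// field names as vaultutil's AWSCredentials, because the federation endpoint
// expects exactly these keys in its Session parameter.
type STSCredentials struct {
	AccessKeyID     string `json:"sessionId"`
	SecretAccessKey string `json:"sessionKey"`
	SessionToken    string `json:"sessionToken"`
}

// SigninTokenURL builds the getSigninToken request. SessionDuration is left
// out on purpose: for credentials issued through STS the session length was
// fixed when the credentials were created.
func SigninTokenURL(base string, c STSCredentials) (string, error) {
	session, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("Action", "getSigninToken")
	q.Set("Session", string(session))
	return fmt.Sprintf("https://signin.%s/federation?%s", base, q.Encode()), nil
}

// ParseSigninToken extracts the SigninToken from a federation response body.
func ParseSigninToken(r io.Reader) (string, error) {
	var body struct{ SigninToken string }
	if err := json.NewDecoder(r).Decode(&body); err != nil {
		return "", err
	}
	if body.SigninToken == "" {
		return "", fmt.Errorf("no SigninToken in federation response")
	}
	return body.SigninToken, nil
}

// FetchSigninToken exchanges the STS credentials (already encoded in endpoint
// by SigninTokenURL) for a short-lived signin token. A non-200 status is
// treated as failure rather than silently producing an empty token.
func FetchSigninToken(client *http.Client, endpoint string) (string, error) {
	resp, err := client.Get(endpoint)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("federation endpoint returned %s", resp.Status)
	}
	return ParseSigninToken(resp.Body)
}

// LoginURL builds the URL a browser opens to land in the console. The token
// inside it grants console access for its lifetime, so the URL is itself a
// secret: keep it out of logs, tickets and shell history.
func LoginURL(base, issuer, signinToken string) string {
	q := url.Values{}
	q.Set("Action", "login")
	q.Set("Issuer", issuer)
	q.Set("Destination", fmt.Sprintf("https://console.%s/", base))
	q.Set("SigninToken", signinToken)
	return fmt.Sprintf("https://signin.%s/federation?%s", base, q.Encode())
}

func main() {
	// Constructed placeholder credentials; no network call is made here.
	creds := STSCredentials{AccessKeyID: "ASIAEXAMPLE", SecretAccessKey: "secret-constructed", SessionToken: "token-constructed"}
	u, err := SigninTokenURL(baseURLDefault, creds)
	if err != nil {
		panic(err)
	}
	fmt.Println("step 1, fetch a signin token from:", u)
	fmt.Println("step 2, open:", LoginURL(baseURLGovCloud, "vaultutil-example", "<signin token from step 1>"))
}
```

The two steps are kept as separate functions so the HTTP exchange can be tested against a canned response and the URL construction can be checked without credentials that work. With real STS credentials, FetchSigninToken(http.DefaultClient, u) followed by LoginURL is the whole flow.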

func (Config) NewAWSCredentials

func (c Config) NewAWSCredentials() (*AWSCredentials, error)

NewAWSCredentials returns the existing credentials from the environment if they are present and not expired; if they are expired, or none can be read from the environment, it requests and returns a new set.

func (Config) NewAzureCredentials

func (c Config) NewAzureCredentials() (*AzureCredentials, error)

NewAzureCredentials returns the existing credentials from the environment if they are present and not expired; if they are expired, or none can be read from the environment, it requests and returns a new set.
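The reuse-or-renew decision made by NewAWSCredentials and NewAzureCredentials rests on the *_SESSION_START, *_SESSION_DURATION and *_SESSION_VAULT_LEASE_ID variables that the EnvMap exports, together with the BufferSeconds window. The following is an added example that reimplements that decision outside the library; it is not vaultutil's code. It generalises over both credential types by taking the variable prefix ("AWS" or "ARM"), and the Session type plus the functions ReadSessionFromEnv and NeedsRefresh are hypothetical names for this illustration. The environment lookup is injected so the logic can be exercised with constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"time"
)

// Session is the expiry-relevant subset of an exported credential set
// (hypothetical type for this example, not vaultutil's AWSCredentials or
// AzureCredentials).
type Session struct {
	Created  time.Time
	Duration int64 // seconds the credentials are valid for
	LeaseID  string
}

// Expired follows the documented Expired(buffer) contract: the credentials
// count as expired once fewer than buffer seconds of validity remain, so a
// caller renews before the lease actually lapses mid-operation.
func (s Session) Expired(buffer int64, now time.Time) bool {
	expiresAt := s.Created.Add(time.Duration(s.Duration) * time.Second)
	return !now.Add(time.Duration(buffer) * time.Second).Before(expiresAt)
}

// ReadSessionFromEnv rebuilds a Session from the variables the library exports,
// e.g. prefix "AWS" reads AWS_SESSION_START, AWS_SESSION_DURATION and
// AWS_SESSION_VAULT_LEASE_ID; prefix "ARM" reads the Azure equivalents.
// Missing or unparsable values are an error, never a silently valid session.
func ReadSessionFromEnv(prefix string, getenv func(string) string) (Session, error) {
	startRaw := getenv(prefix + "_SESSION_START")
	durRaw := getenv(prefix + "_SESSION_DURATION")
	if startRaw == "" || durRaw == "" {
		return Session{}, errors.New("no exported " + prefix + " session in environment")
	}
	start, err := strconv.ParseInt(startRaw, 10, 64)
	if err != nil {
		return Session{}, fmt.Errorf("bad %s_SESSION_START: %w", prefix, err)
	}
	dur, err := strconv.ParseInt(durRaw, 10, 64)
	if err != nil || dur <= 0 {
		return Session{}, fmt.Errorf("bad %s_SESSION_DURATION: %q", prefix, durRaw)
	}
	return Session{
		Created:  time.Unix(start, 0).UTC(),
		Duration: dur,
		LeaseID:  getenv(prefix + "_SESSION_VAULT_LEASE_ID"),
	}, nil
}

// NeedsRefresh is the decision documented for NewAWSCredentials and
// NewAzureCredentials: reuse what is already exported unless it is missing,
// malformed, or inside the buffer window before expiry.
func NeedsRefresh(prefix string, buffer int64, now time.Time, getenv func(string) string) (bool, Session) {
	s, err := ReadSessionFromEnv(prefix, getenv)
	if err != nil {
		return true, Session{}
	}
	return s.Expired(buffer, now), s
}

func main() {
	now := time.Now()
	refresh, s := NeedsRefresh("AWS", 120, now, os.Getenv)
	if refresh {
		fmt.Println("no usable AWS session exported; a new lease would be requested from vault")
		return
	}
	remaining := s.Created.Add(time.Duration(s.Duration) * time.Second).Sub(now).Round(time.Second)
	fmt.Printf("reusing lease %s, %v of validity left\n", s.LeaseID, remaining)
}
```

Treating a malformed AWS_SESSION_DURATION as "refresh" rather than "valid" is the conservative choice: a stale or tampered environment then costs one extra vault call instead of a failed cloud API call later.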

type Token

type Token struct {
	Data struct {
		TTL int `json:"ttl"`
	} `json:"data"`
}

Token is the response of vault token lookup
