Documentation
¶
Index ¶
- Constants
- func GetCredentialsConfig(secrets *structpb.Struct, attrs *CredentialAttributes, required bool) (*awsutil.CredentialsConfig, error)
- func MockAssumeRoleAttributes(region string, disableRotate bool) *structpb.Struct
- func MockStaticCredentialSecrets() *structpb.Struct
- type AwsCredentialPersistedState
- func (s *AwsCredentialPersistedState) DeleteCreds(ctx context.Context) error
- func (s *AwsCredentialPersistedState) GenerateCredentialChain(ctx context.Context) (*aws.Config, error)
- func (s *AwsCredentialPersistedState) ReplaceCreds(ctx context.Context, credentialsConfig *awsutil.CredentialsConfig) error
- func (s *AwsCredentialPersistedState) RotateCreds(ctx context.Context) error
- func (s *AwsCredentialPersistedState) ToMap() map[string]any
- func (s *AwsCredentialPersistedState) ValidateCreds(ctx context.Context) error
- type AwsCredentialPersistedStateOption
- type CredentialAttributes
- type CredentialType
Constants ¶
const ( // ConstAccessKey is the key for the region in the aws credentials. ConstRegion = "region" // ConstAccessKey is the key for the access key id in the aws credentials. ConstAccessKeyId = "access_key_id" // ConstSecretAccessKey is the key for the secret access key in the aws credentials. ConstSecretAccessKey = "secret_access_key" // ConstDisableCredentialRotation is the key for the disable credential rotation in the aws credentials. ConstDisableCredentialRotation = "disable_credential_rotation" // ConstCredsLastRotatedTime is the key for the last rotated time in the aws credentials. ConstCredsLastRotatedTime = "creds_last_rotated_time" // ConstRoleArn is the key for assuming a IAM role. ConstRoleArn = "role_arn" // ConstRoleExternalId is the key for the external id used for assuming a IAM role. ConstRoleExternalId = "role_external_id" // ConstRoleSessionName is the key for the session name used for assuming a IAM role. ConstRoleSessionName = "role_session_name" // ConstRoleTags is the key for the tags used for assuming a IAM role. ConstRoleTags = "role_tags" )
Variables ¶
This section is empty.
Functions ¶
func GetCredentialsConfig ¶
func GetCredentialsConfig(secrets *structpb.Struct, attrs *CredentialAttributes, required bool) (*awsutil.CredentialsConfig, error)
GetCredentialsConfig parses values out of a protobuf struct secrets and returns a CredentialsConfig used for configuring an AWS session. An error is returned if any unrecognized fields are found in the protobuf struct input.
func MockAssumeRoleAttributes ¶ added in v0.1.7
MockAssumeRoleAttributes returns a *structpb.Struct that contains six key pair values:
(region, region)
(disable_credential_rotation, disableRotate)
(role_arn, arn:aws:iam::123456789012:role/S3Access)
(role_external_id, 1234567890)
(role_session_name, ec2-assume-role-provider)
(role_tags, struct{foo:bar})
func MockStaticCredentialSecrets ¶ added in v0.1.7
MockStaticCredentialSecrets returns a *structpb.Struct that contains two key pair values: (access_key_id, AKIA_foobar) & (secret_access_key, bazqux)
Types ¶
type AwsCredentialPersistedState ¶
type AwsCredentialPersistedState struct {
// CredentialsConfig is the credential configuration for the AWS credential.
CredentialsConfig *awsutil.CredentialsConfig
// CredsLastRotatedTime is the last rotation of aws secrets for the AWS credential.
CredsLastRotatedTime time.Time
// contains filtered or unexported fields
}
AwsCredentialPersistedState is the persisted state for the AWS credential.
func AwsCredentialPersistedStateFromProto ¶
func AwsCredentialPersistedStateFromProto(secrets *structpb.Struct, attrs *CredentialAttributes, opts ...AwsCredentialPersistedStateOption) (*AwsCredentialPersistedState, error)
AwsCredentialPersistedStateFromProto parses values out of a protobuf struct input and returns a AwsCredentialPersistedState used for configuring an AWS session.
func NewAwsCredentialPersistedState ¶
func NewAwsCredentialPersistedState(opts ...AwsCredentialPersistedStateOption) (*AwsCredentialPersistedState, error)
NewAwsCredentialPersistedState returns a AwsCredentialPersistedState. Supported options include: WithAccessKeyId, WithSecretAccessKey WithCredsLastRotatedTime, & WithRegion.
func (*AwsCredentialPersistedState) DeleteCreds ¶
func (s *AwsCredentialPersistedState) DeleteCreds(ctx context.Context) error
DeleteCreds deletes the credentials in the state. The access key ID, secret access key, and rotation time fields are zeroed out in the state just to ensure that they cannot be re-used after.
func (*AwsCredentialPersistedState) GenerateCredentialChain ¶ added in v0.2.0
func (s *AwsCredentialPersistedState) GenerateCredentialChain(ctx context.Context) (*aws.Config, error)
GenerateCredentialChain returns a AWS configuration for the credentials in the state.
func (*AwsCredentialPersistedState) ReplaceCreds ¶
func (s *AwsCredentialPersistedState) ReplaceCreds(ctx context.Context, credentialsConfig *awsutil.CredentialsConfig) error
ReplaceCreds replaces the access key in the state with a new key. If the existing key was rotated at any point in time, it is deleted first, otherwise it's left alone.
func (*AwsCredentialPersistedState) RotateCreds ¶
func (s *AwsCredentialPersistedState) RotateCreds(ctx context.Context) error
RotateCreds takes the access key and secret key from the persisted state and creates a new access/secret key, then deletes the old access key. If deletion of the old access key is successful, the new access key/secret key are written into the credentials config and the persisted state. On any error, the old credentials are not overwritten. This ensures that any generated new secret key never leaves this function in case of an error, even though it will still result in an extraneous access key existing.
func (*AwsCredentialPersistedState) ToMap ¶
func (s *AwsCredentialPersistedState) ToMap() map[string]any
ToMap returns a map of the credentials stored in the persisted state. ToMap will return an empty map for temporary credentials. ToMap will return a map for long-term credentials with following keys: access_key_id, secret_access_key & creds_last_rotated_time
func (*AwsCredentialPersistedState) ValidateCreds ¶
func (s *AwsCredentialPersistedState) ValidateCreds(ctx context.Context) error
ValidateCreds takes the credentials configuration from the persisted state and runs sts.GetCallerIdentity for the current credentials, which is done to check that the credentials are valid.
type AwsCredentialPersistedStateOption ¶
type AwsCredentialPersistedStateOption func(s *AwsCredentialPersistedState) error
func WithCredentialsConfig ¶ added in v0.1.7
func WithCredentialsConfig(x *awsutil.CredentialsConfig) AwsCredentialPersistedStateOption
WithCredentialsConfig sets the value for CredentialsConfig in the credential persisted state.
func WithCredsLastRotatedTime ¶
func WithCredsLastRotatedTime(t time.Time) AwsCredentialPersistedStateOption
WithCredsLastRotatedTime sets the value for CredsLastRotatedTime in the credential persisted state.
func WithStateTestOpts ¶
func WithStateTestOpts(opts []awsutil.Option) AwsCredentialPersistedStateOption
WithStateTestOpts enables unit testing different edge cases when using CredentialsConfig. This should never be used in production code. This should only be used in unit tests.
type CredentialAttributes ¶
type CredentialAttributes struct {
// Region is the region associated with the aws credentials
Region string
// DisableCredentialRotation disables the rotation of aws secrets associated with the plugin
DisableCredentialRotation bool
// RoleArn is the role arn associated with the aws credentials
RoleArn string
// RoleExternalId is the external id associated with the aws credentials
RoleExternalId string
// RoleSessionName is the session name associated with the aws credentials
RoleSessionName string
// RoleTags is the tags associated with the aws credentials
RoleTags map[string]string
}
CredentialAttributes contains attributes used for AWS credentials
func GetCredentialAttributes ¶
func GetCredentialAttributes(in *structpb.Struct) (*CredentialAttributes, error)
GetCredentialAttributes parses values out of a protobuf struct input and returns a CredentialAttributes used for configuring an AWS session. An error is returned if any of the following fields are missing from the protobuf struct input or have invalid value types: region, disableCredentialRotation
type CredentialType ¶ added in v0.2.0
type CredentialType int
const ( // StaticAWS denotes an Access Key Id that begins with "AKIA". These are // long-term access keys, provided by AWS, for an IAM user or an AWS account // root user. // https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html#sec-access-keys-and-secret-access-keys StaticAWS CredentialType = iota // DynamicAWS denotes the presence of a RoleARN, or an Access Key Id that // begins with "ASIA". The latter are temporary credentials access keys that // are created using AWS STS operations. DynamicAWS // StaticOther denotes the presence of an Access Key Id that does not follow // the AKIA/ASIA convention outlined by AWS. StaticOther // Unknown is a catch-all for everything else. Unknown )
func GetCredentialType ¶ added in v0.2.0
func GetCredentialType(cc *awsutil.CredentialsConfig) CredentialType
GetCredentialType returns the credential type based on the given AccessKey/RoleARN. See CredentialType definition for more information.
Source Files