vault

package
Version: v4.2.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 1, 2018 License: MIT Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source
const (
	MaxSessionDuration    = time.Hour * 36
	MinSessionDuration    = time.Minute * 15
	MinAssumeRoleDuration = time.Minute * 15
	MaxAssumeRoleDuration = time.Hour

	DefaultSessionDuration    = time.Hour * 4
	DefaultAssumeRoleDuration = time.Minute * 15
)

Variables

This section is empty.

Functions

func ConfigPath

func ConfigPath() (string, error)

ConfigPath returns either $AWS_CONFIG_FILE or ~/.aws/config

func GetUsernameFromSession

func GetUsernameFromSession(sess *session.Session) (string, error)

GetUsernameFromSession returns the IAM username (or root) associated with the current aws session

func IsSessionKey

func IsSessionKey(s string) bool

Types

type Config

type Config struct {
	Path string
	// contains filtered or unexported fields
}

Config is an abstraction over what is in ~/.aws/config

func LoadConfig

func LoadConfig(path string) (*Config, error)

LoadConfig loads and parses a config. No error is returned if the file doesn't exist

func LoadConfigFromEnv

func LoadConfigFromEnv() (*Config, error)

LoadConfigFromEnv finds the config file from the environment

func (*Config) Add

func (c *Config) Add(profile Profile) error

Add the profile to the configuration file

func (*Config) FormatCredentialError

func (c *Config) FormatCredentialError(err error, profileName string) string

FormatCredentialError formats errors with some user friendly context

func (*Config) Profile

func (c *Config) Profile(name string) (Profile, bool)

Profile returns the profile with the matching name. If there isn't any, an empty profile with the provided name is returned, along with false.

func (*Config) Profiles

func (c *Config) Profiles() []Profile

Profiles returns all the profiles in the config

func (*Config) SourceProfile

func (c *Config) SourceProfile(name string) (Profile, bool)

SourceProfile returns the source profile of the given profile. If there isn't any, the named profile, a new profile is returned. False is only returned if no profile by the name exists.

type KeyringProvider

type KeyringProvider struct {
	Keyring keyring.Keyring
	Profile string
}

func (*KeyringProvider) Delete

func (p *KeyringProvider) Delete() error

func (*KeyringProvider) IsExpired

func (p *KeyringProvider) IsExpired() bool

func (*KeyringProvider) Retrieve

func (p *KeyringProvider) Retrieve() (val credentials.Value, err error)

func (*KeyringProvider) Store

func (p *KeyringProvider) Store(val credentials.Value) error

type KeyringSession

type KeyringSession struct {
	Profile
	Name      string
	SessionID string
}

func (KeyringSession) IsExpired

func (ks KeyringSession) IsExpired() bool

type KeyringSessions

type KeyringSessions struct {
	Keyring keyring.Keyring
	Config  *Config
}

func NewKeyringSessions

func NewKeyringSessions(k keyring.Keyring, cfg *Config) (*KeyringSessions, error)

func (*KeyringSessions) Delete

func (s *KeyringSessions) Delete(profile string) (n int, err error)

Delete deletes any sessions for a specific profile, expects the profile to be provided, not the source

func (*KeyringSessions) Retrieve

func (s *KeyringSessions) Retrieve(profile string) (creds sts.Credentials, err error)

Retrieve searches sessions for specific profile, expects the profile to be provided, not the source

func (*KeyringSessions) Sessions

func (s *KeyringSessions) Sessions() ([]KeyringSession, error)

func (*KeyringSessions) Store

func (s *KeyringSessions) Store(profile string, session sts.Credentials, expires time.Time) error

Store stores a sessions for a specific profile, expects the profile to be provided, not the source

type Profile

type Profile struct {
	Name            string `ini:"-"`
	MFASerial       string `ini:"mfa_serial,omitempty"`
	RoleARN         string `ini:"role_arn,omitempty"`
	Region          string `ini:"region,omitempty"`
	SourceProfile   string `ini:"source_profile,omitempty"`
	RoleSessionName string `ini:"role_session_name,omitempty"`
}

func (Profile) Hash

func (p Profile) Hash() ([]byte, error)

type Rotator

type Rotator struct {
	Keyring   keyring.Keyring
	MfaToken  string
	MfaPrompt prompt.PromptFunc
	Config    *Config
}

func (*Rotator) Rotate

func (r *Rotator) Rotate(profile string) error

Rotate creates a new key and deletes the old one

type VaultCredentials

type VaultCredentials struct {
	*credentials.Credentials
	// contains filtered or unexported fields
}

func NewVaultCredentials

func NewVaultCredentials(k keyring.Keyring, profile string, opts VaultOptions) (*VaultCredentials, error)

func (*VaultCredentials) Expires

func (v *VaultCredentials) Expires() time.Time

type VaultOptions

type VaultOptions struct {
	SessionDuration    time.Duration
	AssumeRoleDuration time.Duration
	ExpiryWindow       time.Duration
	MfaToken           string
	MfaPrompt          prompt.PromptFunc
	NoSession          bool
	Config             *Config
	MasterCreds        *credentials.Value
}

func (VaultOptions) ApplyDefaults

func (o VaultOptions) ApplyDefaults() VaultOptions

func (VaultOptions) Validate

func (o VaultOptions) Validate() error

type VaultProvider

type VaultProvider struct {
	credentials.Expiry
	VaultOptions
	// contains filtered or unexported fields
}

func NewVaultProvider

func NewVaultProvider(k keyring.Keyring, profile string, opts VaultOptions) (*VaultProvider, error)

func (*VaultProvider) Retrieve

func (p *VaultProvider) Retrieve() (credentials.Value, error)

Retrieve returns credentials protected by a GetSessionToken. If there is an associated role in the profile then AssumeRole is applied. The benefit of a session is that it doesn't require MFA or a user prompt to access the keychain item, much like sudo.

func (*VaultProvider) RetrieveWithoutSessionToken

func (p *VaultProvider) RetrieveWithoutSessionToken() (credentials.Value, error)

RetrieveWithoutSessionToken returns credentials that are either the master credentials or a session created with AssumeRole. This allows for usecases where a token created with AssumeRole wouldn't work.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL