vault

package
v4.4.1+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 20, 2018 License: MIT Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	MaxSessionDuration    = time.Hour * 36
	MinSessionDuration    = time.Minute * 15
	MinAssumeRoleDuration = time.Minute * 15
	MaxAssumeRoleDuration = time.Hour * 12

	DefaultSessionDuration    = time.Hour * 4
	DefaultAssumeRoleDuration = time.Minute * 15
)

Variables

This section is empty.

Functions

func ConfigPath 

func ConfigPath() (string, error)

ConfigPath returns either $AWS_CONFIG_FILE or ~/.aws/config

func CreateConfig 

func CreateConfig() error

CreateConfig will create the config directory and file if they do not exist

func GetUsernameFromSession 

func GetUsernameFromSession(sess *session.Session) (string, error)

GetUsernameFromSession returns the IAM username (or root) associated with the current aws session

func IsSessionKey 

func IsSessionKey(s string) bool

Types

type Config 

type Config struct {
	Path string
	// contains filtered or unexported fields
}

Config is an abstraction over what is in ~/.aws/config

func LoadConfig 

func LoadConfig(path string) (*Config, error)

LoadConfig loads and parses a config. No error is returned if the file doesn't exist

func LoadConfigFromEnv 

func LoadConfigFromEnv() (*Config, error)

LoadConfigFromEnv finds the config file from the environment

func (*Config) Add 

func (c *Config) Add(profile Profile) error

Add the profile to the configuration file

func (*Config) FormatCredentialError 

func (c *Config) FormatCredentialError(err error, profileName string) string

FormatCredentialError formats errors with some user friendly context

func (*Config) Profile 

func (c *Config) Profile(name string) (Profile, bool)

Profile returns the profile with the matching name. If there isn't any, an empty profile with the provided name is returned, along with false.

func (*Config) Profiles 

func (c *Config) Profiles() []Profile

Profiles returns all the profiles in the config

func (*Config) SourceProfile 

func (c *Config) SourceProfile(name string) (Profile, bool)

SourceProfile returns the source profile of the given profile. If there isn't any, the named profile, a new profile is returned. False is only returned if no profile by the name exists.

type KeyringProvider 

type KeyringProvider struct {
	Keyring keyring.Keyring
	Profile string
	Region  string
}

func (*KeyringProvider) Delete 

func (p *KeyringProvider) Delete() error

func (*KeyringProvider) IsExpired 

func (p *KeyringProvider) IsExpired() bool

func (*KeyringProvider) Retrieve 

func (p *KeyringProvider) Retrieve() (val credentials.Value, err error)

func (*KeyringProvider) Store 

func (p *KeyringProvider) Store(val credentials.Value) error

type KeyringSession 

type KeyringSession struct {
	Profile
	Name      string
	SessionID string
}

func (KeyringSession) IsExpired 

func (ks KeyringSession) IsExpired() bool

type KeyringSessions 

type KeyringSessions struct {
	Keyring keyring.Keyring
	Config  *Config
}

func NewKeyringSessions 

func NewKeyringSessions(k keyring.Keyring, cfg *Config) (*KeyringSessions, error)

func (*KeyringSessions) Delete 

func (s *KeyringSessions) Delete(profile string) (n int, err error)

Delete deletes any sessions for a specific profile, expects the profile to be provided, not the source

func (*KeyringSessions) Retrieve 

func (s *KeyringSessions) Retrieve(profile string) (creds sts.Credentials, err error)

Retrieve searches sessions for specific profile, expects the profile to be provided, not the source

func (*KeyringSessions) Sessions 

func (s *KeyringSessions) Sessions() ([]KeyringSession, error)

func (*KeyringSessions) Store 

func (s *KeyringSessions) Store(profile string, session sts.Credentials, expires time.Time) error

Store stores a sessions for a specific profile, expects the profile to be provided, not the source

type Profile 

type Profile struct {
	Name            string `ini:"-"`
	MFASerial       string `ini:"mfa_serial,omitempty"`
	RoleARN         string `ini:"role_arn,omitempty"`
	ExternalID      string `ini:"external_id,omitempty"`
	Region          string `ini:"region,omitempty"`
	SourceProfile   string `ini:"source_profile,omitempty"`
	RoleSessionName string `ini:"role_session_name,omitempty"`
}

func (Profile) Hash 

func (p Profile) Hash() ([]byte, error)

type Rotator 

type Rotator struct {
	Keyring   keyring.Keyring
	MfaToken  string
	MfaPrompt prompt.PromptFunc
	Config    *Config
}

func (*Rotator) Rotate 

func (r *Rotator) Rotate(profile string) error

Rotate creates a new key and deletes the old one

type VaultCredentials 

type VaultCredentials struct {
	*credentials.Credentials
	// contains filtered or unexported fields
}

func NewVaultCredentials 

func NewVaultCredentials(k keyring.Keyring, profile string, opts VaultOptions) (*VaultCredentials, error)

func (*VaultCredentials) Expires 

func (v *VaultCredentials) Expires() time.Time

type VaultOptions 

type VaultOptions struct {
	SessionDuration    time.Duration
	AssumeRoleDuration time.Duration
	ExpiryWindow       time.Duration
	MfaToken           string
	MfaPrompt          prompt.PromptFunc
	NoSession          bool
	Config             *Config
	MasterCreds        *credentials.Value
	Region             string
}

func (VaultOptions) ApplyDefaults 

func (o VaultOptions) ApplyDefaults() VaultOptions

func (VaultOptions) Validate 

func (o VaultOptions) Validate() error

type VaultProvider 

type VaultProvider struct {
	credentials.Expiry
	VaultOptions
	// contains filtered or unexported fields
}

func NewVaultProvider 

func NewVaultProvider(k keyring.Keyring, profile string, opts VaultOptions) (*VaultProvider, error)

func (*VaultProvider) Retrieve 

func (p *VaultProvider) Retrieve() (credentials.Value, error)

Retrieve returns credentials protected by a GetSessionToken. If there is an associated role in the profile then AssumeRole is applied. The benefit of a session is that it doesn't require MFA or a user prompt to access the keychain item, much like sudo.

func (*VaultProvider) RetrieveWithoutSessionToken 

func (p *VaultProvider) RetrieveWithoutSessionToken() (credentials.Value, error)

RetrieveWithoutSessionToken returns credentials that are either the master credentials or a session created with AssumeRole. This allows for usecases where a token created with AssumeRole wouldn't work.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.