Documentation
Index
- Constants
- Variables
- func AppendAWSError(err error) error
- func CheckAWSError(err error) error
- func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string, ...) (map[string]interface{}, error)
- func GetRegion(configuredRegion string) (string, error)
- func RetrieveCreds(accessKey, secretKey, sessionToken string, logger hclog.Logger) (*credentials.Credentials, error)
- type CredentialsConfig
- func (c *CredentialsConfig) CreateAccessKey(opt ...Option) (*iam.CreateAccessKeyOutput, error)
- func (c *CredentialsConfig) DeleteAccessKey(accessKeyId string, opt ...Option) error
- func (c *CredentialsConfig) GenerateCredentialChain(opt ...Option) (*credentials.Credentials, error)
- func (c *CredentialsConfig) GetCallerIdentity(opt ...Option) (*sts.GetCallerIdentityOutput, error)
- func (c *CredentialsConfig) GetSession(opt ...Option) (*session.Session, error)
- func (c *CredentialsConfig) RotateKeys(opt ...Option) error
- type MockIAM
- type Option
- func WithAccessKey(with string) Option
- func WithAwsSession(with *session.Session) Option
- func WithClientType(with string) Option
- func WithEnvironmentCredentials(with bool) Option
- func WithHttpClient(with *http.Client) Option
- func WithIamEndpoint(with string) Option
- func WithLogger(with hclog.Logger) Option
- func WithMaxRetries(with *int) Option
- func WithRegion(with string) Option
- func WithSecretKey(with string) Option
- func WithSharedCredentials(with bool) Option
- func WithStsEndpoint(with string) Option
- func WithUsername(with string) Option
- func WithValidityCheckTimeout(with time.Duration) Option
Constants
const DefaultRegion = "us-east-1"
us-east-1 is used because it's where AWS first provides support for new features, is a widely used region, and is the most common one for some services like STS.
Variables
var ErrUpstreamRateLimited = errors.New("upstream rate limited")
Functions
func AppendAWSError
AppendAWSError checks if the given error is a known AWS error we modify, and if so returns a go-multierror that appends the original error and the AWS error. If the error is not an AWS error, or not an error we wish to modify, it returns the original error.
func CheckAWSError
CheckAWSError will examine an error and convert it to a logical error if appropriate. If no appropriate error is found, it returns nil.
func GenerateLoginData
func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string, logger hclog.Logger) (map[string]interface{}, error)
GenerateLoginData populates the necessary data to send to the Vault server for generating a token. This is useful for other API clients to use.
func GetRegion
It's impossible to mimic "normal" AWS behavior here because it's not consistent or well-defined. For example, boto3, the Python SDK (which the aws cli uses), loads `~/.aws/config` by default and only reads the `AWS_DEFAULT_REGION` environment variable (and not `AWS_REGION`), while the golang SDK does _mostly_ the opposite: it reads the region **only** from `AWS_REGION` and does not read `~/.aws/config` at all, **unless** the `AWS_SDK_LOAD_CONFIG` environment variable is set. So, we must define our own approach to walking AWS config and deciding what to use.
Our chosen approach is:
"More specific takes precedence over less specific."
1. User-provided configuration is the most explicit.
2. Environment variables are potentially shared across many invocations and so they have less precedence.
3. Configuration in `~/.aws/config` is shared across all invocations of a given user and so this has even less precedence.
4. Configuration retrieved from the EC2 instance metadata service is shared by all invocations on a given machine, and so it has the lowest precedence.
This approach should be used in future updates to this logic.
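The precedence above, as an added example in Go that is not the package's own GetRegion: resolveRegion and regionFromAWSConfig are assumed helper names, the instance-metadata region is passed in rather than fetched, the order in which the two environment variables are checked is an assumption, and the config text is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)
// DefaultRegion mirrors the constant documented on the page.
const DefaultRegion = "us-east-1"
// regionFromAWSConfig reads "region" for a profile from ~/.aws/config text;
// [default] is the default profile, [profile NAME] any other (assumption:
// standard AWS CLI layout, no "include" handling).
func regionFromAWSConfig(cfg, profile string) string {
	want := "[default]"
	if profile != "" && profile != "default" {
		want = "[profile " + profile + "]"
	}
	inSection := false
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") {
			inSection = line == want
			continue
		}
		if kv := strings.SplitN(line, "=", 2); inSection && len(kv) == 2 && strings.TrimSpace(kv[0]) == "region" {
			return strings.TrimSpace(kv[1])
		}
	}
	return ""
}
// resolveRegion applies "more specific wins": explicit value, then environment
// (AWS_REGION before AWS_DEFAULT_REGION, an assumed order), then ~/.aws/config,
// then the instance-metadata region (passed in, not fetched), then DefaultRegion.
func resolveRegion(configured string, env map[string]string, awsConfig, profile, imdsRegion string) string {
	if configured != "" {
		return configured
	}
	for _, k := range []string{"AWS_REGION", "AWS_DEFAULT_REGION"} {
		if v := env[k]; v != "" {
			return v
		}
	}
	if r := regionFromAWSConfig(awsConfig, profile); r != "" {
		return r
	}
	if imdsRegion != "" {
		return imdsRegion
	}
	return DefaultRegion
}
func main() { // constructed sample: the "prod" profile in config beats the metadata region
	fmt.Println(resolveRegion("", nil, "[default]\nregion = eu-west-1\n[profile prod]\nregion = ap-south-1\n", "prod", "ca-central-1"))
}
```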
func RetrieveCreds
func RetrieveCreds(accessKey, secretKey, sessionToken string, logger hclog.Logger) (*credentials.Credentials, error)
Types
type CredentialsConfig
type CredentialsConfig struct {
	// The access key if static credentials are being used
	AccessKey string
	// The secret key if static credentials are being used
	SecretKey string
	// The session token if it is being used
	SessionToken string
	// The IAM endpoint to use; if not set will use the default
	IAMEndpoint string
	// The STS endpoint to use; if not set will use the default
	STSEndpoint string
	// If specified, the region will be provided to the config of the
	// EC2RoleProvider's client. This may be useful if you want to e.g. reuse
	// the client elsewhere.
	Region string
	// The filename for the shared credentials provider, if being used
	Filename string
	// The profile for the shared credentials provider, if being used
	Profile string
	// The role ARN to use if using the web identity token provider
	RoleARN string
	// The role session name to use if using the web identity token provider
	RoleSessionName string
	// The web identity token file to use if using the web identity token provider
	WebIdentityTokenFile string
	// The http.Client to use, or nil for the client to use its default
	HTTPClient *http.Client
	// The max retries to set on the client. This is a pointer because the zero
	// value has meaning. A nil pointer will use the default value.
	MaxRetries *int
	// The logger to use for credential acquisition debugging
	Logger hclog.Logger
}
func NewCredentialsConfig
func NewCredentialsConfig(opt ...Option) (*CredentialsConfig, error)
NewCredentialsConfig builds a CredentialsConfig from the given options; the resulting config is used to generate a credential chain suitable for creating AWS sessions and clients.
Supported options: WithAccessKey, WithSecretKey, WithLogger, WithStsEndpoint, WithIamEndpoint, WithMaxRetries, WithRegion, WithHttpClient.
func (*CredentialsConfig) CreateAccessKey
func (c *CredentialsConfig) CreateAccessKey(opt ...Option) (*iam.CreateAccessKeyOutput, error)
CreateAccessKey creates a new access/secret key pair.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout.
When WithValidityCheckTimeout is non-zero, it specifies a timeout to wait on the created credentials to be valid and ready for use.
func (*CredentialsConfig) DeleteAccessKey
func (c *CredentialsConfig) DeleteAccessKey(accessKeyId string, opt ...Option) error
DeleteAccessKey deletes an access key.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername.
func (*CredentialsConfig) GenerateCredentialChain
func (c *CredentialsConfig) GenerateCredentialChain(opt ...Option) (*credentials.Credentials, error)
GenerateCredentialChain uses the config to generate a credential chain suitable for creating AWS sessions and clients.
Supported options: WithEnvironmentCredentials, WithSharedCredentials.
func (*CredentialsConfig) GetCallerIdentity
func (c *CredentialsConfig) GetCallerIdentity(opt ...Option) (*sts.GetCallerIdentityOutput, error)
GetCallerIdentity runs sts.GetCallerIdentity for the currently configured credentials. This can be used to check that the credentials are valid, as well as to inspect details about the effective account and user ID they resolve to.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithValidityCheckTimeout.
func (*CredentialsConfig) GetSession
func (c *CredentialsConfig) GetSession(opt ...Option) (*session.Session, error)
GetSession returns an AWS session configured according to the various values in the CredentialsConfig object. This can be passed into iam.New or sts.New as appropriate.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithClientType.
func (*CredentialsConfig) RotateKeys
func (c *CredentialsConfig) RotateKeys(opt ...Option) error
RotateKeys takes the access key and secret key from this credentials config, first creates a new access/secret key pair, then deletes the old access key. If deletion of the old access key succeeds, the new access key and secret key are written into the credentials config and nil is returned. On any error, the old credentials are not overwritten. This ensures that a newly generated secret key never leaves this function when an error occurs, even though an extraneous access key may then exist in IAM; we do also try to delete the new key to clean up, although that is unlikely to work if the old one could not be deleted.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout. Note that WithValidityCheckTimeout here, when non-zero, controls the WithValidityCheckTimeout option on access key creation. See CreateAccessKey for more details.
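The create-then-delete ordering and the error handling described above, as an added example that is not the package's own RotateKeys: accessKeyAPI, rotateKeys and fakeIAM are assumed names, the interface is a simplified stand-in for the two IAM calls rather than iamiface.IAMAPI, and the key ids and secrets are constructed samples.

```go
package main

import "fmt"
// accessKeyAPI is a simplified stand-in (an assumption, not the page's
// iamiface.IAMAPI) for the two IAM calls a rotation needs.
type accessKeyAPI interface {
	CreateAccessKey(user string) (id, secret string, err error)
	DeleteAccessKey(user, id string) error
}
// rotateKeys keeps the page's ordering: create new pair, delete old key, only
// then commit; if the old key cannot be deleted, try to delete the new one and
// leave the caller's credentials untouched.
func rotateKeys(api accessKeyAPI, user string, accessKey, secretKey *string) error {
	newID, newSecret, err := api.CreateAccessKey(user)
	if err != nil {
		return fmt.Errorf("creating new access key: %w", err)
	}
	if err := api.DeleteAccessKey(user, *accessKey); err != nil {
		if cerr := api.DeleteAccessKey(user, newID); cerr != nil {
			return fmt.Errorf("deleting old key %s: %v (cleanup of new key %s also failed: %v)", *accessKey, err, newID, cerr)
		}
		return fmt.Errorf("deleting old key %s: %w", *accessKey, err)
	}
	*accessKey, *secretKey = newID, newSecret
	return nil
}
// fakeIAM is an in-memory double in the spirit of the page's MockIAM.
type fakeIAM struct {
	keys       map[string]string // access key id -> secret
	failDelete string            // id whose deletion is refused (simulates a policy denial)
	nextID     int
}
func (f *fakeIAM) CreateAccessKey(user string) (string, string, error) {
	f.nextID++
	id := fmt.Sprintf("AKIAFAKE%04d", f.nextID) // constructed sample id
	f.keys[id] = "secret-for-" + id
	return id, f.keys[id], nil
}
func (f *fakeIAM) DeleteAccessKey(user, id string) error {
	if f.failDelete != "" && id == f.failDelete {
		return fmt.Errorf("AccessDenied deleting %s", id)
	}
	delete(f.keys, id)
	return nil
}
func main() {
	iam := &fakeIAM{keys: map[string]string{"AKIAOLD": "old-secret"}, failDelete: "AKIAOLD"}
	ak, sk := "AKIAOLD", "old-secret"
	fmt.Println(rotateKeys(iam, "svc-user", &ak, &sk), ak, sk, len(iam.keys))
}
```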
type MockIAM
type MockIAM struct {
	iamiface.IAMAPI

	CreateAccessKeyOutput *iam.CreateAccessKeyOutput
	DeleteAccessKeyOutput *iam.DeleteAccessKeyOutput
	GetUserOutput         *iam.GetUserOutput
}
func (*MockIAM) CreateAccessKey
func (m *MockIAM) CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
func (*MockIAM) DeleteAccessKey
func (m *MockIAM) DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
func (*MockIAM) GetUser
func (m *MockIAM) GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error)
type Option
type Option func(*options) error
Option - how Options are passed as arguments
func WithAccessKey
WithAccessKey allows passing an access key to use for operations
func WithAwsSession
WithAwsSession allows controlling the session passed into the client
func WithClientType
WithClientType allows choosing the client type to use
func WithEnvironmentCredentials
WithEnvironmentCredentials allows controlling whether environment credentials are used
func WithHttpClient
WithHttpClient allows passing a custom client to use
func WithIamEndpoint
WithIamEndpoint allows passing a custom IAM endpoint
func WithLogger
func WithLogger(with hclog.Logger) Option
WithLogger allows passing a logger to use
func WithMaxRetries
WithMaxRetries allows passing custom max retries to set
func WithSecretKey
WithSecretKey allows passing a secret key to use for operations
func WithSharedCredentials
WithSharedCredentials allows controlling whether shared credentials are used
func WithStsEndpoint
WithStsEndpoint allows passing a custom STS endpoint
func WithUsername
WithUsername allows passing the user name to use for an operation
func WithValidityCheckTimeout
WithValidityCheckTimeout allows passing a timeout for operations that can wait on success.