package aws

v11.3.3
Published: Dec 13, 2022 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Copyright 2022 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

const (
	// PolicyVersion is default IAM policy version.
	PolicyVersion = "2012-10-17"
	// EffectAllow is the Allow IAM policy effect.
	EffectAllow = "Allow"
	// EffectDeny is the Deny IAM policy effect.
	EffectDeny = "Deny"
)
const (
	// TagKeyTeleportCreated defines a tag key that indicates the cloud
	// resource was created by Teleport.
	TagKeyTeleportCreated = "teleport.dev/created"

	// TagKeyTeleportManaged defines a tag key that indicates the cloud
	// resource is being managed by Teleport.
	TagKeyTeleportManaged = "teleport.dev/managed"

	// TagValueTrue is the tag value "true" in string format.
	TagValueTrue = "true"
)

Variables

This section is empty.

Functions

func ConvertIAMError

func ConvertIAMError(err error) error

ConvertIAMError converts common errors from IAM clients to trace errors.

func ConvertRequestFailureError

func ConvertRequestFailureError(err error) error

ConvertRequestFailureError converts AWS `RequestFailure` errors to trace errors. If the provided error is not a `RequestFailure`, it is returned unmodified.

func IsTagValueTrue

func IsTagValueTrue(value string) bool

IsTagValueTrue checks whether a tag value is true.

Types

type Identity

type Identity interface {
	// GetName returns the identity name.
	GetName() string
	// GetAccountID returns the AWS account ID the identity belongs to.
	GetAccountID() string
	// GetPartition returns the AWS partition the identity resides in.
	GetPartition() string
	// GetType returns the identity resource type.
	GetType() string
	// Stringer provides textual representation of identity.
	fmt.Stringer
}

Identity represents an AWS IAM identity such as user or role.

func GetIdentityWithClient

func GetIdentityWithClient(ctx context.Context, stsClient stsiface.STSAPI) (Identity, error)

GetIdentityWithClient determines AWS identity of this Teleport process using the provided STS API client.

func IdentityFromArn

func IdentityFromArn(arnString string) (Identity, error)

IdentityFromArn returns an `Identity` interface based on the provided ARN.

type InstanceMetadataClient

type InstanceMetadataClient struct {
	// contains filtered or unexported fields
}

InstanceMetadataClient is a wrapper for an imds.Client.

func NewInstanceMetadataClient

func NewInstanceMetadataClient(ctx context.Context, opts ...InstanceMetadataClientOption) (*InstanceMetadataClient, error)

NewInstanceMetadataClient creates a new instance metadata client.

func (*InstanceMetadataClient) GetHostname

func (client *InstanceMetadataClient) GetHostname(ctx context.Context) (string, error)

GetHostname gets the hostname set by EC2 that Teleport should use, if any.

func (*InstanceMetadataClient) GetID

func (client *InstanceMetadataClient) GetID(ctx context.Context) (string, error)

GetID gets the EC2 instance's ID.

func (*InstanceMetadataClient) GetRegion

func (client *InstanceMetadataClient) GetRegion(ctx context.Context) (string, error)

GetRegion gets the EC2 instance's region.

func (*InstanceMetadataClient) GetTags

func (client *InstanceMetadataClient) GetTags(ctx context.Context) (map[string]string, error)

GetTags gets all of the EC2 instance's tags.

func (*InstanceMetadataClient) GetType

GetType gets the cloud instance type.

func (*InstanceMetadataClient) IsAvailable

func (client *InstanceMetadataClient) IsAvailable(ctx context.Context) bool

IsAvailable checks if instance metadata is available.

type InstanceMetadataClientOption

type InstanceMetadataClientOption func(client *InstanceMetadataClient) error

InstanceMetadataClientOption allows setting options as functional arguments to an InstanceMetadataClient.

func WithIMDSClient

func WithIMDSClient(client *imds.Client) InstanceMetadataClientOption

WithIMDSClient adds a custom internal imds.Client to an InstanceMetadataClient.

type Policies

type Policies interface {
	// Upsert creates a new Policy or creates a Policy version if a policy with
	// the same name already exists.
	Upsert(ctx context.Context, policy *Policy) (arn string, err error)
	// Retrieve retrieves a policy and its versions. If the tags list is
	// present, the Policy should have all of them, otherwise an error is
	// returned.
	Retrieve(ctx context.Context, arn string, tags map[string]string) (policy *iam.Policy, policyVersions []*iam.PolicyVersion, err error)
	// Attach attaches a policy with `arn` to the provided `identity`.
	Attach(ctx context.Context, arn string, identity Identity) error
	// AttachBoundary attaches a policy boundary with `arn` to the provided
	// `identity`.
	AttachBoundary(ctx context.Context, arn string, identity Identity) error
}

Policies is a set of IAM policy helper functions, defined as an interface so that other packages can mock it and test against it more easily.

func NewPolicies

func NewPolicies(partitionID string, accountID string, iamClient iamiface.IAMAPI) Policies

NewPolicies creates a new instance of Policies using the provided partition ID, account ID and IAM client.

type Policy

type Policy struct {
	// Name is the policy name.
	Name string
	// Description is the policy description.
	Description string
	// Tags is the policy tags.
	Tags map[string]string
	// Document is the IAM policy document.
	Document *PolicyDocument
}

Policy represents an AWS IAM policy.

func NewPolicy

func NewPolicy(name, description string, tags map[string]string, document *PolicyDocument) *Policy

NewPolicy returns a new AWS IAM Policy.

type PolicyDocument

type PolicyDocument struct {
	// Version is the policy version.
	Version string `json:"Version"`
	// Statements is a list of the policy statements.
	Statements []*Statement `json:"Statement"`
}

PolicyDocument represents a parsed AWS IAM policy document.

Note that PolicyDocument and its Ensure/Delete methods are not currently goroutine-safe. To create a policy through the AWS IAM API, serialize the object to JSON with json.Marshal.

func NewPolicyDocument

func NewPolicyDocument(statements ...*Statement) *PolicyDocument

NewPolicyDocument returns a new AWS IAM policy document containing the provided statements (an empty document if none are given).

func ParsePolicyDocument

func ParsePolicyDocument(document string) (*PolicyDocument, error)

ParsePolicyDocument returns parsed AWS IAM policy document.

func (*PolicyDocument) Delete

func (p *PolicyDocument) Delete(effect, action, resource string)

Delete deletes the specified resource action from the policy.

func (*PolicyDocument) Ensure

func (p *PolicyDocument) Ensure(effect, action, resource string) bool

Ensure ensures that the policy document contains the specified resource action.

Returns true if the resource action was already a part of the policy and false otherwise.

func (*PolicyDocument) ForEach

func (p *PolicyDocument) ForEach(fn func(effect, action, resource string))

ForEach loops through each action and resource of each statement.

func (*PolicyDocument) Marshal

func (p *PolicyDocument) Marshal() (string, error)

Marshal formats the PolicyDocument in a "friendly" format, which can be presented to end users.
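The Ensure/Delete/ForEach semantics described above, as an added example that is not the package's own code: a stand-alone reimplementation with plain []string fields in place of SliceOrString. Ensure's boolean means "was already present", and this example's Delete (an assumption of the example, not documented behaviour) only edits statements whose sole action is the one being removed, so taking away one grant cannot strip the resource from other actions sharing that statement.

```go
package main

// Statement and PolicyDocument follow the page's layout, with plain []string fields.
type Statement struct {
	Effect    string
	Actions   []string
	Resources []string
}

type PolicyDocument struct {
	Statements []*Statement
}

// Ensure returns true when (effect, action, resource) is already present; otherwise
// it appends a one-triple statement and returns false so the caller knows to rewrite.
func (p *PolicyDocument) Ensure(effect, action, resource string) bool {
	for _, st := range p.Statements {
		for _, a := range st.Actions {
			for _, r := range st.Resources {
				if st.Effect == effect && a == action && r == resource {
					return true
				}
			}
		}
	}
	p.Statements = append(p.Statements, &Statement{Effect: effect,
		Actions: []string{action}, Resources: []string{resource}})
	return false
}

// Delete removes the resource from statements with the same effect and only that
// action, then drops statements left empty. Multi-action statements are untouched.
func (p *PolicyDocument) Delete(effect, action, resource string) {
	var kept []*Statement
	for _, st := range p.Statements {
		if st.Effect == effect && len(st.Actions) == 1 && st.Actions[0] == action {
			var res []string
			for _, r := range st.Resources {
				if r != resource {
					res = append(res, r)
				}
			}
			st.Resources = res
		}
		if len(st.Resources) > 0 {
			kept = append(kept, st)
		}
	}
	p.Statements = kept
}
```

Because Ensure reports "already present" rather than "changed", a caller that wants to know whether the stored policy needs an Upsert must invert the result.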

type Role

type Role struct {
	// contains filtered or unexported fields
}

Role represents an AWS IAM role identity.

func (Role) GetAccountID

func (i Role) GetAccountID() string

GetAccountID returns the identity account ID.

func (Role) GetName

func (i Role) GetName() string

GetName returns the identity name.

func (Role) GetPartition

func (i Role) GetPartition() string

GetPartition returns the identity AWS partition.

func (Role) GetType

func (i Role) GetType() string

GetType returns the identity resource type.

func (Role) String

func (i Role) String() string

String returns the AWS identity ARN.

type SliceOrString

type SliceOrString []string

SliceOrString defines a type that can be either a single string or a slice.

For example, these policy elements can be either a single string or a slice:

- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_action.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

func (SliceOrString) MarshalJSON

func (s SliceOrString) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaler.

func (*SliceOrString) UnmarshalJSON

func (s *SliceOrString) UnmarshalJSON(bytes []byte) error

UnmarshalJSON implements json.Unmarshaler.
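The string-or-array handling that SliceOrString exists for, as an added example rather than the package's code: a reimplementation of both JSON methods plus a hypothetical ParseStatement helper, accepting either IAM form on input and always emitting the array form on output so that re-encoded policies have one canonical shape.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SliceOrString decodes an IAM "Action" or "Resource" element, which IAM accepts
// either as a bare string or as a JSON array of strings, into a []string.
type SliceOrString []string

// UnmarshalJSON tries the array form first and falls back to a single string.
func (s *SliceOrString) UnmarshalJSON(b []byte) error {
	var many []string
	if err := json.Unmarshal(b, &many); err == nil {
		*s = many
		return nil
	}
	var one string
	if err := json.Unmarshal(b, &one); err != nil {
		return fmt.Errorf("expected a string or an array of strings: %w", err)
	}
	*s = []string{one}
	return nil
}

// MarshalJSON always emits the array form, so re-encoded documents have one
// canonical shape regardless of how the input was written.
func (s SliceOrString) MarshalJSON() ([]byte, error) {
	return json.Marshal([]string(s))
}

// Statement uses the same JSON tags as the page's Statement type.
type Statement struct {
	Effect    string        `json:"Effect"`
	Actions   SliceOrString `json:"Action"`
	Resources SliceOrString `json:"Resource"`
}

// ParseStatement (hypothetical helper) decodes one statement written in either form.
func ParseStatement(doc string) (*Statement, error) {
	var st Statement
	if err := json.Unmarshal([]byte(doc), &st); err != nil {
		return nil, err
	}
	return &st, nil
}
```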

type Statement

type Statement struct {
	// Effect is the statement effect such as Allow or Deny.
	Effect string `json:"Effect"`
	// Actions is a list of actions.
	Actions SliceOrString `json:"Action"`
	// Resources is a list of resources.
	Resources SliceOrString `json:"Resource"`
}

Statement is a single AWS IAM policy statement.

type Unknown

type Unknown struct {
	// contains filtered or unexported fields
}

Unknown represents an unknown/unsupported AWS IAM identity.

func (Unknown) GetAccountID

func (i Unknown) GetAccountID() string

GetAccountID returns the identity account ID.

func (Unknown) GetName

func (i Unknown) GetName() string

GetName returns the identity name.

func (Unknown) GetPartition

func (i Unknown) GetPartition() string

GetPartition returns the identity AWS partition.

func (Unknown) GetType

func (i Unknown) GetType() string

GetType returns the identity resource type.

func (Unknown) String

func (i Unknown) String() string

String returns the AWS identity ARN.

type User

type User struct {
	// contains filtered or unexported fields
}

User represents an AWS IAM user identity.

func (User) GetAccountID

func (i User) GetAccountID() string

GetAccountID returns the identity account ID.

func (User) GetName

func (i User) GetName() string

GetName returns the identity name.

func (User) GetPartition

func (i User) GetPartition() string

GetPartition returns the identity AWS partition.

func (User) GetType

func (i User) GetType() string

GetType returns the identity resource type.

func (User) String

func (i User) String() string

String returns the AWS identity ARN.
