awsutil

package
v0.0.0-...-52b58a3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 31, 2022 License: Apache-2.0, MPL-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const DefaultRegion = "us-east-1"

"us-east-1 is used because it's where AWS first provides support for new features, is a widely used region, and is the most common one for some services like STS.

Variables

View Source 
var ErrUpstreamRateLimited = errors.New("upstream rate limited")

Functions

func AppendAWSError 

func AppendAWSError(err error) error

AppendAWSError checks if the given error is a known AWS error we modify, and if so then returns a go-multierror, appending the original and the AWS error. If the error is not an AWS error, or not an error we wish to modify, then return the original error.

func CheckAWSError 

func CheckAWSError(err error) error

CheckAWSError will examine an error and convert to a logical error if appropriate. If no appropriate error is found, return nil

func GenerateLoginData 

func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string, logger hclog.Logger) (map[string]interface{}, error)

GenerateLoginData populates the necessary data to send to the Vault server for generating a token This is useful for other API clients to use

func GetRegion 

func GetRegion(configuredRegion string) (string, error)

It's impossible to mimic "normal" AWS behavior here because it's not consistent or well-defined. For example, boto3, the Python SDK (which the aws cli uses), loads `~/.aws/config` by default and only reads the `AWS_DEFAULT_REGION` environment variable (and not `AWS_REGION`, while the golang SDK does _mostly_ the opposite -- it reads the region **only** from `AWS_REGION` and not at all `~/.aws/config`, **unless** the `AWS_SDK_LOAD_CONFIG` environment variable is set. So, we must define our own approach to walking AWS config and deciding what to use.

Our chosen approach is: 

"More specific takes precedence over less specific."

1. User-provided configuration is the most explicit. 2. Environment variables are potentially shared across many invocations and so they have less precedence. 3. Configuration in `~/.aws/config` is shared across all invocations of a given user and so this has even less precedence. 4. Configuration retrieved from the EC2 instance metadata service is shared by all invocations on a given machine, and so it has the lowest precedence.

This approach should be used in future updates to this logic.

func RetrieveCreds 

func RetrieveCreds(accessKey, secretKey, sessionToken string, logger hclog.Logger) (*credentials.Credentials, error)

Types

type CredentialsConfig 

type CredentialsConfig struct {
	// The access key if static credentials are being used
	AccessKey string

	// The secret key if static credentials are being used
	SecretKey string

	// The session token if it is being used
	SessionToken string

	// The IAM endpoint to use; if not set will use the default
	IAMEndpoint string

	// The STS endpoint to use; if not set will use the default
	STSEndpoint string

	// If specified, the region will be provided to the config of the
	// EC2RoleProvider's client. This may be useful if you want to e.g. reuse
	// the client elsewhere.
	Region string

	// The filename for the shared credentials provider, if being used
	Filename string

	// The profile for the shared credentials provider, if being used
	Profile string

	// The role ARN to use if using the web identity token provider
	RoleARN string

	// The role session name to use if using the web identity token provider
	RoleSessionName string

	// The web identity token file to use if using the web identity token provider
	WebIdentityTokenFile string

	// The http.Client to use, or nil for the client to use its default
	HTTPClient *http.Client

	// The max retries to set on the client. This is a pointer because the zero
	// value has meaning. A nil pointer will use the default value.
	MaxRetries *int

	// The logger to use for credential acquisition debugging
	Logger hclog.Logger
}

func NewCredentialsConfig 

func NewCredentialsConfig(opt ...Option) (*CredentialsConfig, error)

GenerateCredentialChain uses the config to generate a credential chain suitable for creating AWS sessions and clients.

Supported options: WithAccessKey, WithSecretKey, WithLogger, WithStsEndpoint, WithIamEndpoint, WithMaxRetries, WithRegion, WithHttpClient.

func (*CredentialsConfig) CreateAccessKey 

func (c *CredentialsConfig) CreateAccessKey(opt ...Option) (*iam.CreateAccessKeyOutput, error)

CreateAccessKey creates a new access/secret key pair.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout

When WithValidityCheckTimeout is non-zero, it specifies a timeout to wait on the created credentials to be valid and ready for use.

func (*CredentialsConfig) DeleteAccessKey 

func (c *CredentialsConfig) DeleteAccessKey(accessKeyId string, opt ...Option) error

DeleteAccessKey deletes an access key.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUserName

func (*CredentialsConfig) GenerateCredentialChain 

func (c *CredentialsConfig) GenerateCredentialChain(opt ...Option) (*credentials.Credentials, error)

GenerateCredentialChain uses the config to generate a credential chain suitable for creating AWS sessions and clients.

Supported options: WithEnvironmentCredentials, WithSharedCredentials

func (*CredentialsConfig) GetCallerIdentity 

func (c *CredentialsConfig) GetCallerIdentity(opt ...Option) (*sts.GetCallerIdentityOutput, error)

GetCallerIdentity runs sts.GetCallerIdentity for the current set credentials. This can be used to check that credentials are valid, in addition to checking details about the effective logged in account and user ID.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithValidityCheckTimeout

func (*CredentialsConfig) GetSession 

func (c *CredentialsConfig) GetSession(opt ...Option) (*session.Session, error)

GetSession returns an AWS session configured according to the various values in the CredentialsConfig object. This can be passed into iam.New or sts.New as appropriate.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithClientType

func (*CredentialsConfig) RotateKeys 

func (c *CredentialsConfig) RotateKeys(opt ...Option) error

RotateKeys takes the access key and secret key from this credentials config and first creates a new access/secret key, then deletes the old access key. If deletion of the old access key is successful, the new access key/secret key are written into the credentials config and nil is returned. On any error, the old credentials are not overwritten. This ensures that any generated new secret key never leaves this function in case of an error, even though it will still result in an extraneous access key existing; we do also try to delete the new one to clean up, although it's unlikely that will work if the old one could not be deleted.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout. Note that WithValidityCheckTimeout here, when non-zero, controls the WithValidityCheckTimeout option on access key creation. See CreateAccessKey for more details.

type MockIAM 

type MockIAM struct {
	iamiface.IAMAPI

	CreateAccessKeyOutput *iam.CreateAccessKeyOutput
	DeleteAccessKeyOutput *iam.DeleteAccessKeyOutput
	GetUserOutput         *iam.GetUserOutput
}

func (*MockIAM) CreateAccessKey 

func (m *MockIAM) CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)

func (*MockIAM) DeleteAccessKey 

func (m *MockIAM) DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)

func (*MockIAM) GetUser 

func (m *MockIAM) GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error)

type Option 

type Option func(*options) error

Option - how Options are passed as arguments

func WithAccessKey 

func WithAccessKey(with string) Option

WithAccessKey allows passing an access key to use for operations

func WithAwsSession 

func WithAwsSession(with *session.Session) Option

WithAwsSession allows controlling the session passed into the client

func WithClientType 

func WithClientType(with string) Option

WithClientType allows choosing the client type to use

func WithEnvironmentCredentials 

func WithEnvironmentCredentials(with bool) Option

WithEnvironmentCredentials allows controlling whether environment credentials are used

func WithHttpClient 

func WithHttpClient(with *http.Client) Option

WithHttpClient allows passing a custom client to use

func WithIamEndpoint 

func WithIamEndpoint(with string) Option

WithIamEndpoint allows passing a custom IAM endpoint

func WithLogger 

func WithLogger(with hclog.Logger) Option

WithLogger allows passing a logger to use

func WithMaxRetries 

func WithMaxRetries(with *int) Option

WithMaxRetries allows passing custom max retries to set

func WithRegion 

func WithRegion(with string) Option

WithRegion allows passing a custom region

func WithSecretKey 

func WithSecretKey(with string) Option

WithSecretKey allows passing a secret key to use for operations

func WithSharedCredentials 

func WithSharedCredentials(with bool) Option

WithSharedCredentials allows controlling whether shared credentials are used

func WithStsEndpoint 

func WithStsEndpoint(with string) Option

WithStsEndpoint allows passing a custom STS endpoint

func WithUsername 

func WithUsername(with string) Option

WithUsername allows passing the user name to use for an operation

func WithValidityCheckTimeout 

func WithValidityCheckTimeout(with time.Duration) Option

WithValidityCheckTimeout allows passing a timeout for operations that can wait on success.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.