alks-go

alks-go is a Go client library for accessing the ALKS API.


alks-go requires Go version 1.7 or greater.

Usage

import "github.com/Cox-Automotive/alks-go"

Construct a new ALKS client, then use the various services on the client to access different parts of the ALKS API. Please note that session creation requires username and password. IAM role CRUD operations can work with either username and password or an STS session.

Username/Password Authentication

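// Username/password (LDAP) authentication, followed by a plain STS session.
client, err := alks.NewClient("http://my.alks.url/rest", "username", "password", "my-acct", "my-role")
if err != nil {
	log.Fatal(err)
}

// create new STS session: sessionDuration=2, useIAM=false (Durations() lists the accepted values).
// CreateSession returns a concrete *AlksError, so keep it in its own variable:
// assigning a nil *AlksError to the error-typed err above would leave err != nil.
resp, alksErr := client.CreateSession(2, false)
if alksErr != nil {
	log.Fatal(alksErr)
}

// SecretKey and SessionToken are credentials; they are deliberately not logged.
log.Printf("Session: %v ~~ expires %v", resp.AccessKey, resp.Expires)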

STS Authentication - Currently only used for IAM role CRUD

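// STS authentication. NewSTSClient takes only (url, accessKey, secretKey, token);
// the account the original example passed as a fifth argument is set on the
// client's AccountDetails instead — confirm this is what the IAM role calls expect.
client, err := alks.NewSTSClient("http://my.alks.url/rest", "accessKey", "secretKey", "sessionToken")
if err != nil {
	log.Fatal(err)
}
client.AccountDetails = alks.AccountDetails{Account: "account"}

// create new role. CreateIamRole takes *CreateIamRoleOptions whose fields are all
// pointers, so take the address of locals. IncludeDefaultPolicies presumably
// corresponds to the old third positional argument (false) — confirm.
roleName := "myRole"
roleType := "Amazon EC2"
includeDefaultPolicies := false
resp, alksErr := client.CreateIamRole(&alks.CreateIamRoleOptions{
	RoleName:               &roleName,
	RoleType:               &roleType,
	IncludeDefaultPolicies: &includeDefaultPolicies,
})
if alksErr != nil {
	log.Fatal(alksErr)
}

// IamRoleResponse exposes RoleArn and RoleIPArn; the lowercase field names in
// the old example are unexported and not reachable from outside the package.
log.Printf("Role ARN: %v ~~ Role IP ARN: %v", resp.RoleArn, resp.RoleIPArn)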
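// STS authentication for a cross-account trust role. NewSTSClient takes only
// (url, accessKey, secretKey, token); the account goes on AccountDetails.
client, err := alks.NewSTSClient("http://my.alks.url/rest", "accessKey", "secretKey", "sessionToken")
if err != nil {
	log.Fatal(err)
}
client.AccountDetails = alks.AccountDetails{Account: "account"}

// create new trust role. CreateIamTrustRole takes the same *CreateIamRoleOptions
// as CreateIamRole; the trusted principal goes in TrustArn.
roleName := "myRole"
roleType := "Cross Account"
trustArn := "arn:aws:iam::123456789123:role/test-role"
resp, alksErr := client.CreateIamTrustRole(&alks.CreateIamRoleOptions{
	RoleName: &roleName,
	RoleType: &roleType,
	TrustArn: &trustArn,
})
if alksErr != nil {
	log.Fatal(alksErr)
}

// RoleArn / RoleIPArn are the exported IamRoleResponse fields.
log.Printf("Role ARN: %v ~~ Role IP ARN: %v", resp.RoleArn, resp.RoleIPArn)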

Some API methods don't require an account and role to be provided.

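// Some calls need no account/role; the parameters are plain strings, so pass "".
client, err := alks.NewClient("http://my.alks.url/rest", "username", "password", "", "")
if err != nil {
	log.Fatal(err)
}

// list all available account/roles. GetAccounts returns *AlksError, so use a
// separate variable rather than the error-typed err (nil-interface pitfall).
resp, alksErr := client.GetAccounts()
if alksErr != nil {
	log.Fatal(alksErr)
}

for _, acct := range resp.Accounts {
	log.Printf("Account %v Role %v IAM %v", acct.Account, acct.Role, acct.IamActive)
}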
Unit Tests

You can run the tests with Make

make test

Documentation

Constants

This section is empty.

Variables

// Message templates used when reporting ALKS API failures. All but
// GenericAlksError are fmt-style format strings; the verbs show what each
// one expects ([%s] is a request ID, %d a status code, %s a message).
var (
	// AlksResponsErrorStrings takes one %s argument.
	AlksResponsErrorStrings = "ALKS Errors: %s \nContact the ALKS Team for assistance on Slack at #alks-client-support"
	// ErrorStringFull takes request ID, status code and message.
	ErrorStringFull = "[%s] ALKS Error %d Msg: %s\n Contact the ALKS Team for assistance on Slack at #alks-client-support"
	// ErrorStringNoReqId takes status code and message.
	ErrorStringNoReqId = "ALKS Error %d Msg: %s\n Contact the ALKS Team for assistance on Slack at #alks-client-support"
	// ErrorStringOnlyCode takes a status code.
	ErrorStringOnlyCode = "ALKS Error %d\n Contact the ALKS Team for assistance on Slack at #alks-client-support"
	// ErrorStringOnlyCodeAndReqId takes request ID and status code.
	ErrorStringOnlyCodeAndReqId = "[%s] ALKS Error %d\n Contact the ALKS Team for assistance on Slack at #alks-client-support"
	// GenericAlksError is a literal with no format verbs.
	GenericAlksError = "ALKS Errors: Contact the ALKS Team for assistance on Slack at #alks-client-support"
	// ParseError takes the parse failure detail.
	ParseError = "Error parsing ALKS Error response: %s"
	// ParseErrorReqId takes request ID and the parse failure detail.
	ParseErrorReqId = "[%s] Error parsing ALKS Error response: %s"
)

Functions

func GetRequestID

func GetRequestID(resp *http.Response) string

GetRequestID returns the ALKS Request ID Header if present or ""

Types

type AccountDetails

// AccountDetails identifies the ALKS account and role a request is made for.
// Both fields are omitted from JSON when empty.
type AccountDetails struct {
	Account string `json:"account,omitempty"` // parsed by GetAccountNumber / GetAccountDesc
	Role    string `json:"role,omitempty"`    // used by GetRoleName, which falls back to parsing Account
}

AccountDetails represents the caller's Account and Role information for ALKS requests

func (AccountDetails) GetAccountDesc

func (a AccountDetails) GetAccountDesc() (string, error)

GetAccountDesc parses the Account provided in AccountDetails and returns the account description if present

func (AccountDetails) GetAccountNumber

func (a AccountDetails) GetAccountNumber() (string, error)

GetAccountNumber parses the Account provided in AccountDetails and returns the account number if present

func (AccountDetails) GetRoleName

func (a AccountDetails) GetRoleName(stripPrefix bool) (string, error)

GetRoleName returns the AccountDetails Role or parses the role value from the Account

type AccountRole

// AccountRole is one account/role combination as listed by GetAccounts.
type AccountRole struct {
	Account        string         `json:"account"`
	Role           string         `json:"role"`
	IamActive      bool           `json:"iamKeyActive"` // JSON key differs from the field name
	SkypieaAccount SkypieaAccount `json:"skypieaAccount"`
}

AccountRole is used to represent an ALKS account and role combination

type AccountsResponse

// AccountsResponse is the value returned to callers of GetAccounts.
type AccountsResponse struct {
	Accounts []AccountRole `json:"accountListRole"`
}

AccountsResponse is used to represent a collection of ALKS accounts

type AccountsResponseInt

// AccountsResponseInt is the wire shape of the accounts response: the same
// "accountListRole" key as AccountsResponse, but as a map of slices.
// NOTE(review): the map key's meaning is not visible here — confirm.
type AccountsResponseInt struct {
	BaseResponse
	Accounts map[string][]AccountRole `json:"accountListRole"`
}

AccountsResponseInt is used internally to represent a collection of ALKS accounts

type AddRoleMachineIdentityRequest

// AddRoleMachineIdentityRequest is the body sent by AddRoleMachineIdentity.
type AddRoleMachineIdentityRequest struct {
	RoleARN string `json:"roleARN"`
}

AddRoleMachineIdentityRequest is used to represent a request for adding a machine identity for an IamRole

type AlksError

// AlksError is the error value returned by the Client methods. They return it
// as a concrete *AlksError, so check the result against nil as *AlksError:
// storing a nil *AlksError in an error-typed variable yields a non-nil error.
type AlksError struct {
	StatusCode int    // HTTP status of the failed response; no json tag
	RequestId  string `json:"requestId"`
	Err        error  // underlying error; no json tag
}

func (*AlksError) Error

func (r *AlksError) Error() string

type AlksResponseError

// AlksResponseError is the JSON error body returned by ALKS.
type AlksResponseError struct {
	StatusMessage string   `json:"statusMessage"`
	Errors        []string `json:"errors"`
	RequestId     string   `json:"requestId"`
}

type AllIamUsersResponseType

// AllIamUsersResponseType is one entry of the long-term-key listing. Only the
// access key ID is present; no secret material is carried here.
type AllIamUsersResponseType struct {
	UserName    string `json:"userName"`
	AccessKeyID string `json:"accessKeyId"`
	Status      string `json:"status"`
	CreateDate  string `json:"createDate"` // kept as a string, not time.Time
}

AllIamUsersResponseType represents iamUser returned by ltks endpoint

type AuthInjecter

// AuthInjecter adds authentication data to an outgoing request. Basic, Bearer
// and STS implement it; Client.Credentials holds the one in use.
type AuthInjecter interface {
	// InjectAuth mutates req in place and returns an error if no credentials could be applied.
	InjectAuth(req *http.Request) error
}

AuthInjecter is the interface that wraps the InjectAuth method.

Implementations are expected to add their authentication data to the request without destroying existing data (if any) and should implement fallbacks when possible. Failing that, an error should be reported to the caller.

type BaseIamUserResponse

// BaseIamUserResponse holds fields shared by the iamUser responses. All are
// omitempty, so a false bool is indistinguishable from an absent one.
type BaseIamUserResponse struct {
	Action              string `json:"action,omitempty"`
	AddedIAMUserToGroup bool   `json:"addedIAMUserToGroup,omitempty"`
	PartialError        bool   `json:"partialError,omitempty"`
}

BaseIamUserResponse encapsulates shared response fields

type BaseResponse

// BaseResponse carries the status fields present in every ALKS response;
// RequestFailed and GetErrors read Errors.
type BaseResponse struct {
	StatusMessage string   `json:"statusMessage,omitempty"`
	Errors        []string `json:"errors,omitempty"`
	RequestID     string   `json:"requestId,omitempty"`
}

BaseResponse represents basic fields included in all ALKS REST API responses

func (BaseResponse) GetErrors

func (b BaseResponse) GetErrors() []string

GetErrors returns a list of error messages from an ALKS response

func (BaseResponse) RequestFailed

func (b BaseResponse) RequestFailed() bool

RequestFailed returns a boolean indicating if an ALKS response contained an error

type Basic

// Basic holds LDAP username/password credentials. Both fields are tagged
// json:"-" so they are never serialized; treat Password as a secret and keep
// it out of logs and error messages.
type Basic struct {
	Username string `json:"-"`
	Password string `json:"-"`
}

Basic represents LDAP based credentials in the configuration of the ALKS client

func (*Basic) InjectAuth

func (b *Basic) InjectAuth(req *http.Request) error

InjectAuth will add an Authorization header to an ALKS client request containing the caller's username and password.

type Bearer

// Bearer holds an Okta bearer token. Token is tagged json:"-" so it is never
// serialized; it is a secret and should not be logged.
type Bearer struct {
	Token string `json:"-"`
}

Bearer represents an Okta bearer token in the configuration of the ALKS client

func (*Bearer) InjectAuth

func (b *Bearer) InjectAuth(req *http.Request) error

InjectAuth will add an authorization header to an ALKS client request containing the caller's Okta bearer token.

type Client

// Client talks to one ALKS endpoint. Credentials is whichever AuthInjecter the
// constructor chose (Basic, Bearer or STS); AccountDetails is the account/role
// used for account-scoped calls and may be set after construction.
type Client struct {
	Credentials    AuthInjecter
	AccountDetails AccountDetails
	BaseURL        string // the url passed to the constructors
	// contains filtered or unexported fields
}

Client represents an ALKS client and contains the account info and base url.

func NewBearerTokenClient

func NewBearerTokenClient(url string, bearerToken string, account string, role string) (*Client, error)

NewBearerTokenClient will create a new instance of the ALKS Client using Okta Bearer Token auth.

func NewClient

func NewClient(url string, username string, password string, account string, role string) (*Client, error)

NewClient will create a new instance of the ALKS Client. If you don't yet know the account/role, pass them as empty strings and then invoke GetAccounts().

func NewSTSClient

func NewSTSClient(url string, accessKey string, secretKey string, token string) (*Client, error)

NewSTSClient will create a new instance of the ALKS Client using STS tokens.

func (*Client) AddRoleMachineIdentity

func (c *Client) AddRoleMachineIdentity(roleARN string) (*MachineIdentityResponse, *AlksError)

AddRoleMachineIdentity enables machine identity for an IamRole. If no error is returned then you will receive the ARN of the machine identity that was created.

func (*Client) CreateIamRole

func (c *Client) CreateIamRole(options *CreateIamRoleOptions) (*IamRoleResponse, *AlksError)

CreateIamRole will create a new IAM role in AWS. If no error is returned then you will receive an IamRoleResponse object representing the new role.

func (*Client) CreateIamSession

func (c *Client) CreateIamSession() (*SessionResponse, *AlksError)

CreateIamSession creates a new IAM STS session. If no error is returned then you will receive a SessionResponse object containing your session keys.

func (*Client) CreateIamTrustRole

func (c *Client) CreateIamTrustRole(options *CreateIamRoleOptions) (*IamRoleResponse, *AlksError)

CreateIamTrustRole will create a new IAM trust role on AWS. If no error is returned then you will receive an IamRoleResponse object representing the new role.

func (*Client) CreateIamUser

func (c *Client) CreateIamUser(options *IamUserOptions) (*CreateIamUserResponse, *AlksError)

CreateIamUser creates an iamUser and secret key for an account. If no error is returned, then you will receive an appropriate success message.

func (*Client) CreateSession

func (c *Client) CreateSession(sessionDuration int, useIAM bool) (*SessionResponse, *AlksError)

CreateSession will create a new STS session on AWS. If no error is returned then you will receive a SessionResponse object representing your STS session.

func (*Client) DeleteIamRole

func (c *Client) DeleteIamRole(id string) *AlksError

DeleteIamRole will delete an existing IAM role from AWS. If no error is returned then the deletion was successful.

func (*Client) DeleteIamUser

func (c *Client) DeleteIamUser(iamUsername string) (*DeleteIamUserResponse, *AlksError)

DeleteIamUser deletes an LTK user for an account. If no error is returned, then you will receive an appropriate success message.

func (*Client) DeleteRoleMachineIdentity

func (c *Client) DeleteRoleMachineIdentity(roleARN string) (*MachineIdentityResponse, *AlksError)

DeleteRoleMachineIdentity disables machine identity for an IamRole. If no error is returned then you will receive the ARN of the machine identity that was deleted.

func (*Client) Durations

func (c *Client) Durations() ([]int, error)

Durations will provide the valid session durations

func (*Client) GetAccounts

func (c *Client) GetAccounts() (*AccountsResponse, *AlksError)

GetAccounts returns a list of AccountRoles for an AWS account

func (*Client) GetIamRole

func (c *Client) GetIamRole(roleName string) (*GetIamRoleResponse, *AlksError)

GetIamRole will request the details about an existing IAM role on AWS. If no error is returned then you will receive a GetIamRoleResponse object representing the existing role. If the role does not exist the GetIamRoleResponse object will also be nil.

func (*Client) GetIamUser

func (c *Client) GetIamUser(iamUsername string) (*GetIamUserResponse, *AlksError)

GetIamUser gets a single LTK for an account. If no error is returned, then you will receive an LTK for the given account.

func (*Client) GetIamUsers

func (c *Client) GetIamUsers() (*GetIamUsersResponse, *AlksError)

GetIamUsers gets the LTKs for an account. If no error is returned then you will receive a list of LTKs.

func (*Client) GetLoginRole

func (c *Client) GetLoginRole() (*LoginRoleResponse, *AlksError)

GetLoginRole returns the login role corresponding to the current account and role stored in AccountDetails

func (*Client) GetMyLoginRole

func (c *Client) GetMyLoginRole() (*LoginRoleResponse, *AlksError)

GetMyLoginRole returns the LoginRole corresponding to the clients current STS credentials

func (*Client) IsIamEnabled

func (c *Client) IsIamEnabled(roleArn string) (*IsIamEnabledResponse, *AlksError)

IsIamEnabled will check if a MI, AccountDetails, or STS assumed role is IAM active or not.

func (*Client) IsUsingSTSCredentials

func (c *Client) IsUsingSTSCredentials() bool

IsUsingSTSCredentials returns a boolean indicating if the client was configured using AWS STS Credentials for authentication

func (*Client) NewRequest

func (c *Client) NewRequest(json []byte, method string, endpoint string) (*http.Request, error)

NewRequest will create a new request object for API requests.

func (*Client) SearchRoleMachineIdentity

func (c *Client) SearchRoleMachineIdentity(roleARN string) (*MachineIdentityResponse, *AlksError)

SearchRoleMachineIdentity searches for a machine identity for a given roleARN. If no error is returned then you will receive the ARN of the machine identity for the given roleARN.

func (*Client) SetUserAgent

func (c *Client) SetUserAgent(userAgent string)

SetUserAgent sets the client user agent in order to report tool details to ALKS

func (*Client) UpdateIamRole

func (c *Client) UpdateIamRole(options *UpdateIamRoleRequest) (*UpdateIamRoleResponse, *AlksError)

UpdateIamRole updates an IAM role with the given options.

func (*Client) UpdateIamUser

func (c *Client) UpdateIamUser(options *IamUserOptions) (*UpdateIamUserResponse, *AlksError)

type CreateIamRoleOptions

// CreateIamRoleOptions is the input to CreateIamRole / CreateIamTrustRole and
// is converted to an IamRoleRequest by NewIamRoleRequest. Every field is a
// pointer; presumably nil means "not provided" — confirm in NewIamRoleRequest.
// No json tags: this type is not serialized directly.
type CreateIamRoleOptions struct {
	RoleName                    *string
	RoleType                    *string
	TrustPolicy                 *map[string]interface{}
	IncludeDefaultPolicies      *bool
	AlksAccess                  *bool
	TrustArn                    *string // principal for trust roles
	TemplateFields              *map[string]string
	MaxSessionDurationInSeconds *int
	Tags                        *[]Tag
}

type CreateIamUserApiResponse

// CreateIamUserApiResponse is the raw API body for a created iamUser. It
// carries the new long-term SecretKey: handle it as a secret (no logging,
// no persistence in plain text).
type CreateIamUserApiResponse struct {
	IAMUserName string `json:"iamUserName"`
	IAMUserArn  string `json:"iamUserArn"`
	AccessKey   string `json:"accessKey"`
	SecretKey   string `json:"secretKey"`
}

CreateIamUserApiResponse represents the response from API

type CreateIamUserRequest

// CreateIamUserRequest is the body built by NewCreateIamUserRequest. The
// embedded AccountDetails fields are flattened into the same JSON object.
type CreateIamUserRequest struct {
	AccountDetails
	IamUserName string `json:"iamUserName"`
	Tags        []Tag  `json:"tags,omitempty"`
}

func NewCreateIamUserRequest

func NewCreateIamUserRequest(options *IamUserOptions) (*CreateIamUserRequest, error)

type CreateIamUserResponse

CreateIamUserResponse is the response to the CLI client

type DeleteIamUserRequest

// DeleteIamUserRequest is the body sent by DeleteIamUser; AccountDetails is
// flattened into the JSON object.
type DeleteIamUserRequest struct {
	AccountDetails
	IamUserName string `json:"iamUserName"`
}

DeleteIamUserRequest is used to represent the request body to delete LTKs

type DeleteIamUserResponse

// DeleteIamUserResponse is returned by DeleteIamUser; it is the union of the
// three embedded structs' JSON fields.
type DeleteIamUserResponse struct {
	AccountDetails
	BaseResponse
	BaseIamUserResponse
}

type DeleteRoleMachineIdentityRequest

// DeleteRoleMachineIdentityRequest is the body sent by DeleteRoleMachineIdentity.
type DeleteRoleMachineIdentityRequest struct {
	RoleARN string `json:"roleARN"`
}

DeleteRoleMachineIdentityRequest is used to represent a request for deleting a machine identity for an IamRole

type DeleteRoleRequest

// DeleteRoleRequest is the body sent by DeleteIamRole, keyed by role name.
type DeleteRoleRequest struct {
	RoleName string `json:"roleName"`
}

DeleteRoleRequest is used to represent a request for deleting an existing IAM role based on the role's name.

type DeleteRoleResponse

// DeleteRoleResponse is the result of a role deletion.
// NOTE(review): Status is decoded from the "roleArn" key, so it holds the
// role ARN rather than a status — confirm against the API before relying on it.
type DeleteRoleResponse struct {
	BaseResponse
	RoleName string `json:"roleName"`
	Status   string `json:"roleArn"`
}

DeleteRoleResponse is used to represent the results of an IAM role deletion request.

type GetIamRoleResponse

// GetIamRoleResponse describes an existing IAM role as returned by GetIamRole.
// Several JSON keys differ from the field names (see trailing comments).
type GetIamRoleResponse struct {
	BaseResponse
	RoleName                    string                 `json:"roleName"`
	RoleType                    string                 `json:"roleType"`
	TrustPolicy                 map[string]interface{} `json:"trustPolicy"`
	RoleArn                     string                 `json:"roleArn"`
	RoleIPArn                   string                 `json:"instanceProfileArn"`         // instance profile ARN
	RoleAddedToIP               bool                   `json:"addedRoleToInstanceProfile"`
	Exists                      bool                   `json:"roleExists"`
	AlksAccess                  bool                   `json:"machineIdentity"`            // wire key is "machineIdentity"
	Tags                        []Tag                  `json:"tags"`
	MaxSessionDurationInSeconds int                    `json:"maxSessionDurationInSeconds"`
}

GetIamRoleResponse is used to represent an IAM Role.

type GetIamUserResponse

// GetIamUserResponse wraps a single IamUser (under the "item" key).
type GetIamUserResponse struct {
	BaseResponse
	User IamUser `json:"item"`
}

GetIamUserResponse is used to represent a single long term key.

type GetIamUsersResponse

// GetIamUsersResponse lists an account's long-term keys (key "longTermKeys").
type GetIamUsersResponse struct {
	BaseResponse
	IamUsers []AllIamUsersResponseType `json:"longTermKeys"`
}

GetIamUsersResponse is used to represent the list of long term keys

type GetRoleRequest

// GetRoleRequest is the body sent by GetIamRole, keyed by role name.
type GetRoleRequest struct {
	RoleName string `json:"roleName"`
}

GetRoleRequest is used to represent a request for details about a specific role based on the role's name.

type IamRoleRequest

// IamRoleRequest is the wire body for role creation, built from
// CreateIamRoleOptions by NewIamRoleRequest. Because of omitempty, a false
// bool or zero int is omitted from the JSON rather than sent explicitly.
type IamRoleRequest struct {
	RoleName                    string                 `json:"roleName"`
	RoleType                    string                 `json:"roleType,omitempty"`
	TrustPolicy                 map[string]interface{} `json:"trustPolicy,omitempty"`
	IncDefPols                  int                    `json:"includeDefaultPolicy,omitempty"` // int on the wire, not bool
	AlksAccess                  bool                   `json:"enableAlksAccess,omitempty"`
	TrustArn                    string                 `json:"trustArn,omitempty"`
	TemplateFields              map[string]string      `json:"templateFields,omitempty"`
	MaxSessionDurationInSeconds int                    `json:"maxSessionDurationInSeconds,omitempty"`
	Tags                        []Tag                  `json:"tags,omitempty"`
}

IamRoleRequest is used to represent a new IAM Role request.

func NewIamRoleRequest

func NewIamRoleRequest(options *CreateIamRoleOptions) (*IamRoleRequest, error)

NewIamRoleRequest creates a new IamRoleRequest object from options

type IamRoleResponse

// IamRoleResponse is returned by CreateIamRole and CreateIamTrustRole.
type IamRoleResponse struct {
	BaseResponse
	RoleName                    string                 `json:"roleName"`
	RoleType                    string                 `json:"roleType"`
	TrustPolicy                 map[string]interface{} `json:"trustPolicy"`
	RoleArn                     string                 `json:"roleArn"`
	RoleIPArn                   string                 `json:"instanceProfileArn"` // instance profile ARN
	RoleAddedToIP               bool                   `json:"addedRoleToInstanceProfile"`
	Exists                      bool                   `json:"roleExists"`
	TemplateFields              map[string]string      `json:"templateFields,omitempty"`
	MaxSessionDurationInSeconds int                    `json:"maxSessionDurationInSeconds"`
}

IamRoleResponse is used to represent an IAM Role.

type IamUser

// IamUser is the iamUser record returned by the iam-user endpoint. Only the
// access key ID is included; the secret key is not part of this type.
type IamUser struct {
	ARN       string `json:"arn"`
	AccountId string `json:"accountId"`
	UserName  string `json:"userName"`
	AccessKey string `json:"accessKey"`
	Tags      []Tag  `json:"tags"`
}

IamUser represents an iamUser returned by the iam-user endpoint

type IamUserOptions

// IamUserOptions is the input to CreateIamUser and UpdateIamUser; the
// request builders NewCreateIamUserRequest / NewUpdateIamUserRequest consume it.
// Pointer fields presumably mean "unset" when nil — confirm in those builders.
type IamUserOptions struct {
	IamUserName *string
	Tags        *[]Tag
}

IamUserOptions holds the options used to create and update an iamUser

type IsIamEnabledRequest

// IsIamEnabledRequest is the body sent by IsIamEnabled; AccountDetails is
// flattened and RoleArn is omitted when empty.
type IsIamEnabledRequest struct {
	AccountDetails
	RoleArn string `json:"roleArn,omitempty"`
}

type IsIamEnabledResponse

// IsIamEnabledResponse reports whether the queried role is IAM active.
type IsIamEnabledResponse struct {
	BaseResponse
	AccountDetails
	RoleArn    string `json:"roleArn"`
	IamEnabled bool   `json:"iamEnabled"`
}

IsIamEnabledResponse is used to represent a role that's IAM active or not.

type LoginRole

// LoginRole describes a login role as returned by GetLoginRole / GetMyLoginRole.
type LoginRole struct {
	Account        string `json:"account"`
	IamKeyActive   bool   `json:"iamKeyActive"`
	MaxKeyDuration int    `json:"maxKeyDuration"` // units not visible here
	Role           string `json:"role"`
}

LoginRole represents information about a login role

type LoginRoleResponse

// LoginRoleResponse wraps a LoginRole under the "loginRole" key.
type LoginRoleResponse struct {
	BaseResponse
	LoginRole LoginRole `json:"loginRole"`
}

LoginRoleResponse represents the response from ALKS containing information about a login role

type MachineIdentityResponse

// MachineIdentityResponse is returned by the add / delete / search machine
// identity calls and carries the affected machine identity ARN.
type MachineIdentityResponse struct {
	BaseResponse
	MachineIdentityArn string `json:"machineIdentityArn"`
}

MachineIdentityResponse is used to represent the results of an add-machine-identity or delete-machine-identity request.

type STS

// STS holds AWS STS credentials used by NewSTSClient. All three fields are
// tagged json:"-" so they are never serialized; SecretKey and SessionToken
// are secrets and must stay out of logs.
type STS struct {
	AccessKey    string `json:"-"`
	SecretKey    string `json:"-"`
	SessionToken string `json:"-"`
}

STS represents AWS STS credentials in the configuration of the ALKS client

func (*STS) InjectAuth

func (s *STS) InjectAuth(req *http.Request) error

InjectAuth will add ALKS headers to client requests containing the caller's STS credentials.

type SearchRoleMachineIdentityRequest

// SearchRoleMachineIdentityRequest is the body sent by SearchRoleMachineIdentity.
type SearchRoleMachineIdentityRequest struct {
	RoleARN string `json:"roleARN"`
}

SearchRoleMachineIdentityRequest is used to represent a request for searching a machine identity for a given IamRole arn

type SessionRequest

// SessionRequest is the body sent by CreateSession; the duration is serialized
// under the "sessionTime" key.
type SessionRequest struct {
	SessionDuration int `json:"sessionTime"`
}

SessionRequest is used to represent a new STS session request.

type SessionResponse

// SessionResponse holds a freshly issued STS session. SecretKey and
// SessionToken are credentials: do not log them or write them to disk in
// plain text. Expires is decoded straight into a time.Time.
type SessionResponse struct {
	BaseResponse
	AccessKey       string    `json:"accessKey"`
	SecretKey       string    `json:"secretKey"`
	SessionToken    string    `json:"sessionToken"`
	SessionDuration int       `json:"sessionDuration"`
	Expires         time.Time `json:"expires"`
}

SessionResponse is used to represent a new STS session.

type SkypieaAccount

// SkypieaAccount is the Skypiea record attached to an AccountRole. Note the
// "Account" key is capitalized on the wire, unlike "alias" and "label".
type SkypieaAccount struct {
	Account string `json:"Account"`
	Alias   string `json:"alias"`
	Label   string `json:"label"`
}

SkypieaAccount is used to represent Skypiea data

type Tag

// Tag is a single AWS key/value tag.
type Tag struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

Tag struct is used to represent an AWS Tag

type UpdateIamRoleRequest

// UpdateIamRoleRequest is the body sent by UpdateIamRole. The fields are
// pointers without omitempty, so a nil field is encoded as JSON null rather
// than left out — confirm that is what the API expects for "unchanged".
type UpdateIamRoleRequest struct {
	RoleName    *string                 `json:"roleName"`
	Tags        *[]Tag                  `json:"tags"`
	TrustPolicy *map[string]interface{} `json:"trustPolicy"`
}

type UpdateIamRoleResponse

// UpdateIamRoleResponse is returned by UpdateIamRole. Pointer fields stay nil
// when the corresponding key is absent from the response.
type UpdateIamRoleResponse struct {
	BaseResponse
	RoleArn         *string `json:"roleArn"`
	RoleName        *string `json:"roleName"`
	BasicAuth       *bool   `json:"basicAuthUsed"`
	Exists          *bool   `json:"roleExists"`
	RoleIPArn       *string `json:"instanceProfileArn"`
	MachineIdentity *bool   `json:"isMachineIdentity"`
	Tags            *[]Tag  `json:"tags"`
}

type UpdateIamUserRequest

// UpdateIamUserRequest is the body built by NewUpdateIamUserRequest; only the
// tags can be updated, nested under {"user": {"tags": [...]}}.
type UpdateIamUserRequest struct {
	User struct {
		Tags []Tag `json:"tags"`
	} `json:"user"`
}

func NewUpdateIamUserRequest

func NewUpdateIamUserRequest(options *IamUserOptions) (*UpdateIamUserRequest, error)

type UpdateIamUserResponse

// UpdateIamUserResponse wraps the updated IamUser (under the "item" key).
type UpdateIamUserResponse struct {
	BaseResponse
	User IamUser `json:"item"`
}
