Documentation
Overview
Package aws abstracts interacting with certain aspects of AWS, such as creating IAM roles and users, account keys, and access tokens.
Index
- Constants
- type APIClient
- type AccountWarehouse
- func (wh *AccountWarehouse) GetAwsAccount() string
- func (wh *AccountWarehouse) GetServiceAccounts(ctx context.Context, _ string) (<-chan *clouds.Account, error)
- func (wh *AccountWarehouse) ManageAccountKeys(_ context.Context, _, accountID string, _, maxKeyTTL time.Duration, ...) (int, int, error)
- func (wh *AccountWarehouse) MintTokenWithTTL(ctx context.Context, params *ResourceParams) (*ResourceTokenResult, error)
- func (wh *AccountWarehouse) RemoveServiceAccount(_ context.Context, _, userName string) error
- type MockAwsClient
- func (m *MockAwsClient) AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
- func (m *MockAwsClient) CreateAccessKey(input *iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
- func (m *MockAwsClient) CreateLoginProfile(input *iam.CreateLoginProfileInput) (*iam.CreateLoginProfileOutput, error)
- func (m *MockAwsClient) CreateRole(input *iam.CreateRoleInput) (*iam.CreateRoleOutput, error)
- func (m *MockAwsClient) CreateUser(input *iam.CreateUserInput) (*iam.CreateUserOutput, error)
- func (m *MockAwsClient) DeleteAccessKey(input *iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
- func (m *MockAwsClient) DeleteLoginProfile(input *iam.DeleteLoginProfileInput) (*iam.DeleteLoginProfileOutput, error)
- func (m *MockAwsClient) DeleteUser(input *iam.DeleteUserInput) (*iam.DeleteUserOutput, error)
- func (m *MockAwsClient) DeleteUserPolicy(input *iam.DeleteUserPolicyInput) (*iam.DeleteUserPolicyOutput, error)
- func (m *MockAwsClient) GetCallerIdentity(_ *sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)
- func (m *MockAwsClient) GetLoginProfile(input *iam.GetLoginProfileInput) (*iam.GetLoginProfileOutput, error)
- func (m *MockAwsClient) GetRole(input *iam.GetRoleInput) (*iam.GetRoleOutput, error)
- func (m *MockAwsClient) GetUser(input *iam.GetUserInput) (*iam.GetUserOutput, error)
- func (m *MockAwsClient) ListAccessKeys(input *iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
- func (m *MockAwsClient) ListUserPolicies(input *iam.ListUserPoliciesInput) (*iam.ListUserPoliciesOutput, error)
- func (m *MockAwsClient) ListUsers(_ *iam.ListUsersInput) (*iam.ListUsersOutput, error)
- func (m *MockAwsClient) PutRolePolicy(input *iam.PutRolePolicyInput) (*iam.PutRolePolicyOutput, error)
- func (m *MockAwsClient) PutUserPolicy(input *iam.PutUserPolicyInput) (*iam.PutUserPolicyOutput, error)
- func (m *MockAwsClient) UpdateLoginProfile(input *iam.UpdateLoginProfileInput) (*iam.UpdateLoginProfileOutput, error)
- type ResourceParams
- type ResourceTokenResult
Constants
const (
	// TemporaryCredMaxTTL is the maximum TTL for an AWS access token.
	TemporaryCredMaxTTL = 12 * time.Hour
	// S3ItemFormat is the canonical item format identifier for S3 buckets.
	S3ItemFormat = "s3bucket"
	// RedshiftItemFormat is the canonical item format identifier for Redshift clusters.
	RedshiftItemFormat = "redshift"
	// RedshiftConsoleItemFormat is the canonical item format identifier for the Redshift console.
	RedshiftConsoleItemFormat = "redshift-console"
	// HumanInterfacePrefix is the canonical prefix for interface URNs that grant console access to AWS resources.
	HumanInterfacePrefix = "web:aws:"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type APIClient
type APIClient interface {
	ListUsers(input *iam.ListUsersInput) (*iam.ListUsersOutput, error)
	ListAccessKeys(input *iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
	DeleteAccessKey(input *iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
	GetCallerIdentity(input *sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)
	AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
	CreateAccessKey(input *iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
	PutRolePolicy(input *iam.PutRolePolicyInput) (*iam.PutRolePolicyOutput, error)
	ListUserPolicies(input *iam.ListUserPoliciesInput) (*iam.ListUserPoliciesOutput, error)
	PutUserPolicy(input *iam.PutUserPolicyInput) (*iam.PutUserPolicyOutput, error)
	DeleteUserPolicy(input *iam.DeleteUserPolicyInput) (*iam.DeleteUserPolicyOutput, error)
	GetUser(input *iam.GetUserInput) (*iam.GetUserOutput, error)
	CreateUser(input *iam.CreateUserInput) (*iam.CreateUserOutput, error)
	DeleteUser(input *iam.DeleteUserInput) (*iam.DeleteUserOutput, error)
	GetRole(input *iam.GetRoleInput) (*iam.GetRoleOutput, error)
	CreateRole(input *iam.CreateRoleInput) (*iam.CreateRoleOutput, error)
	CreateLoginProfile(input *iam.CreateLoginProfileInput) (*iam.CreateLoginProfileOutput, error)
	UpdateLoginProfile(input *iam.UpdateLoginProfileInput) (*iam.UpdateLoginProfileOutput, error)
	GetLoginProfile(input *iam.GetLoginProfileInput) (*iam.GetLoginProfileOutput, error)
	DeleteLoginProfile(input *iam.DeleteLoginProfileInput) (*iam.DeleteLoginProfileOutput, error)
}
APIClient is a wrapper around the AWS SDK that can be mocked for unit testing.
func NewAPIClient
NewAPIClient creates a new APIClient that delegates to the AWS SDK using the default AWS credentials provider.
type AccountWarehouse
type AccountWarehouse struct {
// contains filtered or unexported fields
}
AccountWarehouse is used to create AWS IAM users and temporary credentials.
func NewWarehouse
func NewWarehouse(_ context.Context, awsClient APIClient) (*AccountWarehouse, error)
NewWarehouse creates a new AccountWarehouse using the provided client and options.
func (*AccountWarehouse) GetAwsAccount
func (wh *AccountWarehouse) GetAwsAccount() string
GetAwsAccount returns the AWS account used by this AccountWarehouse for creating IAM users, roles, and policies.
func (*AccountWarehouse) GetServiceAccounts (added in v0.9.7)
func (wh *AccountWarehouse) GetServiceAccounts(ctx context.Context, _ string) (<-chan *clouds.Account, error)
GetServiceAccounts returns the IAM users created by this warehouse in the warehouse's AWS account.
func (*AccountWarehouse) ManageAccountKeys (added in v0.9.7)
func (wh *AccountWarehouse) ManageAccountKeys(_ context.Context, _, accountID string, _, maxKeyTTL time.Duration, now time.Time, keysPerAccount int64) (int, int, error)
ManageAccountKeys is the main method in which access-key removal happens.
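As an added illustration, not the package's own code, of the rotation policy that the maxKeyTTL, now and keysPerAccount parameters of ManageAccountKeys suggest: keys older than maxKeyTTL at time now are dropped, and once keysPerAccount fresh keys are kept any older surplus is dropped too. The exact rule the package applies, the AccessKey stand-in type and the sample keys are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AccessKey is a constructed stand-in for the iam.AccessKey fields a rotation policy needs.
type AccessKey struct {
	ID         string
	CreateDate time.Time
}

// pruneKeys applies the policy assumed here for ManageAccountKeys: a key
// older than maxKeyTTL at time now is removed, and once keysPerAccount
// fresh keys have been kept, any older surplus keys are removed as well.
// It returns the IDs to delete, the number removed and the number kept.
func pruneKeys(keys []AccessKey, maxKeyTTL time.Duration, now time.Time, keysPerAccount int64) ([]string, int, int) {
	// Sort newest first so that surplus trimming always drops the oldest keys.
	sorted := append([]AccessKey(nil), keys...)
	sort.Slice(sorted, func(i, j int) bool {
		return sorted[i].CreateDate.After(sorted[j].CreateDate)
	})
	var toDelete []string
	var kept int64
	for _, k := range sorted {
		if now.Sub(k.CreateDate) > maxKeyTTL || kept >= keysPerAccount {
			toDelete = append(toDelete, k.ID)
		} else {
			kept++
		}
	}
	return toDelete, len(toDelete), int(kept)
}

func main() {
	now := time.Date(2024, 1, 10, 12, 0, 0, 0, time.UTC)
	// Constructed sample: one 40-day-old key and three fresh ones, quota of two.
	keys := []AccessKey{
		{ID: "key-old", CreateDate: now.Add(-40 * 24 * time.Hour)},
		{ID: "key-a", CreateDate: now.Add(-3 * 24 * time.Hour)},
		{ID: "key-b", CreateDate: now.Add(-2 * 24 * time.Hour)},
		{ID: "key-c", CreateDate: now.Add(-1 * time.Hour)},
	}
	del, removed, remaining := pruneKeys(keys, 30*24*time.Hour, now, 2)
	fmt.Println(del, removed, remaining) // [key-a key-old] 2 2
}
```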
func (*AccountWarehouse) MintTokenWithTTL
func (wh *AccountWarehouse) MintTokenWithTTL(ctx context.Context, params *ResourceParams) (*ResourceTokenResult, error)
MintTokenWithTTL returns an AccountKey or an AccessToken depending on the TTL requested.
func (*AccountWarehouse) RemoveServiceAccount (added in v0.9.7)
func (wh *AccountWarehouse) RemoveServiceAccount(_ context.Context, _, userName string) error
RemoveServiceAccount removes an AWS IAM user (the project parameter is ignored).
type MockAwsClient (added in v0.9.7)
type MockAwsClient struct {
	Account          string
	UserID           string
	Roles            []*iam.Role
	RolePolicies     []*iam.PutRolePolicyInput
	AssumedRoles     []*sts.AssumeRoleInput
	Users            []*iam.User
	UserPolicies     []*iam.PutUserPolicyInput
	AccessKeys       []*iam.AccessKey
	FullLoginProfile []*fullLoginProfile
}
MockAwsClient is a mock APIClient for testing.
func NewMockAPIClient (added in v0.9.7)
func NewMockAPIClient(account string, userID string) *MockAwsClient
NewMockAPIClient provides an API client implementation suitable for unit tests.
func (*MockAwsClient) AssumeRole (added in v0.9.7)
func (m *MockAwsClient) AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
AssumeRole ...
func (*MockAwsClient) CreateAccessKey (added in v0.9.7)
func (m *MockAwsClient) CreateAccessKey(input *iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
CreateAccessKey ...
func (*MockAwsClient) CreateLoginProfile (added in v0.9.8)
func (m *MockAwsClient) CreateLoginProfile(input *iam.CreateLoginProfileInput) (*iam.CreateLoginProfileOutput, error)
CreateLoginProfile ...
func (*MockAwsClient) CreateRole (added in v0.9.7)
func (m *MockAwsClient) CreateRole(input *iam.CreateRoleInput) (*iam.CreateRoleOutput, error)
CreateRole ...
func (*MockAwsClient) CreateUser (added in v0.9.7)
func (m *MockAwsClient) CreateUser(input *iam.CreateUserInput) (*iam.CreateUserOutput, error)
CreateUser ...
func (*MockAwsClient) DeleteAccessKey (added in v0.9.7)
func (m *MockAwsClient) DeleteAccessKey(input *iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
DeleteAccessKey ...
func (*MockAwsClient) DeleteLoginProfile (added in v0.9.10)
func (m *MockAwsClient) DeleteLoginProfile(input *iam.DeleteLoginProfileInput) (*iam.DeleteLoginProfileOutput, error)
DeleteLoginProfile ...
func (*MockAwsClient) DeleteUser (added in v0.9.10)
func (m *MockAwsClient) DeleteUser(input *iam.DeleteUserInput) (*iam.DeleteUserOutput, error)
DeleteUser ...
func (*MockAwsClient) DeleteUserPolicy (added in v0.9.10)
func (m *MockAwsClient) DeleteUserPolicy(input *iam.DeleteUserPolicyInput) (*iam.DeleteUserPolicyOutput, error)
DeleteUserPolicy ...
func (*MockAwsClient) GetCallerIdentity (added in v0.9.7)
func (m *MockAwsClient) GetCallerIdentity(_ *sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)
GetCallerIdentity ...
func (*MockAwsClient) GetLoginProfile (added in v0.9.8)
func (m *MockAwsClient) GetLoginProfile(input *iam.GetLoginProfileInput) (*iam.GetLoginProfileOutput, error)
GetLoginProfile ...
func (*MockAwsClient) GetRole (added in v0.9.7)
func (m *MockAwsClient) GetRole(input *iam.GetRoleInput) (*iam.GetRoleOutput, error)
GetRole ...
func (*MockAwsClient) GetUser (added in v0.9.7)
func (m *MockAwsClient) GetUser(input *iam.GetUserInput) (*iam.GetUserOutput, error)
GetUser ...
func (*MockAwsClient) ListAccessKeys (added in v0.9.7)
func (m *MockAwsClient) ListAccessKeys(input *iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
ListAccessKeys ...
func (*MockAwsClient) ListUserPolicies (added in v0.9.10)
func (m *MockAwsClient) ListUserPolicies(input *iam.ListUserPoliciesInput) (*iam.ListUserPoliciesOutput, error)
ListUserPolicies ...
func (*MockAwsClient) ListUsers (added in v0.9.7)
func (m *MockAwsClient) ListUsers(_ *iam.ListUsersInput) (*iam.ListUsersOutput, error)
ListUsers ...
func (*MockAwsClient) PutRolePolicy (added in v0.9.7)
func (m *MockAwsClient) PutRolePolicy(input *iam.PutRolePolicyInput) (*iam.PutRolePolicyOutput, error)
PutRolePolicy ...
func (*MockAwsClient) PutUserPolicy (added in v0.9.7)
func (m *MockAwsClient) PutUserPolicy(input *iam.PutUserPolicyInput) (*iam.PutUserPolicyOutput, error)
PutUserPolicy ...
func (*MockAwsClient) UpdateLoginProfile (added in v0.9.8)
func (m *MockAwsClient) UpdateLoginProfile(input *iam.UpdateLoginProfileInput) (*iam.UpdateLoginProfileOutput, error)
UpdateLoginProfile ...
type ResourceParams
type ResourceParams struct {
	UserID                string
	TTL                   time.Duration
	MaxKeyTTL             time.Duration
	ManagedKeysPerAccount int
	Vars                  map[string]string
	TargetRoles           []string
	TargetScopes          []string
	DamResourceID         string
	DamViewID             string
	DamRoleID             string
	DamInterfaceID        string
	ServiceTemplate       *pb.ServiceTemplate
}
ResourceParams contains all the arguments necessary to call MintTokenWithTTL on an AWS AccountWarehouse.