goawsvault

package module
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 13, 2021 License: MIT Imports: 11 Imported by: 0

README

Go + AWS(ECS) + Vault = goawsvault

Usage

go get github.com/driftprogramming/goawsvault@v1.0.0

Examples example/usage.go Three different cases to login vault client and renew the vault client token automatically.

package example

import (
	"context"
	"os"

	"github.com/driftprogramming/goawsvault"
	"github.com/hashicorp/vault/api"
)

func vaultLoginExample() *api.Client {
	vaultClient := goawsvault.Login("https://vault.mycompany.net", "auth/mycompany-dev/login", map[string]interface{}{"role_id": "developer"})
	tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
	tm.MonitoringForToken() // renew vault token automatically
	return vaultClient
}

func vaultLoginWithinAwsEcsContainerAutomaticallyExample() *api.Client {
	vaultClient := goawsvault.LoginWithinAwsEcsContainerAutomatically("https://vault.mycompany.net", "eu-west-1")
	tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
	tm.MonitoringForToken() // renew vault token automatically
	return vaultClient
}

func vaultLoginByAwsRoleArn() *api.Client {
	_ = os.Setenv("AWS_ACCESS_KEY_ID", "AKKKAFYN9K3AUY74SNY39") // the parent aws credentials to call aws api to assume the specific role
	_ = os.Setenv("AWS_SECRET_ACCESS_KEY", "ZTL9288NXdymfhxcISMOCU+AsYy9O3RsiDptABm8")
	vaultClient := goawsvault.LoginByAwsRoleArn("https://vault.mycompany.net", "arn:aws:iam::468785217309:role/my-application-service-dev", "eu-west-1")
	tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
	tm.MonitoringForToken() // renew vault token automatically
	return vaultClient
}

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Login 

func Login(vaultHost string, loginPath string, data map[string]interface{}) *api.Client

Login In general, this method just call the vault login path you specified here. We usually use this to login in local env for developers. e.g: loginPath: auth/mycompany-dev/login data: map[string]interface{}{"role_id": "developer"}

func LoginByAwsRoleArn 

func LoginByAwsRoleArn(vaultHost string, awsRoleArn string, awsRegion string) *api.Client

LoginByAwsRoleArn A classic AWS credentials(AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY) is required for this function to execute AWS API to query the specific role. In general, you need to setup the AWS credential in env vars like this: _=os.Setenv("AWS_ACCESS_KEY_ID","AKKKAFYN9K3AUY74SNY39") _=os.Setenv("AWS_SECRET_ACCESS_KEY","ZTL9288NXdymfhxcISMOCU+AsYy9O3RsiDptABm8") Please note that you need to setup the trust configuration in AWS role console to make sure this credential have permission to query the awsRoleArn.

func LoginWithinAwsEcsContainerAutomatically 

func LoginWithinAwsEcsContainerAutomatically(vaultHost string, awsRegion string) *api.Client

LoginWithinAwsEcsContainerAutomatically If the aws ecs container is running under a specific aws assume role, and this role is configured on Vault server side, then this method will query the aws assume role's credential in ECS container automatically and return a Vault client with valid token. NO need any other classic AWS credentials(AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)

Types

type TokenManager 

type TokenManager struct {
	// contains filtered or unexported fields
}

func NewTokenManager 

func NewTokenManager(ctx context.Context, client *vault.Client) *TokenManager

func (*TokenManager) MonitoringForToken 

func (tm *TokenManager) MonitoringForToken()

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.