iamauth

v0.0.0-...-76a921d
Published: Jun 22, 2023 License: MPL-2.0 Imports: 26 Imported by: 5

README

consul-awsauth

This contains the implementation for Consul's AWS IAM auth method.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateLoginData

func GenerateLoginData(in *LoginInput) (map[string]interface{}, error)

GenerateLoginData populates the necessary data to send for the bearer token. https://github.com/hashicorp/go-secure-stdlib/blob/main/awsutil/generate_credentials.go#L232-L301

Types

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

func NewAuthenticator

func NewAuthenticator(config *Config, logger hclog.Logger) (*Authenticator, error)

func (*Authenticator) ValidateLogin

func (a *Authenticator) ValidateLogin(ctx context.Context, loginToken string) (*IdentityDetails, error)

ValidateLogin determines if the identity in the loginToken is permitted to login. If so, it returns details about the identity. Otherwise, an error is returned.

type BearerToken

type BearerToken struct {
	// contains filtered or unexported fields
}

BearerToken is a login "token" for an IAM auth method. It is a signed sts:GetCallerIdentity request in JSON format. Optionally, it can include a signed embedded iam:GetRole or iam:GetUser request in the headers.

func NewBearerToken

func NewBearerToken(loginToken string, config *Config) (*BearerToken, error)

func (*BearerToken) GetCallerIdentityRequest

func (t *BearerToken) GetCallerIdentityRequest() (*http.Request, error)

GetCallerIdentityRequest returns the sts:GetCallerIdentity request decoded from the bearer token.

func (*BearerToken) GetEntityRequest

func (t *BearerToken) GetEntityRequest() (*http.Request, error)

GetEntityRequest returns the iam:GetUser or iam:GetRole request embedded in the headers of the sts:GetCallerIdentity request, if one is present.

func (*BearerToken) UnmarshalJSON

func (t *BearerToken) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals the bearer token details, which contain an HTTP request (a signed sts:GetCallerIdentity request).

type Config

type Config struct {
	BoundIAMPrincipalARNs  []string
	EnableIAMEntityDetails bool
	IAMEntityTags          []string
	ServerIDHeaderValue    string
	MaxRetries             int
	IAMEndpoint            string
	STSEndpoint            string
	AllowedSTSHeaderValues []string

	// Customizable header names
	ServerIDHeaderName     string
	GetEntityMethodHeader  string
	GetEntityURLHeader     string
	GetEntityHeadersHeader string
	GetEntityBodyHeader    string
}

func (*Config) Validate

func (c *Config) Validate() error
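The checks that the Config fields above and the BearerToken description imply for a decoded sts:GetCallerIdentity request, written here as an added illustration rather than the package's own code. The Config stand-in, the GetCallerIdentity body constant, the host comparison and the trailing-"*" wildcard semantics for bound ARNs are assumptions of this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Config mirrors the iamauth.Config fields these checks use (a constructed stand-in, not the package's type).
type Config struct {
	BoundIAMPrincipalARNs []string
	ServerIDHeaderName    string
	ServerIDHeaderValue   string
	STSEndpoint           string
}
// Body of an AWS Query GetCallerIdentity call; any other action must be rejected (assumed constant).
const getCallerIdentityBody = "Action=GetCallerIdentity&Version=2011-06-15"
// CheckCallerIdentityRequest applies the checks a verifier should run on the decoded request
// before forwarding it to STS: POST to the configured STS endpoint, a GetCallerIdentity body, and
// (when configured) the server-ID header that stops a token minted for one server being replayed elsewhere.
func CheckCallerIdentityRequest(req *http.Request, cfg Config) error {
	if req.Method != http.MethodPost {
		return fmt.Errorf("unexpected method %q", req.Method)
	}
	ep, err := url.Parse(cfg.STSEndpoint)
	if err != nil || !strings.EqualFold(req.URL.Host, ep.Host) {
		return fmt.Errorf("host %q is not the configured STS endpoint", req.URL.Host)
	}
	body, err := io.ReadAll(req.Body)
	if err != nil || string(body) != getCallerIdentityBody {
		return fmt.Errorf("body is not a GetCallerIdentity request")
	}
	if cfg.ServerIDHeaderValue != "" && req.Header.Get(cfg.ServerIDHeaderName) != cfg.ServerIDHeaderValue {
		return fmt.Errorf("missing or mismatched %s header", cfg.ServerIDHeaderName)
	}
	return nil
}

// PrincipalAllowed reports whether the caller ARN returned by STS matches a bound principal
// ARN; a bound ARN ending in "*" matches any suffix (assumed wildcard semantics).
func PrincipalAllowed(callerARN string, bound []string) bool {
	for _, b := range bound {
		if b == callerARN || (strings.HasSuffix(b, "*") && strings.HasPrefix(callerARN, strings.TrimSuffix(b, "*"))) {
			return true
		}
	}
	return false
}
```

The ARN match runs on the identity STS reports for the forwarded request, never on anything the client wrote into the token itself.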

type IdentityDetails

type IdentityDetails struct {
	EntityName string
	EntityId   string
	AccountId  string

	EntityPath string
	EntityTags map[string]string
}

type LoginInput

type LoginInput struct {
	Creds            *credentials.Credentials
	IncludeIAMEntity bool
	STSEndpoint      string
	STSRegion        string

	Logger hclog.Logger

	ServerIDHeaderValue string
	// Customizable header names
	ServerIDHeaderName     string
	GetEntityMethodHeader  string
	GetEntityURLHeader     string
	GetEntityHeadersHeader string
	GetEntityBodyHeader    string
}

Directories

Path Synopsis
internal
