awsutil

package module
v0.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 24, 2024 License: MPL-2.0 Imports: 26 Imported by: 27

Documentation

Index

Constants

View Source 
const DefaultRegion = "us-east-1"

"us-east-1 is used because it's where AWS first provides support for new features, is a widely used region, and is the most common one for some services like STS.

Variables

View Source 
var ErrUpstreamRateLimited = errors.New("upstream rate limited")

Functions

func AppendAWSError 

func AppendAWSError(err error) error

AppendAWSError checks if the given error is a known AWS error we modify, and if so then returns a go-multierror, appending the original and the AWS error. If the error is not an AWS error, or not an error we wish to modify, then return the original error.

func CheckAWSError 

func CheckAWSError(err error) error

CheckAWSError will examine an error and convert to a logical error if appropriate. If no appropriate error is found, return nil

func GenerateLoginData 

func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string, logger hclog.Logger) (map[string]interface{}, error)

GenerateLoginData populates the necessary data to send to the Vault server for generating a token This is useful for other API clients to use

func GetRegion 

func GetRegion(configuredRegion string) (string, error)

It's impossible to mimic "normal" AWS behavior here because it's not consistent or well-defined. For example, boto3, the Python SDK (which the aws cli uses), loads `~/.aws/config` by default and only reads the `AWS_DEFAULT_REGION` environment variable (and not `AWS_REGION`, while the golang SDK does _mostly_ the opposite -- it reads the region **only** from `AWS_REGION` and not at all `~/.aws/config`, **unless** the `AWS_SDK_LOAD_CONFIG` environment variable is set. So, we must define our own approach to walking AWS config and deciding what to use.

Our chosen approach is: 

"More specific takes precedence over less specific."

1. User-provided configuration is the most explicit. 2. Environment variables are potentially shared across many invocations and so they have less precedence. 3. Configuration in `~/.aws/config` is shared across all invocations of a given user and so this has even less precedence. 4. Configuration retrieved from the EC2 instance metadata service is shared by all invocations on a given machine, and so it has the lowest precedence.

This approach should be used in future updates to this logic.

func RetrieveCreds 

func RetrieveCreds(accessKey, secretKey, sessionToken string, logger hclog.Logger) (*credentials.Credentials, error)

Types

type CredentialsConfig 

type CredentialsConfig struct {
	// The access key if static credentials are being used
	AccessKey string

	// The secret key if static credentials are being used
	SecretKey string

	// The session token if it is being used
	SessionToken string

	// The IAM endpoint to use; if not set will use the default
	IAMEndpoint string

	// The STS endpoint to use; if not set will use the default
	STSEndpoint string

	// If specified, the region will be provided to the config of the
	// EC2RoleProvider's client. This may be useful if you want to e.g. reuse
	// the client elsewhere. If not specified, the region will be determined
	// by the environment variables "AWS_REGION" or "AWS_DEFAULT_REGION".
	// Otherwise the default value is us-east-1.
	Region string

	// The filename for the shared credentials provider, if being used
	Filename string

	// The profile for the shared credentials provider, if being used
	Profile string

	// The role arn to use when creating either a web identity role provider
	// or a ec2-instance role provider.
	RoleARN string

	// The role session name to use when creating either a web identity role provider
	// or a ec2-instance role provider.
	RoleSessionName string

	// The role external ID to use when creating a ec2-instance role provider.
	RoleExternalId string

	// The role tags to use when creating a ec2-instance role provider.
	RoleTags map[string]string

	// The web identity token file to use if using the web identity token provider
	WebIdentityTokenFile string

	// The web identity token (contents, not the file path) to use with the web
	// identity token provider
	WebIdentityToken string

	// The web identity token fetcher to use with the web identity token provider
	WebIdentityTokenFetcher stscreds.TokenFetcher

	// The http.Client to use, or nil for the client to use its default
	HTTPClient *http.Client

	// The max retries to set on the client. This is a pointer because the zero
	// value has meaning. A nil pointer will use the default value.
	MaxRetries *int

	// The logger to use for credential acquisition debugging
	Logger hclog.Logger
}

func NewCredentialsConfig added in v0.1.3 

func NewCredentialsConfig(opt ...Option) (*CredentialsConfig, error)

NewCredentialsConfig creates a CredentialsConfig with the provided options.

Supported options: WithAccessKey, WithSecretKey, WithLogger, WithStsEndpoint, WithIamEndpoint, WithMaxRetries, WithRegion, WithHttpClient, WithRoleArn, WithRoleSessionName, WithRoleExternalId, WithRoleTags, WithWebIdentityTokenFile, WithWebIdentityToken, WithWebIdentityTokenFetcher.

func (*CredentialsConfig) CreateAccessKey added in v0.1.3 

func (c *CredentialsConfig) CreateAccessKey(opt ...Option) (*iam.CreateAccessKeyOutput, error)

CreateAccessKey creates a new access/secret key pair.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout, WithIAMAPIFunc, WithSTSAPIFunc

When WithValidityCheckTimeout is non-zero, it specifies a timeout to wait on the created credentials to be valid and ready for use.

func (*CredentialsConfig) DeleteAccessKey added in v0.1.3 

func (c *CredentialsConfig) DeleteAccessKey(accessKeyId string, opt ...Option) error

DeleteAccessKey deletes an access key.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUserName, WithIAMAPIFunc

func (*CredentialsConfig) GenerateCredentialChain 

func (c *CredentialsConfig) GenerateCredentialChain(opt ...Option) (*credentials.Credentials, error)

GenerateCredentialChain uses the config to generate a credential chain suitable for creating AWS sessions and clients.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithSkipWebIdentityValidity

func (*CredentialsConfig) GetCallerIdentity added in v0.1.4 

func (c *CredentialsConfig) GetCallerIdentity(opt ...Option) (*sts.GetCallerIdentityOutput, error)

GetCallerIdentity runs sts.GetCallerIdentity for the current set credentials. This can be used to check that credentials are valid, in addition to checking details about the effective logged in account and user ID.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithValidityCheckTimeout

func (*CredentialsConfig) GetSession added in v0.1.3 

func (c *CredentialsConfig) GetSession(opt ...Option) (*session.Session, error)

GetSession returns an AWS session configured according to the various values in the CredentialsConfig object. This can be passed into iam.New or sts.New as appropriate.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithClientType

func (*CredentialsConfig) IAMClient added in v0.1.6 

func (c *CredentialsConfig) IAMClient(opt ...Option) (iamiface.IAMAPI, error)

IAMClient returns an IAM client.

Supported options: WithSession, WithIAMAPIFunc.

If WithIAMAPIFunc is supplied, the included function is used as the IAM client constructor instead. This can be used for Mocking the IAM API.

func (*CredentialsConfig) RotateKeys added in v0.1.3 

func (c *CredentialsConfig) RotateKeys(opt ...Option) error

RotateKeys takes the access key and secret key from this credentials config and first creates a new access/secret key, then deletes the old access key. If deletion of the old access key is successful, the new access key/secret key are written into the credentials config and nil is returned. On any error, the old credentials are not overwritten. This ensures that any generated new secret key never leaves this function in case of an error, even though it will still result in an extraneous access key existing; we do also try to delete the new one to clean up, although it's unlikely that will work if the old one could not be deleted.

Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout, WithIAMAPIFunc, WithSTSAPIFunc

Note that WithValidityCheckTimeout here, when non-zero, controls the WithValidityCheckTimeout option on access key creation. See CreateAccessKey for more details.

func (*CredentialsConfig) STSClient added in v0.1.6 

func (c *CredentialsConfig) STSClient(opt ...Option) (stsiface.STSAPI, error)

STSClient returns a STS client.

Supported options: WithSession, WithSTSAPIFunc.

If WithSTSAPIFunc is supplied, the included function is used as the STS client constructor instead. This can be used for Mocking the STS API.

type FetchTokenContents added in v0.2.3 

type FetchTokenContents []byte

FetchTokenContents allows the use of the content of a token in the WebIdentityProvider, instead of the path to a token. Useful with a serviceaccount token requested directly from the EKS/K8s API, for example.

func (FetchTokenContents) FetchToken added in v0.2.3 

func (f FetchTokenContents) FetchToken(_ aws.Context) ([]byte, error)

type IAMAPIFunc added in v0.1.6 

type IAMAPIFunc func(sess *session.Session) (iamiface.IAMAPI, error)

IAMAPIFunc is a factory function for returning an IAM interface, useful for supplying mock interfaces for testing IAM. The session is passed into the function in the same way as done with the standard iam.New() constructor.

func NewMockIAM added in v0.1.6 

func NewMockIAM(opts ...MockIAMOption) IAMAPIFunc

NewMockIAM provides a factory function to use with the WithIAMAPIFunc option.

type MockIAM 

type MockIAM struct {
	iamiface.IAMAPI

	CreateAccessKeyOutput *iam.CreateAccessKeyOutput
	CreateAccessKeyError  error
	DeleteAccessKeyError  error
	ListAccessKeysOutput  *iam.ListAccessKeysOutput
	ListAccessKeysError   error
	GetUserOutput         *iam.GetUserOutput
	GetUserError          error
}

MockIAM provides a way to mock the AWS IAM API.

func (*MockIAM) CreateAccessKey 

func (m *MockIAM) CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)

func (*MockIAM) DeleteAccessKey 

func (m *MockIAM) DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)

func (*MockIAM) GetUser 

func (m *MockIAM) GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error)

func (*MockIAM) ListAccessKeys added in v0.2.0 

func (m *MockIAM) ListAccessKeys(*iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)

type MockIAMOption added in v0.1.6 

type MockIAMOption func(m *MockIAM) error

MockIAMOption is a function for setting the various fields on a MockIAM object.

func WithCreateAccessKeyError added in v0.1.6 

func WithCreateAccessKeyError(e error) MockIAMOption

WithCreateAccessKeyError sets the error output for the CreateAccessKey method.

func WithCreateAccessKeyOutput added in v0.1.6 

func WithCreateAccessKeyOutput(o *iam.CreateAccessKeyOutput) MockIAMOption

WithCreateAccessKeyOutput sets the output for the CreateAccessKey method.

func WithDeleteAccessKeyError added in v0.1.6 

func WithDeleteAccessKeyError(e error) MockIAMOption

WithDeleteAccessKeyError sets the error output for the DeleteAccessKey method.

func WithGetUserError added in v0.1.6 

func WithGetUserError(e error) MockIAMOption

WithGetUserError sets the error output for the GetUser method.

func WithGetUserOutput added in v0.1.6 

func WithGetUserOutput(o *iam.GetUserOutput) MockIAMOption

WithGetUserOutput sets the output for the GetUser method.

func WithListAccessKeysError added in v0.2.0 

func WithListAccessKeysError(e error) MockIAMOption

WithListAccessKeysError sets the error output for the ListAccessKeys method.

func WithListAccessKeysOutput added in v0.2.0 

func WithListAccessKeysOutput(o *iam.ListAccessKeysOutput) MockIAMOption

WithListAccessKeysOutput sets the output for the ListAccessKeys method.

type MockSTS added in v0.1.6 

type MockSTS struct {
	stsiface.STSAPI

	GetCallerIdentityOutput *sts.GetCallerIdentityOutput
	GetCallerIdentityError  error
}

MockSTS provides a way to mock the AWS STS API.

func (*MockSTS) GetCallerIdentity added in v0.1.6 

func (m *MockSTS) GetCallerIdentity(_ *sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)

type MockSTSOption added in v0.1.6 

type MockSTSOption func(m *MockSTS) error

MockSTSOption is a function for setting the various fields on a MockSTS object.

func WithGetCallerIdentityError added in v0.1.6 

func WithGetCallerIdentityError(e error) MockSTSOption

WithGetCallerIdentityError sets the error output for the GetCallerIdentity method.

func WithGetCallerIdentityOutput added in v0.1.6 

func WithGetCallerIdentityOutput(o *sts.GetCallerIdentityOutput) MockSTSOption

WithGetCallerIdentityOutput sets the output for the GetCallerIdentity method.

type Option added in v0.1.3 

type Option func(*options) error

Option - how Options are passed as arguments

func MockOptionErr added in v0.1.6 

func MockOptionErr(withErr error) Option

MockOptionErr provides a mock option error for use with testing.

func WithAccessKey added in v0.1.3 

func WithAccessKey(with string) Option

WithAccessKey allows passing an access key to use for operations

func WithAwsSession added in v0.1.3 

func WithAwsSession(with *session.Session) Option

WithAwsSession allows controlling the session passed into the client

func WithClientType added in v0.1.3 

func WithClientType(with string) Option

WithClientType allows choosing the client type to use

func WithEnvironmentCredentials added in v0.1.3 

func WithEnvironmentCredentials(with bool) Option

WithEnvironmentCredentials allows controlling whether environment credentials are used

func WithHttpClient added in v0.1.3 

func WithHttpClient(with *http.Client) Option

WithHttpClient allows passing a custom client to use

func WithIAMAPIFunc added in v0.1.6 

func WithIAMAPIFunc(with IAMAPIFunc) Option

WithIAMAPIFunc allows passing in an IAM interface constructor for mocking the AWS IAM API.

func WithIamEndpoint added in v0.1.3 

func WithIamEndpoint(with string) Option

WithIamEndpoint allows passing a custom IAM endpoint

func WithLogger added in v0.1.3 

func WithLogger(with hclog.Logger) Option

WithLogger allows passing a logger to use

func WithMaxRetries added in v0.1.3 

func WithMaxRetries(with *int) Option

WithMaxRetries allows passing custom max retries to set

func WithRegion added in v0.1.3 

func WithRegion(with string) Option

WithRegion allows passing a custom region

func WithRoleArn added in v0.2.1 

func WithRoleArn(with string) Option

WithRoleArn allows passing a role arn to use when creating either a web identity role provider or a ec2-instance role provider.

func WithRoleExternalId added in v0.2.1 

func WithRoleExternalId(with string) Option

WithRoleExternalId allows passing a external id to use when creating a ec2-instance role provider. If not set, the role will be assumed in the same account. If set, the RoleARN must be set.

func WithRoleSessionName added in v0.2.1 

func WithRoleSessionName(with string) Option

WithRoleSessionName allows passing a session name to use when creating either a web identity role provider or a ec2-instance role provider. If set, the RoleARN must be set.

func WithRoleTags added in v0.2.1 

func WithRoleTags(with map[string]string) Option

WithRoleTags allows passing tags to use when creating a ec2-instance role provider. If set, the RoleARN must be set.

func WithSTSAPIFunc added in v0.1.6 

func WithSTSAPIFunc(with STSAPIFunc) Option

WithSTSAPIFunc allows passing in a STS interface constructor for mocking the AWS STS API.

func WithSecretKey added in v0.1.3 

func WithSecretKey(with string) Option

WithSecretKey allows passing a secret key to use for operations

func WithSharedCredentials added in v0.1.3 

func WithSharedCredentials(with bool) Option

WithSharedCredentials allows controlling whether shared credentials are used

func WithSkipWebIdentityValidity added in v0.2.3 

func WithSkipWebIdentityValidity(with bool) Option

WithSkipWebIdentityValidity allows controlling whether the validity check is skipped for the web identity provider

func WithStsEndpoint added in v0.1.3 

func WithStsEndpoint(with string) Option

WithStsEndpoint allows passing a custom STS endpoint

func WithUsername added in v0.1.3 

func WithUsername(with string) Option

WithUsername allows passing the user name to use for an operation

func WithValidityCheckTimeout added in v0.1.4 

func WithValidityCheckTimeout(with time.Duration) Option

WithValidityCheckTimeout allows passing a timeout for operations that can wait on success.

func WithWebIdentityToken added in v0.2.3 

func WithWebIdentityToken(with string) Option

WithWebIdentityToken allows passing a web identity token to use for the assumed role. If set, the RoleARN must be set.

func WithWebIdentityTokenFetcher added in v0.3.0 

func WithWebIdentityTokenFetcher(with stscreds.TokenFetcher) Option

WithWebIdentityTokenFetcher allows passing an STS TokenFetcher which allows the AWS SDK client automatically to refresh the web identity token from any source.

func WithWebIdentityTokenFile added in v0.2.1 

func WithWebIdentityTokenFile(with string) Option

WithWebIdentityTokenFile allows passing a web identity token file to use for the assumed role. If set, the RoleARN must be set.

type STSAPIFunc added in v0.1.6 

type STSAPIFunc func(sess *session.Session) (stsiface.STSAPI, error)

STSAPIFunc is a factory function for returning a STS interface, useful for supplying mock interfaces for testing STS. The session is passed into the function in the same way as done with the standard sts.New() constructor.

func NewMockSTS added in v0.1.6 

func NewMockSTS(opts ...MockSTSOption) STSAPIFunc

NewMockSTS provides a factory function to use with the WithSTSAPIFunc option.

If withGetCallerIdentityError is supplied, calls to GetCallerIdentity will return the supplied error. Otherwise, a basic mock API output is returned.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.