Documentation ¶
Index ¶
- Constants
- Variables
- func AppendAWSError(err error) error
- func CheckAWSError(err error) error
- func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string, ...) (map[string]interface{}, error)
- func GetRegion(configuredRegion string) (string, error)
- func RetrieveCreds(accessKey, secretKey, sessionToken string, logger hclog.Logger) (*credentials.Credentials, error)
- type CredentialsConfig
- func (c *CredentialsConfig) CreateAccessKey(opt ...Option) (*iam.CreateAccessKeyOutput, error)
- func (c *CredentialsConfig) DeleteAccessKey(accessKeyId string, opt ...Option) error
- func (c *CredentialsConfig) GenerateCredentialChain(opt ...Option) (*credentials.Credentials, error)
- func (c *CredentialsConfig) GetCallerIdentity(opt ...Option) (*sts.GetCallerIdentityOutput, error)
- func (c *CredentialsConfig) GetSession(opt ...Option) (*session.Session, error)
- func (c *CredentialsConfig) IAMClient(opt ...Option) (iamiface.IAMAPI, error)
- func (c *CredentialsConfig) RotateKeys(opt ...Option) error
- func (c *CredentialsConfig) STSClient(opt ...Option) (stsiface.STSAPI, error)
- type FetchTokenContents
- type IAMAPIFunc
- type MockIAM
- func (m *MockIAM) CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
- func (m *MockIAM) DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
- func (m *MockIAM) GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error)
- func (m *MockIAM) ListAccessKeys(*iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
- type MockIAMOption
- func WithCreateAccessKeyError(e error) MockIAMOption
- func WithCreateAccessKeyOutput(o *iam.CreateAccessKeyOutput) MockIAMOption
- func WithDeleteAccessKeyError(e error) MockIAMOption
- func WithGetUserError(e error) MockIAMOption
- func WithGetUserOutput(o *iam.GetUserOutput) MockIAMOption
- func WithListAccessKeysError(e error) MockIAMOption
- func WithListAccessKeysOutput(o *iam.ListAccessKeysOutput) MockIAMOption
- type MockSTS
- type MockSTSOption
- type Option
- func MockOptionErr(withErr error) Option
- func WithAccessKey(with string) Option
- func WithAwsSession(with *session.Session) Option
- func WithClientType(with string) Option
- func WithEnvironmentCredentials(with bool) Option
- func WithHttpClient(with *http.Client) Option
- func WithIAMAPIFunc(with IAMAPIFunc) Option
- func WithIamEndpoint(with string) Option
- func WithLogger(with hclog.Logger) Option
- func WithMaxRetries(with *int) Option
- func WithRegion(with string) Option
- func WithRoleArn(with string) Option
- func WithRoleExternalId(with string) Option
- func WithRoleSessionName(with string) Option
- func WithRoleTags(with map[string]string) Option
- func WithSTSAPIFunc(with STSAPIFunc) Option
- func WithSecretKey(with string) Option
- func WithSharedCredentials(with bool) Option
- func WithSkipWebIdentityValidity(with bool) Option
- func WithStsEndpoint(with string) Option
- func WithUsername(with string) Option
- func WithValidityCheckTimeout(with time.Duration) Option
- func WithWebIdentityToken(with string) Option
- func WithWebIdentityTokenFetcher(with stscreds.TokenFetcher) Option
- func WithWebIdentityTokenFile(with string) Option
- type STSAPIFunc
Constants ¶
const DefaultRegion = "us-east-1"
"us-east-1 is used because it's where AWS first provides support for new features, is a widely used region, and is the most common one for some services like STS.
Variables ¶
var ErrUpstreamRateLimited = errors.New("upstream rate limited")
Functions ¶
func AppendAWSError ¶
AppendAWSError checks if the given error is a known AWS error we modify, and if so then returns a go-multierror, appending the original and the AWS error. If the error is not an AWS error, or not an error we wish to modify, then return the original error.
func CheckAWSError ¶
CheckAWSError will examine an error and convert to a logical error if appropriate. If no appropriate error is found, return nil
func GenerateLoginData ¶
func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string, logger hclog.Logger) (map[string]interface{}, error)
GenerateLoginData populates the necessary data to send to the Vault server for generating a token This is useful for other API clients to use
func GetRegion ¶
It's impossible to mimic "normal" AWS behavior here because it's not consistent or well-defined. For example, boto3, the Python SDK (which the aws cli uses), loads `~/.aws/config` by default and only reads the `AWS_DEFAULT_REGION` environment variable (and not `AWS_REGION`, while the golang SDK does _mostly_ the opposite -- it reads the region **only** from `AWS_REGION` and not at all `~/.aws/config`, **unless** the `AWS_SDK_LOAD_CONFIG` environment variable is set. So, we must define our own approach to walking AWS config and deciding what to use.
Our chosen approach is:
"More specific takes precedence over less specific."
1. User-provided configuration is the most explicit. 2. Environment variables are potentially shared across many invocations and so they have less precedence. 3. Configuration in `~/.aws/config` is shared across all invocations of a given user and so this has even less precedence. 4. Configuration retrieved from the EC2 instance metadata service is shared by all invocations on a given machine, and so it has the lowest precedence.
This approach should be used in future updates to this logic.
func RetrieveCreds ¶
func RetrieveCreds(accessKey, secretKey, sessionToken string, logger hclog.Logger) (*credentials.Credentials, error)
Types ¶
type CredentialsConfig ¶
type CredentialsConfig struct { // The access key if static credentials are being used AccessKey string // The secret key if static credentials are being used SecretKey string // The session token if it is being used SessionToken string // The IAM endpoint to use; if not set will use the default IAMEndpoint string // The STS endpoint to use; if not set will use the default STSEndpoint string // If specified, the region will be provided to the config of the // EC2RoleProvider's client. This may be useful if you want to e.g. reuse // the client elsewhere. If not specified, the region will be determined // by the environment variables "AWS_REGION" or "AWS_DEFAULT_REGION". // Otherwise the default value is us-east-1. Region string // The filename for the shared credentials provider, if being used Filename string // The profile for the shared credentials provider, if being used Profile string // The role arn to use when creating either a web identity role provider // or a ec2-instance role provider. RoleARN string // The role session name to use when creating either a web identity role provider // or a ec2-instance role provider. RoleSessionName string // The role external ID to use when creating a ec2-instance role provider. RoleExternalId string // The role tags to use when creating a ec2-instance role provider. RoleTags map[string]string // The web identity token file to use if using the web identity token provider WebIdentityTokenFile string // The web identity token (contents, not the file path) to use with the web // identity token provider WebIdentityToken string // The web identity token fetcher to use with the web identity token provider WebIdentityTokenFetcher stscreds.TokenFetcher // The http.Client to use, or nil for the client to use its default HTTPClient *http.Client // The max retries to set on the client. This is a pointer because the zero // value has meaning. A nil pointer will use the default value. MaxRetries *int // The logger to use for credential acquisition debugging Logger hclog.Logger }
func NewCredentialsConfig ¶ added in v0.1.3
func NewCredentialsConfig(opt ...Option) (*CredentialsConfig, error)
NewCredentialsConfig creates a CredentialsConfig with the provided options.
Supported options: WithAccessKey, WithSecretKey, WithLogger, WithStsEndpoint, WithIamEndpoint, WithMaxRetries, WithRegion, WithHttpClient, WithRoleArn, WithRoleSessionName, WithRoleExternalId, WithRoleTags, WithWebIdentityTokenFile, WithWebIdentityToken, WithWebIdentityTokenFetcher.
func (*CredentialsConfig) CreateAccessKey ¶ added in v0.1.3
func (c *CredentialsConfig) CreateAccessKey(opt ...Option) (*iam.CreateAccessKeyOutput, error)
CreateAccessKey creates a new access/secret key pair.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout, WithIAMAPIFunc, WithSTSAPIFunc
When WithValidityCheckTimeout is non-zero, it specifies a timeout to wait on the created credentials to be valid and ready for use.
func (*CredentialsConfig) DeleteAccessKey ¶ added in v0.1.3
func (c *CredentialsConfig) DeleteAccessKey(accessKeyId string, opt ...Option) error
DeleteAccessKey deletes an access key.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUserName, WithIAMAPIFunc
func (*CredentialsConfig) GenerateCredentialChain ¶
func (c *CredentialsConfig) GenerateCredentialChain(opt ...Option) (*credentials.Credentials, error)
GenerateCredentialChain uses the config to generate a credential chain suitable for creating AWS sessions and clients.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithSkipWebIdentityValidity
func (*CredentialsConfig) GetCallerIdentity ¶ added in v0.1.4
func (c *CredentialsConfig) GetCallerIdentity(opt ...Option) (*sts.GetCallerIdentityOutput, error)
GetCallerIdentity runs sts.GetCallerIdentity for the current set credentials. This can be used to check that credentials are valid, in addition to checking details about the effective logged in account and user ID.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithValidityCheckTimeout
func (*CredentialsConfig) GetSession ¶ added in v0.1.3
func (c *CredentialsConfig) GetSession(opt ...Option) (*session.Session, error)
GetSession returns an AWS session configured according to the various values in the CredentialsConfig object. This can be passed into iam.New or sts.New as appropriate.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithClientType
func (*CredentialsConfig) IAMClient ¶ added in v0.1.6
func (c *CredentialsConfig) IAMClient(opt ...Option) (iamiface.IAMAPI, error)
IAMClient returns an IAM client.
Supported options: WithSession, WithIAMAPIFunc.
If WithIAMAPIFunc is supplied, the included function is used as the IAM client constructor instead. This can be used for Mocking the IAM API.
func (*CredentialsConfig) RotateKeys ¶ added in v0.1.3
func (c *CredentialsConfig) RotateKeys(opt ...Option) error
RotateKeys takes the access key and secret key from this credentials config and first creates a new access/secret key, then deletes the old access key. If deletion of the old access key is successful, the new access key/secret key are written into the credentials config and nil is returned. On any error, the old credentials are not overwritten. This ensures that any generated new secret key never leaves this function in case of an error, even though it will still result in an extraneous access key existing; we do also try to delete the new one to clean up, although it's unlikely that will work if the old one could not be deleted.
Supported options: WithEnvironmentCredentials, WithSharedCredentials, WithAwsSession, WithUsername, WithValidityCheckTimeout, WithIAMAPIFunc, WithSTSAPIFunc
Note that WithValidityCheckTimeout here, when non-zero, controls the WithValidityCheckTimeout option on access key creation. See CreateAccessKey for more details.
func (*CredentialsConfig) STSClient ¶ added in v0.1.6
func (c *CredentialsConfig) STSClient(opt ...Option) (stsiface.STSAPI, error)
STSClient returns a STS client.
Supported options: WithSession, WithSTSAPIFunc.
If WithSTSAPIFunc is supplied, the included function is used as the STS client constructor instead. This can be used for Mocking the STS API.
type FetchTokenContents ¶ added in v0.2.3
type FetchTokenContents []byte
FetchTokenContents allows the use of the content of a token in the WebIdentityProvider, instead of the path to a token. Useful with a serviceaccount token requested directly from the EKS/K8s API, for example.
func (FetchTokenContents) FetchToken ¶ added in v0.2.3
func (f FetchTokenContents) FetchToken(_ aws.Context) ([]byte, error)
type IAMAPIFunc ¶ added in v0.1.6
IAMAPIFunc is a factory function for returning an IAM interface, useful for supplying mock interfaces for testing IAM. The session is passed into the function in the same way as done with the standard iam.New() constructor.
func NewMockIAM ¶ added in v0.1.6
func NewMockIAM(opts ...MockIAMOption) IAMAPIFunc
NewMockIAM provides a factory function to use with the WithIAMAPIFunc option.
type MockIAM ¶
type MockIAM struct { iamiface.IAMAPI CreateAccessKeyOutput *iam.CreateAccessKeyOutput CreateAccessKeyError error DeleteAccessKeyError error ListAccessKeysOutput *iam.ListAccessKeysOutput ListAccessKeysError error GetUserOutput *iam.GetUserOutput GetUserError error }
MockIAM provides a way to mock the AWS IAM API.
func (*MockIAM) CreateAccessKey ¶
func (m *MockIAM) CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
func (*MockIAM) DeleteAccessKey ¶
func (m *MockIAM) DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
func (*MockIAM) GetUser ¶
func (m *MockIAM) GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error)
func (*MockIAM) ListAccessKeys ¶ added in v0.2.0
func (m *MockIAM) ListAccessKeys(*iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
type MockIAMOption ¶ added in v0.1.6
MockIAMOption is a function for setting the various fields on a MockIAM object.
func WithCreateAccessKeyError ¶ added in v0.1.6
func WithCreateAccessKeyError(e error) MockIAMOption
WithCreateAccessKeyError sets the error output for the CreateAccessKey method.
func WithCreateAccessKeyOutput ¶ added in v0.1.6
func WithCreateAccessKeyOutput(o *iam.CreateAccessKeyOutput) MockIAMOption
WithCreateAccessKeyOutput sets the output for the CreateAccessKey method.
func WithDeleteAccessKeyError ¶ added in v0.1.6
func WithDeleteAccessKeyError(e error) MockIAMOption
WithDeleteAccessKeyError sets the error output for the DeleteAccessKey method.
func WithGetUserError ¶ added in v0.1.6
func WithGetUserError(e error) MockIAMOption
WithGetUserError sets the error output for the GetUser method.
func WithGetUserOutput ¶ added in v0.1.6
func WithGetUserOutput(o *iam.GetUserOutput) MockIAMOption
WithGetUserOutput sets the output for the GetUser method.
func WithListAccessKeysError ¶ added in v0.2.0
func WithListAccessKeysError(e error) MockIAMOption
WithListAccessKeysError sets the error output for the ListAccessKeys method.
func WithListAccessKeysOutput ¶ added in v0.2.0
func WithListAccessKeysOutput(o *iam.ListAccessKeysOutput) MockIAMOption
WithListAccessKeysOutput sets the output for the ListAccessKeys method.
type MockSTS ¶ added in v0.1.6
type MockSTS struct { stsiface.STSAPI GetCallerIdentityOutput *sts.GetCallerIdentityOutput GetCallerIdentityError error }
MockSTS provides a way to mock the AWS STS API.
func (*MockSTS) GetCallerIdentity ¶ added in v0.1.6
func (m *MockSTS) GetCallerIdentity(_ *sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)
type MockSTSOption ¶ added in v0.1.6
MockSTSOption is a function for setting the various fields on a MockSTS object.
func WithGetCallerIdentityError ¶ added in v0.1.6
func WithGetCallerIdentityError(e error) MockSTSOption
WithGetCallerIdentityError sets the error output for the GetCallerIdentity method.
func WithGetCallerIdentityOutput ¶ added in v0.1.6
func WithGetCallerIdentityOutput(o *sts.GetCallerIdentityOutput) MockSTSOption
WithGetCallerIdentityOutput sets the output for the GetCallerIdentity method.
type Option ¶ added in v0.1.3
type Option func(*options) error
Option - how Options are passed as arguments
func MockOptionErr ¶ added in v0.1.6
MockOptionErr provides a mock option error for use with testing.
func WithAccessKey ¶ added in v0.1.3
WithAccessKey allows passing an access key to use for operations
func WithAwsSession ¶ added in v0.1.3
WithAwsSession allows controlling the session passed into the client
func WithClientType ¶ added in v0.1.3
WithClientType allows choosing the client type to use
func WithEnvironmentCredentials ¶ added in v0.1.3
WithEnvironmentCredentials allows controlling whether environment credentials are used
func WithHttpClient ¶ added in v0.1.3
WithHttpClient allows passing a custom client to use
func WithIAMAPIFunc ¶ added in v0.1.6
func WithIAMAPIFunc(with IAMAPIFunc) Option
WithIAMAPIFunc allows passing in an IAM interface constructor for mocking the AWS IAM API.
func WithIamEndpoint ¶ added in v0.1.3
WithIamEndpoint allows passing a custom IAM endpoint
func WithLogger ¶ added in v0.1.3
func WithLogger(with hclog.Logger) Option
WithLogger allows passing a logger to use
func WithMaxRetries ¶ added in v0.1.3
WithMaxRetries allows passing custom max retries to set
func WithRegion ¶ added in v0.1.3
WithRegion allows passing a custom region
func WithRoleArn ¶ added in v0.2.1
WithRoleArn allows passing a role arn to use when creating either a web identity role provider or a ec2-instance role provider.
func WithRoleExternalId ¶ added in v0.2.1
WithRoleExternalId allows passing a external id to use when creating a ec2-instance role provider. If not set, the role will be assumed in the same account. If set, the RoleARN must be set.
func WithRoleSessionName ¶ added in v0.2.1
WithRoleSessionName allows passing a session name to use when creating either a web identity role provider or a ec2-instance role provider. If set, the RoleARN must be set.
func WithRoleTags ¶ added in v0.2.1
WithRoleTags allows passing tags to use when creating a ec2-instance role provider. If set, the RoleARN must be set.
func WithSTSAPIFunc ¶ added in v0.1.6
func WithSTSAPIFunc(with STSAPIFunc) Option
WithSTSAPIFunc allows passing in a STS interface constructor for mocking the AWS STS API.
func WithSecretKey ¶ added in v0.1.3
WithSecretKey allows passing a secret key to use for operations
func WithSharedCredentials ¶ added in v0.1.3
WithSharedCredentials allows controlling whether shared credentials are used
func WithSkipWebIdentityValidity ¶ added in v0.2.3
WithSkipWebIdentityValidity allows controlling whether the validity check is skipped for the web identity provider
func WithStsEndpoint ¶ added in v0.1.3
WithStsEndpoint allows passing a custom STS endpoint
func WithUsername ¶ added in v0.1.3
WithUsername allows passing the user name to use for an operation
func WithValidityCheckTimeout ¶ added in v0.1.4
WithValidityCheckTimeout allows passing a timeout for operations that can wait on success.
func WithWebIdentityToken ¶ added in v0.2.3
WithWebIdentityToken allows passing a web identity token to use for the assumed role. If set, the RoleARN must be set.
func WithWebIdentityTokenFetcher ¶ added in v0.3.0
func WithWebIdentityTokenFetcher(with stscreds.TokenFetcher) Option
WithWebIdentityTokenFetcher allows passing an STS TokenFetcher which allows the AWS SDK client automatically to refresh the web identity token from any source.
func WithWebIdentityTokenFile ¶ added in v0.2.1
WithWebIdentityTokenFile allows passing a web identity token file to use for the assumed role. If set, the RoleARN must be set.
type STSAPIFunc ¶ added in v0.1.6
STSAPIFunc is a factory function for returning a STS interface, useful for supplying mock interfaces for testing STS. The session is passed into the function in the same way as done with the standard sts.New() constructor.
func NewMockSTS ¶ added in v0.1.6
func NewMockSTS(opts ...MockSTSOption) STSAPIFunc
NewMockSTS provides a factory function to use with the WithSTSAPIFunc option.
If withGetCallerIdentityError is supplied, calls to GetCallerIdentity will return the supplied error. Otherwise, a basic mock API output is returned.