vax

v0.0.0-...-8c9517e
Published: May 13, 2018 License: CC0-1.0 Imports: 3 Imported by: 0

README

vax

Vax is a Golang AWS credentials provider using the Hashicorp Vault AWS secret engine.

Vax pulls STS credentials from the configured Vault path and hands them to the AWS SDK through an implementation of the credentials.Provider interface, so any SDK client can consume them like any other credential source.

Usage

This example assumes you wish to pull credentials from a role named myrole in an AWS secrets engine mounted at aws, and that the environment variables VAULT_ADDR and VAULT_TOKEN are set to the appropriate values (the token must carry a policy that allows access to that role's STS endpoint):

package main

import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
	"github.com/daveadams/vax"
	"log"
)

const (
	SecretsEngineMount = "aws"    // path where the AWS secrets engine is mounted
	EngineRoleName     = "myrole" // role under that mount to request STS credentials for
)

func main() {
	// The Vault-backed provider replaces the SDK's default credential chain for this
	// client. The default Vault client reads VAULT_ADDR and VAULT_TOKEN from the env.
	stsSvc := sts.New(session.Must(session.NewSession()), &aws.Config{
		Credentials: vax.NewVaultProviderCredentials(SecretsEngineMount, EngineRoleName),
	})

	// GetCallerIdentity needs no IAM permissions, so it is a cheap check that the
	// credentials Vault handed out are accepted by AWS.
	resp, err := stsSvc.GetCallerIdentity(&sts.GetCallerIdentityInput{})
	if err != nil {
		log.Fatalf("ERROR: %s", err)
	}

	log.Printf("Hello, %s from account %s\n", *resp.Arn, *resp.Account)
}

The provider transparently requests a new set of credentials from Vault whenever the current set expires, so the application keeps working as long as the Vault token itself remains valid (neither expired nor revoked). Note the asymmetry at revocation time: revoking the Vault token stops future refreshes, but STS credentials that were already issued stay usable until their own TTL runs out, because Vault cannot revoke STS credentials early.

License

This software is public domain. No rights are reserved. See LICENSE for more information.

Documentation

Overview

Vax is a Golang AWS credentials provider using the Hashicorp Vault AWS secret engine.

Functions

func NewVaultProviderCredentials

func NewVaultProviderCredentials(enginePath string, roleName string) *credentials.Credentials

A convenience wrapper that returns a credentials.Credentials object backed by a VaultProvider built with NewVaultProvider, so callers need not import the credentials package or nest the two constructor calls themselves.

Types

type VaultProvider

type VaultProvider struct {
	// The full Vault API path to the STS credentials endpoint.
	StsCredsPath string

	// The TTL of the STS credentials in the form of a Go duration string.
	TTL string

	// The `vault.Client` object used to interact with Vault.
	VaultClient *vault.Client

	// compose with credentials.Expiry to get free IsExpired()
	credentials.Expiry
	// contains filtered or unexported fields
}

The VaultProvider object implements the AWS SDK `credentials.Provider` interface. Use `NewVaultProvider` to construct it with default settings; if you need to configure the `vault.Client` object, the TTL, or the path yourself, set the exported fields by hand instead.

func NewVaultProvider

func NewVaultProvider(enginePath string, roleName string) *VaultProvider

Creates a new VaultProvider. Supply the path where the AWS secrets engine is mounted and the name of the role to fetch credentials for. The provider is initialized with a default Vault client, which configures itself from the VAULT_ADDR and VAULT_TOKEN environment variables, and with a default TTL of 30 minutes for each set of credentials. Vault grants at most the role's maximum TTL, so the lease actually returned may be shorter than the TTL requested.

func (*VaultProvider) Retrieve

func (vp *VaultProvider) Retrieve() (credentials.Value, error)

Implements the Retrieve() function of the AWS SDK credentials.Provider interface: it requests a fresh set of STS credentials from Vault at StsCredsPath with the configured TTL and records their expiry through the embedded credentials.Expiry, so that IsExpired() tells the SDK when Retrieve() must be called again.
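The refresh behaviour the README describes and the Retrieve/IsExpired contract above, as an added example that is not part of vax: a minimal Vault-backed provider written against net/http only, exercised against an in-process fake of the aws/sts/myrole endpoint so that it runs offline. The type names, the fake server, the token value s.exampletoken, the fake clock and the constructed key material are this example's own assumptions; a real deployment uses the Vault and AWS SDK clients as the README shows.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Creds is the data block of an sts/<role> reply; the fields map onto an AWS SDK
// credentials.Value (AccessKeyID, SecretAccessKey, SessionToken).
type Creds struct {
	AccessKey     string `json:"access_key"`
	SecretKey     string `json:"secret_key"`
	SecurityToken string `json:"security_token"`
}
type stsResponse struct {
	LeaseDuration int   `json:"lease_duration"` // seconds Vault actually granted
	Data          Creds `json:"data"`
}

// Provider caches STS credentials from one Vault path and refreshes them Window before
// the lease runs out. Example type, not vax's; like vax it holds no lock, because the
// AWS SDK's credentials.Credentials serializes the calls it makes into a Provider.
type Provider struct {
	VaultAddr, VaultToken, StsCredsPath string
	TTL, Window                         time.Duration
	Now                                 func() time.Time // injectable clock
	cached                              Creds
	expires                             time.Time
}

// IsExpired is the credentials.Provider signal that Retrieve must be called again.
func (p *Provider) IsExpired() bool {
	return p.expires.IsZero() || !p.Now().Add(p.Window).Before(p.expires)
}

// Retrieve serves the cache while valid; otherwise it POSTs the requested ttl to
// /v1/<StsCredsPath> and sets the expiry from lease_duration, not from the TTL it
// asked for, because Vault caps the TTL at the role's maximum and may grant less.
func (p *Provider) Retrieve() (Creds, error) {
	if !p.IsExpired() {
		return p.cached, nil
	}
	body := strings.NewReader(fmt.Sprintf(`{"ttl":"%s"}`, p.TTL))
	req, err := http.NewRequest(http.MethodPost, p.VaultAddr+"/v1/"+p.StsCredsPath, body)
	if err != nil {
		return Creds{}, err
	}
	req.Header.Set("X-Vault-Token", p.VaultToken)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return Creds{}, err
	}
	defer resp.Body.Close()
	var sr stsResponse
	if resp.StatusCode != http.StatusOK {
		return Creds{}, fmt.Errorf("vault %s: HTTP %d", p.StsCredsPath, resp.StatusCode)
	} else if err := json.NewDecoder(resp.Body).Decode(&sr); err != nil {
		return Creds{}, err
	} else if sr.LeaseDuration <= 0 || sr.Data.AccessKey == "" {
		return Creds{}, fmt.Errorf("vault %s: reply carries no usable credentials", p.StsCredsPath)
	}
	p.cached = sr.Data
	p.expires = p.Now().Add(time.Duration(sr.LeaseDuration) * time.Second)
	return p.cached, nil
}

// newFakeVault imitates aws/sts/myrole for a role whose max_sts_ttl is lease: it checks
// X-Vault-Token, ignores any longer ttl asked for, and mints a fresh key pair per call.
// Constructed for this example; not a real Vault.
func newFakeVault(token string, lease time.Duration) *httptest.Server {
	n := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/aws/sts/myrole" || r.Header.Get("X-Vault-Token") != token {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		n++
		out := stsResponse{LeaseDuration: int(lease.Seconds()), Data: Creds{
			fmt.Sprintf("ASIAEXAMPLE%03d", n), fmt.Sprintf("secret-%03d", n), fmt.Sprintf("token-%03d", n)}}
		_ = json.NewEncoder(w).Encode(out)
	}))
}

// Scenario asks for 30m from a role that grants 15m, under a fake clock: the call at 13m
// is served from cache, the call at 14m30s crosses the 1m window and fetches new keys.
// A wrong token fails on the first call with HTTP 403. Returns the access keys seen.
func Scenario(token string) ([]string, error) {
	srv := newFakeVault("s.exampletoken", 15*time.Minute)
	defer srv.Close()
	now := time.Date(2018, 5, 13, 12, 0, 0, 0, time.UTC)
	p := &Provider{VaultAddr: srv.URL, VaultToken: token, StsCredsPath: "aws/sts/myrole",
		TTL: 30 * time.Minute, Window: time.Minute, Now: func() time.Time { return now }}
	var keys []string
	for _, step := range []time.Duration{0, 13 * time.Minute, 90 * time.Second} {
		now = now.Add(step)
		c, err := p.Retrieve()
		if err != nil {
			return keys, err
		}
		keys = append(keys, c.AccessKey)
	}
	return keys, nil
}

func main() { fmt.Println(Scenario("s.exampletoken")) }
```

Two points the page states in prose that the code makes concrete: the expiry is taken from lease_duration in Vault's reply rather than from the TTL requested, so a role capped below 30 minutes does not leave the client holding dead credentials, and the refresh window hands out new keys shortly before the old ones lapse instead of at the boundary. Once the Vault token is no longer accepted, the fake answers 403 and Retrieve surfaces the error, which is where a real client discovers that its Vault session has ended.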
