credentialexchange

package
Published: Mar 31, 2025 License: MIT Imports: 16 Imported by: 0

Documentation

Overview

credentialexchange

Handles all the main flows for exchanging credentials for AWS temporary creds.

Currently supports SAML as posted by an IdP to an ACS endpoint in AWS, and AWS_WEB_IDENTITY_TOKEN_FILE; with the latter, the exact role to choose can optionally be specified if the TOKEN corresponds to the `chained role`.

Index

Constants

// Package-level identifiers shared by the credential exchange flows.
const (
	// SELF_NAME is the name this tool identifies itself as (presumably the
	// selfName passed to SessionName — confirm against callers).
	SELF_NAME        = "aws-cli-auth"
	// WEB_ID_TOKEN_VAR is the environment variable naming the file that holds
	// the web identity token; see GetWebIdTokenFileContents.
	WEB_ID_TOKEN_VAR = "AWS_WEB_IDENTITY_TOKEN_FILE"
	// AWS_ROLE_ARN is the environment variable carrying the role ARN used with
	// the web identity token (the standard AWS SDK variable name — confirm how
	// this package reads it).
	AWS_ROLE_ARN     = "AWS_ROLE_ARN"
	// INI_CONF_SECTION is the section name used in the package's own INI config
	// file (presumably what WriteIniSection writes — confirm).
	INI_CONF_SECTION = "role"
)

Variables

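// Sentinel errors returned by the credential exchange flows. Callers should
// match them with errors.Is rather than comparing message text.
var (
	// ErrUnableAssume is returned when an assume-role call does not succeed.
	ErrUnableAssume = errors.New("unable to assume")
	// ErrUnableSessionCreate is returned when a session cannot be created.
	// The message previously read "sesion"; fixed to "session".
	ErrUnableSessionCreate = errors.New("unable to create a session")
	// ErrTokenExpired is returned when the token presented has already expired.
	ErrTokenExpired = errors.New("token expired")
	// ErrMissingEnvVar is returned when a required environment variable is not set.
	ErrMissingEnvVar = errors.New("missing env var")
	// ErrUnmarshalCred is returned when a credential string cannot be decoded.
	ErrUnmarshalCred = errors.New("unable to unmarshal credential from string")
)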
// ErrSectionNotFound is returned when the requested INI section does not exist.
var ErrSectionNotFound = errors.New("section not found")

// ErrConfigFailure is returned for a general configuration error.
var ErrConfigFailure = errors.New("config error")
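// Sentinel errors raised by the SecretStore and its locking/keyring helpers.
// Match them with errors.Is; do not compare message text.
var (
	// ErrUnableToLoadAWSCred is returned when the stored AWS credential cannot be loaded.
	// The message previously read "laod"; fixed to "load".
	ErrUnableToLoadAWSCred = errors.New("unable to load AWS credential")
	// ErrCannotLockDir is returned when the lock directory cannot be created.
	ErrCannotLockDir = errors.New("unable to create lock dir")
	// ErrUnableToRetrieveSections is returned when the INI sections cannot be read.
	ErrUnableToRetrieveSections = errors.New("unable to retrieve sections")
	// ErrUnableToLoadDueToLock is returned when a lock error prevents loading the secret.
	ErrUnableToLoadDueToLock = errors.New("cannot load secret due to lock error")
	// ErrUnableToAcquireLock is returned when the lock cannot be acquired.
	ErrUnableToAcquireLock = errors.New("cannot acquire lock")
	// ErrUnmarshallingSecret is returned when the stored secret cannot be decoded.
	ErrUnmarshallingSecret = errors.New("cannot unmarshal secret")
	// ErrFailedToClearSecretStorage is returned when the OS secret storage could not be cleared.
	ErrFailedToClearSecretStorage = errors.New("failed to clear secret storage on OS")
)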

Functions

func ConfigIniFile

func ConfigIniFile(basePath string) string

func GetWebIdTokenFileContents

func GetWebIdTokenFileContents() (string, error)

GetWebIdTokenFileContents reads the contents of the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable. Used only with specific assume

func HomeDir

func HomeDir() string

func IsValid

func IsValid(ctx context.Context, currentCreds *AWSCredentials, reloadBeforeTime int, svc AuthSamlApi) (bool, error)

IsValid checks the current credentials and returns them if they are still valid; if reloadBeforeTime is less than the time left on the creds, then it will re-request a login.

func KeyRoleConverter

func KeyRoleConverter(key string) string

KeyRoleConverter converts a key back to a role.

func MergeRoleChain

func MergeRoleChain(role string, roleChain []string, insertRoleIntoChain bool) []string

MergeRoleChain inserts the main role into the role chain.

This is mainly used with AWS SSO flow where the SSO user credentials are used to assume the target role(s).

func ReloadBeforeExpiry

func ReloadBeforeExpiry(expiry time.Time, reloadBeforeSeconds int) bool

ReloadBeforeExpiry returns true if the time to expiry is less than the specified time in seconds, and false if there is more than the required time in seconds before the credentials need to be recycled.

func RoleKeyConverter

func RoleKeyConverter(role string) string

RoleKeyConverter converts a role to a key used for storing in key store

func SessionName

func SessionName(username, selfName string) string

func SetCredentials

func SetCredentials(creds *AWSCredentials, config CredentialConfig) error

func WriteIniSection

func WriteIniSection(role string) error

WriteIniSection updates ini sections in the package's own config file.

Types

type AWSCredentials

// AWSCredentials is a representation of the returned credential.
//
// AWSSecretKey and AWSSessionToken are secret material: keep them out of logs
// and error messages.
type AWSCredentials struct {
	// Version has no json tag, so encoding/json uses the key "Version"
	// (presumably the credential document format version — confirm).
	Version         int
	// AWSAccessKey is serialized under the JSON key "AccessKeyId".
	AWSAccessKey    string    `json:"AccessKeyId"`
	// AWSSecretKey is serialized under "SecretAccessKey"; secret material.
	AWSSecretKey    string    `json:"SecretAccessKey"`
	// AWSSessionToken is serialized under "SessionToken"; secret material.
	AWSSessionToken string    `json:"SessionToken"`
	// PrincipalARN is excluded from JSON serialization by the "-" tag.
	PrincipalARN    string    `json:"-"`
	// Expires is serialized under "Expiration"; ReloadBeforeExpiry decides
	// whether credentials this close to expiry should be refreshed.
	Expires         time.Time `json:"Expiration"`
}

AWSCredentials is a representation of the returned credential

func AssumeRoleInChain

func AssumeRoleInChain(ctx context.Context, baseCreds *AWSCredentials, svc AuthSamlApi, username string, roles []string, conf CredentialConfig) (*AWSCredentials, error)

AssumeRoleInChain loops over all the roles provided. If none are provided, it will return the baseCreds.

func LoginAwsWebToken

func LoginAwsWebToken(ctx context.Context, username string, svc authWebTokenApi) (*AWSCredentials, error)

LoginAwsWebToken

func LoginStsSaml

func LoginStsSaml(ctx context.Context, samlResponse string, role AWSRole, svc AuthSamlApi) (*AWSCredentials, error)

LoginStsSaml exchanges a SAML response for STS creds.

func (*AWSCredentials) FromRoleCredString

func (a *AWSCredentials) FromRoleCredString(cred string) (*AWSCredentials, error)

type AWSRole

// AWSRole aws role attributes.
type AWSRole struct {
	// RoleARN is the ARN of the role to assume.
	RoleARN      string
	// PrincipalARN is the ARN of the principal used alongside RoleARN
	// (presumably the SAML provider ARN passed to AssumeRoleWithSAML — confirm).
	PrincipalARN string
	// Name is a label for the role.
	Name         string
	// Duration of the requested session; units are not stated on this page
	// (likely seconds, as STS DurationSeconds is — confirm).
	Duration     int
}

AWSRole aws role attributes

type AWSRoleConfig

// AWSRoleConfig aws role attributes as read from configuration; it mirrors
// AWSRole without the Duration field.
type AWSRoleConfig struct {
	// RoleARN is the ARN of the role to assume.
	RoleARN      string
	// PrincipalARN is the ARN of the principal used alongside RoleARN
	// (presumably the SAML provider ARN — confirm).
	PrincipalARN string
	// Name is a label for the role.
	Name         string
}

AWSRoleConfig aws role attributes

type AuthSamlApi

// AuthSamlApi is the subset of STS operations this package calls. The method
// signatures match those of the AWS SDK for Go v2 sts.Client, so a real client
// satisfies it and tests can substitute a fake.
type AuthSamlApi interface {
	// AssumeRoleWithSAML exchanges a SAML assertion for temporary credentials.
	AssumeRoleWithSAML(ctx context.Context, params *sts.AssumeRoleWithSAMLInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithSAMLOutput, error)
	// GetCallerIdentity returns the identity behind the calling credentials.
	GetCallerIdentity(ctx context.Context, params *sts.GetCallerIdentityInput, optFns ...func(*sts.Options)) (*sts.GetCallerIdentityOutput, error)
	// AssumeRole assumes a role using already-held credentials (used when
	// walking a role chain — see AssumeRoleInChain).
	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
}

type BaseConfig

// BaseConfig holds the settings common to every credential flow.
type BaseConfig struct {
	// Role is the main role to assume.
	Role                 string
	// RoleChain is the ordered list of roles to assume in turn; see MergeRoleChain
	// for how Role is inserted into it.
	RoleChain            []string
	// Username identifies the user (also used to build the STS session name — see SessionName).
	Username             string
	// CfgSectionName is the INI section this configuration is stored under (presumably — confirm).
	CfgSectionName       string
	// StoreInProfile controls whether credentials are written to an AWS profile
	// (inferred from the name — confirm against the implementation).
	StoreInProfile       bool
	// DoKillHangingProcess enables cleanup of a leftover process; semantics are
	// not visible on this page — confirm.
	DoKillHangingProcess bool
	// ReloadBeforeTime is the threshold passed to IsValid for refreshing
	// credentials ahead of expiry; ReloadBeforeExpiry takes seconds, so this
	// is presumably seconds too — confirm.
	ReloadBeforeTime     int
}

type CredentialConfig

// CredentialConfig is the full configuration for a credential exchange,
// covering both the SAML/ACS flow and the AWS SSO flow.
type CredentialConfig struct {
	// BaseConfig carries the settings shared by all flows.
	BaseConfig         BaseConfig
	// ProviderUrl is the identity provider URL (presumably the SAML IdP — confirm).
	ProviderUrl        string
	// PrincipalArn is the principal ARN used when assuming the role.
	PrincipalArn       string
	// AcsUrl is the ACS endpoint in AWS that the IdP posts the SAML response to.
	AcsUrl             string
	// Duration of the requested session; units are not stated on this page — confirm.
	Duration           int
	// IsSso selects the AWS SSO flow instead of SAML.
	IsSso              bool
	// SsoRegion is the region of the SSO instance.
	SsoRegion          string
	// SsoRole is the role assumed with SSO user credentials.
	SsoRole            string
	// SsoUserEndpoint and SsoCredFedEndpoint are the SSO endpoints used by the
	// SSO flow; exact semantics are not visible here — confirm.
	SsoUserEndpoint    string
	SsoCredFedEndpoint string
}

type SecretStore

// SecretStore persists AWS credentials in the OS keyring, coordinating access
// through a locker (see WithKeyring and WithLocker).
type SecretStore struct {
	// AWSCredentials is the decoded credential, when loaded.
	AWSCredentials *AWSCredentials
	// AWSCredJson is presumably the serialized credential as stored in the
	// keyring — confirm; it carries secret material and must not be logged.
	AWSCredJson    string
	// contains filtered or unexported fields
}

SecretStore

func NewSecretStore

func NewSecretStore(roleArn, namer, baseDir, username string) (*SecretStore, error)

func (*SecretStore) AWSCredential

func (s *SecretStore) AWSCredential() (*AWSCredentials, error)

func (*SecretStore) Clear

func (s *SecretStore) Clear() error

func (*SecretStore) ClearAll

func (s *SecretStore) ClearAll() error

ClearAll loops through all the sections in the INI file and deletes them from the keychain implementation on the OS.

func (*SecretStore) SaveAWSCredential

func (s *SecretStore) SaveAWSCredential(cred *AWSCredentials) error

func (*SecretStore) WithKeyring

func (s *SecretStore) WithKeyring(keyring keyring.Keyring) *SecretStore

func (*SecretStore) WithLocker

func (s *SecretStore) WithLocker(locker lockgate.Locker) *SecretStore
