Documentation
Overview
Package aws implements the AWS credential provider for moat.
Unlike other providers that inject credentials via proxy headers, AWS uses a credential endpoint pattern. The provider exposes an HTTP endpoint that returns temporary credentials from STS AssumeRole in ECS container format.
The container is configured with AWS_CONTAINER_CREDENTIALS_FULL_URI pointing to the proxy's credential endpoint, allowing AWS SDKs to automatically fetch credentials when needed.
Grant flow:
- User provides IAM role ARN via `moat grant aws`
- ARN is validated and tested with STS AssumeRole
- Role ARN stored in Credential.Token, region/duration in Metadata
Runtime flow:
- Container makes AWS API call
- AWS SDK detects AWS_CONTAINER_CREDENTIALS_FULL_URI
- SDK fetches credentials from proxy endpoint
- Proxy calls STS AssumeRole and returns temporary credentials
- SDK uses credentials for the API call
Index
- Constants
- func ConfigToJSON(cfg *Config) (string, error)
- func GetCredentialHelper() []byte
- func WithGrantOptions(ctx context.Context, role, region, sessionDuration, externalID string) context.Context
- type Config
- type Credentials
- type EndpointHandler
- type Provider
- func (p *Provider) Cleanup(cleanupPath string)
- func (p *Provider) ConfigureProxy(pc provider.ProxyConfigurer, cred *provider.Credential)
- func (p *Provider) ContainerEnv(cred *provider.Credential) []string
- func (p *Provider) ContainerMounts(cred *provider.Credential, containerHome string) ([]provider.MountConfig, string, error)
- func (p *Provider) Grant(ctx context.Context) (*provider.Credential, error)
- func (p *Provider) ImpliedDependencies() []string
- func (p *Provider) Name() string
- func (p *Provider) RegisterEndpoints(mux *http.ServeMux, cred *provider.Credential)
- type STSAssumeRoler
Constants
const (
	MetaKeyRegion          = "region"
	MetaKeySessionDuration = "session_duration"
	MetaKeyExternalID      = "external_id"
)
Metadata keys for AWS credentials.
const (
	DefaultRegion          = "us-east-1"
	DefaultSessionDuration = 15 * time.Minute
)
Default values.
const CredentialHelperScript = `` /* 322-byte string literal not displayed */
CredentialHelperScript is a shell script that fetches AWS credentials from the AgentOps proxy. It implements the AWS credential_process interface.
This requires curl, which is always installed as a base package in containers built with the dependency system (see internal/deps/dockerfile.go). Since --grant aws requires the aws dependency for the AWS CLI, curl is guaranteed to be present in any container using AWS credentials.
Variables
This section is empty.
Functions
func ConfigToJSON
func ConfigToJSON(cfg *Config) (string, error)
ConfigToJSON serializes Config to JSON for storage.
func GetCredentialHelper
func GetCredentialHelper() []byte
GetCredentialHelper returns the credential helper script as bytes.
Types
type Config
Config holds AWS IAM role configuration.
func ConfigFromCredential
func ConfigFromCredential(cred *provider.Credential) (*Config, error)
ConfigFromCredential extracts Config from a stored credential. Supports both new format (Metadata) and legacy format (Scopes) for backwards compatibility.
func ParseRoleARN
ParseRoleARN validates an IAM role ARN and returns a Config.
ARN format: arn:PARTITION:iam::ACCOUNT_ID:role/ROLE_NAME
Supported partitions: aws, aws-cn, aws-us-gov
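As an added example (not the package's own code), a ParseRoleARN that enforces the format and partition rules stated above. The Config fields are assumed; the 12-digit account ID check and the role-path handling go slightly beyond what the doc comment states.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Config is a simplified stand-in for the package's Config type (assumed fields).
type Config struct {
	RoleARN, Partition, AccountID, RoleName string
}

// Partitions the package docs list as supported; anything else (e.g. aws-iso) is refused.
var supportedPartitions = map[string]bool{"aws": true, "aws-cn": true, "aws-us-gov": true}

var (
	accountIDRe = regexp.MustCompile(`^[0-9]{12}$`)    // AWS account IDs are exactly 12 digits
	roleNameRe  = regexp.MustCompile(`^[\w+=,.@/-]+$`) // IAM role name plus optional path segments
)

// ParseRoleARN validates arn:PARTITION:iam::ACCOUNT_ID:role/ROLE_NAME and returns a Config.
// Every field is checked so a grant cannot name a non-role resource or an unhandled partition.
func ParseRoleARN(arn string) (*Config, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return nil, errors.New("invalid ARN: expected arn:PARTITION:iam::ACCOUNT_ID:role/ROLE_NAME")
	}
	partition, service, region, account, resource := parts[1], parts[2], parts[3], parts[4], parts[5]
	if !supportedPartitions[partition] {
		return nil, fmt.Errorf("unsupported partition %q (want aws, aws-cn or aws-us-gov)", partition)
	}
	if service != "iam" || region != "" {
		return nil, errors.New("invalid ARN: service must be iam and the region field must be empty")
	}
	if !accountIDRe.MatchString(account) {
		return nil, errors.New("invalid ARN: account ID must be 12 digits")
	}
	name := strings.TrimPrefix(resource, "role/")
	if name == resource || !roleNameRe.MatchString(name) || strings.HasSuffix(name, "/") {
		return nil, errors.New("invalid ARN: resource must be role/ROLE_NAME")
	}
	return &Config{RoleARN: arn, Partition: partition, AccountID: account, RoleName: name}, nil
}

func main() {
	cfg, err := ParseRoleARN("arn:aws:iam::123456789012:role/moat-agent")
	fmt.Printf("%+v %v\n", cfg, err)
}
```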
type Credentials
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expiration      time.Time
}
Credentials holds temporary AWS credentials.
type EndpointHandler
type EndpointHandler struct {
	// contains filtered or unexported fields
}
EndpointHandler serves AWS credentials via HTTP in ECS container format.
func NewEndpointHandler
func NewEndpointHandler(cred *provider.Credential) *EndpointHandler
NewEndpointHandler creates a new AWS credential endpoint handler.
func (*EndpointHandler) Region
func (h *EndpointHandler) Region() string
Region returns the configured AWS region.
func (*EndpointHandler) RoleARN
func (h *EndpointHandler) RoleARN() string
RoleARN returns the configured IAM role ARN.
func (*EndpointHandler) ServeHTTP
func (h *EndpointHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP implements http.Handler, returning credentials in credential_process format.
func (*EndpointHandler) SetAuthToken
func (h *EndpointHandler) SetAuthToken(token string)
SetAuthToken sets the required auth token for the credential endpoint.
func (*EndpointHandler) SetSTSClient
func (h *EndpointHandler) SetSTSClient(client STSAssumeRoler)
SetSTSClient sets a custom STS client (for testing).
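An added example (not the package's code) of the endpoint pattern behind ServeHTTP, SetAuthToken and SetSTSClient: the handler requires the token the SDK sends from AWS_CONTAINER_AUTHORIZATION_TOKEN, calls a pluggable assumer, and answers in the ECS container format described in the Overview. The Assumer type, the handler's fields and the fake STS stand-in are assumptions so the example runs without the AWS SDK.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"net/http"
	"time"
)

type Credentials struct { // mirrors the package's Credentials type
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}
// Assumer is a hypothetical stand-in for STSAssumeRoler so this runs without the AWS SDK;
// the real handler calls sts.AssumeRole with the configured role ARN and session duration.
type Assumer func(ctx context.Context, roleARN string, d time.Duration) (Credentials, error)
type EndpointHandler struct { // simplified version of the package's handler (assumed fields)
	RoleARN   string
	Duration  time.Duration
	AuthToken string // the SDK sends AWS_CONTAINER_AUTHORIZATION_TOKEN as the Authorization header
	Assume    Assumer
}

// ServeHTTP answers in the ECS container credential format the SDK expects behind
// AWS_CONTAINER_CREDENTIALS_FULL_URI: AccessKeyId, SecretAccessKey, Token, Expiration.
func (h *EndpointHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Fail closed: an unset token or a mismatch is a 401 before any STS call (constant-time compare).
	if h.AuthToken == "" || subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(h.AuthToken)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	creds, err := h.Assume(r.Context(), h.RoleARN, h.Duration)
	if err != nil { // the container only sees a generic failure, never STS error details
		http.Error(w, "assume role failed", http.StatusBadGateway)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{
		"AccessKeyId": creds.AccessKeyID, "SecretAccessKey": creds.SecretAccessKey,
		"Token": creds.SessionToken, "Expiration": creds.Expiration.UTC().Format(time.RFC3339),
	})
}

func main() {
	fake := func(_ context.Context, _ string, d time.Duration) (Credentials, error) { // constructed STS stand-in
		return Credentials{"ASIAEXAMPLE", "fake", "fake-token", time.Now().Add(d)}, nil
	}
	h := &EndpointHandler{RoleARN: "arn:aws:iam::123456789012:role/example", Duration: 15 * time.Minute, AuthToken: "demo-token", Assume: fake}
	http.ListenAndServe("127.0.0.1:8080", h) // loopback only: reachable through the proxy wiring, not the network
}
```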
type Provider
type Provider struct{}
Provider implements provider.CredentialProvider and provider.EndpointProvider for AWS credentials via STS AssumeRole.
func (*Provider) ConfigureProxy
func (p *Provider) ConfigureProxy(pc provider.ProxyConfigurer, cred *provider.Credential)
ConfigureProxy is a no-op for AWS since it uses the endpoint pattern. AWS credentials are served via RegisterEndpoints, not header injection.
func (*Provider) ContainerEnv
func (p *Provider) ContainerEnv(cred *provider.Credential) []string
ContainerEnv returns nil; the run manager sets AWS_CONTAINER_CREDENTIALS_FULL_URI.
func (*Provider) ContainerMounts
func (p *Provider) ContainerMounts(cred *provider.Credential, containerHome string) ([]provider.MountConfig, string, error)
ContainerMounts returns nil; AWS doesn't require any mounts.
func (*Provider) ImpliedDependencies
func (p *Provider) ImpliedDependencies() []string
ImpliedDependencies returns the dependencies implied by the AWS grant.
func (*Provider) RegisterEndpoints
func (p *Provider) RegisterEndpoints(mux *http.ServeMux, cred *provider.Credential)
RegisterEndpoints registers the AWS credential endpoint handler. The handler serves temporary credentials from STS AssumeRole.
type STSAssumeRoler
type STSAssumeRoler interface {
	AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
}
STSAssumeRoler is the interface for the STS AssumeRole operation; it lets tests substitute a fake client via SetSTSClient.