Overview ¶
Package aws implements the AWS credential provider for moat.
Unlike other providers that inject credentials via proxy headers, AWS uses a credential endpoint pattern. The provider exposes an HTTP endpoint that returns temporary credentials from STS AssumeRole in ECS container format.
The container is configured with AWS_CONTAINER_CREDENTIALS_FULL_URI pointing to the proxy's credential endpoint, so AWS SDKs fetch credentials from it automatically when needed. Note that SDKs accept a plain http:// value for this variable only when the host is a loopback address (or one of the ECS/EKS link-local addresses); any other host must be served over https://.
Grant flow:
- User provides IAM role ARN via `moat grant aws`
- ARN is validated and tested with STS AssumeRole
- Role ARN stored in Credential.Token; region, session duration, external ID and profile stored in Metadata under the MetaKey* constants
Runtime flow:
- Container makes AWS API call
- AWS SDK detects AWS_CONTAINER_CREDENTIALS_FULL_URI
- SDK fetches credentials from proxy endpoint
- Proxy calls STS AssumeRole and returns temporary credentials
- SDK uses credentials for the API call
Index ¶
- Constants
- func ConfigToJSON(cfg *Config) (string, error)
- func GetCredentialHelper() []byte
- func WithGrantOptions(ctx context.Context, role, region, sessionDuration, externalID, profile string) context.Context
- type Config
- type CredentialProvider
- type CredentialProviderConfig
- type Credentials
- type EndpointHandler
- type Provider
- func (p *Provider) Cleanup(cleanupPath string)
- func (p *Provider) ConfigureProxy(pc provider.ProxyConfigurer, cred *provider.Credential)
- func (p *Provider) ContainerEnv(cred *provider.Credential) []string
- func (p *Provider) ContainerMounts(cred *provider.Credential, containerHome string) ([]provider.MountConfig, string, error)
- func (p *Provider) Grant(ctx context.Context) (*provider.Credential, error)
- func (p *Provider) ImpliedDependencies() []string
- func (p *Provider) Name() string
- func (p *Provider) RegisterEndpoints(mux *http.ServeMux, cred *provider.Credential)
- type STSAssumeRoler
Constants ¶
const (
	MetaKeyRegion          = "region"
	MetaKeySessionDuration = "session_duration"
	MetaKeyExternalID      = "external_id"
	MetaKeyProfile         = "profile"
)
Metadata keys for AWS credentials.
const (
	DefaultRegion          = "us-east-1"
	DefaultSessionDuration = 15 * time.Minute
)
Default values.
const CredentialHelperScript = `` /* 1160-byte string literal not displayed */
CredentialHelperScript is a shell script that fetches AWS credentials from the moat proxy. It implements the AWS credential_process interface.
This requires curl, which is always installed as a base package in containers built with the dependency system (see internal/deps/dockerfile.go). Since --grant aws requires the aws dependency for the AWS CLI, curl is guaranteed to be present in any container using AWS credentials.
Variables ¶
This section is empty.
Functions ¶
func ConfigToJSON ¶
func ConfigToJSON(cfg *Config) (string, error)
ConfigToJSON serializes Config to JSON for storage.
func GetCredentialHelper ¶
func GetCredentialHelper() []byte
GetCredentialHelper returns the credential helper script as bytes.
Types ¶
type Config ¶
type Config struct {
RoleARN string
Region string
SessionDuration time.Duration
ExternalID string
Profile string // AWS shared config profile (AWS_PROFILE) used to assume the role
}
Config holds AWS IAM role configuration.
func ConfigFromCredential ¶
func ConfigFromCredential(cred *provider.Credential) (*Config, error)
ConfigFromCredential extracts Config from a stored credential. Supports both new format (Metadata) and legacy format (Scopes) for backwards compatibility.
func ParseRoleARN ¶
ParseRoleARN validates an IAM role ARN and returns a Config.
ARN format: arn:PARTITION:iam::ACCOUNT_ID:role/ROLE_NAME
Supported partitions: aws, aws-cn, aws-us-gov
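The ARN grammar above, as an added example written for this page and not the package's own ParseRoleARN (whose signature is not shown here). parseRoleARN and roleConfig are hypothetical names. It goes one step beyond the stated format by also accepting an IAM role path (arn:aws:iam::123456789012:role/service-role/Name), which IAM permits, and it rejects everything else a user-supplied ARN could smuggle in: another service, an unsupported partition, a region field, a malformed account ID, or a non-role resource.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// roleConfig holds what a validated role ARN determines (hypothetical type, not this package's Config).
// Path is the IAM path exactly as it appears in the ARN, trailing slash included, or "" when absent.
type roleConfig struct {
	RoleARN, Partition, AccountID, Path, RoleName string
}

var supportedPartitions = map[string]bool{"aws": true, "aws-cn": true, "aws-us-gov": true}

var (
	accountIDRe = regexp.MustCompile(`^[0-9]{12}$`)        // IAM account IDs are exactly 12 digits
	roleNameRe  = regexp.MustCompile(`^[\w+=,.@-]{1,64}$`) // IAM role name character set and length
)

// parseRoleARN validates arn:PARTITION:iam::ACCOUNT_ID:role/[PATH/]ROLE_NAME. Every field is
// checked, so only an IAM role in a supported partition is accepted.
func parseRoleARN(arn string) (*roleConfig, error) {
	parts := strings.Split(arn, ":")
	if len(parts) != 6 || parts[0] != "arn" {
		return nil, fmt.Errorf("invalid ARN %q: expected arn:PARTITION:iam::ACCOUNT_ID:role/NAME", arn)
	}
	partition, service, region, account, resource := parts[1], parts[2], parts[3], parts[4], parts[5]
	switch {
	case !supportedPartitions[partition]:
		return nil, fmt.Errorf("unsupported partition %q", partition)
	case service != "iam":
		return nil, fmt.Errorf("not an IAM ARN: service %q", service)
	case region != "":
		return nil, fmt.Errorf("IAM ARNs have no region, got %q", region)
	case !accountIDRe.MatchString(account):
		return nil, fmt.Errorf("invalid account ID %q", account)
	}
	rest, ok := strings.CutPrefix(resource, "role/")
	if !ok || rest == "" {
		return nil, fmt.Errorf("resource %q is not an IAM role", resource)
	}
	// The role name is the last path segment; anything before it is the optional IAM path.
	// A leading slash or an empty segment means a malformed path, so reject it.
	i := strings.LastIndex(rest, "/")
	path, name := rest[:i+1], rest[i+1:]
	if strings.HasPrefix(rest, "/") || strings.Contains(rest, "//") || !roleNameRe.MatchString(name) {
		return nil, fmt.Errorf("invalid role path or name %q", rest)
	}
	return &roleConfig{RoleARN: arn, Partition: partition, AccountID: account, Path: path, RoleName: name}, nil
}

func main() {
	// Constructed inputs: two valid role ARNs and two that must be rejected.
	for _, arn := range []string{
		"arn:aws:iam::123456789012:role/Deploy",
		"arn:aws-us-gov:iam::123456789012:role/service-role/Deploy",
		"arn:aws:iam::123456789012:user/Deploy",
		"arn:aws:sts::123456789012:assumed-role/Deploy/session",
	} {
		cfg, err := parseRoleARN(arn)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: partition=%s account=%s path=%q name=%s\n", cfg.Partition, cfg.AccountID, cfg.Path, cfg.RoleName)
	}
}
```

Rejecting an sts assumed-role ARN matters in practice: it is the form that shows up in CloudTrail and error messages, and users paste it by mistake; AssumeRole wants the iam role ARN.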
type CredentialProvider ¶ added in v0.5.0
type CredentialProvider struct {
// contains filtered or unexported fields
}
CredentialProvider manages AWS credential fetching and caching for proxy use. It creates an http.Handler that serves credentials in ECS container format.
func NewCredentialProvider ¶ added in v0.5.0
func NewCredentialProvider(ctx context.Context, cfg CredentialProviderConfig, sessionName string) (*CredentialProvider, error)
NewCredentialProvider creates a new AWS credential provider. If cfg.Profile is non-empty, it is used as the AWS shared config profile (equivalent to AWS_PROFILE) so the correct source identity is used for AssumeRole regardless of which process creates the provider.
func (*CredentialProvider) GetCredentials ¶ added in v0.5.0
func (p *CredentialProvider) GetCredentials(ctx context.Context) (*Credentials, error)
GetCredentials returns cached credentials or fetches new ones.
func (*CredentialProvider) Handler ¶ added in v0.5.0
func (p *CredentialProvider) Handler() http.Handler
Handler returns an HTTP handler for serving credentials.
func (*CredentialProvider) Region ¶ added in v0.5.0
func (p *CredentialProvider) Region() string
Region returns the configured AWS region.
func (*CredentialProvider) RoleARN ¶ added in v0.5.0
func (p *CredentialProvider) RoleARN() string
RoleARN returns the configured IAM role ARN.
func (*CredentialProvider) SetAuthToken ¶ added in v0.5.0
func (p *CredentialProvider) SetAuthToken(token string)
SetAuthToken sets the auth token that requests to the credential endpoint must present; requests without it are rejected.
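The runtime flow from the overview, with the caching GetCredentials describes and the token check SetAuthToken implies, as an added example written for this page rather than the package's own code. assumeRoler stands in for STSAssumeRoler so the example needs no AWS SDK, fakeSTS is a constructed stand-in for STS, and credentialEndpoint, ecsCredentials and refreshSkew are hypothetical names. The token is read from the Authorization header because that is where AWS SDKs send AWS_CONTAINER_AUTHORIZATION_TOKEN; which header moat's endpoint reads is not stated on this page.

```go
package main

import (
	"context"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"sync"
	"time"
)

// stsCredentials stands in for sts.AssumeRoleOutput.Credentials (hypothetical type; no SDK needed).
type stsCredentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
	Expiration                                 time.Time
}

// assumeRoler stands in for this package's STSAssumeRoler interface.
type assumeRoler interface {
	AssumeRole(ctx context.Context, roleARN, sessionName string, d time.Duration) (*stsCredentials, error)
}

// ecsCredentials is the JSON an AWS SDK expects from the URI in AWS_CONTAINER_CREDENTIALS_FULL_URI.
type ecsCredentials struct {
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	Token           string `json:"Token"`
	Expiration      string `json:"Expiration"` // RFC 3339, UTC
}

// refreshSkew: re-assume the role this long before expiry so no caller gets credentials that lapse mid-request.
const refreshSkew = time.Minute

// credentialEndpoint caches one AssumeRole result and serves it over HTTP.
type credentialEndpoint struct {
	sts                             assumeRoler
	roleARN, sessionName, authToken string
	duration                        time.Duration
	now                             func() time.Time
	mu                              sync.Mutex
	cached                          *stsCredentials
}

// getCredentials returns the cache while it has more than refreshSkew left, else calls AssumeRole.
func (e *credentialEndpoint) getCredentials(ctx context.Context) (*stsCredentials, error) {
	e.mu.Lock()
	defer e.mu.Unlock()
	if e.cached != nil && e.now().Add(refreshSkew).Before(e.cached.Expiration) {
		return e.cached, nil
	}
	c, err := e.sts.AssumeRole(ctx, e.roleARN, e.sessionName, e.duration)
	if err != nil {
		return nil, err
	}
	e.cached = c
	return c, nil
}

// ServeHTTP fails closed: no configured token, or a wrong one, means no credentials, so a stray process
// that can reach the proxy cannot mint them. SDKs send AWS_CONTAINER_AUTHORIZATION_TOKEN in Authorization.
func (e *credentialEndpoint) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	got := []byte(r.Header.Get("Authorization"))
	if e.authToken == "" || subtle.ConstantTimeCompare(got, []byte(e.authToken)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	c, err := e.getCredentials(r.Context())
	if err != nil {
		http.Error(w, "credential fetch failed", http.StatusBadGateway) // never echo the STS error
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store")
	_ = json.NewEncoder(w).Encode(ecsCredentials{
		AccessKeyId:     c.AccessKeyID,
		SecretAccessKey: c.SecretAccessKey,
		Token:           c.SessionToken,
		Expiration:      c.Expiration.UTC().Format(time.RFC3339),
	})
}

// fakeSTS is a constructed stand-in for STS so the example runs offline; counting calls makes the cache observable.
type fakeSTS struct {
	calls int
	now   func() time.Time
}

func (f *fakeSTS) AssumeRole(_ context.Context, _, _ string, d time.Duration) (*stsCredentials, error) {
	f.calls++
	return &stsCredentials{AccessKeyID: fmt.Sprintf("ASIAEXAMPLE%d", f.calls), SecretAccessKey: "constructed-secret",
		SessionToken: fmt.Sprintf("constructed-session-token-%d", f.calls), Expiration: f.now().Add(d)}, nil
}

func main() {
	e := &credentialEndpoint{sts: &fakeSTS{now: time.Now}, roleARN: "arn:aws:iam::123456789012:role/Deploy",
		sessionName: "moat-example", duration: 15 * time.Minute, authToken: "example-token", now: time.Now}
	http.Handle("/aws/credentials", e)
	// Loopback only: SDKs accept a plain http:// FULL_URI only for loopback hosts; nothing off-box should reach this.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Two choices carry the security weight: the endpoint serves nothing when no token is configured, and it refreshes a minute before expiry rather than at expiry, so a client never receives credentials that are about to lapse. To exercise it with a real SDK, point AWS_CONTAINER_CREDENTIALS_FULL_URI at http://127.0.0.1:8080/aws/credentials and set AWS_CONTAINER_AUTHORIZATION_TOKEN to the same token.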
type CredentialProviderConfig ¶ added in v0.5.0
type CredentialProviderConfig struct {
RoleARN string
Region string
SessionDuration time.Duration
ExternalID string
Profile string // AWS shared config profile (AWS_PROFILE) used to assume the role
}
CredentialProviderConfig holds the configuration needed to create a CredentialProvider.
type Credentials ¶
type Credentials struct {
AccessKeyID string
SecretAccessKey string
SessionToken string
Expiration time.Time
}
Credentials holds temporary AWS credentials.
type EndpointHandler ¶
type EndpointHandler struct {
// contains filtered or unexported fields
}
EndpointHandler serves AWS credentials via HTTP in ECS container format.
func NewEndpointHandler ¶
func NewEndpointHandler(cred *provider.Credential) *EndpointHandler
NewEndpointHandler creates a new AWS credential endpoint handler.
func (*EndpointHandler) Region ¶
func (h *EndpointHandler) Region() string
Region returns the configured AWS region.
func (*EndpointHandler) RoleARN ¶
func (h *EndpointHandler) RoleARN() string
RoleARN returns the configured IAM role ARN.
func (*EndpointHandler) ServeHTTP ¶
func (h *EndpointHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP implements http.Handler, returning credentials in credential_process format.
func (*EndpointHandler) SetAuthToken ¶
func (h *EndpointHandler) SetAuthToken(token string)
SetAuthToken sets the auth token that requests to the credential endpoint must present; requests without it are rejected.
func (*EndpointHandler) SetSTSClient ¶
func (h *EndpointHandler) SetSTSClient(client STSAssumeRoler)
SetSTSClient sets a custom STS client (for testing).
type Provider ¶
type Provider struct{}
Provider implements provider.CredentialProvider and provider.EndpointProvider for AWS credentials via STS AssumeRole.
func (*Provider) ConfigureProxy ¶
func (p *Provider) ConfigureProxy(pc provider.ProxyConfigurer, cred *provider.Credential)
ConfigureProxy is a no-op for AWS since it uses the endpoint pattern. AWS credentials are served via RegisterEndpoints, not header injection.
func (*Provider) ContainerEnv ¶
func (p *Provider) ContainerEnv(cred *provider.Credential) []string
ContainerEnv returns nil; the run manager sets AWS_CONTAINER_CREDENTIALS_FULL_URI.
func (*Provider) ContainerMounts ¶
func (p *Provider) ContainerMounts(cred *provider.Credential, containerHome string) ([]provider.MountConfig, string, error)
ContainerMounts returns nil; AWS doesn't require any mounts.
func (*Provider) ImpliedDependencies ¶
func (p *Provider) ImpliedDependencies() []string
ImpliedDependencies returns dependencies implied by AWS grant.
func (*Provider) RegisterEndpoints ¶
func (p *Provider) RegisterEndpoints(mux *http.ServeMux, cred *provider.Credential)
RegisterEndpoints registers the AWS credential endpoint handler. The handler serves temporary credentials from STS AssumeRole.
type STSAssumeRoler ¶
type STSAssumeRoler interface {
AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
}
STSAssumeRoler interface for STS AssumeRole operation (enables testing).