awsutil

package
v0.10.0 Latest Latest
Published: May 17, 2026 License: Apache-2.0 Imports: 17 Imported by: 1

Constants

const (
	// AwsFederatedSigninEndpointTemplate is the fmt template for the AWS console
	// federation endpoint; the single %v is filled in by the caller (presumably the
	// region, which GetConsoleURL and GetSigninToken both take — confirm).
	AwsFederatedSigninEndpointTemplate = "https://%v.signin.aws.amazon.com/federation"
	// AwsConsoleURLTemplate is the fmt template for the console destination URL;
	// the single %v is filled in by the caller (presumably the region — confirm).
	AwsConsoleURLTemplate              = "https://%v.console.aws.amazon.com/"
	// DefaultIssuer is a default issuer label. Where it is used is not shown on
	// this page; NOTE(review): verify against the callers before relying on it.
	DefaultIssuer                      = "Red Hat SRE"
)
const (
	// PolicyVersion is the IAM policy language version string used in the
	// "Version" element of a PolicyDocument.
	PolicyVersion = "2012-10-17"
)

Variables

This section is empty.

Functions

func AssumeRole

func AssumeRole(
	stsClient stscreds.AssumeRoleAPIClient,
	roleSessionName string,
	roleArn string,
	inlinePolicy *PolicyDocument,
	policyARNs []types.PolicyDescriptorType,
	externalID string,
) (aws.Credentials, error)

AssumeRole calls STS AssumeRole for roleArn. When externalID is non-empty it is passed as the IAM external ID (cross-account trust).

func AssumeRoleSequence

func AssumeRoleSequence(
	seedClient stscreds.AssumeRoleAPIClient,
	roleArnSessionSequence []RoleArnSession,
	proxyURL *string,
	stsClientProviderFunc STSClientProviderFunc,
) (aws.Credentials, error)

AssumeRoleSequence assumes each role in order using credentials from the previous step (or seedClient for the first).

func AssumeRoleWithJWT

func AssumeRoleWithJWT(jwt string, roleArn string, stsClient stscreds.AssumeRoleWithWebIdentityAPIClient) (aws.Credentials, error)

AssumeRoleWithJWT exchanges jwt for temporary credentials for roleArn using the given STS client.

func GetConsoleURL added in v0.1.11

func GetConsoleURL(signinToken string, region string, sessionDurationMinutes int) (*url.URL, error)

GetConsoleURL builds the federated console login URL for signinToken in region, optionally extending session duration.

func StsClient added in v0.1.20

func StsClient(proxyURL *string) (*sts.Client, error)

StsClient returns a new STS API client; proxyURL is optional.

Types

type AWSFederatedSessionData added in v0.1.11

type AWSFederatedSessionData struct {
	// SessionID, SessionKey and SessionToken are serialised with the lower-case
	// JSON keys the AWS federation endpoint expects for its Session parameter.
	// They carry temporary credential material (presumably access key ID, secret
	// access key and session token — confirm against GetSigninToken), so treat a
	// value of this type as a secret: never log or persist it.
	SessionID    string `json:"sessionId"`
	SessionKey   string `json:"sessionKey"`
	SessionToken string `json:"sessionToken"`
}

type AWSSigninTokenResponse added in v0.1.11

type AWSSigninTokenResponse struct {
	// SigninToken is the token returned by the federation endpoint; it is the
	// input to GetConsoleURL and grants console access, so handle it as a secret.
	SigninToken string
}

func GetSigninToken added in v0.1.11

func GetSigninToken(awsCredentials aws.Credentials, region string) (*AWSSigninTokenResponse, error)

GetSigninToken requests an AWS console federation sign-in token for the given temporary credentials.

type Condition added in v0.1.41

type Condition struct {
	// NotIpAddress is the AWS "NotIpAddress" condition operator: the statement
	// matches when the request's source IP is NOT within the listed ranges.
	// The Go and JSON names keep the AWS key spelling (not NotIPAddress),
	// hence the lint suppression.
	//nolint NotIpAddress is required from AWS Policy
	NotIpAddress IPAddress `json:"NotIpAddress"`
}

type IPAddress added in v0.1.41

type IPAddress struct {
	// SourceIp is the list of IP ranges (CIDR strings) compared against the
	// "aws:SourceIp" condition key. AWS evaluates the address it receives the
	// request from, so NOTE(review): if calls go through a proxy (see the proxyURL
	// parameters on this page) the proxy's egress address is what is checked.
	// The Go name keeps the AWS key spelling, hence the lint suppression.
	//nolint SourceIp is required from AWS Policy
	SourceIp []string `json:"aws:SourceIp"`
}

type IdentityTokenValue added in v0.1.15

// IdentityTokenValue is the name of a file holding an identity token (JWT);
// GetIdentityToken reads that file.
type IdentityTokenValue string

IdentityTokenValue is a file name from which an identity token is retrieved.

func (IdentityTokenValue) GetIdentityToken added in v0.1.15

func (j IdentityTokenValue) GetIdentityToken() ([]byte, error)

GetIdentityToken reads the JWT from the named file and returns its contents as a []byte.

type PolicyDocument added in v0.1.41

type PolicyDocument struct {
	// Version is the IAM policy language version (see PolicyVersion).
	Version   string            `json:"Version"`
	// Statement is the ordered list of policy statements.
	Statement []PolicyStatement `json:"Statement"`
}

func NewPolicyDocument added in v0.1.41

func NewPolicyDocument(version string, statements []PolicyStatement) PolicyDocument

func (PolicyDocument) BuildPolicyWithRestrictedIP added in v0.1.41

func (p PolicyDocument) BuildPolicyWithRestrictedIP(ipAddress IPAddress) (PolicyDocument, error)

func (PolicyDocument) String added in v0.1.41

func (p PolicyDocument) String() string

type PolicyDocumentInterface added in v0.1.41

type PolicyDocumentInterface interface {
	// String renders the policy document as a string.
	// NOTE(review): PolicyDocument.String on this page is declared as
	// `String() string` (no error), so PolicyDocument would not satisfy this
	// interface as listed — confirm which signature is intended.
	String() (string, error)
	// BuildPolicyWithRestrictedIP returns a copy of the document restricted to
	// the given source IP ranges.
	BuildPolicyWithRestrictedIP(ipAddress IPAddress) (PolicyDocument, error)
}

type PolicyStatement added in v0.1.41

type PolicyStatement struct {
	Sid       string            `json:"Sid"`        // statement ID
	Effect    string            `json:"Effect"`     // "Allow" or "Deny"
	Action    []string          `json:"Action"`     // actions that are allowed or denied
	Principal map[string]string `json:",omitempty"` // principal the statement applies to; omitted from JSON when empty (key defaults to "Principal")
	Resource  *string           `json:",omitempty"` // single resource the statement covers; nil omits the element entirely (no resource restriction is expressed)
	Condition *Condition        `json:",omitempty"` // condition under which the statement applies; nil means unconditional
}

func NewPolicyStatement added in v0.1.41

func NewPolicyStatement(sid string, affect string, action []string) PolicyStatement

func (PolicyStatement) AddCondition added in v0.1.41

func (ps PolicyStatement) AddCondition(condition *Condition) PolicyStatement

func (PolicyStatement) AddResource added in v0.1.41

func (ps PolicyStatement) AddResource(resource *string) PolicyStatement

type RoleArnSession added in v0.1.23

type RoleArnSession struct {
	// Name is a human-readable label for this step.
	Name            string
	// RoleSessionName is the STS RoleSessionName for this assume step.
	RoleSessionName string
	// RoleArn is the role assumed in this step.
	RoleArn         string
	// IsCustomerRole marks the role as customer-owned; how callers act on it is
	// not shown on this page — confirm before relying on it.
	IsCustomerRole  bool
	// Policy is an optional inline session policy (nil means none).
	Policy          *PolicyDocument
	// PolicyARNs are optional managed policies applied to the session.
	PolicyARNs      []types.PolicyDescriptorType
	// ExternalID is the OCM/AWS STS external ID for this assume step (empty when not used).
	ExternalID string
}

RoleArnSession is one step in a chained AssumeRole sequence (seed credentials assume into RoleArn, optionally with session policy and external ID).

type STSClientProviderFunc

// STSClientProviderFunc builds an STS AssumeRole API client from AWS config load
// options; AssumeRoleSequence uses it to create a client per step.
type STSClientProviderFunc func(optFns ...func(*config.LoadOptions) error) (stscreds.AssumeRoleAPIClient, error)

STSClientProviderFunc loads an STS AssumeRole API client (e.g. with static credentials from a prior assume step).

// DefaultSTSClientProviderFunc loads the AWS SDK default config chain, applying
// loadOpts, and wraps it in an STS client. It returns an error (wrapped with
// context) when the config cannot be loaded.
var DefaultSTSClientProviderFunc STSClientProviderFunc = func(loadOpts ...func(options *config.LoadOptions) error) (stscreds.AssumeRoleAPIClient, error) {
	cfg, loadErr := config.LoadDefaultConfig(context.TODO(), loadOpts...)
	if loadErr != nil {
		return nil, fmt.Errorf("failed to load default AWS config: %w", loadErr)
	}
	client := sts.NewFromConfig(cfg)
	return client, nil
}

DefaultSTSClientProviderFunc is the default STSClientProviderFunc using the AWS SDK default config chain.
