Documentation
Overview
Package aws holds AWS-side helpers used by cluster-facing seictl commands.
Index
Constants
const (
	IAMPath = "/seictl/"
)
Variables
This section is empty.
Functions
func AssertECRDigestRef
AssertECRDigestRef returns an actionable error if ref is not a digest-pinned ECR reference. It is used at render time to guarantee that manifests never carry a tag.
func CredsHint
func CredsHint() string
CredsHint returns a one-line remediation for the "no AWS credentials resolvable" case. It reads AWS_PROFILE and ~/.aws/config so the message names a profile the engineer can actually use, instead of a generic "Unable to locate credentials".
func ResolveDigest
ResolveDigest converts an ECR image reference (registry/repo:tag) into its sha256 digest. Already-digested refs are returned as-is without an ECR round-trip.
Account and region are taken from the hostname rather than from constants, so the resolver works for any ECR registry the validate-layer policy admits.
Types
type Caller
func GetCaller
GetCaller resolves the active AWS principal via STS GetCallerIdentity. Errors map to ExitIdentity / CatAWSUnavailable — this is a read of auth state, not a creation. When the failure is "no credentials resolvable" (vs e.g. permission denied), the message is prefixed with CredsHint() so the engineer sees the specific remediation.
type EngineerScope
func (EngineerScope) PolicyARN
func (e EngineerScope) PolicyARN() string
func (EngineerScope) PolicyName
func (e EngineerScope) PolicyName() string
func (EngineerScope) RoleARN
func (e EngineerScope) RoleARN() string
func (EngineerScope) RoleName
func (e EngineerScope) RoleName() string
type IAMArtifact
type IAMArtifact struct {
	Kind   string // "Policy" | "Role" | "Attachment"
	ARN    string
	Action string // "create" | "exists" | "would-create"
}
func ProvisionIAM
func ProvisionIAM(ctx context.Context, scope EngineerScope, dryRun bool) ([]IAMArtifact, *clioutput.Error)
ProvisionIAM is idempotent: re-running on a fully-onboarded engineer returns all "exists" actions and performs no mutation.
type PodIdentityArtifact
type PodIdentityArtifact struct {
	Kind          string // always "PodIdentityAssociation"
	AssociationID string
	RoleARN       string
	Action        string // "create" | "exists" | "would-create"
}
func EnsurePodIdentity
func EnsurePodIdentity(ctx context.Context, b PodIdentityBinding, dryRun bool) (PodIdentityArtifact, *clioutput.Error)
EnsurePodIdentity creates the workload SA association if it doesn't exist. EKS exposes no Get-by-tuple API, so we list-then-match. A pre-existing association bound to a different role is a hard failure — silently rebinding could grant the engineer access to the wrong S3 prefix.
type PodIdentityBinding
type PodIdentityBinding struct {
	Cluster        string
	Namespace      string
	ServiceAccount string
	RoleARN        string
	Region         string
}
PodIdentityBinding identifies one Pod Identity association uniquely via the (cluster, namespace, serviceAccount) tuple, plus the role to bind. This shape mirrors EKS's natural key.