awsiam

package
v1.78.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 19, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	AuthVersion       = "2011-06-15"
	AuthMethod        = http.MethodPost
	AuthAction        = "GetCallerIdentity"
	AuthAlgorithm     = "AWS4-HMAC-SHA256"
	StsGlobalEndpoint = "sts.amazonaws.com"
	AuthActionKey     = "Action"
	AuthVersionKey    = "Version"
	AuthAlgorithmKey  = "X-Amz-Algorithm"
	//nolint:gosec
	AuthCredentialKey  = "X-Amz-Credential"
	AuthDateKey        = "X-Amz-Date"
	HostServerIDHeader = "X-LakeFS-Server-ID"
	AuthExpiresKey     = "X-Amz-Expires"
	//nolint:gosec
	AuthSecurityTokenKey = "X-Amz-Security-Token"
	AuthSignedHeadersKey = "X-Amz-SignedHeaders"
	AuthSignatureKey     = "X-Amz-Signature"
	DatetimeFormat       = "20060102T150405Z"
	CredentialTimeFormat = "20060102"

	AWSIAMProviderType = "aws_iam"
)
View Source 
const (
	DefaultSTSLoginExpire  = 15 * time.Minute
	DefaultRefreshInterval = 5 * time.Minute
	DefaultURLPresignTTL   = 1 * time.Minute
	DefaultTokenTTL        = 3600 * time.Minute
)
View Source 
const (
	IdentityTokenKey = "identity_token"
)
View Source 
const (
	ReadWriteExecuteOwnerOnly = 0700
)

Variables

View Source 
var ErrFailedToCreateCacheDir = fmt.Errorf("failed to create cache dir")
View Source 
var ErrInvalidCredentialsFormat = errors.New("missing required parts in query param X-Amz-Credential")
View Source 
var ErrInvalidTokenFormat = fmt.Errorf("token format is invalid")

Functions

func NewExternalLoginInformationFromAWS added in v1.66.0 

func NewExternalLoginInformationFromAWS(tokenInfo *AWSIdentityTokenInfo, params *IAMAuthParams) (*apigen.ExternalLoginInformation, error)

func NewPresignClientLoggerOption added in v1.57.0 

func NewPresignClientLoggerOption(logger logging.Logger, logMode aws.ClientLogMode) func(opts *sts.PresignOptions)

func PresignGetCallerIdentityFromAuthParams 

func PresignGetCallerIdentityFromAuthParams(ctx context.Context, params *IAMAuthParams, stsClient *sts.Client, presignClientOpts ...func(*sts.PresignOptions)) (string, error)

func WithAWSIAMRoleAuthProviderOption added in v1.66.0 

func WithAWSIAMRoleAuthProviderOption(params *IAMAuthParams, logger logging.Logger, client ExternalPrincipalLoginCaller, initialToken *apigen.AuthenticationToken, cacheCallback TokenCacheCallback, presignClientOpts ...func(*sts.PresignOptions)) apigen.ClientOption

WithAWSIAMRoleAuthProviderOption will add authentication provider into the GetClient request, which will return a client authenticated with IAM.

Types

type AWSIdentityTokenInfo 

type AWSIdentityTokenInfo struct {
	Method             string   `json:"method"`
	Host               string   `json:"host"`
	Region             string   `json:"region"`
	Action             string   `json:"action"`
	Date               string   `json:"date"`
	ExpirationDuration string   `json:"expiration_duration"`
	AccessKeyID        string   `json:"access_key_id"`
	Signature          string   `json:"signature"`
	SignedHeaders      []string `json:"signed_headers"`
	Version            string   `json:"version"`
	Algorithm          string   `json:"algorithm"`
	SecurityToken      string   `json:"security_token"`
}

func GenerateIdentityTokenInfo 

func GenerateIdentityTokenInfo(ctx context.Context, params *IAMAuthParams, stsClient *sts.Client, presignClientOpts ...func(*sts.PresignOptions)) (*AWSIdentityTokenInfo, error)

func ParsePresignedURL 

func ParsePresignedURL(presignedURL string) (*AWSIdentityTokenInfo, error)

type ExternalPrincipalLoginCaller added in v1.66.0 

type ExternalPrincipalLoginCaller interface {
	ExternalPrincipalLogin(ctx context.Context, loginInfo apigen.ExternalLoginInformation) (*apigen.AuthenticationToken, error)
}

type ExternalPrincipalLoginClient added in v1.66.0 

type ExternalPrincipalLoginClient struct {
	Client *apigen.ClientWithResponses
}

func (*ExternalPrincipalLoginClient) ExternalPrincipalLogin added in v1.66.0 

func (c *ExternalPrincipalLoginClient) ExternalPrincipalLogin(ctx context.Context, loginInfo apigen.ExternalLoginInformation) (*apigen.AuthenticationToken, error)

type IAMAuthParams 

type IAMAuthParams struct {
	TokenRequestHeaders map[string]string
	URLPresignTTL       time.Duration
	TokenTTL            time.Duration
	RefreshInterval     time.Duration
}

func NewIAMAuthParams 

func NewIAMAuthParams(lakeFSHost string, opts ...IAMAuthParamsOptions) *IAMAuthParams

type IAMAuthParamsOptions 

type IAMAuthParamsOptions = func(params *IAMAuthParams)

func WithRefreshInterval 

func WithRefreshInterval(refreshInterval time.Duration) IAMAuthParamsOptions

func WithTokenRequestHeaders 

func WithTokenRequestHeaders(tokenRequestHeaders map[string]string) IAMAuthParamsOptions

func WithTokenTTL 

func WithTokenTTL(tokenTTL time.Duration) IAMAuthParamsOptions

func WithURLPresignTTL 

func WithURLPresignTTL(urlPresignTTL time.Duration) IAMAuthParamsOptions

type JWTCache added in v1.66.0 

type JWTCache struct {
	FilePath string
}

func NewJWTCache added in v1.66.0 

func NewJWTCache(baseDir, lakectlDir, cacheDir, fileName string) (*JWTCache, error)

func (*JWTCache) ClearCache added in v1.66.0 

func (c *JWTCache) ClearCache() error

func (*JWTCache) GetToken added in v1.66.0 

func (c *JWTCache) GetToken() (*apigen.AuthenticationToken, error)

func (*JWTCache) SaveToken added in v1.66.0 

func (c *JWTCache) SaveToken(token *apigen.AuthenticationToken) error

type SecurityProviderAWSIAMRole added in v1.66.0 

type SecurityProviderAWSIAMRole struct {
	Logger              logging.Logger
	AuthenticationToken *apigen.AuthenticationToken
	Params              *IAMAuthParams
	// lakeFS unauthenticated client to perform login request. Because of legacy we
	// have in the generated client code it must contain authrozation header (e.g empty access/secret key id)
	Client             ExternalPrincipalLoginCaller
	PresignClientOpts  []func(*sts.PresignOptions)
	TokenCacheCallback TokenCacheCallback
}

func NewSecurityProviderAWSIAMRole added in v1.66.0 

func NewSecurityProviderAWSIAMRole(logger logging.Logger, params *IAMAuthParams, client ExternalPrincipalLoginCaller, optionalInitialToken *apigen.AuthenticationToken, cacheCallback TokenCacheCallback, presignClientOpts ...func(*sts.PresignOptions)) *SecurityProviderAWSIAMRole

func (*SecurityProviderAWSIAMRole) GetCurrentToken added in v1.66.0 

func (s *SecurityProviderAWSIAMRole) GetCurrentToken() *apigen.AuthenticationToken

func (*SecurityProviderAWSIAMRole) GetLakeFSTokenFromAWS added in v1.66.0 

func (s *SecurityProviderAWSIAMRole) GetLakeFSTokenFromAWS(ctx context.Context) (*apigen.AuthenticationToken, error)

func (*SecurityProviderAWSIAMRole) Intercept added in v1.66.0 

func (s *SecurityProviderAWSIAMRole) Intercept(ctx context.Context, req *http.Request) error

type TokenCache added in v1.66.0 

type TokenCache struct {
	Token          string `json:"token"`
	ExpirationTime int64  `json:"expiration_time"`
}

type TokenCacheCallback added in v1.66.0 

type TokenCacheCallback func(token *apigen.AuthenticationToken)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.