Diffstat (limited to 'vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go')
-rw-r--r-- | vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go | 97 |
1 files changed, 97 insertions, 0 deletions
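--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go
@@ -0,0 +1,97 @@
+package stscreds
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strconv"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
+	"github.com/aws/aws-sdk-go/aws/client"
+	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/service/sts"
+	"github.com/aws/aws-sdk-go/service/sts/stsiface"
+)
+
+const (
+	// ErrCodeWebIdentity will be used as an error code when constructing
+	// a new error to be returned during session creation or retrieval.
+	ErrCodeWebIdentity = "WebIdentityErr"
+
+	// WebIdentityProviderName is the web identity provider name
+	WebIdentityProviderName = "WebIdentityCredentials"
+)
+
+// now is used to return a time.Time object representing
+// the current time. This can be used to easily test and
+// compare test values.
+var now = time.Now
+
+// WebIdentityRoleProvider is used to retrieve credentials using
+// an OIDC token.
+type WebIdentityRoleProvider struct {
+	credentials.Expiry
+
+	client stsiface.STSAPI
+	ExpiryWindow time.Duration
+
+	tokenFilePath string
+	roleARN string
+	roleSessionName string
+}
+
+// NewWebIdentityCredentials will return a new set of credentials with a given
+// configuration, role arn, and token file path.
+func NewWebIdentityCredentials(c client.ConfigProvider, roleARN, roleSessionName, path string) *credentials.Credentials {
+	svc := sts.New(c)
+	p := NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, path)
+	return credentials.NewCredentials(p)
+}
+
+// NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the
+// provided stsiface.STSAPI
+func NewWebIdentityRoleProvider(svc stsiface.STSAPI, roleARN, roleSessionName, path string) *WebIdentityRoleProvider {
+	return &WebIdentityRoleProvider{
+		client: svc,
+		tokenFilePath: path,
+		roleARN: roleARN,
+		roleSessionName: roleSessionName,
+	}
+}
+
+// Retrieve will attempt to assume a role from a token which is located at
+// 'WebIdentityTokenFilePath' specified destination and if that is empty an
+// error will be returned.
+func (p *WebIdentityRoleProvider) Retrieve() (credentials.Value, error) {
+	b, err := ioutil.ReadFile(p.tokenFilePath)
+	if err != nil {
+		errMsg := fmt.Sprintf("unable to read file at %s", p.tokenFilePath)
+		return credentials.Value{}, awserr.New(ErrCodeWebIdentity, errMsg, err)
+	}
+
+	sessionName := p.roleSessionName
+	if len(sessionName) == 0 {
+		// session name is used to uniquely identify a session. This simply
+		// uses unix time in nanoseconds to uniquely identify sessions.
+		sessionName = strconv.FormatInt(now().UnixNano(), 10)
+	}
+	resp, err := p.client.AssumeRoleWithWebIdentity(&sts.AssumeRoleWithWebIdentityInput{
+		RoleArn: &p.roleARN,
+		RoleSessionName: &sessionName,
+		WebIdentityToken: aws.String(string(b)),
+	})
+	if err != nil {
+		return credentials.Value{}, awserr.New(ErrCodeWebIdentity, "failed to retrieve credentials", err)
+	}
+
+	p.SetExpiration(aws.TimeValue(resp.Credentials.Expiration), p.ExpiryWindow)
+
+	value := credentials.Value{
+		AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId),
+		SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
+		SessionToken: aws.StringValue(resp.Credentials.SessionToken),
+		ProviderName: WebIdentityProviderName,
+	}
+	return value, nil
+}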