Diffstat (limited to 'vendor/github.com/aws/aws-sdk-go/aws/credentials')
5 files changed, 120 insertions, 10 deletions
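--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go
@@ -50,9 +50,10 @@ package credentials
 
 import (
 "fmt"
-"github.com/aws/aws-sdk-go/aws/awserr"
 "sync"
 "time"
+
+"github.com/aws/aws-sdk-go/aws/awserr"
 )
 
 // AnonymousCredentials is an empty Credential object that can be used as
@@ -83,6 +84,12 @@ type Value struct {
 ProviderName string
 }
 
+// HasKeys returns if the credentials Value has both AccessKeyID and
+// SecretAccessKey value set.
+func (v Value) HasKeys() bool {
+return len(v.AccessKeyID) != 0 && len(v.SecretAccessKey) != 0
+}
+
 // A Provider is the interface for any component which will provide credentials
 // Value. A provider is required to manage its own Expired state, and what to
 // be expired means.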
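--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go
@@ -11,6 +11,7 @@ import (
 "github.com/aws/aws-sdk-go/aws/client"
 "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/ec2metadata"
+"github.com/aws/aws-sdk-go/aws/request"
 "github.com/aws/aws-sdk-go/internal/sdkuri"
 )
 
@@ -142,7 +143,8 @@ func requestCredList(client *ec2metadata.EC2Metadata) ([]string, error) {
 }
 
 if err := s.Err(); err != nil {
-return nil, awserr.New("SerializationError", "failed to read EC2 instance role from metadata service", err)
+return nil, awserr.New(request.ErrCodeSerialization,
+"failed to read EC2 instance role from metadata service", err)
 }
 
 return credsList, nil
@@ -164,7 +166,7 @@ func requestCred(client *ec2metadata.EC2Metadata, credsName string) (ec2RoleCred
 respCreds := ec2RoleCredRespBody{}
 if err := json.NewDecoder(strings.NewReader(resp)).Decode(&respCreds); err != nil {
 return ec2RoleCredRespBody{},
-awserr.New("SerializationError",
+awserr.New(request.ErrCodeSerialization,
 fmt.Sprintf("failed to decode %s EC2 instance role credentials", credsName),
 err)
 }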
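--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
@@ -39,6 +39,7 @@ import (
 "github.com/aws/aws-sdk-go/aws/client/metadata"
 "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/request"
+"github.com/aws/aws-sdk-go/private/protocol/json/jsonutil"
 )
 
 // ProviderName is the name of the credentials provider.
@@ -174,7 +175,7 @@ func unmarshalHandler(r *request.Request) {
 
 out := r.Data.(*getCredentialsOutput)
 if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&out); err != nil {
-r.Error = awserr.New("SerializationError",
+r.Error = awserr.New(request.ErrCodeSerialization,
 "failed to decode endpoint credentials",
 err,
 )
@@ -185,11 +186,15 @@ func unmarshalError(r *request.Request) {
 defer r.HTTPResponse.Body.Close()
 
 var errOut errorOutput
-if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&errOut); err != nil {
-r.Error = awserr.New("SerializationError",
-"failed to decode endpoint credentials",
-err,
+err := jsonutil.UnmarshalJSONError(&errOut, r.HTTPResponse.Body)
+if err != nil {
+r.Error = awserr.NewRequestFailure(
+awserr.New(request.ErrCodeSerialization,
+"failed to decode error message", err),
+r.HTTPResponse.StatusCode,
+r.RequestID,
 )
+return
 }
 
 // Response body format is not consistent between metadata endpoints.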
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go index b6dbfd2..2e528d1 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go | |||
@@ -200,7 +200,7 @@ type AssumeRoleProvider struct { | |||
200 | // by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must | 200 | // by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must |
201 | // have a value between 0 and 1. Any other value may lead to expected behavior. | 201 | // have a value between 0 and 1. Any other value may lead to expected behavior. |
202 | // With a MaxJitterFrac value of 0, default) will no jitter will be used. | 202 | // With a MaxJitterFrac value of 0, default) will no jitter will be used. |
203 | // | 203 | // |
204 | // For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the | 204 | // For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the |
205 | // AssumeRole call will be made with an arbitrary Duration between 27m and | 205 | // AssumeRole call will be made with an arbitrary Duration between 27m and |
206 | // 30m. | 206 | // 30m. |
@@ -258,7 +258,6 @@ func NewCredentialsWithClient(svc AssumeRoler, roleARN string, options ...func(* | |||
258 | 258 | ||
259 | // Retrieve generates a new set of temporary credentials using STS. | 259 | // Retrieve generates a new set of temporary credentials using STS. |
260 | func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) { | 260 | func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) { |
261 | |||
262 | // Apply defaults where parameters are not set. | 261 | // Apply defaults where parameters are not set. |
263 | if p.RoleSessionName == "" { | 262 | if p.RoleSessionName == "" { |
264 | // Try to work out a role name that will hopefully end up unique. | 263 | // Try to work out a role name that will hopefully end up unique. |
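--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go
@@ -0,0 +1,97 @@
+package stscreds
+
+import (
+"fmt"
+"io/ioutil"
+"strconv"
+"time"
+
+"github.com/aws/aws-sdk-go/aws"
+"github.com/aws/aws-sdk-go/aws/awserr"
+"github.com/aws/aws-sdk-go/aws/client"
+"github.com/aws/aws-sdk-go/aws/credentials"
+"github.com/aws/aws-sdk-go/service/sts"
+"github.com/aws/aws-sdk-go/service/sts/stsiface"
+)
+
+const (
+// ErrCodeWebIdentity will be used as an error code when constructing
+// a new error to be returned during session creation or retrieval.
+ErrCodeWebIdentity = "WebIdentityErr"
+
+// WebIdentityProviderName is the web identity provider name
+WebIdentityProviderName = "WebIdentityCredentials"
+)
+
+// now is used to return a time.Time object representing
+// the current time. This can be used to easily test and
+// compare test values.
+var now = time.Now
+
+// WebIdentityRoleProvider is used to retrieve credentials using
+// an OIDC token.
+type WebIdentityRoleProvider struct {
+credentials.Expiry
+
+client stsiface.STSAPI
+ExpiryWindow time.Duration
+
+tokenFilePath string
+roleARN string
+roleSessionName string
+}
+
+// NewWebIdentityCredentials will return a new set of credentials with a given
+// configuration, role arn, and token file path.
+func NewWebIdentityCredentials(c client.ConfigProvider, roleARN, roleSessionName, path string) *credentials.Credentials {
+svc := sts.New(c)
+p := NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, path)
+return credentials.NewCredentials(p)
+}
+
+// NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the
+// provided stsiface.STSAPI
+func NewWebIdentityRoleProvider(svc stsiface.STSAPI, roleARN, roleSessionName, path string) *WebIdentityRoleProvider {
+return &WebIdentityRoleProvider{
+client: svc,
+tokenFilePath: path,
+roleARN: roleARN,
+roleSessionName: roleSessionName,
+}
+}
+
+// Retrieve will attempt to assume a role from a token which is located at
+// 'WebIdentityTokenFilePath' specified destination and if that is empty an
+// error will be returned.
+func (p *WebIdentityRoleProvider) Retrieve() (credentials.Value, error) {
+b, err := ioutil.ReadFile(p.tokenFilePath)
+if err != nil {
+errMsg := fmt.Sprintf("unable to read file at %s", p.tokenFilePath)
+return credentials.Value{}, awserr.New(ErrCodeWebIdentity, errMsg, err)
+}
+
+sessionName := p.roleSessionName
+if len(sessionName) == 0 {
+// session name is used to uniquely identify a session. This simply
+// uses unix time in nanoseconds to uniquely identify sessions.
+sessionName = strconv.FormatInt(now().UnixNano(), 10)
+}
+resp, err := p.client.AssumeRoleWithWebIdentity(&sts.AssumeRoleWithWebIdentityInput{
+RoleArn: &p.roleARN,
+RoleSessionName: &sessionName,
+WebIdentityToken: aws.String(string(b)),
+})
+if err != nil {
+return credentials.Value{}, awserr.New(ErrCodeWebIdentity, "failed to retrieve credentials", err)
+}
+
+p.SetExpiration(aws.TimeValue(resp.Credentials.Expiration), p.ExpiryWindow)
+
+value := credentials.Value{
+AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId),
+SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
+SessionToken: aws.StringValue(resp.Credentials.SessionToken),
+ProviderName: WebIdentityProviderName,
+}
+return value, nil
+}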