5 files changed, 120 insertions, 10 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go
index 894bbc7..4af5921 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go
@@ -50,9 +50,10 @@ package credentials
 import (
        "fmt"
-        "github.com/aws/aws-sdk-go/aws/awserr"
        "sync"
        "time"
+        "github.com/aws/aws-sdk-go/aws/awserr"
 )
 // AnonymousCredentials is an empty Credential object that can be used as
@@ -83,6 +84,12 @@ type Value struct {
        ProviderName string
 }
+// HasKeys returns if the credentials Value has both AccessKeyID and
+// SecretAccessKey value set.
+func (v Value) HasKeys() bool {
+        return len(v.AccessKeyID) != 0 && len(v.SecretAccessKey) != 0
+}
 // A Provider is the interface for any component which will provide credentials
 // Value. A provider is required to manage its own Expired state, and what to
 // be expired means.
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go
index 0ed791b..43d4ed3 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go
@@ -11,6 +11,7 @@ import (
        "github.com/aws/aws-sdk-go/aws/client"
        "github.com/aws/aws-sdk-go/aws/credentials"
        "github.com/aws/aws-sdk-go/aws/ec2metadata"
+        "github.com/aws/aws-sdk-go/aws/request"
        "github.com/aws/aws-sdk-go/internal/sdkuri"
 )
@@ -142,7 +143,8 @@ func requestCredList(client *ec2metadata.EC2Metadata) ([]string, error) {
        }
        if err := s.Err(); err != nil {
-                return nil, awserr.New("SerializationError", "failed to read EC2 instance role from metadata service", err)
+                return nil, awserr.New(request.ErrCodeSerialization,
+                        "failed to read EC2 instance role from metadata service", err)
        }
        return credsList, nil
@@ -164,7 +166,7 @@ func requestCred(client *ec2metadata.EC2Metadata, credsName string) (ec2RoleCred
        respCreds := ec2RoleCredRespBody{}
        if err := json.NewDecoder(strings.NewReader(resp)).Decode(&respCreds); err != nil {
                return ec2RoleCredRespBody{},
-                        awserr.New("SerializationError",
+                        awserr.New(request.ErrCodeSerialization,
                                fmt.Sprintf("failed to decode %s EC2 instance role credentials", credsName),
                                err)
        }
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
index ace5131..c2b2c5d 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
@@ -39,6 +39,7 @@ import (
        "github.com/aws/aws-sdk-go/aws/client/metadata"
        "github.com/aws/aws-sdk-go/aws/credentials"
        "github.com/aws/aws-sdk-go/aws/request"
+        "github.com/aws/aws-sdk-go/private/protocol/json/jsonutil"
 )
 // ProviderName is the name of the credentials provider.
@@ -174,7 +175,7 @@ func unmarshalHandler(r *request.Request) {
        out := r.Data.(*getCredentialsOutput)
        if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&out); err != nil {
-                r.Error = awserr.New("SerializationError",
+                r.Error = awserr.New(request.ErrCodeSerialization,
                        "failed to decode endpoint credentials",
                        err,
                )
@@ -185,11 +186,15 @@ func unmarshalError(r *request.Request) {
        defer r.HTTPResponse.Body.Close()
        var errOut errorOutput
-        if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&errOut); err != nil {
+        err := jsonutil.UnmarshalJSONError(&errOut, r.HTTPResponse.Body)
-                r.Error = awserr.New("SerializationError",
+        if err != nil {
-                        "failed to decode endpoint credentials",
+                r.Error = awserr.NewRequestFailure(
-                        err,
+                        awserr.New(request.ErrCodeSerialization,
+                                "failed to decode error message", err),
+                        r.HTTPResponse.StatusCode,
+                        r.RequestID,
                )
+                return
        }
        // Response body format is not consistent between metadata endpoints.
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go
index b6dbfd2..2e528d1 100644
--- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go
@@ -200,7 +200,7 @@ type AssumeRoleProvider struct {
        // by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must
        // have a value between 0 and 1. Any other value may lead to expected behavior.
        // With a MaxJitterFrac value of 0, default) will no jitter will be used.
-        // 
+        //
        // For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the
        // AssumeRole call will be made with an arbitrary Duration between 27m and
        // 30m.
@@ -258,7 +258,6 @@ func NewCredentialsWithClient(svc AssumeRoler, roleARN string, options ...func(*
 // Retrieve generates a new set of temporary credentials using STS.
 func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) {
        // Apply defaults where parameters are not set.
        if p.RoleSessionName == "" {
                // Try to work out a role name that will hopefully end up unique.
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go
new file mode 100644
index 0000000..20510d9
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go
@@ -0,0 +1,97 @@
+package stscreds
+import (
+        "fmt"
+        "io/ioutil"
+        "strconv"
+        "time"
+        "github.com/aws/aws-sdk-go/aws"
+        "github.com/aws/aws-sdk-go/aws/awserr"
+        "github.com/aws/aws-sdk-go/aws/client"
+        "github.com/aws/aws-sdk-go/aws/credentials"
+        "github.com/aws/aws-sdk-go/service/sts"
+        "github.com/aws/aws-sdk-go/service/sts/stsiface"
+)
+const (
+        // ErrCodeWebIdentity will be used as an error code when constructing
+        // a new error to be returned during session creation or retrieval.
+        ErrCodeWebIdentity = "WebIdentityErr"
+        // WebIdentityProviderName is the web identity provider name
+        WebIdentityProviderName = "WebIdentityCredentials"
+)
+// now is used to return a time.Time object representing
+// the current time. This can be used to easily test and
+// compare test values.
+var now = time.Now
+// WebIdentityRoleProvider is used to retrieve credentials using
+// an OIDC token.
+type WebIdentityRoleProvider struct {
+        credentials.Expiry
+        client       stsiface.STSAPI
+        ExpiryWindow time.Duration
+        tokenFilePath   string
+        roleARN         string
+        roleSessionName string
+}
+// NewWebIdentityCredentials will return a new set of credentials with a given
+// configuration, role arn, and token file path.
+func NewWebIdentityCredentials(c client.ConfigProvider, roleARN, roleSessionName, path string) *credentials.Credentials {
+        svc := sts.New(c)
+        p := NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, path)
+        return credentials.NewCredentials(p)
+}
+// NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the
+// provided stsiface.STSAPI
+func NewWebIdentityRoleProvider(svc stsiface.STSAPI, roleARN, roleSessionName, path string) *WebIdentityRoleProvider {
+        return &WebIdentityRoleProvider{
+                client:          svc,
+                tokenFilePath:   path,
+                roleARN:         roleARN,
+                roleSessionName: roleSessionName,
+        }
+}
+// Retrieve will attempt to assume a role from a token which is located at
+// 'WebIdentityTokenFilePath' specified destination and if that is empty an
+// error will be returned.
+func (p *WebIdentityRoleProvider) Retrieve() (credentials.Value, error) {
+        b, err := ioutil.ReadFile(p.tokenFilePath)
+        if err != nil {
+                errMsg := fmt.Sprintf("unable to read file at %s", p.tokenFilePath)
+                return credentials.Value{}, awserr.New(ErrCodeWebIdentity, errMsg, err)
+        }
+        sessionName := p.roleSessionName
+        if len(sessionName) == 0 {
+                // session name is used to uniquely identify a session. This simply
+                // uses unix time in nanoseconds to uniquely identify sessions.
+                sessionName = strconv.FormatInt(now().UnixNano(), 10)
+        }
+        resp, err := p.client.AssumeRoleWithWebIdentity(&sts.AssumeRoleWithWebIdentityInput{
+                RoleArn:          &p.roleARN,
+                RoleSessionName:  &sessionName,
+                WebIdentityToken: aws.String(string(b)),
+        })
+        if err != nil {
+                return credentials.Value{}, awserr.New(ErrCodeWebIdentity, "failed to retrieve credentials", err)
+        }
+        p.SetExpiration(aws.TimeValue(resp.Credentials.Expiration), p.ExpiryWindow)
+        value := credentials.Value{
+                AccessKeyID:     aws.StringValue(resp.Credentials.AccessKeyId),
+                SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
+                SessionToken:    aws.StringValue(resp.Credentials.SessionToken),
+                ProviderName:    WebIdentityProviderName,
+        }
+        return value, nil
+}

diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go index 894bbc7..4af5921 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/credentials.go
@@ -50,9 +50,10 @@ package credentials
50		50
51	import (	51	import (
52	"fmt"	52	"fmt"
53	"github.com/aws/aws-sdk-go/aws/awserr"
54	"sync"	53	"sync"
55	"time"	54	"time"
		55
		56	"github.com/aws/aws-sdk-go/aws/awserr"
56	)	57	)
57		58
58	// AnonymousCredentials is an empty Credential object that can be used as	59	// AnonymousCredentials is an empty Credential object that can be used as
@@ -83,6 +84,12 @@ type Value struct {
83	ProviderName string	84	ProviderName string
84	}	85	}
85		86
		87	// HasKeys returns if the credentials Value has both AccessKeyID and
		88	// SecretAccessKey value set.
		89	func (v Value) HasKeys() bool {
		90	return len(v.AccessKeyID) != 0 && len(v.SecretAccessKey) != 0
		91	}
		92
86	// A Provider is the interface for any component which will provide credentials	93	// A Provider is the interface for any component which will provide credentials
87	// Value. A provider is required to manage its own Expired state, and what to	94	// Value. A provider is required to manage its own Expired state, and what to
88	// be expired means.	95	// be expired means.


diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go index 0ed791b..43d4ed3 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds/ec2_role_provider.go
@@ -11,6 +11,7 @@ import (
11	"github.com/aws/aws-sdk-go/aws/client"	11	"github.com/aws/aws-sdk-go/aws/client"
12	"github.com/aws/aws-sdk-go/aws/credentials"	12	"github.com/aws/aws-sdk-go/aws/credentials"
13	"github.com/aws/aws-sdk-go/aws/ec2metadata"	13	"github.com/aws/aws-sdk-go/aws/ec2metadata"
		14	"github.com/aws/aws-sdk-go/aws/request"
14	"github.com/aws/aws-sdk-go/internal/sdkuri"	15	"github.com/aws/aws-sdk-go/internal/sdkuri"
15	)	16	)
16		17
@@ -142,7 +143,8 @@ func requestCredList(client *ec2metadata.EC2Metadata) ([]string, error) {
142	}	143	}
143		144
144	if err := s.Err(); err != nil {	145	if err := s.Err(); err != nil {
145	return nil, awserr.New("SerializationError", "failed to read EC2 instance role from metadata service", err)	146	return nil, awserr.New(request.ErrCodeSerialization,
		147	"failed to read EC2 instance role from metadata service", err)
146	}	148	}
147		149
148	return credsList, nil	150	return credsList, nil
@@ -164,7 +166,7 @@ func requestCred(client *ec2metadata.EC2Metadata, credsName string) (ec2RoleCred
164	respCreds := ec2RoleCredRespBody{}	166	respCreds := ec2RoleCredRespBody{}
165	if err := json.NewDecoder(strings.NewReader(resp)).Decode(&respCreds); err != nil {	167	if err := json.NewDecoder(strings.NewReader(resp)).Decode(&respCreds); err != nil {
166	return ec2RoleCredRespBody{},	168	return ec2RoleCredRespBody{},
167	awserr.New("SerializationError",	169	awserr.New(request.ErrCodeSerialization,
168	fmt.Sprintf("failed to decode %s EC2 instance role credentials", credsName),	170	fmt.Sprintf("failed to decode %s EC2 instance role credentials", credsName),
169	err)	171	err)
170	}	172	}


diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go index ace5131..c2b2c5d 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/endpointcreds/provider.go
@@ -39,6 +39,7 @@ import (
39	"github.com/aws/aws-sdk-go/aws/client/metadata"	39	"github.com/aws/aws-sdk-go/aws/client/metadata"
40	"github.com/aws/aws-sdk-go/aws/credentials"	40	"github.com/aws/aws-sdk-go/aws/credentials"
41	"github.com/aws/aws-sdk-go/aws/request"	41	"github.com/aws/aws-sdk-go/aws/request"
		42	"github.com/aws/aws-sdk-go/private/protocol/json/jsonutil"
42	)	43	)
43		44
44	// ProviderName is the name of the credentials provider.	45	// ProviderName is the name of the credentials provider.
@@ -174,7 +175,7 @@ func unmarshalHandler(r *request.Request) {
174		175
175	out := r.Data.(*getCredentialsOutput)	176	out := r.Data.(*getCredentialsOutput)
176	if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&out); err != nil {	177	if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&out); err != nil {
177	r.Error = awserr.New("SerializationError",	178	r.Error = awserr.New(request.ErrCodeSerialization,
178	"failed to decode endpoint credentials",	179	"failed to decode endpoint credentials",
179	err,	180	err,
180	)	181	)
@@ -185,11 +186,15 @@ func unmarshalError(r *request.Request) {
185	defer r.HTTPResponse.Body.Close()	186	defer r.HTTPResponse.Body.Close()
186		187
187	var errOut errorOutput	188	var errOut errorOutput
188	if err := json.NewDecoder(r.HTTPResponse.Body).Decode(&errOut); err != nil {	189	err := jsonutil.UnmarshalJSONError(&errOut, r.HTTPResponse.Body)
189	r.Error = awserr.New("SerializationError",	190	if err != nil {
190	"failed to decode endpoint credentials",	191	r.Error = awserr.NewRequestFailure(
191	err,	192	awserr.New(request.ErrCodeSerialization,
		193	"failed to decode error message", err),
		194	r.HTTPResponse.StatusCode,
		195	r.RequestID,
192	)	196	)
		197	return
193	}	198	}
194		199
195	// Response body format is not consistent between metadata endpoints.	200	// Response body format is not consistent between metadata endpoints.


diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go index b6dbfd2..2e528d1 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/assume_role_provider.go
@@ -200,7 +200,7 @@ type AssumeRoleProvider struct {
200	// by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must	200	// by a random percentage between 0 and MaxJitterFraction. MaxJitterFrac must
201	// have a value between 0 and 1. Any other value may lead to expected behavior.	201	// have a value between 0 and 1. Any other value may lead to expected behavior.
202	// With a MaxJitterFrac value of 0, default) will no jitter will be used.	202	// With a MaxJitterFrac value of 0, default) will no jitter will be used.
203	//	203	//
204	// For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the	204	// For example, with a Duration of 30m and a MaxJitterFrac of 0.1, the
205	// AssumeRole call will be made with an arbitrary Duration between 27m and	205	// AssumeRole call will be made with an arbitrary Duration between 27m and
206	// 30m.	206	// 30m.
@@ -258,7 +258,6 @@ func NewCredentialsWithClient(svc AssumeRoler, roleARN string, options ...func(*
258		258
259	// Retrieve generates a new set of temporary credentials using STS.	259	// Retrieve generates a new set of temporary credentials using STS.
260	func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) {	260	func (p *AssumeRoleProvider) Retrieve() (credentials.Value, error) {
261
262	// Apply defaults where parameters are not set.	261	// Apply defaults where parameters are not set.
263	if p.RoleSessionName == "" {	262	if p.RoleSessionName == "" {
264	// Try to work out a role name that will hopefully end up unique.	263	// Try to work out a role name that will hopefully end up unique.


diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go new file mode 100644 index 0000000..20510d9 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/stscreds/web_identity_provider.go
@@ -0,0 +1,97 @@
		1	package stscreds
		2
		3	import (
		4	"fmt"
		5	"io/ioutil"
		6	"strconv"
		7	"time"
		8
		9	"github.com/aws/aws-sdk-go/aws"
		10	"github.com/aws/aws-sdk-go/aws/awserr"
		11	"github.com/aws/aws-sdk-go/aws/client"
		12	"github.com/aws/aws-sdk-go/aws/credentials"
		13	"github.com/aws/aws-sdk-go/service/sts"
		14	"github.com/aws/aws-sdk-go/service/sts/stsiface"
		15	)
		16
		17	const (
		18	// ErrCodeWebIdentity will be used as an error code when constructing
		19	// a new error to be returned during session creation or retrieval.
		20	ErrCodeWebIdentity = "WebIdentityErr"
		21
		22	// WebIdentityProviderName is the web identity provider name
		23	WebIdentityProviderName = "WebIdentityCredentials"
		24	)
		25
		26	// now is used to return a time.Time object representing
		27	// the current time. This can be used to easily test and
		28	// compare test values.
		29	var now = time.Now
		30
		31	// WebIdentityRoleProvider is used to retrieve credentials using
		32	// an OIDC token.
		33	type WebIdentityRoleProvider struct {
		34	credentials.Expiry
		35
		36	client stsiface.STSAPI
		37	ExpiryWindow time.Duration
		38
		39	tokenFilePath string
		40	roleARN string
		41	roleSessionName string
		42	}
		43
		44	// NewWebIdentityCredentials will return a new set of credentials with a given
		45	// configuration, role arn, and token file path.
		46	func NewWebIdentityCredentials(c client.ConfigProvider, roleARN, roleSessionName, path string) *credentials.Credentials {
		47	svc := sts.New(c)
		48	p := NewWebIdentityRoleProvider(svc, roleARN, roleSessionName, path)
		49	return credentials.NewCredentials(p)
		50	}
		51
		52	// NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the
		53	// provided stsiface.STSAPI
		54	func NewWebIdentityRoleProvider(svc stsiface.STSAPI, roleARN, roleSessionName, path string) *WebIdentityRoleProvider {
		55	return &WebIdentityRoleProvider{
		56	client: svc,
		57	tokenFilePath: path,
		58	roleARN: roleARN,
		59	roleSessionName: roleSessionName,
		60	}
		61	}
		62
		63	// Retrieve will attempt to assume a role from a token which is located at
		64	// 'WebIdentityTokenFilePath' specified destination and if that is empty an
		65	// error will be returned.
		66	func (p *WebIdentityRoleProvider) Retrieve() (credentials.Value, error) {
		67	b, err := ioutil.ReadFile(p.tokenFilePath)
		68	if err != nil {
		69	errMsg := fmt.Sprintf("unable to read file at %s", p.tokenFilePath)
		70	return credentials.Value{}, awserr.New(ErrCodeWebIdentity, errMsg, err)
		71	}
		72
		73	sessionName := p.roleSessionName
		74	if len(sessionName) == 0 {
		75	// session name is used to uniquely identify a session. This simply
		76	// uses unix time in nanoseconds to uniquely identify sessions.
		77	sessionName = strconv.FormatInt(now().UnixNano(), 10)
		78	}
		79	resp, err := p.client.AssumeRoleWithWebIdentity(&sts.AssumeRoleWithWebIdentityInput{
		80	RoleArn: &p.roleARN,
		81	RoleSessionName: &sessionName,
		82	WebIdentityToken: aws.String(string(b)),
		83	})
		84	if err != nil {
		85	return credentials.Value{}, awserr.New(ErrCodeWebIdentity, "failed to retrieve credentials", err)
		86	}
		87
		88	p.SetExpiration(aws.TimeValue(resp.Credentials.Expiration), p.ExpiryWindow)
		89
		90	value := credentials.Value{
		91	AccessKeyID: aws.StringValue(resp.Credentials.AccessKeyId),
		92	SecretAccessKey: aws.StringValue(resp.Credentials.SecretAccessKey),
		93	SessionToken: aws.StringValue(resp.Credentials.SessionToken),
		94	ProviderName: WebIdentityProviderName,
		95	}
		96	return value, nil
		97	}