1 files changed, 258 insertions, 0 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
new file mode 100644
index 0000000..ce41518
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
@@ -0,0 +1,258 @@
+package session
+import (
+        "fmt"
+        "os"
+        "github.com/aws/aws-sdk-go/aws"
+        "github.com/aws/aws-sdk-go/aws/awserr"
+        "github.com/aws/aws-sdk-go/aws/credentials"
+        "github.com/aws/aws-sdk-go/aws/credentials/processcreds"
+        "github.com/aws/aws-sdk-go/aws/credentials/stscreds"
+        "github.com/aws/aws-sdk-go/aws/defaults"
+        "github.com/aws/aws-sdk-go/aws/request"
+        "github.com/aws/aws-sdk-go/internal/shareddefaults"
+)
+func resolveCredentials(cfg *aws.Config,
+        envCfg envConfig, sharedCfg sharedConfig,
+        handlers request.Handlers,
+        sessOpts Options,
+) (*credentials.Credentials, error) {
+        switch {
+        case len(envCfg.Profile) != 0:
+                // User explicitly provided an Profile, so load from shared config
+                // first.
+                return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
+        case envCfg.Creds.HasKeys():
+                // Environment credentials
+                return credentials.NewStaticCredentialsFromCreds(envCfg.Creds), nil
+        case len(envCfg.WebIdentityTokenFilePath) != 0:
+                // Web identity token from environment, RoleARN required to also be
+                // set.
+                return assumeWebIdentity(cfg, handlers,
+                        envCfg.WebIdentityTokenFilePath,
+                        envCfg.RoleARN,
+                        envCfg.RoleSessionName,
+                )
+        default:
+                // Fallback to the "default" credential resolution chain.
+                return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
+        }
+}
+// WebIdentityEmptyRoleARNErr will occur if 'AWS_WEB_IDENTITY_TOKEN_FILE' was set but
+// 'AWS_IAM_ROLE_ARN' was not set.
+var WebIdentityEmptyRoleARNErr = awserr.New(stscreds.ErrCodeWebIdentity, "role ARN is not set", nil)
+// WebIdentityEmptyTokenFilePathErr will occur if 'AWS_IAM_ROLE_ARN' was set but
+// 'AWS_WEB_IDENTITY_TOKEN_FILE' was not set.
+var WebIdentityEmptyTokenFilePathErr = awserr.New(stscreds.ErrCodeWebIdentity, "token file path is not set", nil)
+func assumeWebIdentity(cfg *aws.Config, handlers request.Handlers,
+        filepath string,
+        roleARN, sessionName string,
+) (*credentials.Credentials, error) {
+        if len(filepath) == 0 {
+                return nil, WebIdentityEmptyTokenFilePathErr
+        }
+        if len(roleARN) == 0 {
+                return nil, WebIdentityEmptyRoleARNErr
+        }
+        creds := stscreds.NewWebIdentityCredentials(
+                &Session{
+                        Config:   cfg,
+                        Handlers: handlers.Copy(),
+                },
+                roleARN,
+                sessionName,
+                filepath,
+        )
+        return creds, nil
+}
+func resolveCredsFromProfile(cfg *aws.Config,
+        envCfg envConfig, sharedCfg sharedConfig,
+        handlers request.Handlers,
+        sessOpts Options,
+) (creds *credentials.Credentials, err error) {
+        switch {
+        case sharedCfg.SourceProfile != nil:
+                // Assume IAM role with credentials source from a different profile.
+                creds, err = resolveCredsFromProfile(cfg, envCfg,
+                        *sharedCfg.SourceProfile, handlers, sessOpts,
+                )
+        case sharedCfg.Creds.HasKeys():
+                // Static Credentials from Shared Config/Credentials file.
+                creds = credentials.NewStaticCredentialsFromCreds(
+                        sharedCfg.Creds,
+                )
+        case len(sharedCfg.CredentialProcess) != 0:
+                // Get credentials from CredentialProcess
+                creds = processcreds.NewCredentials(sharedCfg.CredentialProcess)
+        case len(sharedCfg.CredentialSource) != 0:
+                creds, err = resolveCredsFromSource(cfg, envCfg,
+                        sharedCfg, handlers, sessOpts,
+                )
+        case len(sharedCfg.WebIdentityTokenFile) != 0:
+                // Credentials from Assume Web Identity token require an IAM Role, and
+                // that roll will be assumed. May be wrapped with another assume role
+                // via SourceProfile.
+                return assumeWebIdentity(cfg, handlers,
+                        sharedCfg.WebIdentityTokenFile,
+                        sharedCfg.RoleARN,
+                        sharedCfg.RoleSessionName,
+                )
+        default:
+                // Fallback to default credentials provider, include mock errors for
+                // the credential chain so user can identify why credentials failed to
+                // be retrieved.
+                creds = credentials.NewCredentials(&credentials.ChainProvider{
+                        VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors),
+                        Providers: []credentials.Provider{
+                                &credProviderError{
+                                        Err: awserr.New("EnvAccessKeyNotFound",
+                                                "failed to find credentials in the environment.", nil),
+                                },
+                                &credProviderError{
+                                        Err: awserr.New("SharedCredsLoad",
+                                                fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil),
+                                },
+                                defaults.RemoteCredProvider(*cfg, handlers),
+                        },
+                })
+        }
+        if err != nil {
+                return nil, err
+        }
+        if len(sharedCfg.RoleARN) > 0 {
+                cfgCp := *cfg
+                cfgCp.Credentials = creds
+                return credsFromAssumeRole(cfgCp, handlers, sharedCfg, sessOpts)
+        }
+        return creds, nil
+}
+// valid credential source values
+const (
+        credSourceEc2Metadata  = "Ec2InstanceMetadata"
+        credSourceEnvironment  = "Environment"
+        credSourceECSContainer = "EcsContainer"
+)
+func resolveCredsFromSource(cfg *aws.Config,
+        envCfg envConfig, sharedCfg sharedConfig,
+        handlers request.Handlers,
+        sessOpts Options,
+) (creds *credentials.Credentials, err error) {
+        switch sharedCfg.CredentialSource {
+        case credSourceEc2Metadata:
+                p := defaults.RemoteCredProvider(*cfg, handlers)
+                creds = credentials.NewCredentials(p)
+        case credSourceEnvironment:
+                creds = credentials.NewStaticCredentialsFromCreds(envCfg.Creds)
+        case credSourceECSContainer:
+                if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 {
+                        return nil, ErrSharedConfigECSContainerEnvVarEmpty
+                }
+                p := defaults.RemoteCredProvider(*cfg, handlers)
+                creds = credentials.NewCredentials(p)
+        default:
+                return nil, ErrSharedConfigInvalidCredSource
+        }
+        return creds, nil
+}
+func credsFromAssumeRole(cfg aws.Config,
+        handlers request.Handlers,
+        sharedCfg sharedConfig,
+        sessOpts Options,
+) (*credentials.Credentials, error) {
+        if len(sharedCfg.MFASerial) != 0 && sessOpts.AssumeRoleTokenProvider == nil {
+                // AssumeRole Token provider is required if doing Assume Role
+                // with MFA.
+                return nil, AssumeRoleTokenProviderNotSetError{}
+        }
+        return stscreds.NewCredentials(
+                &Session{
+                        Config:   &cfg,
+                        Handlers: handlers.Copy(),
+                },
+                sharedCfg.RoleARN,
+                func(opt *stscreds.AssumeRoleProvider) {
+                        opt.RoleSessionName = sharedCfg.RoleSessionName
+                        opt.Duration = sessOpts.AssumeRoleDuration
+                        // Assume role with external ID
+                        if len(sharedCfg.ExternalID) > 0 {
+                                opt.ExternalID = aws.String(sharedCfg.ExternalID)
+                        }
+                        // Assume role with MFA
+                        if len(sharedCfg.MFASerial) > 0 {
+                                opt.SerialNumber = aws.String(sharedCfg.MFASerial)
+                                opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
+                        }
+                },
+        ), nil
+}
+// AssumeRoleTokenProviderNotSetError is an error returned when creating a
+// session when the MFAToken option is not set when shared config is configured
+// load assume a role with an MFA token.
+type AssumeRoleTokenProviderNotSetError struct{}
+// Code is the short id of the error.
+func (e AssumeRoleTokenProviderNotSetError) Code() string {
+        return "AssumeRoleTokenProviderNotSetError"
+}
+// Message is the description of the error
+func (e AssumeRoleTokenProviderNotSetError) Message() string {
+        return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
+}
+// OrigErr is the underlying error that caused the failure.
+func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
+        return nil
+}
+// Error satisfies the error interface.
+func (e AssumeRoleTokenProviderNotSetError) Error() string {
+        return awserr.SprintError(e.Code(), e.Message(), "", nil)
+}
+type credProviderError struct {
+        Err error
+}
+func (c credProviderError) Retrieve() (credentials.Value, error) {
+        return credentials.Value{}, c.Err
+}
+func (c credProviderError) IsExpired() bool {
+        return true
+}

diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go new file mode 100644 index 0000000..ce41518 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
@@ -0,0 +1,258 @@
	1	package session
	2
	3	import (
	4	"fmt"
	5	"os"
	6
	7	"github.com/aws/aws-sdk-go/aws"
	8	"github.com/aws/aws-sdk-go/aws/awserr"
	9	"github.com/aws/aws-sdk-go/aws/credentials"
	10	"github.com/aws/aws-sdk-go/aws/credentials/processcreds"
	11	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	12	"github.com/aws/aws-sdk-go/aws/defaults"
	13	"github.com/aws/aws-sdk-go/aws/request"
	14	"github.com/aws/aws-sdk-go/internal/shareddefaults"
	15	)
	16
	17	func resolveCredentials(cfg *aws.Config,
	18	envCfg envConfig, sharedCfg sharedConfig,
	19	handlers request.Handlers,
	20	sessOpts Options,
	21	) (*credentials.Credentials, error) {
	22
	23	switch {
	24	case len(envCfg.Profile) != 0:
	25	// User explicitly provided an Profile, so load from shared config
	26	// first.
	27	return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
	28
	29	case envCfg.Creds.HasKeys():
	30	// Environment credentials
	31	return credentials.NewStaticCredentialsFromCreds(envCfg.Creds), nil
	32
	33	case len(envCfg.WebIdentityTokenFilePath) != 0:
	34	// Web identity token from environment, RoleARN required to also be
	35	// set.
	36	return assumeWebIdentity(cfg, handlers,
	37	envCfg.WebIdentityTokenFilePath,
	38	envCfg.RoleARN,
	39	envCfg.RoleSessionName,
	40	)
	41
	42	default:
	43	// Fallback to the "default" credential resolution chain.
	44	return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
	45	}
	46	}
	47
	48	// WebIdentityEmptyRoleARNErr will occur if 'AWS_WEB_IDENTITY_TOKEN_FILE' was set but
	49	// 'AWS_IAM_ROLE_ARN' was not set.
	50	var WebIdentityEmptyRoleARNErr = awserr.New(stscreds.ErrCodeWebIdentity, "role ARN is not set", nil)
	51
	52	// WebIdentityEmptyTokenFilePathErr will occur if 'AWS_IAM_ROLE_ARN' was set but
	53	// 'AWS_WEB_IDENTITY_TOKEN_FILE' was not set.
	54	var WebIdentityEmptyTokenFilePathErr = awserr.New(stscreds.ErrCodeWebIdentity, "token file path is not set", nil)
	55
	56	func assumeWebIdentity(cfg *aws.Config, handlers request.Handlers,
	57	filepath string,
	58	roleARN, sessionName string,
	59	) (*credentials.Credentials, error) {
	60
	61	if len(filepath) == 0 {
	62	return nil, WebIdentityEmptyTokenFilePathErr
	63	}
	64
	65	if len(roleARN) == 0 {
	66	return nil, WebIdentityEmptyRoleARNErr
	67	}
	68
	69	creds := stscreds.NewWebIdentityCredentials(
	70	&Session{
	71	Config: cfg,
	72	Handlers: handlers.Copy(),
	73	},
	74	roleARN,
	75	sessionName,
	76	filepath,
	77	)
	78
	79	return creds, nil
	80	}
	81
	82	func resolveCredsFromProfile(cfg *aws.Config,
	83	envCfg envConfig, sharedCfg sharedConfig,
	84	handlers request.Handlers,
	85	sessOpts Options,
	86	) (creds *credentials.Credentials, err error) {
	87
	88	switch {
	89	case sharedCfg.SourceProfile != nil:
	90	// Assume IAM role with credentials source from a different profile.
	91	creds, err = resolveCredsFromProfile(cfg, envCfg,
	92	*sharedCfg.SourceProfile, handlers, sessOpts,
	93	)
	94
	95	case sharedCfg.Creds.HasKeys():
	96	// Static Credentials from Shared Config/Credentials file.
	97	creds = credentials.NewStaticCredentialsFromCreds(
	98	sharedCfg.Creds,
	99	)
	100
	101	case len(sharedCfg.CredentialProcess) != 0:
	102	// Get credentials from CredentialProcess
	103	creds = processcreds.NewCredentials(sharedCfg.CredentialProcess)
	104
	105	case len(sharedCfg.CredentialSource) != 0:
	106	creds, err = resolveCredsFromSource(cfg, envCfg,
	107	sharedCfg, handlers, sessOpts,
	108	)
	109
	110	case len(sharedCfg.WebIdentityTokenFile) != 0:
	111	// Credentials from Assume Web Identity token require an IAM Role, and
	112	// that roll will be assumed. May be wrapped with another assume role
	113	// via SourceProfile.
	114	return assumeWebIdentity(cfg, handlers,
	115	sharedCfg.WebIdentityTokenFile,
	116	sharedCfg.RoleARN,
	117	sharedCfg.RoleSessionName,
	118	)
	119
	120	default:
	121	// Fallback to default credentials provider, include mock errors for
	122	// the credential chain so user can identify why credentials failed to
	123	// be retrieved.
	124	creds = credentials.NewCredentials(&credentials.ChainProvider{
	125	VerboseErrors: aws.BoolValue(cfg.CredentialsChainVerboseErrors),
	126	Providers: []credentials.Provider{
	127	&credProviderError{
	128	Err: awserr.New("EnvAccessKeyNotFound",
	129	"failed to find credentials in the environment.", nil),
	130	},
	131	&credProviderError{
	132	Err: awserr.New("SharedCredsLoad",
	133	fmt.Sprintf("failed to load profile, %s.", envCfg.Profile), nil),
	134	},
	135	defaults.RemoteCredProvider(*cfg, handlers),
	136	},
	137	})
	138	}
	139	if err != nil {
	140	return nil, err
	141	}
	142
	143	if len(sharedCfg.RoleARN) > 0 {
	144	cfgCp := *cfg
	145	cfgCp.Credentials = creds
	146	return credsFromAssumeRole(cfgCp, handlers, sharedCfg, sessOpts)
	147	}
	148
	149	return creds, nil
	150	}
	151
	152	// valid credential source values
	153	const (
	154	credSourceEc2Metadata = "Ec2InstanceMetadata"
	155	credSourceEnvironment = "Environment"
	156	credSourceECSContainer = "EcsContainer"
	157	)
	158
	159	func resolveCredsFromSource(cfg *aws.Config,
	160	envCfg envConfig, sharedCfg sharedConfig,
	161	handlers request.Handlers,
	162	sessOpts Options,
	163	) (creds *credentials.Credentials, err error) {
	164
	165	switch sharedCfg.CredentialSource {
	166	case credSourceEc2Metadata:
	167	p := defaults.RemoteCredProvider(*cfg, handlers)
	168	creds = credentials.NewCredentials(p)
	169
	170	case credSourceEnvironment:
	171	creds = credentials.NewStaticCredentialsFromCreds(envCfg.Creds)
	172
	173	case credSourceECSContainer:
	174	if len(os.Getenv(shareddefaults.ECSCredsProviderEnvVar)) == 0 {
	175	return nil, ErrSharedConfigECSContainerEnvVarEmpty
	176	}
	177
	178	p := defaults.RemoteCredProvider(*cfg, handlers)
	179	creds = credentials.NewCredentials(p)
	180
	181	default:
	182	return nil, ErrSharedConfigInvalidCredSource
	183	}
	184
	185	return creds, nil
	186	}
	187
	188	func credsFromAssumeRole(cfg aws.Config,
	189	handlers request.Handlers,
	190	sharedCfg sharedConfig,
	191	sessOpts Options,
	192	) (*credentials.Credentials, error) {
	193
	194	if len(sharedCfg.MFASerial) != 0 && sessOpts.AssumeRoleTokenProvider == nil {
	195	// AssumeRole Token provider is required if doing Assume Role
	196	// with MFA.
	197	return nil, AssumeRoleTokenProviderNotSetError{}
	198	}
	199
	200	return stscreds.NewCredentials(
	201	&Session{
	202	Config: &cfg,
	203	Handlers: handlers.Copy(),
	204	},
	205	sharedCfg.RoleARN,
	206	func(opt *stscreds.AssumeRoleProvider) {
	207	opt.RoleSessionName = sharedCfg.RoleSessionName
	208	opt.Duration = sessOpts.AssumeRoleDuration
	209
	210	// Assume role with external ID
	211	if len(sharedCfg.ExternalID) > 0 {
	212	opt.ExternalID = aws.String(sharedCfg.ExternalID)
	213	}
	214
	215	// Assume role with MFA
	216	if len(sharedCfg.MFASerial) > 0 {
	217	opt.SerialNumber = aws.String(sharedCfg.MFASerial)
	218	opt.TokenProvider = sessOpts.AssumeRoleTokenProvider
	219	}
	220	},
	221	), nil
	222	}
	223
	224	// AssumeRoleTokenProviderNotSetError is an error returned when creating a
	225	// session when the MFAToken option is not set when shared config is configured
	226	// load assume a role with an MFA token.
	227	type AssumeRoleTokenProviderNotSetError struct{}
	228
	229	// Code is the short id of the error.
	230	func (e AssumeRoleTokenProviderNotSetError) Code() string {
	231	return "AssumeRoleTokenProviderNotSetError"
	232	}
	233
	234	// Message is the description of the error
	235	func (e AssumeRoleTokenProviderNotSetError) Message() string {
	236	return fmt.Sprintf("assume role with MFA enabled, but AssumeRoleTokenProvider session option not set.")
	237	}
	238
	239	// OrigErr is the underlying error that caused the failure.
	240	func (e AssumeRoleTokenProviderNotSetError) OrigErr() error {
	241	return nil
	242	}
	243
	244	// Error satisfies the error interface.
	245	func (e AssumeRoleTokenProviderNotSetError) Error() string {
	246	return awserr.SprintError(e.Code(), e.Message(), "", nil)
	247	}
	248
	249	type credProviderError struct {
	250	Err error
	251	}
	252
	253	func (c credProviderError) Retrieve() (credentials.Value, error) {
	254	return credentials.Value{}, c.Err
	255	}
	256	func (c credProviderError) IsExpired() bool {
	257	return true
	258	}