feat(train): add new command to interact with aws and train models
This commit is contained in:
43
vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
generated
vendored
Normal file
43
vendor/github.com/aws/aws-sdk-go-v2/credentials/CHANGELOG.md
generated
vendored
Normal file
@ -0,0 +1,43 @@
|
||||
# v1.4.2 (2021-09-17)
|
||||
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
||||
# v1.4.1 (2021-09-10)
|
||||
|
||||
* **Documentation**: Fixes the AssumeRoleProvider's documentation for using custom TokenProviders.
|
||||
|
||||
# v1.4.0 (2021-08-27)
|
||||
|
||||
* **Feature**: Adds support for Tags and TransitiveTagKeys to stscreds.AssumeRoleProvider. Closes https://github.com/aws/aws-sdk-go-v2/issues/723
|
||||
* **Feature**: Updated `github.com/aws/smithy-go` to latest version
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
||||
# v1.3.3 (2021-08-19)
|
||||
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
||||
# v1.3.2 (2021-08-04)
|
||||
|
||||
* **Dependency Update**: Updated `github.com/aws/smithy-go` to latest version.
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
||||
# v1.3.1 (2021-07-15)
|
||||
|
||||
* **Dependency Update**: Updated `github.com/aws/smithy-go` to latest version
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
||||
# v1.3.0 (2021-06-25)
|
||||
|
||||
* **Feature**: Updated `github.com/aws/smithy-go` to latest version
|
||||
* **Bug Fix**: Fixed example usages of aws.CredentialsCache ([#1275](https://github.com/aws/aws-sdk-go-v2/pull/1275))
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
||||
# v1.2.1 (2021-05-20)
|
||||
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
||||
# v1.2.0 (2021-05-14)
|
||||
|
||||
* **Feature**: Constant has been added to modules to enable runtime version inspection for reporting.
|
||||
* **Dependency Update**: Updated to the latest SDK module versions
|
||||
|
202
vendor/github.com/aws/aws-sdk-go-v2/credentials/LICENSE.txt
generated
vendored
Normal file
202
vendor/github.com/aws/aws-sdk-go-v2/credentials/LICENSE.txt
generated
vendored
Normal file
@ -0,0 +1,202 @@
|
||||
|
||||
Apache License
|
||||
Version 2.0, January 2004
|
||||
http://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
APPENDIX: How to apply the Apache License to your work.
|
||||
|
||||
To apply the Apache License to your work, attach the following
|
||||
boilerplate notice, with the fields enclosed by brackets "[]"
|
||||
replaced with your own identifying information. (Don't include
|
||||
the brackets!) The text should be enclosed in the appropriate
|
||||
comment syntax for the file format. We also recommend that a
|
||||
file or class name and description of purpose be included on the
|
||||
same "printed page" as the copyright notice for easier
|
||||
identification within third-party archives.
|
||||
|
||||
Copyright [yyyy] [name of copyright owner]
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
4
vendor/github.com/aws/aws-sdk-go-v2/credentials/doc.go
generated
vendored
Normal file
4
vendor/github.com/aws/aws-sdk-go-v2/credentials/doc.go
generated
vendored
Normal file
@ -0,0 +1,4 @@
|
||||
/*
|
||||
Package credentials provides types for retrieving credentials from credentials sources.
|
||||
*/
|
||||
package credentials
|
58
vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/doc.go
generated
vendored
Normal file
58
vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/doc.go
generated
vendored
Normal file
@ -0,0 +1,58 @@
|
||||
// Package ec2rolecreds provides the credentials provider implementation for
|
||||
// retrieving AWS credentials from Amazon EC2 Instance Roles via Amazon EC2 IMDS.
|
||||
//
|
||||
// Concurrency and caching
|
||||
//
|
||||
// The Provider is not safe to be used concurrently, and does not provide any
|
||||
// caching of credentials retrieved. You should wrap the Provider with a
|
||||
// `aws.CredentialsCache` to provide concurrency safety, and caching of
|
||||
// credentials.
|
||||
//
|
||||
// Loading credentials with the SDK's AWS Config
|
||||
//
|
||||
// The EC2 Instance role credentials provider will automatically be the resolved
|
||||
// credential provider int he credential chain if no other credential provider is
|
||||
// resolved first.
|
||||
//
|
||||
// To explicitly instruct the SDK's credentials resolving to use the EC2 Instance
|
||||
// role for credentials, you specify a `credentials_source` property in the config
|
||||
// profile the SDK will load.
|
||||
//
|
||||
// [default]
|
||||
// credential_source = Ec2InstanceMetadata
|
||||
//
|
||||
// Loading credentials with the Provider directly
|
||||
//
|
||||
// Another way to use the EC2 Instance role credentials provider is to create it
|
||||
// directly and assign it as the credentials provider for an API client.
|
||||
//
|
||||
// The following example creates a credentials provider for a command, and wraps
|
||||
// it with the CredentialsCache before assigning the provider to the Amazon S3 API
|
||||
// client's Credentials option.
|
||||
//
|
||||
// provider := imds.New(imds.Options{})
|
||||
//
|
||||
// // Create the service client value configured for credentials.
|
||||
// svc := s3.New(s3.Options{
|
||||
// Credentials: aws.NewCredentialsCache(provider),
|
||||
// })
|
||||
//
|
||||
// If you need more control, you can set the configuration options on the
|
||||
// credentials provider using the imds.Options type to configure the EC2 IMDS
|
||||
// API Client and ExpiryWindow of the retrieved credentials.
|
||||
//
|
||||
// provider := imds.New(imds.Options{
|
||||
// // See imds.Options type's documentation for more options available.
|
||||
// Client: imds.New(Options{
|
||||
// HTTPClient: customHTTPClient,
|
||||
// }),
|
||||
//
|
||||
// // Modify how soon credentials expire prior to their original expiry time.
|
||||
// ExpiryWindow: 5 * time.Minute,
|
||||
// })
|
||||
//
|
||||
// EC2 IMDS API Client
|
||||
//
|
||||
// See the github.com/aws/aws-sdk-go-v2/feature/ec2/imds module for more details on
|
||||
// configuring the client, and options available.
|
||||
package ec2rolecreds
|
174
vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/provider.go
generated
vendored
Normal file
174
vendor/github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds/provider.go
generated
vendored
Normal file
@ -0,0 +1,174 @@
|
||||
package ec2rolecreds
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"path"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
|
||||
"github.com/aws/smithy-go"
|
||||
)
|
||||
|
||||
// ProviderName provides a name of EC2Role provider
|
||||
const ProviderName = "EC2RoleProvider"
|
||||
|
||||
// GetMetadataAPIClient provides the interface for an EC2 IMDS API client for the
|
||||
// GetMetadata operation.
|
||||
type GetMetadataAPIClient interface {
|
||||
GetMetadata(context.Context, *imds.GetMetadataInput, ...func(*imds.Options)) (*imds.GetMetadataOutput, error)
|
||||
}
|
||||
|
||||
// A Provider retrieves credentials from the EC2 service, and keeps track if
|
||||
// those credentials are expired.
|
||||
//
|
||||
// The New function must be used to create the Provider.
|
||||
//
|
||||
// p := &ec2rolecreds.New(ec2rolecreds.Options{
|
||||
// Client: imds.New(imds.Options{}),
|
||||
//
|
||||
// // Expire the credentials 10 minutes before IAM states they should.
|
||||
// // Proactively refreshing the credentials.
|
||||
// ExpiryWindow: 10 * time.Minute
|
||||
// })
|
||||
type Provider struct {
|
||||
options Options
|
||||
}
|
||||
|
||||
// Options is a list of user settable options for setting the behavior of the Provider.
|
||||
type Options struct {
|
||||
// The API client that will be used by the provider to make GetMetadata API
|
||||
// calls to EC2 IMDS.
|
||||
//
|
||||
// If nil, the provider will default to the EC2 IMDS client.
|
||||
Client GetMetadataAPIClient
|
||||
}
|
||||
|
||||
// New returns an initialized Provider value configured to retrieve
|
||||
// credentials from EC2 Instance Metadata service.
|
||||
func New(optFns ...func(*Options)) *Provider {
|
||||
options := Options{}
|
||||
|
||||
for _, fn := range optFns {
|
||||
fn(&options)
|
||||
}
|
||||
|
||||
if options.Client == nil {
|
||||
options.Client = imds.New(imds.Options{})
|
||||
}
|
||||
|
||||
return &Provider{
|
||||
options: options,
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieve retrieves credentials from the EC2 service.
|
||||
// Error will be returned if the request fails, or unable to extract
|
||||
// the desired credentials.
|
||||
func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
|
||||
credsList, err := requestCredList(ctx, p.options.Client)
|
||||
if err != nil {
|
||||
return aws.Credentials{Source: ProviderName}, err
|
||||
}
|
||||
|
||||
if len(credsList) == 0 {
|
||||
return aws.Credentials{Source: ProviderName},
|
||||
fmt.Errorf("unexpected empty EC2 IMDS role list")
|
||||
}
|
||||
credsName := credsList[0]
|
||||
|
||||
roleCreds, err := requestCred(ctx, p.options.Client, credsName)
|
||||
if err != nil {
|
||||
return aws.Credentials{Source: ProviderName}, err
|
||||
}
|
||||
|
||||
creds := aws.Credentials{
|
||||
AccessKeyID: roleCreds.AccessKeyID,
|
||||
SecretAccessKey: roleCreds.SecretAccessKey,
|
||||
SessionToken: roleCreds.Token,
|
||||
Source: ProviderName,
|
||||
|
||||
CanExpire: true,
|
||||
Expires: roleCreds.Expiration,
|
||||
}
|
||||
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
// A ec2RoleCredRespBody provides the shape for unmarshaling credential
|
||||
// request responses.
|
||||
type ec2RoleCredRespBody struct {
|
||||
// Success State
|
||||
Expiration time.Time
|
||||
AccessKeyID string
|
||||
SecretAccessKey string
|
||||
Token string
|
||||
|
||||
// Error state
|
||||
Code string
|
||||
Message string
|
||||
}
|
||||
|
||||
const iamSecurityCredsPath = "/iam/security-credentials/"
|
||||
|
||||
// requestCredList requests a list of credentials from the EC2 service. If
|
||||
// there are no credentials, or there is an error making or receiving the
|
||||
// request
|
||||
func requestCredList(ctx context.Context, client GetMetadataAPIClient) ([]string, error) {
|
||||
resp, err := client.GetMetadata(ctx, &imds.GetMetadataInput{
|
||||
Path: iamSecurityCredsPath,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("no EC2 IMDS role found, %w", err)
|
||||
}
|
||||
defer resp.Content.Close()
|
||||
|
||||
credsList := []string{}
|
||||
s := bufio.NewScanner(resp.Content)
|
||||
for s.Scan() {
|
||||
credsList = append(credsList, s.Text())
|
||||
}
|
||||
|
||||
if err := s.Err(); err != nil {
|
||||
return nil, fmt.Errorf("failed to read EC2 IMDS role, %w", err)
|
||||
}
|
||||
|
||||
return credsList, nil
|
||||
}
|
||||
|
||||
// requestCred requests the credentials for a specific credentials from the EC2 service.
|
||||
//
|
||||
// If the credentials cannot be found, or there is an error reading the response
|
||||
// and error will be returned.
|
||||
func requestCred(ctx context.Context, client GetMetadataAPIClient, credsName string) (ec2RoleCredRespBody, error) {
|
||||
resp, err := client.GetMetadata(ctx, &imds.GetMetadataInput{
|
||||
Path: path.Join(iamSecurityCredsPath, credsName),
|
||||
})
|
||||
if err != nil {
|
||||
return ec2RoleCredRespBody{},
|
||||
fmt.Errorf("failed to get %s EC2 IMDS role credentials, %w",
|
||||
credsName, err)
|
||||
}
|
||||
defer resp.Content.Close()
|
||||
|
||||
var respCreds ec2RoleCredRespBody
|
||||
if err := json.NewDecoder(resp.Content).Decode(&respCreds); err != nil {
|
||||
return ec2RoleCredRespBody{},
|
||||
fmt.Errorf("failed to decode %s EC2 IMDS role credentials, %w",
|
||||
credsName, err)
|
||||
}
|
||||
|
||||
if !strings.EqualFold(respCreds.Code, "Success") {
|
||||
// If an error code was returned something failed requesting the role.
|
||||
return ec2RoleCredRespBody{},
|
||||
fmt.Errorf("failed to get %s EC2 IMDS role credentials, %w",
|
||||
credsName,
|
||||
&smithy.GenericAPIError{Code: respCreds.Code, Message: respCreds.Message})
|
||||
}
|
||||
|
||||
return respCreds, nil
|
||||
}
|
148
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go
generated
vendored
Normal file
148
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/client.go
generated
vendored
Normal file
@ -0,0 +1,148 @@
|
||||
package client
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/aws/middleware"
|
||||
"github.com/aws/aws-sdk-go-v2/aws/retry"
|
||||
awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
|
||||
"github.com/aws/smithy-go"
|
||||
smithymiddleware "github.com/aws/smithy-go/middleware"
|
||||
smithyhttp "github.com/aws/smithy-go/transport/http"
|
||||
)
|
||||
|
||||
// ServiceID is the client identifer
|
||||
const ServiceID = "endpoint-credentials"
|
||||
|
||||
// HTTPClient is a client for sending HTTP requests
|
||||
type HTTPClient interface {
|
||||
Do(*http.Request) (*http.Response, error)
|
||||
}
|
||||
|
||||
// Options is the endpoint client configurable options
|
||||
type Options struct {
|
||||
// The endpoint to retrieve credentials from
|
||||
Endpoint string
|
||||
|
||||
// The HTTP client to invoke API calls with. Defaults to client's default HTTP
|
||||
// implementation if nil.
|
||||
HTTPClient HTTPClient
|
||||
|
||||
// Retryer guides how HTTP requests should be retried in case of recoverable
|
||||
// failures. When nil the API client will use a default retryer.
|
||||
Retryer aws.Retryer
|
||||
|
||||
// Set of options to modify how the credentials operation is invoked.
|
||||
APIOptions []func(*smithymiddleware.Stack) error
|
||||
}
|
||||
|
||||
// Copy creates a copy of the API options.
|
||||
func (o Options) Copy() Options {
|
||||
to := o
|
||||
to.APIOptions = make([]func(*smithymiddleware.Stack) error, len(o.APIOptions))
|
||||
copy(to.APIOptions, o.APIOptions)
|
||||
return to
|
||||
}
|
||||
|
||||
// Client is an client for retrieving AWS credentials from an endpoint
|
||||
type Client struct {
|
||||
options Options
|
||||
}
|
||||
|
||||
// New constructs a new Client from the given options
|
||||
func New(options Options, optFns ...func(*Options)) *Client {
|
||||
options = options.Copy()
|
||||
|
||||
if options.HTTPClient == nil {
|
||||
options.HTTPClient = awshttp.NewBuildableClient()
|
||||
}
|
||||
|
||||
if options.Retryer == nil {
|
||||
options.Retryer = retry.NewStandard()
|
||||
}
|
||||
|
||||
for _, fn := range optFns {
|
||||
fn(&options)
|
||||
}
|
||||
|
||||
client := &Client{
|
||||
options: options,
|
||||
}
|
||||
|
||||
return client
|
||||
}
|
||||
|
||||
// GetCredentialsInput is the input to send with the endpoint service to receive credentials.
|
||||
type GetCredentialsInput struct {
|
||||
AuthorizationToken string
|
||||
}
|
||||
|
||||
// GetCredentials retrieves credentials from credential endpoint
|
||||
func (c *Client) GetCredentials(ctx context.Context, params *GetCredentialsInput, optFns ...func(*Options)) (*GetCredentialsOutput, error) {
|
||||
stack := smithymiddleware.NewStack("GetCredentials", smithyhttp.NewStackRequest)
|
||||
options := c.options.Copy()
|
||||
for _, fn := range optFns {
|
||||
fn(&options)
|
||||
}
|
||||
|
||||
stack.Serialize.Add(&serializeOpGetCredential{}, smithymiddleware.After)
|
||||
stack.Build.Add(&buildEndpoint{Endpoint: options.Endpoint}, smithymiddleware.After)
|
||||
stack.Deserialize.Add(&deserializeOpGetCredential{}, smithymiddleware.After)
|
||||
retry.AddRetryMiddlewares(stack, retry.AddRetryMiddlewaresOptions{Retryer: options.Retryer})
|
||||
middleware.AddSDKAgentKey(middleware.FeatureMetadata, ServiceID)
|
||||
smithyhttp.AddErrorCloseResponseBodyMiddleware(stack)
|
||||
smithyhttp.AddCloseResponseBodyMiddleware(stack)
|
||||
|
||||
for _, fn := range options.APIOptions {
|
||||
if err := fn(stack); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
handler := smithymiddleware.DecorateHandler(smithyhttp.NewClientHandler(options.HTTPClient), stack)
|
||||
result, _, err := handler.Handle(ctx, params)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return result.(*GetCredentialsOutput), err
|
||||
}
|
||||
|
||||
// GetCredentialsOutput is the response from the credential endpoint
|
||||
type GetCredentialsOutput struct {
|
||||
Expiration *time.Time
|
||||
AccessKeyID string
|
||||
SecretAccessKey string
|
||||
Token string
|
||||
}
|
||||
|
||||
// EndpointError is an error returned from the endpoint service
|
||||
type EndpointError struct {
|
||||
Code string `json:"code"`
|
||||
Message string `json:"message"`
|
||||
Fault smithy.ErrorFault `json:"-"`
|
||||
}
|
||||
|
||||
// Error is the error mesage string
|
||||
func (e *EndpointError) Error() string {
|
||||
return fmt.Sprintf("%s: %s", e.Code, e.Message)
|
||||
}
|
||||
|
||||
// ErrorCode is the error code returned by the endpoint
|
||||
func (e *EndpointError) ErrorCode() string {
|
||||
return e.Code
|
||||
}
|
||||
|
||||
// ErrorMessage is the error message returned by the endpoint
|
||||
func (e *EndpointError) ErrorMessage() string {
|
||||
return e.Message
|
||||
}
|
||||
|
||||
// ErrorFault indicates error fault classification
|
||||
func (e *EndpointError) ErrorFault() smithy.ErrorFault {
|
||||
return e.Fault
|
||||
}
|
120
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/middleware.go
generated
vendored
Normal file
120
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client/middleware.go
generated
vendored
Normal file
@ -0,0 +1,120 @@
|
||||
package client
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/url"
|
||||
|
||||
"github.com/aws/smithy-go"
|
||||
smithymiddleware "github.com/aws/smithy-go/middleware"
|
||||
smithyhttp "github.com/aws/smithy-go/transport/http"
|
||||
)
|
||||
|
||||
type buildEndpoint struct {
|
||||
Endpoint string
|
||||
}
|
||||
|
||||
func (b *buildEndpoint) ID() string {
|
||||
return "BuildEndpoint"
|
||||
}
|
||||
|
||||
func (b *buildEndpoint) HandleBuild(ctx context.Context, in smithymiddleware.BuildInput, next smithymiddleware.BuildHandler) (
|
||||
out smithymiddleware.BuildOutput, metadata smithymiddleware.Metadata, err error,
|
||||
) {
|
||||
request, ok := in.Request.(*smithyhttp.Request)
|
||||
if !ok {
|
||||
return out, metadata, fmt.Errorf("unknown transport, %T", in.Request)
|
||||
}
|
||||
|
||||
if len(b.Endpoint) == 0 {
|
||||
return out, metadata, fmt.Errorf("endpoint not provided")
|
||||
}
|
||||
|
||||
parsed, err := url.Parse(b.Endpoint)
|
||||
if err != nil {
|
||||
return out, metadata, fmt.Errorf("failed to parse endpoint, %w", err)
|
||||
}
|
||||
|
||||
request.URL = parsed
|
||||
|
||||
return next.HandleBuild(ctx, in)
|
||||
}
|
||||
|
||||
type serializeOpGetCredential struct{}
|
||||
|
||||
func (s *serializeOpGetCredential) ID() string {
|
||||
return "OperationSerializer"
|
||||
}
|
||||
|
||||
func (s *serializeOpGetCredential) HandleSerialize(ctx context.Context, in smithymiddleware.SerializeInput, next smithymiddleware.SerializeHandler) (
|
||||
out smithymiddleware.SerializeOutput, metadata smithymiddleware.Metadata, err error,
|
||||
) {
|
||||
request, ok := in.Request.(*smithyhttp.Request)
|
||||
if !ok {
|
||||
return out, metadata, fmt.Errorf("unknown transport type, %T", in.Request)
|
||||
}
|
||||
|
||||
params, ok := in.Parameters.(*GetCredentialsInput)
|
||||
if !ok {
|
||||
return out, metadata, fmt.Errorf("unknown input parameters, %T", in.Parameters)
|
||||
}
|
||||
|
||||
const acceptHeader = "Accept"
|
||||
request.Header[acceptHeader] = append(request.Header[acceptHeader][:0], "application/json")
|
||||
|
||||
if len(params.AuthorizationToken) > 0 {
|
||||
const authHeader = "Authorization"
|
||||
request.Header[authHeader] = append(request.Header[authHeader][:0], params.AuthorizationToken)
|
||||
}
|
||||
|
||||
return next.HandleSerialize(ctx, in)
|
||||
}
|
||||
|
||||
type deserializeOpGetCredential struct{}
|
||||
|
||||
func (d *deserializeOpGetCredential) ID() string {
|
||||
return "OperationDeserializer"
|
||||
}
|
||||
|
||||
func (d *deserializeOpGetCredential) HandleDeserialize(ctx context.Context, in smithymiddleware.DeserializeInput, next smithymiddleware.DeserializeHandler) (
|
||||
out smithymiddleware.DeserializeOutput, metadata smithymiddleware.Metadata, err error,
|
||||
) {
|
||||
out, metadata, err = next.HandleDeserialize(ctx, in)
|
||||
if err != nil {
|
||||
return out, metadata, err
|
||||
}
|
||||
|
||||
response, ok := out.RawResponse.(*smithyhttp.Response)
|
||||
if !ok {
|
||||
return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("unknown transport type %T", out.RawResponse)}
|
||||
}
|
||||
|
||||
if response.StatusCode < 200 || response.StatusCode >= 300 {
|
||||
return out, metadata, deserializeError(response)
|
||||
}
|
||||
|
||||
var shape *GetCredentialsOutput
|
||||
if err = json.NewDecoder(response.Body).Decode(&shape); err != nil {
|
||||
return out, metadata, &smithy.DeserializationError{Err: fmt.Errorf("failed to deserialize json response, %w", err)}
|
||||
}
|
||||
|
||||
out.Result = shape
|
||||
return out, metadata, err
|
||||
}
|
||||
|
||||
func deserializeError(response *smithyhttp.Response) error {
|
||||
var errShape *EndpointError
|
||||
err := json.NewDecoder(response.Body).Decode(&errShape)
|
||||
if err != nil {
|
||||
return &smithy.DeserializationError{Err: fmt.Errorf("failed to decode error message, %w", err)}
|
||||
}
|
||||
|
||||
if response.StatusCode >= 500 {
|
||||
errShape.Fault = smithy.FaultServer
|
||||
} else {
|
||||
errShape.Fault = smithy.FaultClient
|
||||
}
|
||||
|
||||
return errShape
|
||||
}
|
133
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go
generated
vendored
Normal file
133
vendor/github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/provider.go
generated
vendored
Normal file
@ -0,0 +1,133 @@
|
||||
// Package endpointcreds provides support for retrieving credentials from an
|
||||
// arbitrary HTTP endpoint.
|
||||
//
|
||||
// The credentials endpoint Provider can receive both static and refreshable
|
||||
// credentials that will expire. Credentials are static when an "Expiration"
|
||||
// value is not provided in the endpoint's response.
|
||||
//
|
||||
// Static credentials will never expire once they have been retrieved. The format
|
||||
// of the static credentials response:
|
||||
// {
|
||||
// "AccessKeyId" : "MUA...",
|
||||
// "SecretAccessKey" : "/7PC5om....",
|
||||
// }
|
||||
//
|
||||
// Refreshable credentials will expire within the "ExpiryWindow" of the Expiration
|
||||
// value in the response. The format of the refreshable credentials response:
|
||||
// {
|
||||
// "AccessKeyId" : "MUA...",
|
||||
// "SecretAccessKey" : "/7PC5om....",
|
||||
// "Token" : "AQoDY....=",
|
||||
// "Expiration" : "2016-02-25T06:03:31Z"
|
||||
// }
|
||||
//
|
||||
// Errors should be returned in the following format and only returned with 400
|
||||
// or 500 HTTP status codes.
|
||||
// {
|
||||
// "code": "ErrorCode",
|
||||
// "message": "Helpful error message."
|
||||
// }
|
||||
package endpointcreds
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/credentials/endpointcreds/internal/client"
|
||||
"github.com/aws/smithy-go/middleware"
|
||||
)
|
||||
|
||||
// ProviderName is the name of the credentials provider.
|
||||
const ProviderName = `CredentialsEndpointProvider`
|
||||
|
||||
type getCredentialsAPIClient interface {
|
||||
GetCredentials(context.Context, *client.GetCredentialsInput, ...func(*client.Options)) (*client.GetCredentialsOutput, error)
|
||||
}
|
||||
|
||||
// Provider satisfies the aws.CredentialsProvider interface, and is a client to
|
||||
// retrieve credentials from an arbitrary endpoint.
|
||||
type Provider struct {
|
||||
// The AWS Client to make HTTP requests to the endpoint with. The endpoint
|
||||
// the request will be made to is provided by the aws.Config's
|
||||
// EndpointResolver.
|
||||
client getCredentialsAPIClient
|
||||
|
||||
options Options
|
||||
}
|
||||
|
||||
// HTTPClient is a client for sending HTTP requests
|
||||
type HTTPClient interface {
|
||||
Do(*http.Request) (*http.Response, error)
|
||||
}
|
||||
|
||||
// Options is structure of configurable options for Provider
|
||||
type Options struct {
|
||||
// Endpoint to retrieve credentials from. Required
|
||||
Endpoint string
|
||||
|
||||
// HTTPClient to handle sending HTTP requests to the target endpoint.
|
||||
HTTPClient HTTPClient
|
||||
|
||||
// Set of options to modify how the credentials operation is invoked.
|
||||
APIOptions []func(*middleware.Stack) error
|
||||
|
||||
// The Retryer to be used for determining whether a failed requested should be retried
|
||||
Retryer aws.Retryer
|
||||
|
||||
// Optional authorization token value if set will be used as the value of
|
||||
// the Authorization header of the endpoint credential request.
|
||||
AuthorizationToken string
|
||||
}
|
||||
|
||||
// New returns a credentials Provider for retrieving AWS credentials
|
||||
// from arbitrary endpoint.
|
||||
func New(endpoint string, optFns ...func(*Options)) *Provider {
|
||||
o := Options{
|
||||
Endpoint: endpoint,
|
||||
}
|
||||
|
||||
for _, fn := range optFns {
|
||||
fn(&o)
|
||||
}
|
||||
|
||||
p := &Provider{
|
||||
client: client.New(client.Options{
|
||||
HTTPClient: o.HTTPClient,
|
||||
Endpoint: o.Endpoint,
|
||||
APIOptions: o.APIOptions,
|
||||
Retryer: o.Retryer,
|
||||
}),
|
||||
options: o,
|
||||
}
|
||||
|
||||
return p
|
||||
}
|
||||
|
||||
// Retrieve will attempt to request the credentials from the endpoint the Provider
|
||||
// was configured for. And error will be returned if the retrieval fails.
|
||||
func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
|
||||
resp, err := p.getCredentials(ctx)
|
||||
if err != nil {
|
||||
return aws.Credentials{}, fmt.Errorf("failed to load credentials, %w", err)
|
||||
}
|
||||
|
||||
creds := aws.Credentials{
|
||||
AccessKeyID: resp.AccessKeyID,
|
||||
SecretAccessKey: resp.SecretAccessKey,
|
||||
SessionToken: resp.Token,
|
||||
Source: ProviderName,
|
||||
}
|
||||
|
||||
if resp.Expiration != nil {
|
||||
creds.CanExpire = true
|
||||
creds.Expires = *resp.Expiration
|
||||
}
|
||||
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
func (p *Provider) getCredentials(ctx context.Context) (*client.GetCredentialsOutput, error) {
|
||||
return p.client.GetCredentials(ctx, &client.GetCredentialsInput{AuthorizationToken: p.options.AuthorizationToken})
|
||||
}
|
6
vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
generated
vendored
Normal file
6
vendor/github.com/aws/aws-sdk-go-v2/credentials/go_module_metadata.go
generated
vendored
Normal file
@ -0,0 +1,6 @@
|
||||
// Code generated by internal/repotools/cmd/updatemodulemeta DO NOT EDIT.
|
||||
|
||||
package credentials
|
||||
|
||||
// goModuleVersion is the tagged release for this module
|
||||
const goModuleVersion = "1.4.2"
|
92
vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/doc.go
generated
vendored
Normal file
92
vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/doc.go
generated
vendored
Normal file
@ -0,0 +1,92 @@
|
||||
// Package processcreds is a credentials provider to retrieve credentials from a
|
||||
// external CLI invoked process.
|
||||
//
|
||||
// WARNING: The following describes a method of sourcing credentials from an external
|
||||
// process. This can potentially be dangerous, so proceed with caution. Other
|
||||
// credential providers should be preferred if at all possible. If using this
|
||||
// option, you should make sure that the config file is as locked down as possible
|
||||
// using security best practices for your operating system.
|
||||
//
|
||||
// Concurrency and caching
|
||||
//
|
||||
// The Provider is not safe to be used concurrently, and does not provide any
|
||||
// caching of credentials retrieved. You should wrap the Provider with a
|
||||
// `aws.CredentialsCache` to provide concurrency safety, and caching of
|
||||
// credentials.
|
||||
//
|
||||
// Loading credentials with the SDKs AWS Config
|
||||
//
|
||||
// You can use credentials from a AWS shared config `credential_process` in a
|
||||
// variety of ways.
|
||||
//
|
||||
// One way is to setup your shared config file, located in the default
|
||||
// location, with the `credential_process` key and the command you want to be
|
||||
// called. You also need to set the AWS_SDK_LOAD_CONFIG environment variable
|
||||
// (e.g., `export AWS_SDK_LOAD_CONFIG=1`) to use the shared config file.
|
||||
//
|
||||
// [default]
|
||||
// credential_process = /command/to/call
|
||||
//
|
||||
// Loading configuration using external will use the credential process to
|
||||
// retrieve credentials. NOTE: If there are credentials in the profile you are
|
||||
// using, the credential process will not be used.
|
||||
//
|
||||
// // Initialize a session to load credentials.
|
||||
// cfg, _ := config.LoadDefaultConfig(context.TODO())
|
||||
//
|
||||
// // Create S3 service client to use the credentials.
|
||||
// svc := s3.NewFromConfig(cfg)
|
||||
//
|
||||
// Loading credentials with the Provider directly
|
||||
//
|
||||
// Another way to use the credentials process provider is by using the
|
||||
// `NewProvider` constructor to create the provider and providing a it with a
|
||||
// command to be executed to retrieve credentials.
|
||||
//
|
||||
// The following example creates a credentials provider for a command, and wraps
|
||||
// it with the CredentialsCache before assigning the provider to the Amazon S3 API
|
||||
// client's Credentials option.
|
||||
//
|
||||
// // Create credentials using the Provider.
|
||||
// provider := processcreds.NewProvider("/path/to/command")
|
||||
//
|
||||
// // Create the service client value configured for credentials.
|
||||
// svc := s3.New(s3.Options{
|
||||
// Credentials: aws.NewCredentialsCache(provider),
|
||||
// })
|
||||
//
|
||||
// If you need more control, you can set any configurable options in the
|
||||
// credentials using one or more option functions.
|
||||
//
|
||||
// provider := processcreds.NewProvider("/path/to/command",
|
||||
// func(o *processcreds.Options) {
|
||||
// // Override the provider's default timeout
|
||||
// o.Timeout = 2 * time.Minute
|
||||
// })
|
||||
//
|
||||
// You can also use your own `exec.Cmd` value by satisfying a value that satisfies
|
||||
// the `NewCommandBuilder` interface and use the `NewProviderCommand` constructor.
|
||||
//
|
||||
// // Create an exec.Cmd
|
||||
// cmdBuilder := processcreds.NewCommandBuilderFunc(
|
||||
// func(ctx context.Context) (*exec.Cmd, error) {
|
||||
// cmd := exec.CommandContext(ctx,
|
||||
// "customCLICommand",
|
||||
// "-a", "argument",
|
||||
// )
|
||||
// cmd.Env = []string{
|
||||
// "ENV_VAR_FOO=value",
|
||||
// "ENV_VAR_BAR=other_value",
|
||||
// }
|
||||
//
|
||||
// return cmd, nil
|
||||
// },
|
||||
// )
|
||||
//
|
||||
// // Create credentials using your exec.Cmd and custom timeout
|
||||
// provider := processcreds.NewProviderCommand(cmdBuilder,
|
||||
// func(opt *processcreds.Provider) {
|
||||
// // optionally override the provider's default timeout
|
||||
// opt.Timeout = 1 * time.Second
|
||||
// })
|
||||
package processcreds
|
269
vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go
generated
vendored
Normal file
269
vendor/github.com/aws/aws-sdk-go-v2/credentials/processcreds/provider.go
generated
vendored
Normal file
@ -0,0 +1,269 @@
|
||||
package processcreds
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
"os/exec"
|
||||
"runtime"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/internal/sdkio"
|
||||
)
|
||||
|
||||
const (
|
||||
// ProviderName is the name this credentials provider will label any
|
||||
// returned credentials Value with.
|
||||
ProviderName = `ProcessProvider`
|
||||
|
||||
// DefaultTimeout default limit on time a process can run.
|
||||
DefaultTimeout = time.Duration(1) * time.Minute
|
||||
)
|
||||
|
||||
// ProviderError is an error indicating failure initializing or executing the
|
||||
// process credentials provider
|
||||
type ProviderError struct {
|
||||
Err error
|
||||
}
|
||||
|
||||
// Error returns the error message.
|
||||
func (e *ProviderError) Error() string {
|
||||
return fmt.Sprintf("process provider error: %v", e.Err)
|
||||
}
|
||||
|
||||
// Unwrap returns the underlying error the provider error wraps.
|
||||
func (e *ProviderError) Unwrap() error {
|
||||
return e.Err
|
||||
}
|
||||
|
||||
// Provider satisfies the credentials.Provider interface, and is a
|
||||
// client to retrieve credentials from a process.
|
||||
type Provider struct {
|
||||
// Provides a constructor for exec.Cmd that are invoked by the provider for
|
||||
// retrieving credentials. Use this to provide custom creation of exec.Cmd
|
||||
// with things like environment variables, or other configuration.
|
||||
//
|
||||
// The provider defaults to the DefaultNewCommand function.
|
||||
commandBuilder NewCommandBuilder
|
||||
|
||||
options Options
|
||||
}
|
||||
|
||||
// Options is the configuration options for configuring the Provider.
|
||||
type Options struct {
|
||||
// Timeout limits the time a process can run.
|
||||
Timeout time.Duration
|
||||
}
|
||||
|
||||
// NewCommandBuilder provides the interface for specifying how command will be
|
||||
// created that the Provider will use to retrieve credentials with.
|
||||
type NewCommandBuilder interface {
|
||||
NewCommand(context.Context) (*exec.Cmd, error)
|
||||
}
|
||||
|
||||
// NewCommandBuilderFunc provides a wrapper type around a function pointer to
|
||||
// satisfy the NewCommandBuilder interface.
|
||||
type NewCommandBuilderFunc func(context.Context) (*exec.Cmd, error)
|
||||
|
||||
// NewCommand calls the underlying function pointer the builder was initialized with.
|
||||
func (fn NewCommandBuilderFunc) NewCommand(ctx context.Context) (*exec.Cmd, error) {
|
||||
return fn(ctx)
|
||||
}
|
||||
|
||||
// DefaultNewCommandBuilder provides the default NewCommandBuilder
|
||||
// implementation used by the provider. It takes a command and arguments to
|
||||
// invoke. The command will also be initialized with the current process
|
||||
// environment variables, stderr, and stdin pipes.
|
||||
type DefaultNewCommandBuilder struct {
|
||||
Args []string
|
||||
}
|
||||
|
||||
// NewCommand returns an initialized exec.Cmd with the builder's initialized
|
||||
// Args. The command is also initialized current process environment variables,
|
||||
// stderr, and stdin pipes.
|
||||
func (b DefaultNewCommandBuilder) NewCommand(ctx context.Context) (*exec.Cmd, error) {
|
||||
var cmdArgs []string
|
||||
if runtime.GOOS == "windows" {
|
||||
cmdArgs = []string{"cmd.exe", "/C"}
|
||||
} else {
|
||||
cmdArgs = []string{"sh", "-c"}
|
||||
}
|
||||
|
||||
if len(b.Args) == 0 {
|
||||
return nil, &ProviderError{
|
||||
Err: fmt.Errorf("failed to prepare command: command must not be empty"),
|
||||
}
|
||||
}
|
||||
|
||||
cmdArgs = append(cmdArgs, b.Args...)
|
||||
cmd := exec.CommandContext(ctx, cmdArgs[0], cmdArgs[1:]...)
|
||||
cmd.Env = os.Environ()
|
||||
|
||||
cmd.Stderr = os.Stderr // display stderr on console for MFA
|
||||
cmd.Stdin = os.Stdin // enable stdin for MFA
|
||||
|
||||
return cmd, nil
|
||||
}
|
||||
|
||||
// NewProvider returns a pointer to a new Credentials object wrapping the
|
||||
// Provider.
|
||||
//
|
||||
// The provider defaults to the DefaultNewCommandBuilder for creating command
|
||||
// the Provider will use to retrieve credentials with.
|
||||
func NewProvider(command string, options ...func(*Options)) *Provider {
|
||||
var args []string
|
||||
|
||||
// Ensure that the command arguments are not set if the provided command is
|
||||
// empty. This will error out when the command is executed since no
|
||||
// arguments are specified.
|
||||
if len(command) > 0 {
|
||||
args = []string{command}
|
||||
}
|
||||
|
||||
commanBuilder := DefaultNewCommandBuilder{
|
||||
Args: args,
|
||||
}
|
||||
return NewProviderCommand(commanBuilder, options...)
|
||||
}
|
||||
|
||||
// NewProviderCommand returns a pointer to a new Credentials object with the
|
||||
// specified command, and default timeout duration. Use this to provide custom
|
||||
// creation of exec.Cmd for options like environment variables, or other
|
||||
// configuration.
|
||||
func NewProviderCommand(builder NewCommandBuilder, options ...func(*Options)) *Provider {
|
||||
p := &Provider{
|
||||
commandBuilder: builder,
|
||||
options: Options{
|
||||
Timeout: DefaultTimeout,
|
||||
},
|
||||
}
|
||||
|
||||
for _, option := range options {
|
||||
option(&p.options)
|
||||
}
|
||||
|
||||
return p
|
||||
}
|
||||
|
||||
type credentialProcessResponse struct {
|
||||
Version int
|
||||
AccessKeyID string `json:"AccessKeyId"`
|
||||
SecretAccessKey string
|
||||
SessionToken string
|
||||
Expiration *time.Time
|
||||
}
|
||||
|
||||
// Retrieve executes the credential process command and returns the
|
||||
// credentials, or error if the command fails.
|
||||
func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
|
||||
out, err := p.executeCredentialProcess(ctx)
|
||||
if err != nil {
|
||||
return aws.Credentials{Source: ProviderName}, err
|
||||
}
|
||||
|
||||
// Serialize and validate response
|
||||
resp := &credentialProcessResponse{}
|
||||
if err = json.Unmarshal(out, resp); err != nil {
|
||||
return aws.Credentials{Source: ProviderName}, &ProviderError{
|
||||
Err: fmt.Errorf("parse failed of process output: %s, error: %w", out, err),
|
||||
}
|
||||
}
|
||||
|
||||
if resp.Version != 1 {
|
||||
return aws.Credentials{Source: ProviderName}, &ProviderError{
|
||||
Err: fmt.Errorf("wrong version in process output (not 1)"),
|
||||
}
|
||||
}
|
||||
|
||||
if len(resp.AccessKeyID) == 0 {
|
||||
return aws.Credentials{Source: ProviderName}, &ProviderError{
|
||||
Err: fmt.Errorf("missing AccessKeyId in process output"),
|
||||
}
|
||||
}
|
||||
|
||||
if len(resp.SecretAccessKey) == 0 {
|
||||
return aws.Credentials{Source: ProviderName}, &ProviderError{
|
||||
Err: fmt.Errorf("missing SecretAccessKey in process output"),
|
||||
}
|
||||
}
|
||||
|
||||
creds := aws.Credentials{
|
||||
Source: ProviderName,
|
||||
AccessKeyID: resp.AccessKeyID,
|
||||
SecretAccessKey: resp.SecretAccessKey,
|
||||
SessionToken: resp.SessionToken,
|
||||
}
|
||||
|
||||
// Handle expiration
|
||||
if resp.Expiration != nil {
|
||||
creds.CanExpire = true
|
||||
creds.Expires = *resp.Expiration
|
||||
}
|
||||
|
||||
return creds, nil
|
||||
}
|
||||
|
||||
// executeCredentialProcess starts the credential process on the OS and
|
||||
// returns the results or an error.
|
||||
func (p *Provider) executeCredentialProcess(ctx context.Context) ([]byte, error) {
|
||||
if p.options.Timeout >= 0 {
|
||||
var cancelFunc func()
|
||||
ctx, cancelFunc = context.WithTimeout(ctx, p.options.Timeout)
|
||||
defer cancelFunc()
|
||||
}
|
||||
|
||||
cmd, err := p.commandBuilder.NewCommand(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// get creds json on process's stdout
|
||||
output := bytes.NewBuffer(make([]byte, 0, int(8*sdkio.KibiByte)))
|
||||
if cmd.Stdout != nil {
|
||||
cmd.Stdout = io.MultiWriter(cmd.Stdout, output)
|
||||
} else {
|
||||
cmd.Stdout = output
|
||||
}
|
||||
|
||||
execCh := make(chan error, 1)
|
||||
go executeCommand(cmd, execCh)
|
||||
|
||||
select {
|
||||
case execError := <-execCh:
|
||||
if execError == nil {
|
||||
break
|
||||
}
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return output.Bytes(), &ProviderError{
|
||||
Err: fmt.Errorf("credential process timed out: %w", execError),
|
||||
}
|
||||
default:
|
||||
return output.Bytes(), &ProviderError{
|
||||
Err: fmt.Errorf("error in credential_process: %w", execError),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
out := output.Bytes()
|
||||
if runtime.GOOS == "windows" {
|
||||
// windows adds slashes to quotes
|
||||
out = bytes.ReplaceAll(out, []byte(`\"`), []byte(`"`))
|
||||
}
|
||||
|
||||
return out, nil
|
||||
}
|
||||
|
||||
func executeCommand(cmd *exec.Cmd, exec chan error) {
|
||||
// Start the command
|
||||
err := cmd.Start()
|
||||
if err == nil {
|
||||
err = cmd.Wait()
|
||||
}
|
||||
|
||||
exec <- err
|
||||
}
|
63
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/doc.go
generated
vendored
Normal file
63
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/doc.go
generated
vendored
Normal file
@ -0,0 +1,63 @@
|
||||
// Package ssocreds provides a credential provider for retrieving temporary AWS credentials using an SSO access token.
|
||||
//
|
||||
// IMPORTANT: The provider in this package does not initiate or perform the AWS SSO login flow. The SDK provider
|
||||
// expects that you have already performed the SSO login flow using AWS CLI using the "aws sso login" command, or by
|
||||
// some other mechanism. The provider must find a valid non-expired access token for the AWS SSO user portal URL in
|
||||
// ~/.aws/sso/cache. If a cached token is not found, it is expired, or the file is malformed an error will be returned.
|
||||
//
|
||||
// Loading AWS SSO credentials with the AWS shared configuration file
|
||||
//
|
||||
// You can use configure AWS SSO credentials from the AWS shared configuration file by
|
||||
// providing the specifying the required keys in the profile:
|
||||
//
|
||||
// sso_account_id
|
||||
// sso_region
|
||||
// sso_role_name
|
||||
// sso_start_url
|
||||
//
|
||||
// For example, the following defines a profile "devsso" and specifies the AWS SSO parameters that defines the target
|
||||
// account, role, sign-on portal, and the region where the user portal is located. Note: all SSO arguments must be
|
||||
// provided, or an error will be returned.
|
||||
//
|
||||
// [profile devsso]
|
||||
// sso_start_url = https://my-sso-portal.awsapps.com/start
|
||||
// sso_role_name = SSOReadOnlyRole
|
||||
// sso_region = us-east-1
|
||||
// sso_account_id = 123456789012
|
||||
//
|
||||
// Using the config module, you can load the AWS SDK shared configuration, and specify that this profile be used to
|
||||
// retrieve credentials. For example:
|
||||
//
|
||||
// config, err := config.LoadDefaultConfig(context.TODO(), config.WithSharedConfigProfile("devsso"))
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
//
|
||||
// Programmatically loading AWS SSO credentials directly
|
||||
//
|
||||
// You can programmatically construct the AWS SSO Provider in your application, and provide the necessary information
|
||||
// to load and retrieve temporary credentials using an access token from ~/.aws/sso/cache.
|
||||
//
|
||||
// client := sso.NewFromConfig(cfg)
|
||||
//
|
||||
// var provider aws.CredentialsProvider
|
||||
// provider = ssocreds.New(client, "123456789012", "SSOReadOnlyRole", "us-east-1", "https://my-sso-portal.awsapps.com/start")
|
||||
//
|
||||
// // Wrap the provider with aws.CredentialsCache to cache the credentials until their expire time
|
||||
// provider = aws.NewCredentialsCache(provider)
|
||||
//
|
||||
// credentials, err := provider.Retrieve(context.TODO())
|
||||
// if err != nil {
|
||||
// return err
|
||||
// }
|
||||
//
|
||||
// It is important that you wrap the Provider with aws.CredentialsCache if you are programmatically constructing the
|
||||
// provider directly. This prevents your application from accessing the cached access token and requesting new
|
||||
// credentials each time the credentials are used.
|
||||
//
|
||||
// Additional Resources
|
||||
//
|
||||
// Configuring the AWS CLI to use AWS Single Sign-On: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
|
||||
//
|
||||
// AWS Single Sign-On User Guide: https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
|
||||
package ssocreds
|
10
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/os.go
generated
vendored
Normal file
10
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/os.go
generated
vendored
Normal file
@ -0,0 +1,10 @@
|
||||
//go:build !windows
|
||||
// +build !windows
|
||||
|
||||
package ssocreds
|
||||
|
||||
import "os"
|
||||
|
||||
func getHomeDirectory() string {
|
||||
return os.Getenv("HOME")
|
||||
}
|
7
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/os_windows.go
generated
vendored
Normal file
7
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/os_windows.go
generated
vendored
Normal file
@ -0,0 +1,7 @@
|
||||
package ssocreds
|
||||
|
||||
import "os"
|
||||
|
||||
func getHomeDirectory() string {
|
||||
return os.Getenv("USERPROFILE")
|
||||
}
|
184
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/provider.go
generated
vendored
Normal file
184
vendor/github.com/aws/aws-sdk-go-v2/credentials/ssocreds/provider.go
generated
vendored
Normal file
@ -0,0 +1,184 @@
|
||||
package ssocreds
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/sha1"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/internal/sdk"
|
||||
"github.com/aws/aws-sdk-go-v2/service/sso"
|
||||
)
|
||||
|
||||
// ProviderName is the name of the provider used to specify the source of credentials.
|
||||
const ProviderName = "SSOProvider"
|
||||
|
||||
var defaultCacheLocation func() string
|
||||
|
||||
func defaultCacheLocationImpl() string {
|
||||
return filepath.Join(getHomeDirectory(), ".aws", "sso", "cache")
|
||||
}
|
||||
|
||||
func init() {
|
||||
defaultCacheLocation = defaultCacheLocationImpl
|
||||
}
|
||||
|
||||
// GetRoleCredentialsAPIClient is a API client that implements the GetRoleCredentials operation.
|
||||
type GetRoleCredentialsAPIClient interface {
|
||||
GetRoleCredentials(ctx context.Context, params *sso.GetRoleCredentialsInput, optFns ...func(*sso.Options)) (*sso.GetRoleCredentialsOutput, error)
|
||||
}
|
||||
|
||||
// Options is the Provider options structure.
|
||||
type Options struct {
|
||||
// The Client which is configured for the AWS Region where the AWS SSO user portal is located.
|
||||
Client GetRoleCredentialsAPIClient
|
||||
|
||||
// The AWS account that is assigned to the user.
|
||||
AccountID string
|
||||
|
||||
// The role name that is assigned to the user.
|
||||
RoleName string
|
||||
|
||||
// The URL that points to the organization's AWS Single Sign-On (AWS SSO) user portal.
|
||||
StartURL string
|
||||
}
|
||||
|
||||
// Provider is an AWS credential provider that retrieves temporary AWS credentials by exchanging an SSO login token.
|
||||
type Provider struct {
|
||||
options Options
|
||||
}
|
||||
|
||||
// New returns a new AWS Single Sign-On (AWS SSO) credential provider. The provided client is expected to be configured
|
||||
// for the AWS Region where the AWS SSO user portal is located.
|
||||
func New(client GetRoleCredentialsAPIClient, accountID, roleName, startURL string, optFns ...func(options *Options)) *Provider {
|
||||
options := Options{
|
||||
Client: client,
|
||||
AccountID: accountID,
|
||||
RoleName: roleName,
|
||||
StartURL: startURL,
|
||||
}
|
||||
|
||||
for _, fn := range optFns {
|
||||
fn(&options)
|
||||
}
|
||||
|
||||
return &Provider{
|
||||
options: options,
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieve retrieves temporary AWS credentials from the configured Amazon Single Sign-On (AWS SSO) user portal
|
||||
// by exchanging the accessToken present in ~/.aws/sso/cache.
|
||||
func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error) {
|
||||
tokenFile, err := loadTokenFile(p.options.StartURL)
|
||||
if err != nil {
|
||||
return aws.Credentials{}, err
|
||||
}
|
||||
|
||||
output, err := p.options.Client.GetRoleCredentials(ctx, &sso.GetRoleCredentialsInput{
|
||||
AccessToken: &tokenFile.AccessToken,
|
||||
AccountId: &p.options.AccountID,
|
||||
RoleName: &p.options.RoleName,
|
||||
})
|
||||
if err != nil {
|
||||
return aws.Credentials{}, err
|
||||
}
|
||||
|
||||
return aws.Credentials{
|
||||
AccessKeyID: aws.ToString(output.RoleCredentials.AccessKeyId),
|
||||
SecretAccessKey: aws.ToString(output.RoleCredentials.SecretAccessKey),
|
||||
SessionToken: aws.ToString(output.RoleCredentials.SessionToken),
|
||||
Expires: time.Unix(0, output.RoleCredentials.Expiration*int64(time.Millisecond)).UTC(),
|
||||
CanExpire: true,
|
||||
Source: ProviderName,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func getCacheFileName(url string) (string, error) {
|
||||
hash := sha1.New()
|
||||
_, err := hash.Write([]byte(url))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return strings.ToLower(hex.EncodeToString(hash.Sum(nil))) + ".json", nil
|
||||
}
|
||||
|
||||
type rfc3339 time.Time
|
||||
|
||||
func (r *rfc3339) UnmarshalJSON(bytes []byte) error {
|
||||
var value string
|
||||
|
||||
if err := json.Unmarshal(bytes, &value); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
parse, err := time.Parse(time.RFC3339, value)
|
||||
if err != nil {
|
||||
return fmt.Errorf("expected RFC3339 timestamp: %w", err)
|
||||
}
|
||||
|
||||
*r = rfc3339(parse)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
type token struct {
|
||||
AccessToken string `json:"accessToken"`
|
||||
ExpiresAt rfc3339 `json:"expiresAt"`
|
||||
Region string `json:"region,omitempty"`
|
||||
StartURL string `json:"startUrl,omitempty"`
|
||||
}
|
||||
|
||||
func (t token) Expired() bool {
|
||||
return sdk.NowTime().Round(0).After(time.Time(t.ExpiresAt))
|
||||
}
|
||||
|
||||
// InvalidTokenError is the error type that is returned if loaded token has expired or is otherwise invalid.
|
||||
// To refresh the SSO session run aws sso login with the corresponding profile.
|
||||
type InvalidTokenError struct {
|
||||
Err error
|
||||
}
|
||||
|
||||
func (i *InvalidTokenError) Unwrap() error {
|
||||
return i.Err
|
||||
}
|
||||
|
||||
func (i *InvalidTokenError) Error() string {
|
||||
const msg = "the SSO session has expired or is invalid"
|
||||
if i.Err == nil {
|
||||
return msg
|
||||
}
|
||||
return msg + ": " + i.Err.Error()
|
||||
}
|
||||
|
||||
func loadTokenFile(startURL string) (t token, err error) {
|
||||
key, err := getCacheFileName(startURL)
|
||||
if err != nil {
|
||||
return token{}, &InvalidTokenError{Err: err}
|
||||
}
|
||||
|
||||
fileBytes, err := ioutil.ReadFile(filepath.Join(defaultCacheLocation(), key))
|
||||
if err != nil {
|
||||
return token{}, &InvalidTokenError{Err: err}
|
||||
}
|
||||
|
||||
if err := json.Unmarshal(fileBytes, &t); err != nil {
|
||||
return token{}, &InvalidTokenError{Err: err}
|
||||
}
|
||||
|
||||
if len(t.AccessToken) == 0 {
|
||||
return token{}, &InvalidTokenError{}
|
||||
}
|
||||
|
||||
if t.Expired() {
|
||||
return token{}, &InvalidTokenError{Err: fmt.Errorf("access token is expired")}
|
||||
}
|
||||
|
||||
return t, nil
|
||||
}
|
53
vendor/github.com/aws/aws-sdk-go-v2/credentials/static_provider.go
generated
vendored
Normal file
53
vendor/github.com/aws/aws-sdk-go-v2/credentials/static_provider.go
generated
vendored
Normal file
@ -0,0 +1,53 @@
|
||||
package credentials
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
)
|
||||
|
||||
const (
|
||||
// StaticCredentialsName provides a name of Static provider
|
||||
StaticCredentialsName = "StaticCredentials"
|
||||
)
|
||||
|
||||
// StaticCredentialsEmptyError is emitted when static credentials are empty.
|
||||
type StaticCredentialsEmptyError struct{}
|
||||
|
||||
func (*StaticCredentialsEmptyError) Error() string {
|
||||
return "static credentials are empty"
|
||||
}
|
||||
|
||||
// A StaticCredentialsProvider is a set of credentials which are set, and will
|
||||
// never expire.
|
||||
type StaticCredentialsProvider struct {
|
||||
Value aws.Credentials
|
||||
}
|
||||
|
||||
// NewStaticCredentialsProvider return a StaticCredentialsProvider initialized with the AWS
|
||||
// credentials passed in.
|
||||
func NewStaticCredentialsProvider(key, secret, session string) StaticCredentialsProvider {
|
||||
return StaticCredentialsProvider{
|
||||
Value: aws.Credentials{
|
||||
AccessKeyID: key,
|
||||
SecretAccessKey: secret,
|
||||
SessionToken: session,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieve returns the credentials or error if the credentials are invalid.
|
||||
func (s StaticCredentialsProvider) Retrieve(_ context.Context) (aws.Credentials, error) {
|
||||
v := s.Value
|
||||
if v.AccessKeyID == "" || v.SecretAccessKey == "" {
|
||||
return aws.Credentials{
|
||||
Source: StaticCredentialsName,
|
||||
}, &StaticCredentialsEmptyError{}
|
||||
}
|
||||
|
||||
if len(v.Source) == 0 {
|
||||
v.Source = StaticCredentialsName
|
||||
}
|
||||
|
||||
return v, nil
|
||||
}
|
302
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go
generated
vendored
Normal file
302
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/assume_role_provider.go
generated
vendored
Normal file
@ -0,0 +1,302 @@
|
||||
// Package stscreds are credential Providers to retrieve STS AWS credentials.
|
||||
//
|
||||
// STS provides multiple ways to retrieve credentials which can be used when making
|
||||
// future AWS service API operation calls.
|
||||
//
|
||||
// The SDK will ensure that per instance of credentials.Credentials all requests
|
||||
// to refresh the credentials will be synchronized. But, the SDK is unable to
|
||||
// ensure synchronous usage of the AssumeRoleProvider if the value is shared
|
||||
// between multiple Credentials or service clients.
|
||||
//
|
||||
// Assume Role
|
||||
//
|
||||
// To assume an IAM role using STS with the SDK you can create a new Credentials
|
||||
// with the SDKs's stscreds package.
|
||||
//
|
||||
// // Initial credentials loaded from SDK's default credential chain. Such as
|
||||
// // the environment, shared credentials (~/.aws/credentials), or EC2 Instance
|
||||
// // Role. These credentials will be used to to make the STS Assume Role API.
|
||||
// cfg, err := config.LoadDefaultConfig(context.TODO())
|
||||
// if err != nil {
|
||||
// panic(err)
|
||||
// }
|
||||
//
|
||||
// // Create the credentials from AssumeRoleProvider to assume the role
|
||||
// // referenced by the "myRoleARN" ARN.
|
||||
// stsSvc := sts.NewFromConfig(cfg)
|
||||
// creds := stscreds.NewAssumeRoleProvider(stsSvc, "myRoleArn")
|
||||
//
|
||||
// cfg.Credentials = aws.NewCredentialsCache(creds)
|
||||
//
|
||||
// // Create service client value configured for credentials
|
||||
// // from assumed role.
|
||||
// svc := s3.NewFromConfig(cfg)
|
||||
//
|
||||
// Assume Role with custom MFA Token provider
|
||||
//
|
||||
// To assume an IAM role with a MFA token you can either specify a custom MFA
|
||||
// token provider or use the SDK's built in StdinTokenProvider that will prompt
|
||||
// the user for a token code each time the credentials need to to be refreshed.
|
||||
// Specifying a custom token provider allows you to control where the token
|
||||
// code is retrieved from, and how it is refreshed.
|
||||
//
|
||||
// With a custom token provider, the provider is responsible for refreshing the
|
||||
// token code when called.
|
||||
//
|
||||
// cfg, err := config.LoadDefaultConfig(context.TODO())
|
||||
// if err != nil {
|
||||
// panic(err)
|
||||
// }
|
||||
//
|
||||
// staticTokenProvider := func() (string, error) {
|
||||
// return someTokenCode, nil
|
||||
// }
|
||||
//
|
||||
// // Create the credentials from AssumeRoleProvider to assume the role
|
||||
// // referenced by the "myRoleARN" ARN using the MFA token code provided.
|
||||
// creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), "myRoleArn", func(o *stscreds.AssumeRoleOptions) {
|
||||
// o.SerialNumber = aws.String("myTokenSerialNumber")
|
||||
// o.TokenProvider = staticTokenProvider
|
||||
// })
|
||||
//
|
||||
// cfg.Credentials = aws.NewCredentialsCache(creds)
|
||||
//
|
||||
// // Create service client value configured for credentials
|
||||
// // from assumed role.
|
||||
// svc := s3.NewFromConfig(cfg)
|
||||
//
|
||||
// Assume Role with MFA Token Provider
|
||||
//
|
||||
// To assume an IAM role with MFA for longer running tasks where the credentials
|
||||
// may need to be refreshed setting the TokenProvider field of AssumeRoleProvider
|
||||
// will allow the credential provider to prompt for new MFA token code when the
|
||||
// role's credentials need to be refreshed.
|
||||
//
|
||||
// The StdinTokenProvider function is available to prompt on stdin to retrieve
|
||||
// the MFA token code from the user. You can also implement custom prompts by
|
||||
// satisfying the TokenProvider function signature.
|
||||
//
|
||||
// Using StdinTokenProvider with multiple AssumeRoleProviders, or Credentials will
|
||||
// have undesirable results as the StdinTokenProvider will not be synchronized. A
|
||||
// single Credentials with an AssumeRoleProvider can be shared safely.
|
||||
//
|
||||
// cfg, err := config.LoadDefaultConfig(context.TODO())
|
||||
// if err != nil {
|
||||
// panic(err)
|
||||
// }
|
||||
//
|
||||
// // Create the credentials from AssumeRoleProvider to assume the role
|
||||
// // referenced by the "myRoleARN" ARN using the MFA token code provided.
|
||||
// creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), "myRoleArn", func(o *stscreds.AssumeRoleOptions) {
|
||||
// o.SerialNumber = aws.String("myTokenSerialNumber")
|
||||
// o.TokenProvider = stscreds.StdinTokenProvider
|
||||
// })
|
||||
//
|
||||
// cfg.Credentials = aws.NewCredentialsCache(creds)
|
||||
//
|
||||
// // Create service client value configured for credentials
|
||||
// // from assumed role.
|
||||
// svc := s3.NewFromConfig(cfg)
|
||||
package stscreds
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/service/sts"
|
||||
"github.com/aws/aws-sdk-go-v2/service/sts/types"
|
||||
)
|
||||
|
||||
// StdinTokenProvider will prompt on stdout and read from stdin for a string value.
|
||||
// An error is returned if reading from stdin fails.
|
||||
//
|
||||
// Use this function go read MFA tokens from stdin. The function makes no attempt
|
||||
// to make atomic prompts from stdin across multiple gorouties.
|
||||
//
|
||||
// Using StdinTokenProvider with multiple AssumeRoleProviders, or Credentials will
|
||||
// have undesirable results as the StdinTokenProvider will not be synchronized. A
|
||||
// single Credentials with an AssumeRoleProvider can be shared safely
|
||||
//
|
||||
// Will wait forever until something is provided on the stdin.
|
||||
func StdinTokenProvider() (string, error) {
|
||||
var v string
|
||||
fmt.Printf("Assume Role MFA token code: ")
|
||||
_, err := fmt.Scanln(&v)
|
||||
|
||||
return v, err
|
||||
}
|
||||
|
||||
// ProviderName provides a name of AssumeRole provider
|
||||
const ProviderName = "AssumeRoleProvider"
|
||||
|
||||
// AssumeRoleAPIClient is a client capable of the STS AssumeRole operation.
|
||||
type AssumeRoleAPIClient interface {
|
||||
AssumeRole(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error)
|
||||
}
|
||||
|
||||
// DefaultDuration is the default amount of time in minutes that the credentials
|
||||
// will be valid for.
|
||||
var DefaultDuration = time.Duration(15) * time.Minute
|
||||
|
||||
// AssumeRoleProvider retrieves temporary credentials from the STS service, and
|
||||
// keeps track of their expiration time.
|
||||
//
|
||||
// This credential provider will be used by the SDKs default credential change
|
||||
// when shared configuration is enabled, and the shared config or shared credentials
|
||||
// file configure assume role. See Session docs for how to do this.
|
||||
//
|
||||
// AssumeRoleProvider does not provide any synchronization and it is not safe
|
||||
// to share this value across multiple Credentials, Sessions, or service clients
|
||||
// without also sharing the same Credentials instance.
|
||||
type AssumeRoleProvider struct {
|
||||
options AssumeRoleOptions
|
||||
}
|
||||
|
||||
// AssumeRoleOptions is the configurable options for AssumeRoleProvider
|
||||
type AssumeRoleOptions struct {
|
||||
// Client implementation of the AssumeRole operation. Required
|
||||
Client AssumeRoleAPIClient
|
||||
|
||||
// IAM Role ARN to be assumed. Required
|
||||
RoleARN string
|
||||
|
||||
// Session name, if you wish to uniquely identify this session.
|
||||
RoleSessionName string
|
||||
|
||||
// Expiry duration of the STS credentials. Defaults to 15 minutes if not set.
|
||||
Duration time.Duration
|
||||
|
||||
// Optional ExternalID to pass along, defaults to nil if not set.
|
||||
ExternalID *string
|
||||
|
||||
// The policy plain text must be 2048 bytes or shorter. However, an internal
|
||||
// conversion compresses it into a packed binary format with a separate limit.
|
||||
// The PackedPolicySize response element indicates by percentage how close to
|
||||
// the upper size limit the policy is, with 100% equaling the maximum allowed
|
||||
// size.
|
||||
Policy *string
|
||||
|
||||
// The ARNs of IAM managed policies you want to use as managed session policies.
|
||||
// The policies must exist in the same account as the role.
|
||||
//
|
||||
// This parameter is optional. You can provide up to 10 managed policy ARNs.
|
||||
// However, the plain text that you use for both inline and managed session
|
||||
// policies can't exceed 2,048 characters.
|
||||
//
|
||||
// An AWS conversion compresses the passed session policies and session tags
|
||||
// into a packed binary format that has a separate limit. Your request can fail
|
||||
// for this limit even if your plain text meets the other requirements. The
|
||||
// PackedPolicySize response element indicates by percentage how close the policies
|
||||
// and tags for your request are to the upper size limit.
|
||||
//
|
||||
// Passing policies to this operation returns new temporary credentials. The
|
||||
// resulting session's permissions are the intersection of the role's identity-based
|
||||
// policy and the session policies. You can use the role's temporary credentials
|
||||
// in subsequent AWS API calls to access resources in the account that owns
|
||||
// the role. You cannot use session policies to grant more permissions than
|
||||
// those allowed by the identity-based policy of the role that is being assumed.
|
||||
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
|
||||
// in the IAM User Guide.
|
||||
PolicyARNs []types.PolicyDescriptorType
|
||||
|
||||
// The identification number of the MFA device that is associated with the user
|
||||
// who is making the AssumeRole call. Specify this value if the trust policy
|
||||
// of the role being assumed includes a condition that requires MFA authentication.
|
||||
// The value is either the serial number for a hardware device (such as GAHT12345678)
|
||||
// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
|
||||
SerialNumber *string
|
||||
|
||||
// Async method of providing MFA token code for assuming an IAM role with MFA.
|
||||
// The value returned by the function will be used as the TokenCode in the Retrieve
|
||||
// call. See StdinTokenProvider for a provider that prompts and reads from stdin.
|
||||
//
|
||||
// This token provider will be called when ever the assumed role's
|
||||
// credentials need to be refreshed when SerialNumber is set.
|
||||
TokenProvider func() (string, error)
|
||||
|
||||
// A list of session tags that you want to pass. Each session tag consists of a key
|
||||
// name and an associated value. For more information about session tags, see
|
||||
// Tagging STS Sessions
|
||||
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
|
||||
// IAM User Guide. This parameter is optional. You can pass up to 50 session tags.
|
||||
Tags []types.Tag
|
||||
|
||||
// A list of keys for session tags that you want to set as transitive. If you set a
|
||||
// tag key as transitive, the corresponding key and value passes to subsequent
|
||||
// sessions in a role chain. For more information, see Chaining Roles with Session
|
||||
// Tags
|
||||
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
|
||||
// in the IAM User Guide. This parameter is optional.
|
||||
TransitiveTagKeys []string
|
||||
}
|
||||
|
||||
// NewAssumeRoleProvider constructs and returns a credentials provider that
|
||||
// will retrieve credentials by assuming a IAM role using STS.
|
||||
func NewAssumeRoleProvider(client AssumeRoleAPIClient, roleARN string, optFns ...func(*AssumeRoleOptions)) *AssumeRoleProvider {
|
||||
o := AssumeRoleOptions{
|
||||
Client: client,
|
||||
RoleARN: roleARN,
|
||||
}
|
||||
|
||||
for _, fn := range optFns {
|
||||
fn(&o)
|
||||
}
|
||||
|
||||
return &AssumeRoleProvider{
|
||||
options: o,
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieve generates a new set of temporary credentials using STS.
|
||||
func (p *AssumeRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
|
||||
// Apply defaults where parameters are not set.
|
||||
if len(p.options.RoleSessionName) == 0 {
|
||||
// Try to work out a role name that will hopefully end up unique.
|
||||
p.options.RoleSessionName = fmt.Sprintf("aws-go-sdk-%d", time.Now().UTC().UnixNano())
|
||||
}
|
||||
if p.options.Duration == 0 {
|
||||
// Expire as often as AWS permits.
|
||||
p.options.Duration = DefaultDuration
|
||||
}
|
||||
input := &sts.AssumeRoleInput{
|
||||
DurationSeconds: aws.Int32(int32(p.options.Duration / time.Second)),
|
||||
PolicyArns: p.options.PolicyARNs,
|
||||
RoleArn: aws.String(p.options.RoleARN),
|
||||
RoleSessionName: aws.String(p.options.RoleSessionName),
|
||||
ExternalId: p.options.ExternalID,
|
||||
Tags: p.options.Tags,
|
||||
TransitiveTagKeys: p.options.TransitiveTagKeys,
|
||||
}
|
||||
if p.options.Policy != nil {
|
||||
input.Policy = p.options.Policy
|
||||
}
|
||||
if p.options.SerialNumber != nil {
|
||||
if p.options.TokenProvider != nil {
|
||||
input.SerialNumber = p.options.SerialNumber
|
||||
code, err := p.options.TokenProvider()
|
||||
if err != nil {
|
||||
return aws.Credentials{}, err
|
||||
}
|
||||
input.TokenCode = aws.String(code)
|
||||
} else {
|
||||
return aws.Credentials{}, fmt.Errorf("assume role with MFA enabled, but TokenProvider is not set")
|
||||
}
|
||||
}
|
||||
|
||||
resp, err := p.options.Client.AssumeRole(ctx, input)
|
||||
if err != nil {
|
||||
return aws.Credentials{Source: ProviderName}, err
|
||||
}
|
||||
|
||||
return aws.Credentials{
|
||||
AccessKeyID: *resp.Credentials.AccessKeyId,
|
||||
SecretAccessKey: *resp.Credentials.SecretAccessKey,
|
||||
SessionToken: *resp.Credentials.SessionToken,
|
||||
Source: ProviderName,
|
||||
|
||||
CanExpire: true,
|
||||
Expires: *resp.Credentials.Expiration,
|
||||
}, nil
|
||||
}
|
127
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
generated
vendored
Normal file
127
vendor/github.com/aws/aws-sdk-go-v2/credentials/stscreds/web_identity_provider.go
generated
vendored
Normal file
@ -0,0 +1,127 @@
|
||||
package stscreds
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"strconv"
|
||||
|
||||
"github.com/aws/aws-sdk-go-v2/aws"
|
||||
"github.com/aws/aws-sdk-go-v2/aws/retry"
|
||||
"github.com/aws/aws-sdk-go-v2/internal/sdk"
|
||||
"github.com/aws/aws-sdk-go-v2/service/sts"
|
||||
"github.com/aws/aws-sdk-go-v2/service/sts/types"
|
||||
)
|
||||
|
||||
var invalidIdentityTokenExceptionCode = (&types.InvalidIdentityTokenException{}).ErrorCode()
|
||||
|
||||
const (
|
||||
// WebIdentityProviderName is the web identity provider name
|
||||
WebIdentityProviderName = "WebIdentityCredentials"
|
||||
)
|
||||
|
||||
// AssumeRoleWithWebIdentityAPIClient is a client capable of the STS AssumeRoleWithWebIdentity operation.
|
||||
type AssumeRoleWithWebIdentityAPIClient interface {
|
||||
AssumeRoleWithWebIdentity(ctx context.Context, params *sts.AssumeRoleWithWebIdentityInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleWithWebIdentityOutput, error)
|
||||
}
|
||||
|
||||
// WebIdentityRoleProvider is used to retrieve credentials using
|
||||
// an OIDC token.
|
||||
type WebIdentityRoleProvider struct {
|
||||
options WebIdentityRoleOptions
|
||||
}
|
||||
|
||||
// WebIdentityRoleOptions is a structure of configurable options for WebIdentityRoleProvider
|
||||
type WebIdentityRoleOptions struct {
|
||||
// Client implementation of the AssumeRoleWithWebIdentity operation. Required
|
||||
Client AssumeRoleWithWebIdentityAPIClient
|
||||
|
||||
// JWT Token Provider. Required
|
||||
TokenRetriever IdentityTokenRetriever
|
||||
|
||||
// IAM Role ARN to assume. Required
|
||||
RoleARN string
|
||||
|
||||
// Session name, if you wish to uniquely identify this session.
|
||||
RoleSessionName string
|
||||
|
||||
// The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
||||
// want to use as managed session policies. The policies must exist in the
|
||||
// same account as the role.
|
||||
PolicyARNs []types.PolicyDescriptorType
|
||||
}
|
||||
|
||||
// IdentityTokenRetriever is an interface for retrieving a JWT
|
||||
type IdentityTokenRetriever interface {
|
||||
GetIdentityToken() ([]byte, error)
|
||||
}
|
||||
|
||||
// IdentityTokenFile is for retrieving an identity token from the given file name
|
||||
type IdentityTokenFile string
|
||||
|
||||
// GetIdentityToken retrieves the JWT token from the file and returns the contents as a []byte
|
||||
func (j IdentityTokenFile) GetIdentityToken() ([]byte, error) {
|
||||
b, err := ioutil.ReadFile(string(j))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to read file at %s: %v", string(j), err)
|
||||
}
|
||||
|
||||
return b, nil
|
||||
}
|
||||
|
||||
// NewWebIdentityRoleProvider will return a new WebIdentityRoleProvider with the
|
||||
// provided stsiface.ClientAPI
|
||||
func NewWebIdentityRoleProvider(client AssumeRoleWithWebIdentityAPIClient, roleARN string, tokenRetriever IdentityTokenRetriever, optFns ...func(*WebIdentityRoleOptions)) *WebIdentityRoleProvider {
|
||||
o := WebIdentityRoleOptions{
|
||||
Client: client,
|
||||
RoleARN: roleARN,
|
||||
TokenRetriever: tokenRetriever,
|
||||
}
|
||||
|
||||
for _, fn := range optFns {
|
||||
fn(&o)
|
||||
}
|
||||
|
||||
return &WebIdentityRoleProvider{options: o}
|
||||
}
|
||||
|
||||
// Retrieve will attempt to assume a role from a token which is located at
|
||||
// 'WebIdentityTokenFilePath' specified destination and if that is empty an
|
||||
// error will be returned.
|
||||
func (p *WebIdentityRoleProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
|
||||
b, err := p.options.TokenRetriever.GetIdentityToken()
|
||||
if err != nil {
|
||||
return aws.Credentials{}, fmt.Errorf("failed to retrieve jwt from provide source, %w", err)
|
||||
}
|
||||
|
||||
sessionName := p.options.RoleSessionName
|
||||
if len(sessionName) == 0 {
|
||||
// session name is used to uniquely identify a session. This simply
|
||||
// uses unix time in nanoseconds to uniquely identify sessions.
|
||||
sessionName = strconv.FormatInt(sdk.NowTime().UnixNano(), 10)
|
||||
}
|
||||
resp, err := p.options.Client.AssumeRoleWithWebIdentity(ctx, &sts.AssumeRoleWithWebIdentityInput{
|
||||
PolicyArns: p.options.PolicyARNs,
|
||||
RoleArn: &p.options.RoleARN,
|
||||
RoleSessionName: &sessionName,
|
||||
WebIdentityToken: aws.String(string(b)),
|
||||
}, func(options *sts.Options) {
|
||||
options.Retryer = retry.AddWithErrorCodes(options.Retryer, invalidIdentityTokenExceptionCode)
|
||||
})
|
||||
if err != nil {
|
||||
return aws.Credentials{}, fmt.Errorf("failed to retrieve credentials, %w", err)
|
||||
}
|
||||
|
||||
// InvalidIdentityToken error is a temporary error that can occur
|
||||
// when assuming an Role with a JWT web identity token.
|
||||
|
||||
value := aws.Credentials{
|
||||
AccessKeyID: aws.ToString(resp.Credentials.AccessKeyId),
|
||||
SecretAccessKey: aws.ToString(resp.Credentials.SecretAccessKey),
|
||||
SessionToken: aws.ToString(resp.Credentials.SessionToken),
|
||||
Source: WebIdentityProviderName,
|
||||
CanExpire: true,
|
||||
Expires: *resp.Credentials.Expiration,
|
||||
}
|
||||
return value, nil
|
||||
}
|
Reference in New Issue
Block a user