
refactor STS into util

CC @DavidBlooman

hopefully this still works haha
tj committed Dec 23, 2016
1 parent 09ce0c4 commit 097d56d0d687f6bf2cb395a9164fe5b834e1cdcd
Showing with 30 additions and 30 deletions.
  1. +4 −18 cmd/apex/root/root.go
  2. +3 −8 docs/aws-credentials.md
  3. +23 −4 utils/utils.go
@@ -7,7 +7,7 @@ import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/lambda"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/pkg/errors"
"github.com/tj/cobra"

"github.com/apex/apex/dryrun"
@@ -141,25 +141,11 @@ func Prepare(c *cobra.Command, args []string) error {
}

if iamrole != "" {
stscreds := sts.New(session.New(Config))

stsparams := &sts.AssumeRoleInput{
RoleArn: aws.String(iamrole),
RoleSessionName: aws.String("apex"),
DurationSeconds: aws.Int64(1800),
}

stsresp, err := stscreds.AssumeRole(stsparams)

config, err := utils.AssumeRole(iamrole, Config)
if err != nil {
return err
return errors.Wrap(err, "assuming role")
}

Config = utils.UseTempCredentials(
region,
*stsresp.Credentials.AccessKeyId,
*stsresp.Credentials.SecretAccessKey,
*stsresp.Credentials.SessionToken)
Config = config
}

Session = session.New(Config)
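Review bot: The region used for the assumed-role configuration has changed source: the removed code passed the `region` flag into `UseTempCredentials`, while the new `utils.AssumeRole(iamrole, Config)` call copies `Config.Region` instead. If `Config.Region` is not populated from the `region` flag before this point in `Prepare`, the assumed-role credentials end up with a nil region and every later AWS call fails late rather than here; worth confirming against the code above the hunk. A one-line comment on the call would make the dependency explicit: `// Config must already carry Region; AssumeRole copies it into the returned config.` Prepare's body starts and ends outside this hunk.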
@@ -52,14 +52,7 @@ You may store the profile name in the project.json file itself as shown in the f

## Via IAM Role

Using an IAM role can be achieved in two ways, via an environment variable or via a command line flag. As with other Apex credential loading, the command line flag will supersede the environment variable.

The ARN format for both command line and environment variable is arn:aws:iam::000000000:role/role_name

Using environment variable only, specify the following:

AWS_ROLE AWS ARN
Use an IAM role via the command line with the -i or --iamrole flag.
Using an IAM role can be achieved in two ways, via the __AWS_ROLE__ environment variable or via a command line flag `--iamrole`. As with other Apex credential loading, the command line flag will supersede the environment variable.

## Precedence

@@ -71,6 +64,7 @@ Precedence for loading the AWS credentials is:
- profile named "default"

## Minimum IAM Policy

Below is a policy for AWS [Identity and Access Management](http://aws.amazon.com/iam/) which provides the minimum privileges needed to use Apex to manage your Lambda functions.

```json
@@ -105,6 +99,7 @@ Below is a policy for AWS [Identity and Access Management](http://aws.amazon.com
```

### Additional minimum IAM Policy to set VPC for Lambda

The following additional policies are needed to set VPC for your Lambda functions.

```json
@@ -14,6 +14,8 @@ import (
"github.com/Unknwon/goconfig"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/mitchellh/go-homedir"
"github.com/rliebling/gitignorer"
)
@@ -156,10 +158,27 @@ func ProfileFromConfig(environment string) (string, error) {
return v.Profile, nil
}

// UseTempCredentials creates a credentials object
func UseTempCredentials(region, id, secret, token string) *aws.Config {
// AssumeRole uses STS to assume the given `role`.
func AssumeRole(role string, config *aws.Config) (*aws.Config, error) {
stscreds := sts.New(session.New(config))

params := &sts.AssumeRoleInput{
RoleArn: &role,
RoleSessionName: aws.String("apex"),
DurationSeconds: aws.Int64(1800),
}

res, err := stscreds.AssumeRole(params)
if err != nil {
return nil, err
}

id := *res.Credentials.AccessKeyId
secret := *res.Credentials.SecretAccessKey
token := *res.Credentials.SessionToken

return &aws.Config{
Region: aws.String(region),
Region: config.Region,
Credentials: credentials.NewStaticCredentials(id, secret, token),
}
}, nil
}
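Review bot: The dereferences of `*res.Credentials.AccessKeyId`, `SecretAccessKey` and `SessionToken` assume `res.Credentials` is non-nil; a guard such as `if res.Credentials == nil { return nil, fmt.Errorf("assuming role %q: no credentials returned", role) }` before them turns a potential panic into an error the caller already handles (it needs an `fmt` or `errors` import if the file lacks one). Separately, `RoleSessionName` is fixed to `"apex"`, and that value is what CloudTrail records for every action taken under the assumed role, so different operators sharing the role are indistinguishable in the audit trail; exposing it as a parameter or deriving it from the local user is worth considering. The returned `aws.Config` carries only `Region` and `Credentials` from the input `config`, so any other settings on the caller's config (endpoint, HTTP client, logging) are dropped silently — if that is intended, the doc comment should say so, e.g. `// AssumeRole uses STS to assume the given role and returns a new config carrying only the caller's Region and the temporary credentials.`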

1 comment on commit 097d56d

@dblooman



commented on 097d56d Dec 31, 2016

Still works @tj 😄

One more release in 2016 with this in?
