package cmd
import (
"context"
"encoding/json"
"fmt"
"time"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/chanzuckerberg/aws-oidc/pkg/aws_config_client"
"github.com/chanzuckerberg/aws-oidc/pkg/getter"
"github.com/chanzuckerberg/go-misc/oidc_cli/oidc_impl"
oidc_client "github.com/chanzuckerberg/go-misc/oidc_cli/oidc_impl/client"
"github.com/honeycombio/beeline-go"
"github.com/pkg/errors"
"github.com/spf13/cobra"
)
// Constants for the credential_process output contract.
const (
	// credProcessVersion is the value written to the "Version" field of the
	// JSON emitted by the creds-process command.
	credProcessVersion = 1
)
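// init registers the creds-process command and its three required flags on
// the root command.
func init() {
	flags := credProcessCmd.Flags()
	flags.StringVar(&clientID, "client-id", "", "CLIENT_ID generated from the OIDC application")
	flags.StringVar(&issuerURL, "issuer-url", "", "The URL that hosts the OIDC identity provider")
	flags.StringVar(&roleARN, "aws-role-arn", "", "ARN value of role to assume")

	// MarkFlagRequired only fails when the named flag was never defined, which
	// is a programming error in this file; surface it at startup instead of
	// silently discarding the error and shipping a command whose flags are not
	// actually enforced.
	for _, name := range []string{"client-id", "issuer-url", "aws-role-arn"} {
		if err := credProcessCmd.MarkFlagRequired(name); err != nil {
			panic(errors.Wrapf(err, "marking flag %q required on creds-process", name))
		}
	}

	rootCmd.AddCommand(credProcessCmd)
}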
// credProcess is the JSON document the creds-process command prints to stdout.
// The field names and their order follow the AWS credential_process contract,
// so the JSON tags (and the declaration order) must not be changed casually.
type credProcess struct {
	// Version is the credential_process schema version (see credProcessVersion).
	Version int `json:"Version"`
	// AccessKeyID is the temporary AWS access key identifier.
	AccessKeyID string `json:"AccessKeyId"`
	// SecretAccessKey is the temporary AWS secret access key.
	SecretAccessKey string `json:"SecretAccessKey"`
	// SessionToken is the session token that accompanies the temporary key pair.
	SessionToken string `json:"SessionToken"`
	// Expiration is the credential expiry, formatted by the caller as RFC 3339.
	Expiration string `json:"Expiration"`
}
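// credProcessCmd is the cobra definition of the creds-process command. Its
// stdout is consumed by the AWS CLI/SDK credential_process setting, so the
// command must write only the credential JSON there.
var credProcessCmd = &cobra.Command{
	Use:   "creds-process",
	Short: "aws-oidc creds-process",
	// The flag names in the help text must match the flags registered in
	// init(); the issuer flag is --issuer-url, not --issuerURL.
	Long: `creds-process generates a credential_process ready output.
--client-id, --issuer-url, and --aws-role-arn flags are required`,
	RunE: credProcessRun,
}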
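// credProcessRun implements the creds-process command: it exchanges an OIDC
// token for temporary AWS credentials (STS AssumeRoleWithWebIdentity) and
// prints them to stdout in the credential_process JSON format.
//
// The credentials are written only to stdout, which is the channel the AWS
// CLI/SDK reads for credential_process; this function does not log them.
//
// args is unused: all inputs come from the command's flags. Returns any error
// from the token exchange, a missing-credentials error when STS returns no
// Credentials block, or a JSON encoding error.
func credProcessRun(cmd *cobra.Command, args []string) error {
	ctx := cmd.Context()
	if ctx == nil {
		// cobra only populates the command context when the root command is
		// run via ExecuteContext; fall back rather than pass a nil context down.
		ctx = context.Background()
	}

	assumeRoleOutput, err := assumeRole(
		ctx,
		&aws_config_client.AWSOIDCConfiguration{
			ClientID:  clientID,
			IssuerURL: issuerURL,
			RoleARN:   roleARN,
		},
		time.Hour, // default to 1 hour
	)
	if err != nil {
		return err
	}
	if assumeRoleOutput == nil || assumeRoleOutput.Credentials == nil {
		return errors.New("AssumeRoleWithWebIdentity returned no credentials")
	}
	c := assumeRoleOutput.Credentials

	// The SDK models every credential field as a pointer; treat a missing
	// field as empty instead of dereferencing nil.
	str := func(p *string) string {
		if p == nil {
			return ""
		}
		return *p
	}
	expiration := ""
	if c.Expiration != nil {
		expiration = c.Expiration.Format(time.RFC3339)
	}

	creds := credProcess{
		Version:         credProcessVersion,
		AccessKeyID:     str(c.AccessKeyId),
		SecretAccessKey: str(c.SecretAccessKey),
		SessionToken:    str(c.SessionToken),
		Expiration:      expiration,
	}
	output, err := json.MarshalIndent(creds, "", " ")
	if err != nil {
		return errors.Wrap(err, "Unable to convert current credentials to json output")
	}
	fmt.Println(string(output))
	return nil
}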
// assumeRole obtains an OIDC token for the given configuration and exchanges
// it for temporary AWS credentials for awsOIDCConfig.RoleARN, valid for
// sessionDuration. The whole exchange is wrapped in an "assumeAWSRole" trace
// span. Returns the STS output, or the first error encountered.
func assumeRole(
	ctx context.Context,
	awsOIDCConfig *aws_config_client.AWSOIDCConfiguration,
	sessionDuration time.Duration,
) (*sts.AssumeRoleWithWebIdentityOutput, error) {
	spanCtx, span := beeline.StartSpan(ctx, "assumeAWSRole")
	defer span.Send()

	token, tokenErr := getOIDCToken(spanCtx, awsOIDCConfig)
	if tokenErr != nil {
		return nil, tokenErr
	}

	roleARN := awsOIDCConfig.RoleARN
	out, err := getter.GetAWSAssumeIdentity(spanCtx, token, roleARN, sessionDuration)
	return out, err
}
// getOIDCToken fetches an OIDC token for awsOIDCConfig's client ID and issuer
// URL, inside a "get_oidc_token" trace span. The package-level successMessage
// is shown to the user on a successful login. Returns the token or the error
// from the OIDC client.
func getOIDCToken(
	ctx context.Context,
	awsOIDCConfig *aws_config_client.AWSOIDCConfiguration,
) (*oidc_client.Token, error) {
	spanCtx, span := beeline.StartSpan(ctx, "get_oidc_token")
	defer span.Send()

	cid := awsOIDCConfig.ClientID
	issuer := awsOIDCConfig.IssuerURL
	onSuccess := oidc_client.SetSuccessMessage(successMessage)

	tok, err := oidc_impl.GetToken(spanCtx, cid, issuer, onSuccess)
	return tok, err
}