-
Notifications
You must be signed in to change notification settings - Fork 94
/
assumer_aws_credential_process.go
104 lines (94 loc) · 3.27 KB
/
assumer_aws_credential_process.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
package cfaws
import (
"context"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials/processcreds"
"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
"github.com/aws/aws-sdk-go-v2/service/sts"
"gopkg.in/ini.v1"
)
// Implements Assumer using the aws credential_process standard
type CredentialProcessAssumer struct {
}
func loadCredProcessCreds(ctx context.Context, c *Profile) (aws.Credentials, error) {
var credProcessCommand string
for _, item := range c.RawConfig.Keys() {
if item.Name() == "credential_process" {
credProcessCommand = item.Value()
break
}
}
p := processcreds.NewProvider(credProcessCommand)
return p.Retrieve(ctx)
}
func (cpa *CredentialProcessAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error) {
// if the profile has parents, then we need to first use credential process to assume the root profile.
// then assume each of the chained profiles
if len(c.Parents) != 0 {
p := c.Parents[0]
creds, err := loadCredProcessCreds(ctx, p)
if err != nil {
return creds, err
}
for _, p := range c.Parents[1:] {
region, err := p.Region(ctx)
if err != nil {
return aws.Credentials{}, err
}
stsp := stscreds.NewAssumeRoleProvider(sts.New(sts.Options{Credentials: aws.NewCredentialsCache(&CredProv{creds}), Region: region}), p.AWSConfig.RoleARN, func(aro *stscreds.AssumeRoleOptions) {
if p.AWSConfig.RoleSessionName != "" {
aro.RoleSessionName = p.AWSConfig.RoleSessionName
} else {
aro.RoleSessionName = sessionName()
}
if p.AWSConfig.MFASerial != "" {
aro.SerialNumber = &p.AWSConfig.MFASerial
aro.TokenProvider = MfaTokenProvider
} else if c.AWSConfig.MFASerial != "" {
aro.SerialNumber = &c.AWSConfig.MFASerial
aro.TokenProvider = MfaTokenProvider
}
aro.Duration = configOpts.Duration
})
creds, err = stsp.Retrieve(ctx)
if err != nil {
return creds, err
}
}
region, err := c.Region(ctx)
if err != nil {
return aws.Credentials{}, err
}
stsp := stscreds.NewAssumeRoleProvider(sts.New(sts.Options{Credentials: aws.NewCredentialsCache(&CredProv{creds}), Region: region}), c.AWSConfig.RoleARN, func(aro *stscreds.AssumeRoleOptions) {
if c.AWSConfig.RoleSessionName != "" {
aro.RoleSessionName = c.AWSConfig.RoleSessionName
} else {
aro.RoleSessionName = sessionName()
}
if c.AWSConfig.MFASerial != "" {
aro.SerialNumber = &c.AWSConfig.MFASerial
aro.TokenProvider = MfaTokenProvider
}
aro.Duration = configOpts.Duration
})
return stsp.Retrieve(ctx)
}
return loadCredProcessCreds(ctx, c)
}
func (cpa *CredentialProcessAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error) {
return cpa.AssumeTerminal(ctx, c, configOpts)
}
// A unique key which identifies this assumer e.g AWS-SSO or GOOGLE-AWS-AUTH
func (cpa *CredentialProcessAssumer) Type() string {
return "AWS_CREDENTIAL_PROCESS"
}
// inspect for any credential processes with the saml2aws tool
func (cpa *CredentialProcessAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool {
for _, k := range rawProfile.KeyStrings() {
if k == "credential_process" {
return true
}
}
return false
}