package ofa
import (
	"errors"
	"path/filepath"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/aws/aws-sdk-go/service/sts"
	"github.com/go-ini/ini"
	log "github.com/sirupsen/logrus"
)
// init builds the package-wide AWS session and the STS client that
// AssumeAwsRole uses. The shared config file (~/.aws/config) is not
// consulted (SharedConfigDisable); verbose credential-chain errors are on so
// a misconfigured environment produces an actionable message.
//
// NOTE(review): no region is set here, so the STS endpoint is whatever the
// environment (e.g. AWS_REGION) or the SDK default resolves to — confirm
// whether a regional STS endpoint should be pinned. AssumeRoleWithSAML is
// presumably an unsigned call, so no ambient credentials are needed for it;
// verify against the SDK version in use.
func init() {
	cfg := aws.NewConfig().WithCredentialsChainVerboseErrors(true)
	opts := session.Options{
		Config:            *cfg,
		SharedConfigState: session.SharedConfigDisable,
	}

	sess, err := session.NewSessionWithOptions(opts)
	if err != nil {
		// Without a session nothing in this package can work; fail at startup.
		log.Panicf("Could not create AWS Session: %v", err)
	}
	awsSession = sess
	stsClient = sts.New(awsSession)
}
// INI key names that WriteAwsCredentials emits into the selected profile
// section of the credentials file. Exactly these three keys are written;
// anything else in the section is removed first.
const (
awsAccessKeyId = "aws_access_key_id"
awsSecretAccessKey = "aws_secret_access_key"
awsSessionToken = "aws_session_token"
)
// Process-wide AWS session and STS client. Both are populated once by init()
// and then only read: every AssumeAwsRole call goes through stsClient.
var (
awsSession *session.Session
stsClient *sts.STS
)
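// AssumeAwsRole exchanges a SAML assertion for temporary AWS credentials by
// calling STS AssumeRoleWithSAML for the role/principal pair in role.
//
// samlResponse is presumably the base64 SAML assertion as returned by the IdP
// (STS expects it base64-encoded); treat it as a secret — anyone holding it can
// repeat this exchange. It is placed in the request only and is never logged.
// sessionTime, when non-nil, is sent as DurationSeconds; nil leaves the STS
// default in place. Client-side Validate() runs before the call.
//
// The result is a static credential snapshot: the Expiration STS reports is
// not carried into the *credentials.Credentials, so callers cannot query when
// the session ends.
//
// Returns an error when either pointer argument is nil, when validation fails,
// when STS rejects the call, or when the response lacks a credential set.
func AssumeAwsRole(samlResponse *string, role *samlAwsRole, sessionTime *int64) (*credentials.Credentials, error) {
	// Surface caller bugs as errors instead of nil dereferences in a credential path.
	if role == nil {
		return nil, errors.New("AssumeAwsRole: role is nil")
	}
	if samlResponse == nil {
		return nil, errors.New("AssumeAwsRole: SAML response is nil")
	}
	Information("**** Assuming AWS role '%s'", role.RoleArn)

	input := &sts.AssumeRoleWithSAMLInput{}
	if sessionTime != nil {
		input.SetDurationSeconds(*sessionTime)
	}
	err := input.
		SetPrincipalArn(role.PrincipalArn.String()).
		SetRoleArn(role.RoleArn.String()).
		SetSAMLAssertion(*samlResponse).
		Validate()
	if err != nil {
		return nil, err
	}

	req, res := stsClient.AssumeRoleWithSAMLRequest(input)
	if err = req.Send(); err != nil {
		return nil, err
	}

	// STS populates Credentials on success; guard anyway so a malformed
	// response yields an error rather than a panic on the dereferences below.
	c := res.Credentials
	if c == nil || c.AccessKeyId == nil || c.SecretAccessKey == nil || c.SessionToken == nil {
		return nil, errors.New("AssumeRoleWithSAML: response contains no credentials")
	}
	// c.Expiration is intentionally not used: static credentials carry no expiry.
	return credentials.NewStaticCredentials(*c.AccessKeyId, *c.SecretAccessKey, *c.SessionToken), nil
}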
// accountAliasFromSaml resolves the human-readable alias of the account that
// role lives in. The SAML flow itself carries no account metadata, so the
// function assumes the role (default STS session duration) and asks IAM for
// the account's aliases with those temporary credentials.
//
// Returns the first alias, or (nil, nil) when the account has none — callers
// must check for a nil *string. STS and IAM errors are returned unchanged.
//
// Side effects worth knowing: this mints a second short-lived credential set
// that stays in memory and is not written anywhere, and it presumably appears
// in CloudTrail as a separate AssumeRoleWithSAML plus ListAccountAliases, so
// the role needs iam:ListAccountAliases for this to succeed.
func accountAliasFromSaml(role *samlAwsRole, samlResponse *string) (*string, error) {
	tmpCreds, err := AssumeAwsRole(samlResponse, role, nil)
	if err != nil {
		return nil, err
	}

	// An isolated session bound to the assumed role's credentials; shared
	// config is disabled just like the package-level session.
	roleSess, err := session.NewSessionWithOptions(session.Options{
		Config: *aws.NewConfig().
			WithCredentialsChainVerboseErrors(true).
			WithCredentials(tmpCreds),
		SharedConfigState: session.SharedConfigDisable,
	})
	if err != nil {
		return nil, err
	}

	out, err := iam.New(roleSess).ListAccountAliases(&iam.ListAccountAliasesInput{})
	if err != nil {
		return nil, err
	}
	if len(out.AccountAliases) == 0 {
		return nil, nil
	}
	return out.AccountAliases[0], nil
}
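// WriteAwsCredentials stores the temporary credentials for the profile named in
// login into the shared credentials file (<homeDir>/.aws/credentials).
//
// The target profile section is emptied and rewritten with exactly
// aws_access_key_id, aws_secret_access_key and aws_session_token. Stale keys in
// that section are dropped (the okta-aws-cli-assume-role tool also wrote an
// aws_security_token entry for some really ancient versions of boto); all other
// profiles in the file are kept as loaded.
//
// Security: after this call the file holds live bearer credentials. Writing
// goes through storeFile, which is assumed to create or replace the file with
// owner-only permissions (0600) — TODO(review): confirm in storeFile. None of
// the credential values are logged here.
//
// Returns an error when either argument is nil, or on any failure loading the
// INI, reading the credential value, adding keys, or writing the file. The
// "written" message is only logged once the write actually succeeded.
func WriteAwsCredentials(login *LoginSession, cred *credentials.Credentials) error {
	if login == nil || cred == nil {
		return errors.New("WriteAwsCredentials: login session and credentials must be non-nil")
	}
	Information("**** Writing AWS credentials file")
	fileName := awsCredentialsFilename(homeDir)
	// LooseLoad ignores a nonexistent file, so a first run starts from an empty file.
	cfg, err := ini.LooseLoad(fileName)
	if err != nil {
		return err
	}

	// Clear every key in the section rather than deleting and recreating it,
	// so an existing profile keeps its position in the file.
	section := cfg.Section(login.ProfileName)
	for _, key := range section.KeyStrings() {
		section.DeleteKey(key)
	}

	v, err := cred.Get()
	if err != nil {
		return err
	}
	for _, kv := range []struct{ name, value string }{
		{awsAccessKeyId, v.AccessKeyID},
		{awsSecretAccessKey, v.SecretAccessKey},
		{awsSessionToken, v.SessionToken},
	} {
		if _, err = section.NewKey(kv.name, kv.value); err != nil {
			return err
		}
	}

	if err = storeFile(fileName, cfg.SaveTo); err != nil {
		return err
	}
	Information("**** AWS credentials file written")
	return nil
}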
// awsCredentialsFilename returns the path of the shared AWS credentials file
// beneath the given home directory, i.e. <homeDir>/.aws/credentials joined
// with the platform separator. homeDir must be non-nil.
//
// NOTE(review): AWS_SHARED_CREDENTIALS_FILE is not honoured here, so a user
// who relocated their credentials file will not see the written profile —
// confirm whether that is intended.
func awsCredentialsFilename(homeDir *string) string {
	parts := []string{*homeDir, ".aws", "credentials"}
	return filepath.Join(parts...)
}