package aws
import (
	"context"
	"errors"

	awsV2 "github.com/aws/aws-sdk-go-v2/aws"
	configV2 "github.com/aws/aws-sdk-go-v2/config"
	credentialsV2 "github.com/aws/aws-sdk-go-v2/credentials"
	stscredsV2 "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
	"github.com/aws/aws-sdk-go-v2/service/sts"
)
// CredentialConfig holds the AWS connection settings read from a plugin's TOML
// configuration. Credentials() turns it into an aws.Config; which fields are
// consulted depends on whether RoleARN is set.
type CredentialConfig struct {
	// Region is passed to the SDK as the default region.
	Region string `toml:"region"`
	// AccessKey and SecretKey form a static credential pair. When either is
	// non-empty a static provider built from both (plus Token) is installed and
	// takes precedence over Profile/Filename. Long-lived keys in a config file
	// are the weakest option; prefer a profile, an instance/task role, or
	// web identity where possible.
	AccessKey string `toml:"access_key"`
	SecretKey string `toml:"secret_key"`
	// RoleARN, when non-empty, makes the base credentials serve only to call
	// STS and assume this role; the returned config then carries the
	// assumed-role credentials.
	RoleARN string `toml:"role_arn"`
	// Profile selects a profile from the shared config/credentials files.
	Profile string `toml:"profile"`
	// Filename overrides the path of the shared credentials file.
	Filename string `toml:"shared_credential_file"`
	// Token is passed as the session token alongside the static key pair
	// (optional; only meaningful for temporary credentials).
	Token string `toml:"token"`
	// EndpointURL, when non-empty, replaces the SDK endpoint for every client
	// built from this config — including the STS client used for RoleARN,
	// since the resolver ignores which service asks.
	EndpointURL string `toml:"endpoint_url"`
	// RoleSessionName is applied to the AssumeRole / AssumeRoleWithWebIdentity
	// request when non-empty; otherwise the SDK default applies.
	RoleSessionName string `toml:"role_session_name"`
	// WebIdentityTokenFile, when non-empty together with RoleARN, switches role
	// assumption to AssumeRoleWithWebIdentity; the SDK reads the identity token
	// from this file path.
	WebIdentityTokenFile string `toml:"web_identity_token_file"`
}
// Credentials resolves the configured settings into an aws.Config.
//
// Without role_arn the config built from the static/profile/shared-file
// settings is returned directly. With role_arn those base credentials are
// used only to call STS, and the returned config carries the assumed-role
// credentials instead. Errors from the SDK config loader are passed through.
func (c *CredentialConfig) Credentials() (awsV2.Config, error) {
	if c.RoleARN == "" {
		return c.rootCredentials()
	}
	return c.assumeCredentials()
}
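// rootCredentials builds the base aws.Config from c without assuming any role.
//
// The returned config is also what assumeCredentials hands to its STS client,
// so every option set here (region, custom endpoint, profile, shared
// credentials file, static keys) applies to the STS call as well.
//
// Precedence: a static key pair installed via WithCredentialsProvider takes
// precedence over the Profile and Filename sources. A half-filled pair (only
// one of access_key/secret_key set) is rejected here as a configuration error;
// previously it was accepted at load time and only failed later, at the first
// credential retrieval, with an error from the static provider.
//
// Returns the loaded aws.Config, or an error from the static-pair check or the
// SDK's default config loader.
func (c *CredentialConfig) rootCredentials() (awsV2.Config, error) {
	// A static key pair is all-or-nothing; surface a partial pair at load time
	// rather than as an opaque retrieval failure later.
	if (c.AccessKey == "") != (c.SecretKey == "") {
		return awsV2.Config{}, errors.New("aws credentials: access_key and secret_key must both be set or both be empty")
	}

	options := []func(*configV2.LoadOptions) error{
		configV2.WithRegion(c.Region),
	}

	if c.EndpointURL != "" {
		// The resolver ignores the service and region it is asked about and
		// always answers with the configured URL, so every client built from
		// this config — including the STS client used for role assumption —
		// is sent to endpoint_url. HostnameImmutable asks the SDK to use the
		// host exactly as given rather than rewriting it.
		// NOTE(review): newer SDK releases deprecate WithEndpointResolver in
		// favor of WithEndpointResolverWithOptions — confirm against the
		// vendored SDK version before switching.
		resolver := awsV2.EndpointResolverFunc(func(service, region string) (awsV2.Endpoint, error) {
			return awsV2.Endpoint{
				URL:               c.EndpointURL,
				HostnameImmutable: true,
				Source:            awsV2.EndpointSourceCustom,
			}, nil
		})
		options = append(options, configV2.WithEndpointResolver(resolver))
	}

	if c.Profile != "" {
		options = append(options, configV2.WithSharedConfigProfile(c.Profile))
	}
	if c.Filename != "" {
		options = append(options, configV2.WithSharedCredentialsFiles([]string{c.Filename}))
	}

	if c.AccessKey != "" {
		// Both keys are present (checked above). Token is the optional session
		// token and may be empty. Static keys in a config file are the weakest
		// credential source; prefer a profile, an instance/task role, or web
		// identity where the deployment allows it.
		provider := credentialsV2.NewStaticCredentialsProvider(c.AccessKey, c.SecretKey, c.Token)
		options = append(options, configV2.WithCredentialsProvider(provider))
	}

	return configV2.LoadDefaultConfig(context.Background(), options...)
}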
// assumeCredentials builds an aws.Config whose credentials come from assuming
// RoleARN.
//
// The base config from rootCredentials supplies the STS client, so the base
// credentials, region and any custom endpoint_url are what the STS call uses
// (the custom resolver does not distinguish services). When
// WebIdentityTokenFile is set the role is assumed with
// AssumeRoleWithWebIdentity using the token in that file; otherwise plain
// AssumeRole with the base credentials is used. RoleSessionName is applied in
// either case when non-empty. The resulting provider is wrapped in a
// credentials cache and replaces the base config's Credentials; the rest of
// the base config is returned unchanged.
//
// Returns the config, or the error from rootCredentials.
func (c *CredentialConfig) assumeCredentials() (awsV2.Config, error) {
	base, err := c.rootCredentials()
	if err != nil {
		return awsV2.Config{}, err
	}

	stsClient := sts.NewFromConfig(base)

	var roleProvider awsV2.CredentialsProvider
	switch {
	case c.WebIdentityTokenFile != "":
		roleProvider = stscredsV2.NewWebIdentityRoleProvider(
			stsClient,
			c.RoleARN,
			stscredsV2.IdentityTokenFile(c.WebIdentityTokenFile),
			func(o *stscredsV2.WebIdentityRoleOptions) {
				if c.RoleSessionName != "" {
					o.RoleSessionName = c.RoleSessionName
				}
			},
		)
	default:
		roleProvider = stscredsV2.NewAssumeRoleProvider(
			stsClient,
			c.RoleARN,
			func(o *stscredsV2.AssumeRoleOptions) {
				if c.RoleSessionName != "" {
					o.RoleSessionName = c.RoleSessionName
				}
			},
		)
	}

	// Cache the assumed-role credentials so each client call does not
	// re-invoke STS.
	base.Credentials = awsV2.NewCredentialsCache(roleProvider)
	return base, nil
}