package awsx
import (
	"errors"
	"flag"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/invisibl-cloud/identity-manager/pkg/util"
)
// Keys under which NewConfig looks up each Config field in its input map.
const (
	// RegionName is the map key holding the AWS region.
	RegionName = "region"
	// AccessKeyIDName is the map key holding the AWS access key id.
	AccessKeyIDName = "aws_access_key_id"
	// SecretAccessKeyName is the map key holding the AWS secret access key.
	// The constant is the key's name, not a secret value.
	// #nosec
	SecretAccessKeyName = "aws_secret_access_key"
	// RoleArnName is the map key holding the ARN of the IAM role to assume.
	RoleArnName = "role_arn"
	// ExternalIDName is the map key holding the AssumeRole external id.
	ExternalIDName = "external_id"
)
// NewConfig builds a Config from a map of raw config values keyed by the
// *Name constants of this package. Absent keys leave the matching field
// empty, unknown keys are ignored and a nil map yields the zero Config.
// SessionToken is not read from the map.
func NewConfig(m map[string][]byte) Config {
	var cfg Config
	// Each entry pairs a map key with the Config field it populates.
	fields := []struct {
		key string
		dst *string
	}{
		{RegionName, &cfg.Region},
		{AccessKeyIDName, &cfg.AccessKeyID},
		{SecretAccessKeyName, &cfg.SecretAccessKey},
		{RoleArnName, &cfg.RoleArn},
		{ExternalIDName, &cfg.ExternalID},
	}
	for _, f := range fields {
		if raw, ok := m[f.key]; ok {
			*f.dst = string(raw)
		}
	}
	return cfg
}
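// NewSession builds a *session.Session from conf.
//
// The region is conf.Region, or when that is empty the value resolved by
// util.GetEnvString from AWS_REGION / AWS_DEFAULT_REGION. When conf.RoleArn
// is set, a base session (using conf's static credentials when both
// AccessKeyID and SecretAccessKey are present, otherwise the SDK's own
// credential resolution) is used only to call STS AssumeRole; the returned
// session carries the assumed-role credentials, with conf.Name as the
// RoleSessionName and conf.ExternalID, when set, as the ExternalId. Without a
// RoleArn the static credentials, if any, are used directly.
//
// Errors from session.NewSession are returned unwrapped so that callers can
// still inspect them with CheckError.
func NewSession(conf Config) (*session.Session, error) {
	cfg := aws.NewConfig()
	if conf.Region != "" {
		cfg.Region = aws.String(conf.Region)
	} else {
		// presumably returns the first non-empty env var, falling back to its
		// first argument (empty here) — confirm against util.GetEnvString
		cfg.Region = aws.String(util.GetEnvString(conf.Region, "AWS_REGION", "AWS_DEFAULT_REGION"))
	}

	hasStaticCreds := conf.AccessKeyID != "" && conf.SecretAccessKey != ""

	if conf.RoleArn == "" {
		if hasStaticCreds {
			cfg.Credentials = credentials.NewStaticCredentials(conf.AccessKeyID, conf.SecretAccessKey, conf.SessionToken)
		}
		sess, err := session.NewSession(cfg)
		if err != nil {
			return nil, err
		}
		return sess, nil
	}

	// Base session used only for the STS call: it holds the caller's own
	// credentials, never the assumed role's.
	baseCfgs := []*aws.Config{cfg}
	if hasStaticCreds {
		baseCfgs = append(baseCfgs, aws.NewConfig().WithCredentials(
			credentials.NewStaticCredentials(conf.AccessKeyID, conf.SecretAccessKey, conf.SessionToken)))
	}
	baseSess, err := session.NewSession(baseCfgs...)
	if err != nil {
		return nil, err
	}

	roleCreds := stscreds.NewCredentials(baseSess, conf.RoleArn, func(arp *stscreds.AssumeRoleProvider) {
		arp.RoleSessionName = conf.Name
		// The external id must be sent when the role's trust policy requires
		// it: omitting it makes AssumeRole fail, and a policy without the
		// condition loses its confused-deputy protection. Previously this
		// field was read by NewConfig but never forwarded.
		if conf.ExternalID != "" {
			arp.ExternalID = aws.String(conf.ExternalID)
		}
	})

	// Later configs override earlier ones, so the role credentials win over
	// anything set on cfg.
	sess, err := session.NewSession(cfg, aws.NewConfig().WithCredentials(roleCreds))
	if err != nil {
		return nil, err
	}
	return sess, nil
}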
// Config - simple aws session config consumed by NewSession.
type Config struct {
	// Name is used as the STS RoleSessionName when RoleArn is set.
	// It is not read from JSON or ini input.
	Name string `json:"-" ini:"-"`
	// Region is the AWS region; when empty, NewSession falls back to the
	// AWS_REGION / AWS_DEFAULT_REGION environment variables.
	Region string `json:"region" ini:"-"`
	// AccessKeyID and SecretAccessKey are static credentials. NewSession uses
	// them only when both are non-empty.
	AccessKeyID string `json:"aws_access_key_id" ini:"aws_access_key_id"`
	SecretAccessKey string `json:"aws_secret_access_key" ini:"aws_secret_access_key"`
	// SessionToken accompanies temporary static credentials. NewConfig does
	// not populate it from its input map.
	SessionToken string `json:"aws_session_token" ini:"aws_session_token"`
	// RoleArn, when set, makes NewSession assume this role via STS.
	RoleArn string `json:"role_arn" ini:"-"`
	// ExternalID is the external id to present when assuming RoleArn.
	ExternalID string `json:"external_id" ini:"-"`
}
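// CheckError reports whether err is an AWS SDK error and whether its error
// code matches one of codes.
//
// The first result is true when err is, or wraps, an awserr.Error; the second
// is true only when, in addition, its Code() equals one of codes. A nil err
// yields (false, false). Wrapped errors are unwrapped with errors.As, so
// callers that add context with fmt.Errorf("...: %w", err) still match.
func CheckError(err error, codes ...string) (bool, bool) {
	var aerr awserr.Error
	if !errors.As(err, &aerr) {
		return false, false
	}
	code := aerr.Code()
	for _, c := range codes {
		if c == code {
			return true, true
		}
	}
	return true, false
}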
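// Options holds the AWS-specific command-line options.
type Options struct {
	// PermissionsBoundaryARN is the ARN of the IAM permissions boundary
	// policy, set from the -aws-permissions-boundary-arn flag.
	PermissionsBoundaryARN string
}

// BindFlags registers the AWS flags on fs so that parsing fs populates o.
// A nil fs falls back to flag.CommandLine, which the previous implementation
// always registered on regardless of the argument.
func (o *Options) BindFlags(fs *flag.FlagSet) {
	if fs == nil {
		fs = flag.CommandLine
	}
	// Register on the given set, not the package-level one: callers that
	// pass their own FlagSet would otherwise never see the parsed value.
	fs.StringVar(&o.PermissionsBoundaryARN, "aws-permissions-boundary-arn", "", "The permissions boundary arn.")
}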