/
iam_aws.go
142 lines (114 loc) · 4.02 KB
/
iam_aws.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
package policy
import (
"context"
"fmt"
"net/url"
localconfig "github.com/perkbox/cloud-access-bot/internal/settings"
"github.com/sirupsen/logrus"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/aws/aws-sdk-go-v2/service/iam"
)
type IAMProvider struct {
Client IAMClientInterface
Settings localconfig.Settings
STSProvider *sts.Client
}
type IAMClientInterface interface {
iam.ListRolePoliciesAPIClient
iam.GetRoleAPIClient
PutRolePolicy(ctx context.Context, params *iam.PutRolePolicyInput, optFns ...func(*iam.Options)) (*iam.PutRolePolicyOutput, error)
DeleteRolePolicy(ctx context.Context, params *iam.DeleteRolePolicyInput, optFns ...func(*iam.Options)) (*iam.DeleteRolePolicyOutput, error)
GetRolePolicy(ctx context.Context, params *iam.GetRolePolicyInput, optFns ...func(*iam.Options)) (*iam.GetRolePolicyOutput, error)
}
func NewIAMClient(cfg aws.Config) *IAMProvider {
return &IAMProvider{
Client: iam.NewFromConfig(cfg),
}
}
func (awsiam *IAMProvider) PutPolicy(accountName, roleName, policyName, policy string) error {
i, err := awsiam.assumeRoleWithAccountName(accountName)
if err != nil {
return err
}
_, err = i.PutRolePolicy(context.TODO(), &iam.PutRolePolicyInput{
PolicyDocument: aws.String(policy),
PolicyName: aws.String(policyName),
RoleName: aws.String(roleName),
}, func(o *iam.Options) {
o.Region = "eu-west-1"
})
if err != nil {
return err
}
return nil
}
func (awsiam *IAMProvider) DeletePolicys(accountName, roleName string, InlinePolicysNames []string) error {
i, err := awsiam.assumeRoleWithAccountName(accountName)
if err != nil {
return err
}
for _, policyName := range InlinePolicysNames {
_, err := i.DeleteRolePolicy(context.TODO(), &iam.DeleteRolePolicyInput{RoleName: aws.String(roleName), PolicyName: aws.String(policyName)}, func(o *iam.Options) {
o.Region = "eu-west-1"
})
if err != nil {
return err
}
logrus.Infof("Delted Expired Inline Policy (%s) from Role %s", policyName, roleName)
}
return nil
}
func (awsiam *IAMProvider) GetCloudUserId(accountName string, roleName string) (string, error) {
i, err := awsiam.assumeRoleWithAccountName(accountName)
if err != nil {
return "", err
}
roleOutput, err := i.GetRole(context.TODO(), &iam.GetRoleInput{RoleName: aws.String(roleName)}, func(o *iam.Options) {
o.Region = "eu-west-1"
})
if err != nil {
return "", err
}
return aws.ToString(roleOutput.Role.RoleId), nil
}
func (awsiam *IAMProvider) FindPolicysForRole(accountName, roleName string) (map[string]string, error) {
inlinePolicys := make(map[string]string)
i, err := awsiam.assumeRoleWithAccountName(accountName)
if err != nil {
return nil, err
}
//GET all inline Policy's on the role
listPolResp, err := i.ListRolePolicies(context.TODO(), &iam.ListRolePoliciesInput{RoleName: aws.String(roleName)}, func(o *iam.Options) {
o.Region = "eu-west-1"
})
if err != nil {
return nil, fmt.Errorf("func:FindPolicysForRole: error listing role polices: %s", err)
}
for _, policyName := range listPolResp.PolicyNames {
policyResp, err := i.GetRolePolicy(context.TODO(), &iam.GetRolePolicyInput{RoleName: aws.String(roleName), PolicyName: aws.String(policyName)}, func(o *iam.Options) {
o.Region = "eu-west-1"
})
if err != nil {
return nil, fmt.Errorf("func:FindPolicysForRole: error getting inline policy from role: %s ", err)
}
policyDoc, _ := url.QueryUnescape(aws.ToString(policyResp.PolicyDocument))
inlinePolicys[policyName] = policyDoc
}
return inlinePolicys, err
}
func (awsiam *IAMProvider) assumeRoleWithAccountName(accountName string) (IAMClientInterface, error) {
i := awsiam.Client
accountRoleArn, err := awsiam.Settings.GetRoleArn(accountName)
if err != nil {
return nil, err
}
if accountRoleArn != "" {
cfg, err := assumeRole(accountRoleArn, *awsiam.STSProvider)
if err != nil {
return nil, fmt.Errorf("func:assumeRoleWithAccountName: Error assuming role %s. AWS Error: %s", accountRoleArn, err.Error())
}
i = NewIAMClient(cfg).Client
}
return i, nil
}