forked from hashicorp/vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
client.go
103 lines (88 loc) · 3.07 KB
/
client.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
package awsec2
import (
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/vault/helper/awsutil"
"github.com/hashicorp/vault/logical"
)
// getClientConfig creates a aws-sdk-go config, which is used to create client
// that can interact with AWS API. This builds credentials in the following
// order of preference:
//
// * Static credentials from 'config/client'
// * Environment variables
// * Instance metadata role
func (b *backend) getClientConfig(s logical.Storage, region string) (*aws.Config, error) {
credsConfig := &awsutil.CredentialsConfig{
Region: region,
}
// Read the configured secret key and access key
config, err := b.nonLockedClientConfigEntry(s)
if err != nil {
return nil, err
}
endpoint := aws.String("")
if config != nil {
// Override the default endpoint with the configured endpoint.
if config.Endpoint != "" {
endpoint = aws.String(config.Endpoint)
}
credsConfig.AccessKey = config.AccessKey
credsConfig.SecretKey = config.SecretKey
}
credsConfig.HTTPClient = cleanhttp.DefaultClient()
creds, err := credsConfig.GenerateCredentialChain()
if err != nil {
return nil, err
}
if creds == nil {
return nil, fmt.Errorf("could not compile valid credential providers from static config, environemnt, shared, or instance metadata")
}
// Create a config that can be used to make the API calls.
return &aws.Config{
Credentials: creds,
Region: aws.String(region),
HTTPClient: cleanhttp.DefaultClient(),
Endpoint: endpoint,
}, nil
}
// flushCachedEC2Clients deletes all the cached ec2 client objects from the backend.
// If the client credentials configuration is deleted or updated in the backend, all
// the cached EC2 client objects will be flushed.
//
// Write lock should be acquired using b.configMutex.Lock() before calling this method
// and lock should be released using b.configMutex.Unlock() after the method returns.
func (b *backend) flushCachedEC2Clients() {
// deleting items in map during iteration is safe.
for region, _ := range b.EC2ClientsMap {
delete(b.EC2ClientsMap, region)
}
}
// clientEC2 creates a client to interact with AWS EC2 API.
func (b *backend) clientEC2(s logical.Storage, region string) (*ec2.EC2, error) {
b.configMutex.RLock()
if b.EC2ClientsMap[region] != nil {
defer b.configMutex.RUnlock()
// If the client object was already created, return it.
return b.EC2ClientsMap[region], nil
}
// Release the read lock and acquire the write lock.
b.configMutex.RUnlock()
b.configMutex.Lock()
defer b.configMutex.Unlock()
// If the client gets created while switching the locks, return it.
if b.EC2ClientsMap[region] != nil {
return b.EC2ClientsMap[region], nil
}
// Create a AWS config object using a chain of providers.
awsConfig, err := b.getClientConfig(s, region)
if err != nil {
return nil, err
}
// Create a new EC2 client object, cache it and return the same.
b.EC2ClientsMap[region] = ec2.New(session.New(awsConfig))
return b.EC2ClientsMap[region], nil
}