-
Notifications
You must be signed in to change notification settings - Fork 23
/
assume_role_provider.go
59 lines (50 loc) · 1.55 KB
/
assume_role_provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
package aws
import (
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
)
// AssumeRoleProvider is an AWS SDK credentials provider which retrieve
// credentials by assuming the defined role.
type AssumeRoleProvider struct {
role string
sessionName string
creds *sts.Credentials
sts *sts.STS
}
// NewAssumeRoleProvider initializes a new AssumeRoleProvider.
func NewAssumeRoleProvider(role, sessionName string, sess *session.Session) *AssumeRoleProvider {
return &AssumeRoleProvider{
role: role,
sessionName: sessionName,
sts: sts.New(sess),
}
}
// Retrieve retrieves new credentials by assuming the defined role.
func (a *AssumeRoleProvider) Retrieve() (credentials.Value, error) {
params := &sts.AssumeRoleInput{
RoleArn: aws.String(a.role),
RoleSessionName: aws.String(a.sessionName),
}
resp, err := a.sts.AssumeRole(params)
if err != nil {
return credentials.Value{}, err
}
a.creds = resp.Credentials
return credentials.Value{
AccessKeyID: *resp.Credentials.AccessKeyId,
SecretAccessKey: *resp.Credentials.SecretAccessKey,
SessionToken: *resp.Credentials.SessionToken,
ProviderName: "assumeRoleProvider",
}, nil
}
// IsExpired is true when the credentials has expired and must be retrieved
// again.
func (a *AssumeRoleProvider) IsExpired() bool {
if a.creds != nil && a.creds.Expiration != nil {
return time.Now().UTC().After(*a.creds.Expiration)
}
return true
}