Documentation ¶
Index ¶
- Constants
- func GetAccountId(metaEndPoint string, useRegionalSTS bool, region string) (string, error)
- func GetRunsAsUidGid(opts *Options) (int, int)
- func GetSvcNames(svcs []Service) string
- func InitCredsConfig(roleSuffix, accessProfileSeparator string, useRegionalSTS bool, region string) (*ConfigAccount, *AccessProfileConfig, error)
- func InitEnvConfig(config *Config) (*Config, *ConfigAccount, error)
- func InitFileConfig(fileName, metaEndPoint string, useRegionalSTS bool, region, account string) (*Config, *ConfigAccount, error)
- func InitProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string) (*ConfigAccount, *AccessProfileConfig, error)
- type AccessProfileConfig
- type Config
- type ConfigAccount
- type ConfigRole
- type ConfigService
- type Options
- type Role
- type Service
Constants ¶
const (
DEFAULT_TOKEN_EXPIRY = 28800 // 8 hrs
)
Variables ¶
This section is empty.
Functions ¶
func GetAccountId ¶
func GetAccountId(metaEndPoint string, useRegionalSTS bool, region string) (string, error)
func GetRunsAsUidGid ¶ added in v1.10.52
func GetRunsAsUidGid(opts *Options) (int, int)
GetRunsAsUidGid returns the uid/gid that the tool should continue to run as, based on the configured setup. For example, if all services have been configured with the same uid/gid for their keys and certs, the tool can drop its access from root to that user. If multiple different users are defined, the return values are -1/-1.
func GetSvcNames ¶
func GetSvcNames(svcs []Service) string
GetSvcNames returns a comma-separated list of service names
func InitCredsConfig ¶
func InitCredsConfig(roleSuffix, accessProfileSeparator string, useRegionalSTS bool, region string) (*ConfigAccount, *AccessProfileConfig, error)
func InitEnvConfig ¶
func InitEnvConfig(config *Config) (*Config, *ConfigAccount, error)
func InitFileConfig ¶
func InitFileConfig(fileName, metaEndPoint string, useRegionalSTS bool, region, account string) (*Config, *ConfigAccount, error)
func InitProfileConfig ¶
func InitProfileConfig(metaEndPoint, roleSuffix, accessProfileSeparator string) (*ConfigAccount, *AccessProfileConfig, error)
Types ¶
type AccessProfileConfig ¶ added in v1.11.9
type AccessProfileConfig struct {
	Profile string `json:"profile,omitempty"` // access profile name
}
func InitAccessProfileEnvConfig ¶ added in v1.11.9
func InitAccessProfileEnvConfig() (*AccessProfileConfig, error)
func InitAccessProfileFileConfig ¶ added in v1.11.9
func InitAccessProfileFileConfig(fileName string) (*AccessProfileConfig, error)
type Config ¶
type Config struct {
	Version         string                   `json:"version,omitempty"`           // name of the provider
	Service         string                   `json:"service,omitempty"`           // name of the service for the identity
	Services        map[string]ConfigService `json:"services,omitempty"`          // names of the multiple services for the identity
	Ssh             *bool                    `json:"ssh,omitempty"`               // ssh certificate support
	SanDnsWildcard  bool                     `json:"sandns_wildcard,omitempty"`   // san dns wildcard support
	UseRegionalSTS  bool                     `json:"regionalsts,omitempty"`       // whether to use a regional STS endpoint (default is false)
	Accounts        []ConfigAccount          `json:"accounts,omitempty"`          // array of configured accounts
	GenerateRoleKey bool                     `json:"generate_role_key,omitempty"` // private key to be generated for role certificate
	RotateKey       bool                     `json:"rotate_key,omitempty"`        // rotate private key support
	User            string                   `json:"user,omitempty"`              // the user name to chown the cert/key dirs to. If absent, then root
	Group           string                   `json:"group,omitempty"`             // the group name to chown the cert/key dirs to. If absent, then athenz
	SDSUdsPath      string                   `json:"sds_uds_path,omitempty"`      // uds path if the agent should support uds connections
	SDSUdsUid       int                      `json:"sds_uds_uid,omitempty"`       // uds connections must be from the given user uid
	ExpiryTime      int                      `json:"expiry_time,omitempty"`       // service and role certificate expiry in minutes
	RefreshInterval int                      `json:"refresh_interval,omitempty"`  // specifies refresh interval in minutes
	ZTSRegion       string                   `json:"zts_region,omitempty"`        // specifies zts region for the requests
	KeepPrivileges  bool                     `json:"keep_privileges,omitempty"`   // keep privileges as root instead of dropping to configured user
	AccessTokens    map[string]ac.Role       `json:"access_tokens,omitempty"`     // map of role name to token attributes
}
Config represents entire sia_config file
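The privilege-drop decision that GetRunsAsUidGid documents depends on how the user/group fields of Config and ConfigService resolve. The following is an added example, not code from the Athenz SIA package: it mirrors only the sia_config json tags needed for that decision (an assumption; the real structs carry more fields and the real function works on Options rather than Config), parses a constructed sia_config, resolves each service's owner through the documented fallback chain (service-level user/group, then top-level user/group, then root/athenz), and returns a single uid/gid only when every service agrees, otherwise -1/-1. The uid/gid lookup tables are hypothetical stand-ins for the system passwd/group databases so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the documented sia_config layout (assumption: only the fields this
// decision needs are modelled).
type ConfigService struct {
	Filename string `json:"filename,omitempty"`
	User     string `json:"user,omitempty"`
	Group    string `json:"group,omitempty"`
}

type Config struct {
	Service        string                   `json:"service,omitempty"`
	Services       map[string]ConfigService `json:"services,omitempty"`
	User           string                   `json:"user,omitempty"`
	Group          string                   `json:"group,omitempty"`
	KeepPrivileges bool                     `json:"keep_privileges,omitempty"`
}

// Hypothetical passwd/group tables so the example runs offline; a real agent
// would consult the system databases (e.g. os/user).
var uidByUser = map[string]int{"root": 0, "athenz": 1001, "webapp": 1002}
var gidByGroup = map[string]int{"root": 0, "athenz": 1001, "webapp": 1002}

// first returns the first non-empty value, implementing the fallback chain.
func first(vals ...string) string {
	for _, v := range vals {
		if v != "" {
			return v
		}
	}
	return ""
}

// resolveOwner: service-level user/group, then top-level, then root/athenz.
func resolveOwner(cfg *Config, svc ConfigService) (int, int, error) {
	user := first(svc.User, cfg.User, "root")
	group := first(svc.Group, cfg.Group, "athenz")
	uid, ok := uidByUser[user]
	if !ok {
		return -1, -1, fmt.Errorf("unknown user %q", user)
	}
	gid, ok := gidByGroup[group]
	if !ok {
		return -1, -1, fmt.Errorf("unknown group %q", group)
	}
	return uid, gid, nil
}

// runsAsUidGid returns one uid/gid when every configured service resolves to
// the same owner, otherwise -1/-1. keep_privileges also yields -1/-1 because
// the agent must then stay root.
func runsAsUidGid(cfg *Config) (int, int, error) {
	if cfg.KeepPrivileges {
		return -1, -1, nil
	}
	services := cfg.Services
	if len(services) == 0 { // single-service config: only "service" is set
		services = map[string]ConfigService{cfg.Service: {}}
	}
	uid, gid, seen := -1, -1, false
	for name, svc := range services {
		u, g, err := resolveOwner(cfg, svc)
		if err != nil {
			return -1, -1, fmt.Errorf("service %s: %w", name, err)
		}
		if seen && (u != uid || g != gid) {
			return -1, -1, nil // owners disagree: no single user to drop to
		}
		uid, gid, seen = u, g, true
	}
	return uid, gid, nil
}

func parseConfig(data []byte) (*Config, error) {
	var cfg Config
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("sia_config: %w", err)
	}
	return &cfg, nil
}

// Constructed sample configs (not from a real deployment).
const sameOwnerConfig = `{"user": "webapp", "group": "webapp",
  "services": {"api": {"filename": "api.cert.pem"},
               "worker": {"filename": "worker.cert.pem", "user": "webapp", "group": "webapp"}}}`

const mixedOwnerConfig = `{"services": {
  "api": {"filename": "api.cert.pem", "user": "webapp", "group": "webapp"},
  "worker": {"filename": "worker.cert.pem", "user": "athenz"}}}`

func main() {
	for _, raw := range []string{sameOwnerConfig, mixedOwnerConfig} {
		cfg, err := parseConfig([]byte(raw))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		uid, gid, err := runsAsUidGid(cfg)
		fmt.Printf("uid=%d gid=%d err=%v\n", uid, gid, err)
	}
}
```

The mixed config resolves "worker" to athenz/athenz (group falls through to the default) while "api" is webapp/webapp, so the agent keeps root; an unknown user name is surfaced as an error rather than silently treated as root, which is the check worth keeping when a config file is the only input to a privilege-drop decision.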
type ConfigAccount ¶
type ConfigAccount struct {
	Name     string                `json:"name,omitempty"`     // name of the service identity
	User     string                `json:"user,omitempty"`     // the username to chown the cert/key dirs to. If absent, then root.
	Group    string                `json:"group,omitempty"`    // the group name to chown the cert/key dirs to. If absent, then athenz.
	Domain   string                `json:"domain,omitempty"`   // name of the domain for the identity
	Account  string                `json:"account,omitempty"`  // name of the account
	Service  string                `json:"service,omitempty"`  // name of the service for the identity
	Zts      string                `json:"zts,omitempty"`      // the ZTS to contact
	Filename string                `json:"filename,omitempty"` // filename to put the service certificate
	Roles    map[string]ConfigRole `json:"roles,omitempty"`    // map of roles to retrieve certificates for
	Version  string                `json:"version,omitempty"`  // sia version number
}
ConfigAccount represents each of the accounts that can be specified in the config file
type ConfigRole ¶
type ConfigRole struct {
	Filename   string `json:"filename,omitempty"`
	ExpiryTime int    `json:"expiry_time,omitempty"`
}
ConfigRole represents a role specified by the user, together with the attributes for that role
type ConfigService ¶
type ConfigService struct {
	Filename       string `json:"filename,omitempty"`
	User           string `json:"user,omitempty"`
	Group          string `json:"group,omitempty"`
	ExpiryTime     int    `json:"expiry_time,omitempty"`
	SDSUdsUid      int    `json:"sds_uds_uid,omitempty"`
	SDSNodeId      string `json:"sds_node_id,omitempty"`
	SDSNodeCluster string `json:"sds_node_cluster,omitempty"`
}
ConfigService represents a service specified by the user, together with the User/Group attributes for that service
type Options ¶
type Options struct {
	Provider           string            // name of the provider
	Name               string            // name of the service identity
	User               string            // the user name to chown the cert/key dirs to. If absent, then root
	Group              string            // the group name to chown the cert/key dirs to. If absent, then athenz
	Domain             string            // name of the domain for the identity
	Account            string            // name of the account
	Service            string            // name of the service for the identity
	Zts                string            // the ZTS to contact
	Filename           string            // filename to put the service certificate
	InstanceId         string            // instance id if ec2, task id if running within eks/ecs
	Roles              map[string]ConfigRole // map of roles to retrieve certificates for
	Region             string            // region name
	SanDnsWildcard     bool              // san dns wildcard support
	Version            string            // sia version number
	ZTSDomains         []string          // zts domain prefixes
	Services           []Service         // array of configured services
	Ssh                bool              // ssh certificate support
	UseRegionalSTS     bool              // use regional sts endpoint
	KeyDir             string            // private key directory path
	CertDir            string            // x.509 certificate directory path
	AthenzCACertFile   string            // filename to store Athenz CA certs
	ZTSCACertFile      string            // filename for CA certs when communicating with ZTS
	ZTSServerName      string            // ZTS server name, if necessary for tls
	ZTSAWSDomains      []string          // list of domain prefixes for sanDNS entries
	GenerateRoleKey    bool              // option to generate a separate key for role certificates
	RotateKey          bool              // rotate the private key when refreshing certificates
	BackUpDir          string            // backup directory for key/cert rotation
	CertCountryName    string            // generated x.509 certificate country name
	CertOrgName        string            // generated x.509 certificate organization name
	SshPubKeyFile      string            // ssh host public key file path
	SshCertFile        string            // ssh host certificate file path
	SshConfigFile      string            // sshd config file path
	PrivateIp          string            // instance private ip
	EC2Document        string            // EC2 instance identity document
	EC2Signature       string            // EC2 instance identity document pkcs7 signature
	EC2StartTime       *time.Time        // EC2 instance start time
	InstanceIdSanDNS   bool              // include instance id in a san dns entry (backward compatible option)
	RolePrincipalEmail bool              // include role principal in a san email field (backward compatible option)
	SDSUdsPath         string            // UDS path if the agent should support uds connections
	SDSUdsUid          int               // UDS connections must be from the given user uid
	RefreshInterval    int               // refresh interval for certificates - default 24 hours
	ZTSRegion          string            // ZTS region in case the client needs this information
	KeepPrivileges     bool              // keep privileges as root instead of dropping to configured user
	TokenDir           string            // access tokens directory
	AccessTokens       []ac.AccessToken  // access tokens object
	Profile            string            // access profile name
}
Options represents the settings derived from the config file and application defaults
func NewOptions ¶
func NewOptions(config *Config, configAccount *ConfigAccount, profileConfig *AccessProfileConfig, siaDir, siaVersion string, useRegionalSTS bool, region string) (*Options, error)