aws_role

package

v1.10.1 Latest Latest Go to latest Published: Feb 12, 2022 License: Apache-2.0 Imports: 20 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/Cloud-Foundations/keymaster

Links

Open Source Insights

Documentation ¶

Overview ¶

Package aws_role may be used by service code to obtain Keymaster-issued identity certificates. The identity certificate will contain the AWS IAM role that the service code is able to assume (i.e. EC2 instance profile, EKS IRSA, Lambda role). The full AWS Role ARN is stored in a certificate URI SAN extension and a simplified form of the ARN is stored in the certificate CN.

The service code does not require any extra permissions. It uses the sts:GetCallerIdentity permission that is available to all AWS identities. Thus, no policy configuration is required.

This code uses the AWS IAM credentials to request a pre-signed URL from the AWS Security Token Service (STS). This pre-signed URL is passed to Keymaster which can make a request using the URL to verify the identity of the caller. No credentials are sent.

Index ¶

func GetRoleCertificate(params Params) ([]byte, error)
func GetRoleCertificateTLS(params Params) (*tls.Certificate, error)
type Manager
- func NewManager(params Params) (*Manager, error)
type Params

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GetRoleCertificate ¶

func GetRoleCertificate(params Params) ([]byte, error)

GetRoleCertificate requests an AWS role identify certificate from the Keymaster server specified in params. It returns the certificate PEM.

func GetRoleCertificateTLS ¶

func GetRoleCertificateTLS(params Params) (*tls.Certificate, error)

GetRoleCertificateTLS requests an AWS role identify certificate from the Keymaster server specified in params. It returns the certificate.

Types ¶

type Manager ¶

type Manager struct {
	// contains filtered or unexported fields
}

func NewManager ¶

func NewManager(params Params) (*Manager, error)

NewManager returns a certificate manager which provides AWS role identity certificates from the Keymaster server specified in params. Certificates are refreshed in the background.

func (*Manager) GetClientCertificate ¶

func (m *Manager) GetClientCertificate(cri *tls.CertificateRequestInfo) (
	*tls.Certificate, error)

GetClientCertificate returns a valid, cached certificate. The method value may be assigned to the crypto/tls.Config.GetClientCertificate field.

func (*Manager) GetRoleCertificate ¶ added in v1.10.0

func (m *Manager) GetRoleCertificate() ([]byte, *tls.Certificate, error)

GetRoleCertificate returns a valid, cached certificate. It returns the certificate PEM, TLS certificate and error.

func (*Manager) WaitForRefresh ¶ added in v1.10.0

func (m *Manager) WaitForRefresh()

WaitForRefresh waits until a successful certificate refresh.

type Params ¶

type Params struct {
	// Required parameters.
	KeymasterServer string
	Logger          log.DebugLogger
	// Optional parameters.
	Context    context.Context
	HttpClient *http.Client
	Signer     crypto.Signer
	// contains filtered or unexported fields
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL