aws

package
v0.9.6

Warning: This package is not in the latest version of its module.
Published: Jun 22, 2020 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package aws abstracts interaction with certain aspects of AWS, such as creating IAM roles and users, account keys, and access tokens.

Constants

const (
	// TemporaryCredMaxTTL is the maximum TTL for an AWS access token.
	TemporaryCredMaxTTL = 12 * time.Hour
	// S3ItemFormat is the canonical item format identifier for S3 buckets.
	S3ItemFormat = "s3bucket"
	// RedshiftItemFormat is the canonical item format identifier for Redshift clusters.
	RedshiftItemFormat = "redshift"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type APIClient

type APIClient interface {
	ListUsers(input *iam.ListUsersInput) (*iam.ListUsersOutput, error)
	ListAccessKeys(input *iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
	DeleteAccessKey(input *iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
	GetCallerIdentity(input *sts.GetCallerIdentityInput) (*sts.GetCallerIdentityOutput, error)
	AssumeRole(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
	CreateAccessKey(input *iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
	PutRolePolicy(input *iam.PutRolePolicyInput) (*iam.PutRolePolicyOutput, error)
	PutUserPolicy(input *iam.PutUserPolicyInput) (*iam.PutUserPolicyOutput, error)
	GetUser(input *iam.GetUserInput) (*iam.GetUserOutput, error)
	CreateUser(input *iam.CreateUserInput) (*iam.CreateUserOutput, error)
	GetRole(input *iam.GetRoleInput) (*iam.GetRoleOutput, error)
	CreateRole(input *iam.CreateRoleInput) (*iam.CreateRoleOutput, error)
}

APIClient is a wrapper around the AWS SDK that can be mocked for unit testing.

func NewAPIClient

func NewAPIClient() (APIClient, error)

NewAPIClient creates a new APIClient that delegates to the AWS SDK using the default AWS credentials provider.

type AccountWarehouse

type AccountWarehouse struct {
	// contains filtered or unexported fields
}

AccountWarehouse is used to create AWS IAM users and temporary credentials.

func NewWarehouse

func NewWarehouse(_ context.Context, awsClient APIClient) (*AccountWarehouse, error)

NewWarehouse creates a new AccountWarehouse using the provided client and options.

func (*AccountWarehouse) GetAwsAccount

func (wh *AccountWarehouse) GetAwsAccount() string

GetAwsAccount returns the AWS account used by this AccountWarehouse for creating IAM users, roles, and policies.

func (*AccountWarehouse) MintTokenWithTTL

func (wh *AccountWarehouse) MintTokenWithTTL(ctx context.Context, params *ResourceParams) (*ResourceTokenResult, error)

MintTokenWithTTL returns an AccountKey or an AccessToken depending on the TTL requested.

type ResourceParams

type ResourceParams struct {
	UserID                string
	TTL                   time.Duration
	MaxKeyTTL             time.Duration
	ManagedKeysPerAccount int
	Vars                  map[string]string
	TargetRoles           []string
	TargetScopes          []string
	DamResourceID         string
	DamViewID             string
	DamRoleID             string
	ServiceTemplate       *pb.ServiceTemplate
}

ResourceParams contains all the arguments necessary to call MintTokenWithTTL on an AWS AccountWarehouse.

type ResourceTokenResult

type ResourceTokenResult struct {
	Account         string
	Format          string
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

ResourceTokenResult is returned from MintTokenWithTTL for the AWS adapter.
