token

Documentation

Index

• func StdinStderrTokenProvider() (string, error)
• type FormatError
  • func (e FormatError) Error() string
• type Generator
  • func NewGenerator() (Generator, error)
• type Identity
• type JSONStruct
  • func NewJSONStruct() *JSONStruct
  • func (jst *JSONStruct) Load(filename string, v interface{})
• type STSError
  • func NewSTSError(m string) STSError
  • func (e STSError) Error() string
• type Token
• type Verifier
  • func NewVerifier(clusterID string) Verifier

Functions

func StdinStderrTokenProvider

func StdinStderrTokenProvider() (string, error)

StdinStderrTokenProvider func

Types

type FormatError

type FormatError struct {
	// contains filtered or unexported fields
}

FormatError is returned when there is a problem with token that is an encoded sts request. This can include the url, data, action or anything else that prevents the sts call from being made.

func (FormatError) Error

func (e FormatError) Error() string

type Generator

type Generator interface {
	// Get a token using credentials in the default credentials chain.
	Get(string) (Token, error)
	// GetWithRole creates a token by assuming the provided role, using the credentials in the default chain.
	GetWithRole(clusterID, roleARN string) (Token, error)
	// FormatJSON returns the client auth formatted json for the ExecCredential auth
	FormatJSON(Token) string
}

Generator provides new tokens for the authenticator.

func NewGenerator

func NewGenerator() (Generator, error)

NewGenerator creates a Generator and returns it.

type Identity

type Identity struct {
	// ARN is the raw RAM Resource Name returned by sts:GetCallerIdentity
	ARN string

	// CanonicalARN is the RAM Resource Name converted to a more canonical
	// representation. In particular, STS assumed role ARNs like
	// "acs:ram::ACCOUNTID:assumed-role/ROLENAME/SESSIONNAME" are converted
	// to their RAM ARN equivalent "acs:ram::ACCOUNTID:role/NAME"
	CanonicalARN string

	// AccountID is the 16 digit RAM account number.
	AccountID string

	// UserID is the unique user/role ID (e.g., "AROAAAAAAAAAAAAAAAAAA").
	UserID string

	// SessionName is the STS session name (or "" if this is not a
	// session-based identity). For ECS instance roles, this will be the ECS
	// instance ID (e.g., "iZj6c792gcdoonnp1rd5y8Z"). You should only rely on it
	// if you trust that _only_ ECS is allowed to assume the RAM Role. If RAM
	// users or other roles are allowed to assume the role, they can provide
	// (nearly) arbitrary strings here.
	SessionName string
}

Identity is returned on successful Verify() results. It contains a parsed version of the ACK identity used to create the token.

type JSONStruct

type JSONStruct struct {
}

JSONStruct struct

func NewJSONStruct

func NewJSONStruct() *JSONStruct

NewJSONStruct new a json struct

func (*JSONStruct) Load

func (jst *JSONStruct) Load(filename string, v interface{})

Load file

type STSError

type STSError struct {
	// contains filtered or unexported fields
}

STSError is returned when there was either an error calling STS or a problem processing the data returned from STS.

func NewSTSError

func NewSTSError(m string) STSError

NewSTSError creates a error of type STS.

func (STSError) Error

func (e STSError) Error() string

type Token

type Token struct {
	Token      string
	Expiration time.Time
}

Token is generated and used by Kubernetes client-go to authenticate with a Kubernetes cluster.

type Verifier

type Verifier interface {
	Verify(token string) (*Identity, error)
}

Verifier validates tokens by calling STS and returning the associated identity.

func NewVerifier

func NewVerifier(clusterID string) Verifier

NewVerifier creates a Verifier that is bound to the clusterID and uses the default http client.