package cfaws

v0.16.0

This package is not in the latest version of its module.
Published: Sep 13, 2023 License: MIT Imports: 46 Imported by: 0


Constants

const DefaultRegion = "us-east-1"
const (
	// permission for user to read/write/execute.
	USER_READ_WRITE_PERM = 0700
)

Variables

var ErrProfileNotFound error = errors.New("profile not found")
var ErrProfileNotInitialised error = errors.New("profile not initialised")
var ErrTimeout error = errors.New("polling for device authorization token timed out")

Functions

func ExpandRegion added in v0.2.3

func ExpandRegion(region string) (string, error)

ExpandRegion takes a string and attempts to expand it into a fully formed region, e.g. ue1 -> us-east-1.

If region is an empty string, DefaultRegion is returned.

ExpandRegion does not attempt to fully validate regions and may produce regions which do not exist, for example as2 -> ap-south-2, which is not a valid region.

func ExportCredsToProfile added in v0.1.17

func ExportCredsToProfile(profileName string, creds aws.Credentials) error

ExportCredsToProfile will write assumed credentials to ~/.aws/credentials with a specified profile name header

func FormatAWSErrorWithGrantedApprovalsURL added in v0.5.0

func FormatAWSErrorWithGrantedApprovalsURL(awsError error, rawConfig *ini.Section, gConf grantedConfig.Config, SSORoleName string, SSOAccountId string) error

GetGrantedApprovalsURL returns the URL at which users can request access to a particular role.

To return a request URL, a base URL for a Granted Approvals deployment must be set. The base URL can be provided in two ways and is read in the following order of priority:

1. By setting the '--url' flag with the Granted credentials_process command

2. By setting a global request URL with the command 'granted settings request-url set'

If neither of the approaches above yields a URL, this method returns a message indicating that the request URL hasn't been set up.

func GetAWSConfigPath added in v0.15.0

func GetAWSConfigPath() string

GetAWSConfigPath will return default AWS config file path unless $AWS_CONFIG_FILE environment variable is set

func GetAWSCredentialsPath added in v0.15.0

func GetAWSCredentialsPath() string

GetAWSCredentialsPath will return default AWS shared credential file path unless $AWS_SHARED_CREDENTIALS_FILE environment variable is set

func GetCredentialsCreds added in v0.1.8

func GetCredentialsCreds(ctx context.Context, c *Profile) (aws.Credentials, error)

func GetEnvCredentials added in v0.1.6

func GetEnvCredentials(ctx context.Context) aws.Credentials

Loads the AWS environment variables and hydrates aws.Credentials from them if they are present.

func GetValidSSOTokenFromPlaintextCache added in v0.9.1

func GetValidSSOTokenFromPlaintextCache(startUrl string) *securestorage.SSOToken

func IsLegalProfileName added in v0.5.0

func IsLegalProfileName(name string) bool

Helper function which returns true if the provided profile name does not contain illegal characters.

func IsValidGrantedProfile added in v0.3.0

func IsValidGrantedProfile(profile *Profile) error

For the `granted login` command, we have to make sure the 'granted' prefix is added to the aws config file.

func LoadSSOSessions added in v0.5.2

func LoadSSOSessions(configFile *ini.File) (map[string]SSOSession, error)

func MfaTokenProvider added in v0.1.12

func MfaTokenProvider() (string, error)

func ParseGrantedSSOProfile added in v0.5.0

func ParseGrantedSSOProfile(ctx context.Context, profile *Profile) (*config.SharedConfig, error)

func PollToken

func PollToken(ctx context.Context, c *ssooidc.Client, clientSecret string, clientID string, deviceCode string, cfg PollingConfig) (*ssooidc.CreateTokenOutput, error)

PollToken will poll for a token and return it once the authentication/authorization flow has been completed in the browser

func RegisterAssumer added in v0.1.6

func RegisterAssumer(a Assumer, position int)

RegisterAssumer allows assumers to be registered when using this library as a package in other projects. A position of -1 will append the assumer; any other position is the index at which to insert the assumer.

func SSODeviceCodeFlowFromStartUrl added in v0.3.0

func SSODeviceCodeFlowFromStartUrl(ctx context.Context, cfg aws.Config, startUrl string) (*securestorage.SSOToken, error)

SSODeviceCodeFlowFromStartUrl contains all the steps to complete a device code flow to retrieve an SSO token

func SsoCredsAreInConfigCache added in v0.9.1

func SsoCredsAreInConfigCache() bool

Checks whether a valid ~/.aws/sso/cache file exists.

func TypeCredsToAwsCreds

func TypeCredsToAwsCreds(c types.Credentials) aws.Credentials

func TypeRoleCredsToAwsCreds

func TypeRoleCredsToAwsCreds(c ssotypes.RoleCredentials) aws.Credentials

func UpdateFrecencyCache

func UpdateFrecencyCache(selectedProfile string)

Use this to update the frecency cache when the profile is supplied on the command line.

func WriteCredentialsToDotenv added in v0.1.16

func WriteCredentialsToDotenv(region string, creds aws.Credentials) error

WriteCredentialsToDotenv will check if a .env file exists and prompt to create one if it does not. After the file exists, it will be opened, the credentials added, and the file written to disk.

Types

type Assumer added in v0.1.6

type Assumer interface {
	// AssumeTerminal should follow the required process for its implementation and return aws credentials ready to be exported to the terminal environment
	AssumeTerminal(context.Context, *Profile, ConfigOpts) (aws.Credentials, error)
	// AssumeConsole should follow any console specific credentials processes, this may be the same as AssumeTerminal under the hood
	AssumeConsole(context.Context, *Profile, ConfigOpts) (aws.Credentials, error)
	// A unique key which identifies this assumer e.g. AWS-SSO or GOOGLE-AWS-AUTH
	Type() string
	// ProfileMatchesType takes the raw and parsed forms of an aws config profile and returns true if this profile is the assumer's type
	ProfileMatchesType(*ini.Section, config.SharedConfig) bool
}

Added support for optional pass-through args on the proxy SSO provider. When using an SSO provider, pass-through flags can be added with the -pass-through or -pt flag, e.g. assume role-a -pt --mode -pt gui (runs the proxy login with a GUI rather than in the CLI; example taken from aws-azure-login).

func AssumerFromType added in v0.1.6

func AssumerFromType(t string) Assumer

type AwsAzureLoginAssumer added in v0.1.6

type AwsAzureLoginAssumer struct {
}

Implements Assumer

func (*AwsAzureLoginAssumer) AssumeConsole added in v0.1.6

func (aal *AwsAzureLoginAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsAzureLoginAssumer) AssumeTerminal added in v0.1.6

func (aal *AwsAzureLoginAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

Launches the aws-azure-login utility to generate the credentials, then fetches them from the environment for use.

func (*AwsAzureLoginAssumer) ProfileMatchesType added in v0.1.6

func (aal *AwsAzureLoginAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

Inspects the profile for any items prefixed with "AZURE_".

func (*AwsAzureLoginAssumer) Type added in v0.1.6

func (aal *AwsAzureLoginAssumer) Type() string

A unique key which identifies this assumer, e.g. AWS-SSO or GOOGLE-AWS-AUTH.

type AwsGoogleAuthAssumer added in v0.1.6

type AwsGoogleAuthAssumer struct {
}

Implements Assumer

func (*AwsGoogleAuthAssumer) AssumeConsole added in v0.1.6

func (aia *AwsGoogleAuthAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsGoogleAuthAssumer) AssumeTerminal added in v0.1.6

func (aia *AwsGoogleAuthAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

Launches the aws-google-auth utility to generate the credentials, then fetches them from the environment for use.

func (*AwsGoogleAuthAssumer) ProfileMatchesType added in v0.1.6

func (aia *AwsGoogleAuthAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

Inspects the profile for any items prefixed with "google_config.".

func (*AwsGoogleAuthAssumer) Type added in v0.1.6

func (aia *AwsGoogleAuthAssumer) Type() string

A unique key which identifies this assumer, e.g. AWS-SSO or GOOGLE-AWS-AUTH.

type AwsIamAssumer added in v0.1.6

type AwsIamAssumer struct {
}

Implements Assumer

func (*AwsIamAssumer) AssumeConsole added in v0.1.6

func (aia *AwsIamAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

If required, gets a FederationToken to be used to launch the console. This is required if the IAM profile does not assume a role using sts.AssumeRole.

func (*AwsIamAssumer) AssumeTerminal added in v0.1.6

func (aia *AwsIamAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

The default behaviour is to use the SDK to retrieve the credentials from the file. For launching the console there is an extra step, GetFederationToken, that happens after this to get a session token.

func (*AwsIamAssumer) ProfileMatchesType added in v0.1.6

func (aia *AwsIamAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

Matches the profile type on whether it is not an SSO profile. This will also match other types that are not SSO profiles, so it should be the last option checked when determining the profile type.

func (*AwsIamAssumer) Type added in v0.1.6

func (aia *AwsIamAssumer) Type() string

A unique key which identifies this assumer, e.g. AWS-SSO or GOOGLE-AWS-AUTH.

type AwsSsoAssumer added in v0.1.6

type AwsSsoAssumer struct {
}

Implements Assumer

func (*AwsSsoAssumer) AssumeConsole added in v0.1.6

func (asa *AwsSsoAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsSsoAssumer) AssumeTerminal added in v0.1.6

func (asa *AwsSsoAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsSsoAssumer) ProfileMatchesType added in v0.1.6

func (asa *AwsSsoAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

Matches the profile type on whether it is an SSO profile by checking for ssoaccountid.

func (*AwsSsoAssumer) Type added in v0.1.6

func (asa *AwsSsoAssumer) Type() string

type ConfigFileLoader added in v0.5.2

type ConfigFileLoader interface {
	Load() (*ini.File, error)
	Path() string
}

type ConfigOpts added in v0.1.14

type ConfigOpts struct {
	UsingCredentialProcess     bool
	CredentialProcessAutoLogin bool
	Duration                   time.Duration
	Args                       []string
	ShouldRetryAssuming        *bool
	MFATokenCode               string
}

type CredProv

type CredProv struct{ aws.Credentials }

CredProv implements the aws.CredentialProvider interface

func (*CredProv) Retrieve

func (c *CredProv) Retrieve(ctx context.Context) (aws.Credentials, error)

type CredentialProcessAssumer added in v0.1.6

type CredentialProcessAssumer struct {
}

Implements Assumer using the aws credential_process standard

func (*CredentialProcessAssumer) AssumeConsole added in v0.1.6

func (cpa *CredentialProcessAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*CredentialProcessAssumer) AssumeTerminal added in v0.1.6

func (cpa *CredentialProcessAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*CredentialProcessAssumer) ProfileMatchesType added in v0.1.6

func (cpa *CredentialProcessAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

Inspects the profile for any credential_process entries that use the saml2aws tool.

func (*CredentialProcessAssumer) Type added in v0.1.6

func (cpa *CredentialProcessAssumer) Type() string

A unique key which identifies this assumer, e.g. AWS-SSO or GOOGLE-AWS-AUTH.

type FileLoader added in v0.5.2

type FileLoader struct {
	FilePath string
}

func (FileLoader) Load added in v0.5.2

func (f FileLoader) Load() (*ini.File, error)

func (FileLoader) Path added in v0.5.2

func (f FileLoader) Path() string

type FrecentProfiles

type FrecentProfiles struct {
	// contains filtered or unexported fields
}

func (*FrecentProfiles) Update

func (f *FrecentProfiles) Update(selectedProfile string)

Should be called after selecting a profile to update the frecency cache. Wrap this method in a goroutine to avoid blocking the user.

type PollingConfig

type PollingConfig struct {
	CheckInterval time.Duration
	TimeoutAfter  time.Duration
}
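PollToken above polls until the browser flow completes or PollingConfig.TimeoutAfter elapses, returning ErrTimeout in the latter case. The following is an added example, not code from the cfaws package: it re-implements that loop with the standard library only, with a caller-supplied fetch function standing in for the ssooidc CreateToken call, and the "authorization_pending" and "slow_down" sentinels (from RFC 8628, assumed here rather than taken from ssooidc) representing the two retryable responses.

```go
package main

import (
	"context"
	"errors"
	"time"
)

// ErrTimeout and PollingConfig mirror the cfaws declarations on this page.
var ErrTimeout = errors.New("polling for device authorization token timed out")
type PollingConfig struct {
	CheckInterval time.Duration
	TimeoutAfter  time.Duration
}

// RFC 8628 lets the token endpoint answer a poll with the token, a retryable
// error, or a terminal error. These sentinels stand in for the two retryable
// responses; they are assumed here, not taken from the ssooidc client.
var (
	ErrPending  = errors.New("authorization_pending") // user has not approved yet
	ErrSlowDown = errors.New("slow_down")             // back off before polling again
)

// PollToken retries fetch (a hypothetical stand-in for the ssooidc CreateToken
// call) until it yields a token or a terminal error, the context is cancelled,
// or cfg.TimeoutAfter elapses, in which case ErrTimeout is returned.
func PollToken(ctx context.Context, fetch func(context.Context) (string, error), cfg PollingConfig) (string, error) {
	interval := cfg.CheckInterval
	deadline := time.Now().Add(cfg.TimeoutAfter)
	for {
		tok, err := fetch(ctx)
		switch {
		case err == nil:
			return tok, nil
		case errors.Is(err, ErrSlowDown):
			interval += 5 * time.Second // RFC 8628 section 3.5: add 5 seconds to the interval
		case errors.Is(err, ErrPending):
			// still waiting for the user; poll again at the current interval
		default:
			return "", err // access_denied, expired_token, transport failure: stop
		}
		wait := interval
		if remaining := time.Until(deadline); remaining <= 0 {
			return "", ErrTimeout
		} else if remaining < wait {
			wait = remaining // never sleep past the deadline
		}
		select {
		case <-ctx.Done():
			return "", ctx.Err()
		case <-time.After(wait):
		}
	}
}
```

Bounding the sleep by the remaining time means a long CheckInterval cannot push the call past TimeoutAfter, and a cancelled context stops the poll immediately rather than after the next tick.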

type Profile added in v0.2.3

type Profile struct {
	// allows access to the raw values from the file
	RawConfig *ini.Section
	Name      string
	// the file that this profile is from
	File        string
	ProfileType string

	// ordered from root to direct parent profile
	Parents []*Profile
	// the original config, some values may be empty strings depending on the type or profile
	AWSConfig                      config.SharedConfig
	Initialised                    bool
	LoadingError                   error
	HasSecureStorageIAMCredentials bool

	// AWS SDK doesn't support sso_session yet so we check for it manually
	SSOSession *SSOSession
}

func LoadProfileByAccountIdAndRole added in v0.13.1

func LoadProfileByAccountIdAndRole(accountId string, role string) (*Profile, error)

Note: this function doesn't handle the case where the same accountId and role exist in different regions.

func (*Profile) AssumeConsole added in v0.2.3

func (c *Profile) AssumeConsole(ctx context.Context, configOpts ConfigOpts) (aws.Credentials, error)

func (*Profile) AssumeTerminal added in v0.2.3

func (c *Profile) AssumeTerminal(ctx context.Context, configOpts ConfigOpts) (aws.Credentials, error)

func (*Profile) CustomGrantedProperty added in v0.5.2

func (p *Profile) CustomGrantedProperty(name string) string

If the profile has a "granted_${name}" key, its value is returned; otherwise an empty string.

func (*Profile) InitWithPlainTextSSOToken added in v0.3.0

func (p *Profile) InitWithPlainTextSSOToken(ctx context.Context, awsCred aws.Credentials) error

Initialize the profile's AWS config by fetching credentials from the plain-text SSO token located in the default cache directory.

func (*Profile) LoadPlainTextSSOToken added in v0.3.0

func (p *Profile) LoadPlainTextSSOToken(ctx context.Context, profile string) (aws.Credentials, error)

Make sure credentials are available and valid.

func (*Profile) Region added in v0.2.3

func (p *Profile) Region(ctx context.Context) (string, error)

Region will attempt to load the region on this profile. If it is not set, it attempts to load the parent's region if a parent exists, else attempts to use the sso-region, else attempts to load the default config. Returns a region, and bool = true if the default region was used.

func (*Profile) SSOLogin added in v0.2.3

func (c *Profile) SSOLogin(ctx context.Context, configOpts ConfigOpts) (aws.Credentials, error)

type Profiles added in v0.2.3

type Profiles struct {
	// alphabetically sorted after first load
	ProfileNames []string
	// contains filtered or unexported fields
}

func LoadProfiles added in v0.2.3

func LoadProfiles() (*Profiles, error)

LoadProfiles will load aws config files from $AWS_CONFIG_FILE, $AWS_SHARED_CREDENTIALS_FILE environment variables or defaults to ~/.aws/config and ~/.aws/credentials

func (*Profiles) GetFrecentProfiles added in v0.2.3

func (p *Profiles) GetFrecentProfiles() (*FrecentProfiles, []string)

Loads the frecency cache and generates a list of profiles with frecently used profiles first, followed by alphabetically sorted profiles that have not been used with assume. This method returns a FrecentProfiles pointer which should be used after selecting a profile to update the cache; it will also remove any entries which no longer exist in the aws config.

func (*Profiles) HasProfile added in v0.2.3

func (p *Profiles) HasProfile(profile string) bool

func (*Profiles) InitialiseProfilesTree added in v0.2.3

func (p *Profiles) InitialiseProfilesTree(ctx context.Context)

InitialiseProfilesTree will initialise all profiles. This means that the profile parent relations are walked and the profile type is determined. Use this if you need to know the type of every profile in the config; for large configurations, this may be expensive.

func (*Profiles) LoadInitialisedProfile added in v0.2.3

func (p *Profiles) LoadInitialisedProfile(ctx context.Context, profile string) (*Profile, error)

LoadInitialisedProfile returns an initialised profile by name. This means that all the parents have been loaded and the profile type is defined.

func (*Profiles) Profile added in v0.2.3

func (p *Profiles) Profile(profile string) (*Profile, error)

type SSOPlainTextOut added in v0.3.0

type SSOPlainTextOut struct {
	AccessToken string `json:"accessToken"`
	ExpiresAt   string `json:"expiresAt"`
	StartUrl    string `json:"startUrl"`
	Region      string `json:"region"`
}

func CreatePlainTextSSO added in v0.3.0

func CreatePlainTextSSO(awsConfig config.SharedConfig, token *securestorage.SSOToken) *SSOPlainTextOut

CreatePlainTextSSO is currently unused. In a future version of the Granted CLI, we'll allow users to export a plaintext token from their keychain for compatibility purposes with other AWS tools.

see: https://github.com/common-fate/granted/issues/155

func ReadPlaintextSsoCreds added in v0.9.1

func ReadPlaintextSsoCreds(startUrl string) (SSOPlainTextOut, error)

func (*SSOPlainTextOut) DumpToCacheDirectory added in v0.3.0

func (s *SSOPlainTextOut) DumpToCacheDirectory() error

type SSOSession added in v0.5.2

type SSOSession struct {
	SSORegion   string
	SSOStartURL string
}
