cfaws

package
v0.29.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2024 License: MIT Imports: 44 Imported by: 0

Documentation

Index

Constants

View Source
const DefaultRegion = "us-east-1"
View Source
const (
	// permission for user to read/write/execute.
	USER_READ_WRITE_PERM = 0700
)

Variables

View Source
var ErrProfileNotFound error = errors.New("profile not found")
View Source
var ErrProfileNotInitialised error = errors.New("profile not initialised")

Functions

func ExpandRegion added in v0.2.3

func ExpandRegion(region string) (string, error)

ExpandRegion takes a string and attemps to expand it into a fully formed region e.g ue1 -> us-east-1

If region is an empty string, the DefaultRegion is returned

ExpandRegion does not attempt to fully validate regions and may produce regions which do not exist, for example as2 -> ap-south-2 which is not a valid region

func ExportAccessTokenToCache added in v0.20.4

func ExportAccessTokenToCache(ctx context.Context, profile *Profile) error

ExportAccessTokenToCache will export access tokens to ~/.aws/sso/cache

func ExportCredsToProfile added in v0.1.17

func ExportCredsToProfile(profileName string, creds aws.Credentials) error

ExportCredsToProfile will write assumed credentials to ~/.aws/credentials with a specified profile name header

func GetAWSConfigPath added in v0.15.0

func GetAWSConfigPath() string

GetAWSConfigPath will return default AWS config file path unless $AWS_CONFIG_FILE environment variable is set

func GetAWSCredentials added in v0.27.0

func GetAWSCredentials(ctx context.Context) (*aws.Credentials, error)

will attempt to get credentials from the environment first and if not found then try getting credentials from a credential process

func GetAWSCredentialsPath added in v0.15.0

func GetAWSCredentialsPath() string

GetAWSCredentialsPath will return default AWS shared credential file path unless $AWS_SHARED_CREDENTIALS_FILE environment variable is set

func GetCredentialsCreds added in v0.1.8

func GetCredentialsCreds(ctx context.Context, c *Profile) (aws.Credentials, error)

func GetDefaultCacheLocation added in v0.29.0

func GetDefaultCacheLocation() (string, error)

Find the ~/.aws/sso/cache absolute path based on OS.

func GetEnvCredentials added in v0.1.6

func GetEnvCredentials(ctx context.Context) aws.Credentials

loads the environment variables and hydrates an aws.config if they are present

func GetValidSSOTokenFromPlaintextCache added in v0.9.1

func GetValidSSOTokenFromPlaintextCache(startUrl string) *securestorage.SSOToken

func IsLegalProfileName added in v0.5.0

func IsLegalProfileName(name string) bool

Helper function which returns true if provided profile name string does not contain illegal characters

func IsValidGrantedProfile added in v0.3.0

func IsValidGrantedProfile(profile *Profile) error

For `granted login` cmd, we have to make sure 'granted' prefix is added to the aws config file.

func MfaTokenProvider added in v0.1.12

func MfaTokenProvider() (string, error)

func ParseGrantedSSOProfile added in v0.5.0

func ParseGrantedSSOProfile(ctx context.Context, profile *Profile) (*config.SharedConfig, error)

func RegisterAssumer added in v0.1.6

func RegisterAssumer(a Assumer, position int)

RegisterAssumer allows assumers to be registered when using this library as a package in other projects position = -1 will append the assumer position to insert assumer

func SsoCredsAreInConfigCache added in v0.9.1

func SsoCredsAreInConfigCache() bool

check if a valid ~/.aws/sso/cache file exists

func TypeCredsToAwsCreds

func TypeCredsToAwsCreds(c types.Credentials) aws.Credentials

func TypeRoleCredsToAwsCreds

func TypeRoleCredsToAwsCreds(c ssotypes.RoleCredentials) aws.Credentials

func UpdateFrecencyCache

func UpdateFrecencyCache(selectedProfile string)

use this to update frecency cache when the profile is supplied by the commandline

func WriteCredentialsToDotenv added in v0.1.16

func WriteCredentialsToDotenv(region string, creds aws.Credentials) error

WriteCredentialsToDotenv will check if a .env file exists and prompt to create one if it does not. After the file exists, it will be opened, credentaisl added and then written to disc

Types

type Assumer added in v0.1.6

type Assumer interface {
	// AssumeTerminal should follow the required process for it implemetation and return aws credentials ready to be exported to the terminal environment
	AssumeTerminal(context.Context, *Profile, ConfigOpts) (aws.Credentials, error)
	// AssumeConsole should follow any console specific credentials processes, this may be the same as AssumeTerminal under the hood
	AssumeConsole(context.Context, *Profile, ConfigOpts) (aws.Credentials, error)
	// A unique key which identifies this assumer e.g AWS-SSO or GOOGLE-AWS-AUTH
	Type() string
	// ProfileMatchesType takes a list of strings which are the lines in an aws config profile and returns true if this profile is the assumers type
	ProfileMatchesType(*ini.Section, config.SharedConfig) bool
}

Added support for optional pass through args on proxy sso provider When using a sso provider adding pass through flags can be achieved by adding the -pass-through or -pt flag EG. assume role-a -pt --mode -pt gui (Run the proxy login with a gui rather than in cli. Example taken from aws-azure-login)

func AssumerFromType added in v0.1.6

func AssumerFromType(t string) Assumer

type AwsAzureLoginAssumer added in v0.1.6

type AwsAzureLoginAssumer struct {
}

Implements Assumer

func (*AwsAzureLoginAssumer) AssumeConsole added in v0.1.6

func (aal *AwsAzureLoginAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsAzureLoginAssumer) AssumeTerminal added in v0.1.6

func (aal *AwsAzureLoginAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

then fetch them from the environment for use

func (*AwsAzureLoginAssumer) ProfileMatchesType added in v0.1.6

func (aal *AwsAzureLoginAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

inspect for any items on the profile prefixed with "AZURE_"

func (*AwsAzureLoginAssumer) Type added in v0.1.6

func (aal *AwsAzureLoginAssumer) Type() string

A unique key which identifies this assumer e.g AWS-SSO or GOOGLE-AWS-AUTH

type AwsGoogleAuthAssumer added in v0.1.6

type AwsGoogleAuthAssumer struct {
}

Implements Assumer

func (*AwsGoogleAuthAssumer) AssumeConsole added in v0.1.6

func (aia *AwsGoogleAuthAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsGoogleAuthAssumer) AssumeTerminal added in v0.1.6

func (aia *AwsGoogleAuthAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

launch the aws-google-auth utility to generate the credentials then fetch them from the environment for use

func (*AwsGoogleAuthAssumer) ProfileMatchesType added in v0.1.6

func (aia *AwsGoogleAuthAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

inspect for any items on the profile prefixed with "google_config."

func (*AwsGoogleAuthAssumer) Type added in v0.1.6

func (aia *AwsGoogleAuthAssumer) Type() string

A unique key which identifies this assumer e.g AWS-SSO or GOOGLE-AWS-AUTH

type AwsIamAssumer added in v0.1.6

type AwsIamAssumer struct {
}

Implements Assumer

func (*AwsIamAssumer) AssumeConsole added in v0.1.6

func (aia *AwsIamAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

if required will get a FederationToken to be used to launch the console This is required if the iam profile does not assume a role using sts.AssumeRole

func (*AwsIamAssumer) AssumeTerminal added in v0.1.6

func (aia *AwsIamAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

Default behaviour is to use the sdk to retrieve the credentials from the file For launching the console there is an extra step GetFederationToken that happens after this to get a session token

func (*AwsIamAssumer) ProfileMatchesType added in v0.1.6

func (aia *AwsIamAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

Matches the profile type on whether it is not an sso profile. this will also match other types that are not sso profiles so it should be the last option checked when determining the profile type

func (*AwsIamAssumer) Type added in v0.1.6

func (aia *AwsIamAssumer) Type() string

A unique key which identifies this assumer e.g AWS-SSO or GOOGLE-AWS-AUTH

type AwsSsoAssumer added in v0.1.6

type AwsSsoAssumer struct {
}

Implements Assumer

func (*AwsSsoAssumer) AssumeConsole added in v0.1.6

func (asa *AwsSsoAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsSsoAssumer) AssumeTerminal added in v0.1.6

func (asa *AwsSsoAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*AwsSsoAssumer) ProfileMatchesType added in v0.1.6

func (asa *AwsSsoAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

Matches the profile type on whether it is an sso profile by checking for ssoaccountid.

func (*AwsSsoAssumer) Type added in v0.1.6

func (asa *AwsSsoAssumer) Type() string

type ConfigFileLoader added in v0.5.2

type ConfigFileLoader interface {
	Load() (*ini.File, error)
	Path() string
}

type ConfigOpts added in v0.1.14

type ConfigOpts struct {
	UsingCredentialProcess     bool
	CredentialProcessAutoLogin bool
	Duration                   time.Duration
	Args                       []string
	ShouldRetryAssuming        *bool
	MFATokenCode               string
}

type CredProv

type CredProv struct{ aws.Credentials }

CredProv implements the aws.CredentialProvider interface

func (*CredProv) Retrieve

func (c *CredProv) Retrieve(ctx context.Context) (aws.Credentials, error)

type CredentialProcessAssumer added in v0.1.6

type CredentialProcessAssumer struct {
}

Implements Assumer using the aws credential_process standard

func (*CredentialProcessAssumer) AssumeConsole added in v0.1.6

func (cpa *CredentialProcessAssumer) AssumeConsole(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*CredentialProcessAssumer) AssumeTerminal added in v0.1.6

func (cpa *CredentialProcessAssumer) AssumeTerminal(ctx context.Context, c *Profile, configOpts ConfigOpts) (aws.Credentials, error)

func (*CredentialProcessAssumer) ProfileMatchesType added in v0.1.6

func (cpa *CredentialProcessAssumer) ProfileMatchesType(rawProfile *ini.Section, parsedProfile config.SharedConfig) bool

inspect for any credential processes with the saml2aws tool

func (*CredentialProcessAssumer) Type added in v0.1.6

func (cpa *CredentialProcessAssumer) Type() string

A unique key which identifies this assumer e.g AWS-SSO or GOOGLE-AWS-AUTH

type FileLoader added in v0.5.2

type FileLoader struct {
	FilePath string
}

func (FileLoader) Load added in v0.5.2

func (f FileLoader) Load() (*ini.File, error)

func (FileLoader) Path added in v0.5.2

func (f FileLoader) Path() string

type FrecentProfiles

type FrecentProfiles struct {
	// contains filtered or unexported fields
}

func (*FrecentProfiles) Update

func (f *FrecentProfiles) Update(selectedProfile string)

should be called after selecting a profile to update frecency cache wrap this method in a go routine to avoid blocking the user

type NoAccessError added in v0.23.0

type NoAccessError struct {
	// Err is the underlying error from AWS
	Err error
}

NoAccessError is returned if the user does not have access to the role they are trying to assume.

func (NoAccessError) Error added in v0.23.0

func (e NoAccessError) Error() string

func (NoAccessError) Unwrap added in v0.23.0

func (e NoAccessError) Unwrap() error

Unwrap the underlying error so that errors.Is and errors.As works

type Profile added in v0.2.3

type Profile struct {
	// allows access to the raw values from the file
	RawConfig *ini.Section
	Name      string
	// the file that this profile is from
	File        string
	ProfileType string

	// ordered from root to direct parent profile
	Parents []*Profile
	// the original config, some values may be empty strings depending on the type or profile
	AWSConfig                      config.SharedConfig
	Initialised                    bool
	LoadingError                   error
	HasSecureStorageIAMCredentials bool
}

func LoadProfileByAccountIdAndRole added in v0.13.1

func LoadProfileByAccountIdAndRole(accountId string, role string) (*Profile, error)

Note, this function doesn't handle the condition when there are same accountId & role in different regions.

func (*Profile) AssumeConsole added in v0.2.3

func (c *Profile) AssumeConsole(ctx context.Context, configOpts ConfigOpts) (aws.Credentials, error)

func (*Profile) AssumeTerminal added in v0.2.3

func (c *Profile) AssumeTerminal(ctx context.Context, configOpts ConfigOpts) (aws.Credentials, error)

func (*Profile) CustomGrantedProperty added in v0.5.2

func (p *Profile) CustomGrantedProperty(name string) string

if the profile has a "granted_${name}" key, the value is returned. else an empty string

func (*Profile) InitWithPlainTextSSOToken added in v0.3.0

func (p *Profile) InitWithPlainTextSSOToken(ctx context.Context, awsCred aws.Credentials) error

Initialize profile's AWS config by fetching credentials from plain-text-SSO-token located at default cache directory.

func (*Profile) LoadPlainTextSSOToken added in v0.3.0

func (p *Profile) LoadPlainTextSSOToken(ctx context.Context, profile string) (aws.Credentials, error)

Make sure credentials are available and valid.

func (*Profile) Region added in v0.2.3

func (p *Profile) Region(ctx context.Context) (string, error)

Region will attempt to load the region on this profile, if it is not set, attempt to load the parent if it exists else attempts to use the sso-region else attempts to load the default config returns a region, and bool = true if the default region was used

func (*Profile) SSOLogin added in v0.2.3

func (c *Profile) SSOLogin(ctx context.Context, configOpts ConfigOpts) (aws.Credentials, error)

func (*Profile) SSOLoginWithToken added in v0.19.0

func (c *Profile) SSOLoginWithToken(ctx context.Context, cfg *aws.Config, accessToken *string, secureSSOTokenStorage securestorage.SSOTokensSecureStorage, configOpts ConfigOpts) (aws.Credentials, error)

func (*Profile) SSORegion added in v0.20.1

func (p *Profile) SSORegion() string

Returns the SSORegion from either the session or the profile in that order

func (*Profile) SSOScopes added in v0.21.0

func (p *Profile) SSOScopes() []string

[sso-session commonfate] sso_start_url = https://example.awsapps.com/start sso_region = ap-southeast-2 sso_registration_scopes = sso:account:access

However, the AWS v2 Go SDK does not support reading 'sso_registration_scopes', so in order to support this we'll need to parse and lookup the `sso-session` entries in the config file separately.

func (*Profile) SSOStartURL added in v0.20.1

func (p *Profile) SSOStartURL() string

Returns the SSOStartURL from either the session or the profile in that order

type Profiles added in v0.2.3

type Profiles struct {
	// alphabetically sorted after first load
	ProfileNames []string
	// contains filtered or unexported fields
}

func LoadProfiles added in v0.2.3

func LoadProfiles() (*Profiles, error)

LoadProfiles will load aws config files from $AWS_CONFIG_FILE, $AWS_SHARED_CREDENTIALS_FILE environment variables or defaults to ~/.aws/config and ~/.aws/credentials

func (*Profiles) GetFrecentProfiles added in v0.2.3

func (p *Profiles) GetFrecentProfiles() (*FrecentProfiles, []string)

loads the frecency cache and generates a list of profiles with frecently used profiles first, followed by alphabetically sorted profiles that have not been used with assume this method returns a FrecentProfiles pointer which should be used after selecting a profile to update the cache, it will also remove any entries which no longer exist in the aws config

func (*Profiles) HasProfile added in v0.2.3

func (p *Profiles) HasProfile(profile string) bool

func (*Profiles) InitialiseProfilesTree added in v0.2.3

func (p *Profiles) InitialiseProfilesTree(ctx context.Context)

InitialiseProfilesTree will initialise all profiles this means that the profile parent relations are walked and the profile type is determined use this if you need to know the type of every profile in the config for large configuations, this may be expensive

func (*Profiles) LoadInitialisedProfile added in v0.2.3

func (p *Profiles) LoadInitialisedProfile(ctx context.Context, profile string) (*Profile, error)

LoadInitialisedProfile returns an initialised profile by name this means that all the parents have been loaded and the profile type is defined

func (*Profiles) Profile added in v0.2.3

func (p *Profiles) Profile(profile string) (*Profile, error)

type SSOPlainTextOut added in v0.3.0

type SSOPlainTextOut struct {
	AccessToken    string `json:"accessToken"`
	ExpiresAt      string `json:"expiresAt"`
	SSOSessionName string `json:"ssoSessionName"`
	StartUrl       string `json:"startUrl"`
	Region         string `json:"region"`
}

func CreatePlainTextSSO added in v0.3.0

func CreatePlainTextSSO(awsConfig config.SharedConfig, token *securestorage.SSOToken) *SSOPlainTextOut

CreatePlainTextSSO is currently unused. In a future version of the Granted CLI, we'll allow users to export a plaintext token from their keychain for compatibility purposes with other AWS tools.

func ReadPlaintextSsoCreds added in v0.9.1

func ReadPlaintextSsoCreds(startUrl string) (SSOPlainTextOut, error)

func (*SSOPlainTextOut) DumpToCacheDirectory added in v0.3.0

func (s *SSOPlainTextOut) DumpToCacheDirectory() error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL