goawsvault

package module
Published: Jul 13, 2021 License: MIT Imports: 11 Imported by: 0

README

Go + AWS(ECS) + Vault = goawsvault

Usage

go get github.com/driftprogramming/goawsvault@v1.0.0

Examples (example/usage.go): three different ways to log in a Vault client and renew its token automatically.

package example

import (
	"context"
	"os"

	"github.com/driftprogramming/goawsvault"
	"github.com/hashicorp/vault/api"
)

func vaultLoginExample() *api.Client {
	vaultClient := goawsvault.Login("https://vault.mycompany.net", "auth/mycompany-dev/login", map[string]interface{}{"role_id": "developer"})
	tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
	tm.MonitoringForToken() // renew vault token automatically
	return vaultClient
}

func vaultLoginWithinAwsEcsContainerAutomaticallyExample() *api.Client {
	vaultClient := goawsvault.LoginWithinAwsEcsContainerAutomatically("https://vault.mycompany.net", "eu-west-1")
	tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
	tm.MonitoringForToken() // renew vault token automatically
	return vaultClient
}

func vaultLoginByAwsRoleArn() *api.Client {
	_ = os.Setenv("AWS_ACCESS_KEY_ID", "AKKKAFYN9K3AUY74SNY39") // the parent aws credentials to call aws api to assume the specific role
	_ = os.Setenv("AWS_SECRET_ACCESS_KEY", "ZTL9288NXdymfhxcISMOCU+AsYy9O3RsiDptABm8")
	vaultClient := goawsvault.LoginByAwsRoleArn("https://vault.mycompany.net", "arn:aws:iam::468785217309:role/my-application-service-dev", "eu-west-1")
	tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
	tm.MonitoringForToken() // renew vault token automatically
	return vaultClient
}

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func Login

func Login(vaultHost string, loginPath string, data map[string]interface{}) *api.Client

Login, in general, just calls the Vault login path you specify. We usually use this to log in to a local environment as a developer, e.g.:

loginPath: auth/mycompany-dev/login
data: map[string]interface{}{"role_id": "developer"}

func LoginByAwsRoleArn

func LoginByAwsRoleArn(vaultHost string, awsRoleArn string, awsRegion string) *api.Client

LoginByAwsRoleArn: classic AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) are required so this function can call the AWS API to assume the specified role. In general, you set up the AWS credentials in environment variables like this:

_ = os.Setenv("AWS_ACCESS_KEY_ID", "AKKKAFYN9K3AUY74SNY39")
_ = os.Setenv("AWS_SECRET_ACCESS_KEY", "ZTL9288NXdymfhxcISMOCU+AsYy9O3RsiDptABm8")

Please note that you need to set up the trust configuration in the AWS IAM role console so that this credential has permission to assume the awsRoleArn.

func LoginWithinAwsEcsContainerAutomatically

func LoginWithinAwsEcsContainerAutomatically(vaultHost string, awsRegion string) *api.Client

LoginWithinAwsEcsContainerAutomatically: if the AWS ECS container is running under a specific IAM role and that role is configured on the Vault server side, this method automatically obtains the role's credentials inside the ECS container and returns a Vault client with a valid token. No other classic AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) are needed.

Types

type TokenManager

type TokenManager struct {
	// contains filtered or unexported fields
}

func NewTokenManager

func NewTokenManager(ctx context.Context, client *vault.Client) *TokenManager

func (*TokenManager) MonitoringForToken

func (tm *TokenManager) MonitoringForToken()
