README
¶
Go + AWS(ECS) + Vault = goawsvault
Usage
go get github.com/driftprogramming/goawsvault@v1.0.0
Examples example/usage.go
Three different cases to login vault client and renew the vault client token automatically.
package example
import (
"context"
"os"
"github.com/driftprogramming/goawsvault"
"github.com/hashicorp/vault/api"
)
func vaultLoginExample() *api.Client {
vaultClient := goawsvault.Login("https://vault.mycompany.net", "auth/mycompany-dev/login", map[string]interface{}{"role_id": "developer"})
tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
tm.MonitoringForToken() // renew vault token automatically
return vaultClient
}
func vaultLoginWithinAwsEcsContainerAutomaticallyExample() *api.Client {
vaultClient := goawsvault.LoginWithinAwsEcsContainerAutomatically("https://vault.mycompany.net", "eu-west-1")
tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
tm.MonitoringForToken() // renew vault token automatically
return vaultClient
}
func vaultLoginByAwsRoleArn() *api.Client {
_ = os.Setenv("AWS_ACCESS_KEY_ID", "AKKKAFYN9K3AUY74SNY39") // the parent aws credentials to call aws api to assume the specific role
_ = os.Setenv("AWS_SECRET_ACCESS_KEY", "ZTL9288NXdymfhxcISMOCU+AsYy9O3RsiDptABm8")
vaultClient := goawsvault.LoginByAwsRoleArn("https://vault.mycompany.net", "arn:aws:iam::468785217309:role/my-application-service-dev", "eu-west-1")
tm := goawsvault.NewTokenManager(context.Background(), vaultClient)
tm.MonitoringForToken() // renew vault token automatically
return vaultClient
}
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Login ¶
Login In general, this method just call the vault login path you specified here. We usually use this to login in local env for developers. e.g: loginPath: auth/mycompany-dev/login data: map[string]interface{}{"role_id": "developer"}
func LoginByAwsRoleArn ¶
LoginByAwsRoleArn A classic AWS credentials(AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY) is required for this function to execute AWS API to query the specific role. In general, you need to setup the AWS credential in env vars like this: _=os.Setenv("AWS_ACCESS_KEY_ID","AKKKAFYN9K3AUY74SNY39") _=os.Setenv("AWS_SECRET_ACCESS_KEY","ZTL9288NXdymfhxcISMOCU+AsYy9O3RsiDptABm8") Please note that you need to setup the trust configuration in AWS role console to make sure this credential have permission to query the awsRoleArn.
func LoginWithinAwsEcsContainerAutomatically ¶
LoginWithinAwsEcsContainerAutomatically If the aws ecs container is running under a specific aws assume role, and this role is configured on Vault server side, then this method will query the aws assume role's credential in ECS container automatically and return a Vault client with valid token. NO need any other classic AWS credentials(AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)
Types ¶
type TokenManager ¶
type TokenManager struct {
// contains filtered or unexported fields
}
func NewTokenManager ¶
func NewTokenManager(ctx context.Context, client *vault.Client) *TokenManager
func (*TokenManager) MonitoringForToken ¶
func (tm *TokenManager) MonitoringForToken()
Source Files
Directories