Documentation
Overview
Mostly sourced from ~/external-secrets/pkg/provider/aws/auth
Index
- Constants
- func CredsFromControllerServiceAccount(ctx context.Context, saname, ns, region string, kube kclient.Client, ...) (*credentials.Credentials, error)
- func CredsFromSecretRef(ctx context.Context, auth esv1beta1.VaultIamAuth, isClusterKind bool, ...) (*credentials.Credentials, error)
- func CredsFromServiceAccount(ctx context.Context, auth esv1beta1.VaultIamAuth, region string, ...) (*credentials.Credentials, error)
- func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error)
- func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI
- func GetAWSSession(config *aws.Config) (*session.Session, error)
- func ResolveEndpoint() endpoints.ResolverFunc
- func ResolveEndpointWithServiceMap(customEndpoints map[string]string) endpoints.ResolverFunc
- type STSProvider
Constants
const (
    STSEndpointEnv                = "AWS_STS_ENDPOINT"
    AWSWebIdentityTokenFileEnvVar = "AWS_WEB_IDENTITY_TOKEN_FILE"
)
Variables
This section is empty.
Functions
func CredsFromControllerServiceAccount
func CredsFromControllerServiceAccount(ctx context.Context, saname, ns, region string, kube kclient.Client, jwtProvider util.JwtProviderFactory) (*credentials.Credentials, error)
func CredsFromSecretRef
func CredsFromSecretRef(ctx context.Context, auth esv1beta1.VaultIamAuth, isClusterKind bool, kube kclient.Client, namespace string) (*credentials.Credentials, error)
CredsFromSecretRef pulls the access-key / secret-access-key pair from a secretRef to construct an aws.Credentials object. The namespace of the ExternalSecret is used if the ClusterSecretStore does not specify a namespace (referentAuth). If the ClusterSecretStore defines a namespace, it takes precedence.
func CredsFromServiceAccount
func CredsFromServiceAccount(ctx context.Context, auth esv1beta1.VaultIamAuth, region string, isClusterKind bool, kube kclient.Client, namespace string, jwtProvider util.JwtProviderFactory) (*credentials.Credentials, error)
CredsFromServiceAccount uses a Kubernetes Service Account to acquire temporary credentials using aws.AssumeRoleWithWebIdentity. It will assume the role defined in the ServiceAccount annotation. If the ClusterSecretStore does not define a namespace it will use the namespace from the ExternalSecret (referentAuth). If the ClusterSecretStore defines the namespace it will take precedence.
func DefaultJWTProvider
func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error)
DefaultJWTProvider returns a credentials.Provider that calls AssumeRoleWithWebIdentity. controller-runtime/client does not support the TokenRequest or other subresource APIs, so we construct our own client and use it to fetch tokens.
func GetAWSSession
func GetAWSSession(config *aws.Config) (*session.Session, error)
GetAWSSession returns the AWS session or an error.
func ResolveEndpoint
func ResolveEndpoint() endpoints.ResolverFunc
ResolveEndpoint returns a ResolverFunc with customizable endpoints.
func ResolveEndpointWithServiceMap
func ResolveEndpointWithServiceMap(customEndpoints map[string]string) endpoints.ResolverFunc
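The endpoint precedence that ResolveEndpoint and ResolveEndpointWithServiceMap expose (an explicit per-service entry, then the AWS_STS_ENDPOINT variable named by STSEndpointEnv, then the regional default), as an added stand-alone example that is not the package's own code. The ResolvedEndpoint and ResolverFunc types are simplified stand-ins for the SDK's endpoints types, the "env var applies to the sts service" rule and the regional default URL are assumptions about the real resolver, and the https-only check is an added hardening step the page does not describe.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
)

// Same constant as on this page; the env var that overrides the STS endpoint.
const STSEndpointEnv = "AWS_STS_ENDPOINT"

// ResolvedEndpoint is a simplified stand-in (assumption) for endpoints.ResolvedEndpoint.
type ResolvedEndpoint struct {
	URL           string
	SigningRegion string
}

// ResolverFunc is a simplified stand-in (assumption) for endpoints.ResolverFunc.
type ResolverFunc func(service, region string) (ResolvedEndpoint, error)

// resolveWithServiceMap builds a resolver with the documented precedence:
// customEndpoints[service] wins, then AWS_STS_ENDPOINT for "sts", otherwise the
// regional default. getenv is injected so the lookup is testable without touching
// the process environment. Custom endpoints must be https, since temporary
// credentials and web-identity tokens are sent to whatever host is configured here.
func resolveWithServiceMap(customEndpoints map[string]string, getenv func(string) string) ResolverFunc {
	return func(service, region string) (ResolvedEndpoint, error) {
		candidate := customEndpoints[service]
		if candidate == "" && service == "sts" {
			candidate = getenv(STSEndpointEnv)
		}
		if candidate == "" {
			// Simplified default; the real SDK consults partition tables.
			return ResolvedEndpoint{URL: fmt.Sprintf("https://%s.%s.amazonaws.com", service, region), SigningRegion: region}, nil
		}
		u, err := url.Parse(candidate)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return ResolvedEndpoint{}, fmt.Errorf("custom endpoint for %s must be an https URL, got %q", service, candidate)
		}
		return ResolvedEndpoint{URL: candidate, SigningRegion: region}, nil
	}
}

func main() {
	r := resolveWithServiceMap(map[string]string{}, os.Getenv)
	ep, err := r("sts", "us-east-1")
	fmt.Println(ep.URL, err)
}
```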