iamauth

package
v0.8.7 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 15, 2023 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Mostly sourced from ~/external-secrets/pkg/provider/aws/auth

Index

Constants

View Source
const (
	STSEndpointEnv                = "AWS_STS_ENDPOINT"
	AWSWebIdentityTokenFileEnvVar = "AWS_WEB_IDENTITY_TOKEN_FILE"
)

Variables

This section is empty.

Functions

func CredsFromControllerServiceAccount

func CredsFromControllerServiceAccount(ctx context.Context, saname, ns, region string, kube kclient.Client, jwtProvider util.JwtProviderFactory) (*credentials.Credentials, error)

func CredsFromSecretRef

func CredsFromSecretRef(ctx context.Context, auth esv1beta1.VaultIamAuth, isClusterKind bool, kube kclient.Client, namespace string) (*credentials.Credentials, error)

CredsFromSecretRef pulls access-key / secret-access-key from a secretRef to construct a aws.Credentials object The namespace of the external secret is used if the ClusterSecretStore does not specify a namespace (referentAuth) If the ClusterSecretStore defines a namespace it will take precedence.

func CredsFromServiceAccount

func CredsFromServiceAccount(ctx context.Context, auth esv1beta1.VaultIamAuth, region string, isClusterKind bool, kube kclient.Client, namespace string, jwtProvider util.JwtProviderFactory) (*credentials.Credentials, error)

CredsFromServiceAccount uses a Kubernetes Service Account to acquire temporary credentials using aws.AssumeRoleWithWebIdentity. It will assume the role defined in the ServiceAccount annotation. If the ClusterSecretStore does not define a namespace it will use the namespace from the ExternalSecret (referentAuth). If the ClusterSecretStore defines the namespace it will take precedence.

func DefaultJWTProvider

func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error)

DefaultJWTProvider returns a credentials.Provider that calls the AssumeRoleWithWebidentity controller-runtime/client does not support TokenRequest or other subresource APIs so we need to construct our own client and use it to fetch tokens.

func DefaultSTSProvider

func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI

func GetAWSSession

func GetAWSSession(config *aws.Config) (*session.Session, error)

getAWSSession returns the aws session or an error.

func ResolveEndpoint

func ResolveEndpoint() endpoints.ResolverFunc

ResolveEndpoint returns a ResolverFunc with customizable endpoints.

func ResolveEndpointWithServiceMap

func ResolveEndpointWithServiceMap(customEndpoints map[string]string) endpoints.ResolverFunc

Types

type STSProvider

type STSProvider func(*session.Session) stsiface.STSAPI

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL