GO-2024-3126: External Secrets Operator vulnerable to privilege escalation in github.com/external-secrets/external-secrets

auth

package

v0.9.13 Latest Latest Go to latest Published: Feb 17, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/external-secrets/external-secrets

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error)
func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI
func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, ...) (*session.Session, error)
func NewGeneratorSession(ctx context.Context, auth esv1beta1.AWSAuth, role, region string, ...) (*session.Session, error)
func ResolveEndpoint() endpoints.ResolverFunc
func ResolveEndpointWithServiceMap(customEndpoints map[string]string) endpoints.ResolverFunc
type Config
type STSProvider

Constants ¶

View Source

const (
	SecretsManagerEndpointEnv = "AWS_SECRETSMANAGER_ENDPOINT"
	STSEndpointEnv            = "AWS_STS_ENDPOINT"
	SSMEndpointEnv            = "AWS_SSM_ENDPOINT"
)

Variables ¶

This section is empty.

Functions ¶

func DefaultJWTProvider ¶

func DefaultJWTProvider(name, namespace, roleArn string, aud []string, region string) (credentials.Provider, error)

DefaultJWTProvider returns a credentials.Provider that calls the AssumeRoleWithWebidentity controller-runtime/client does not support TokenRequest or other subresource APIs so we need to construct our own client and use it to fetch tokens.

func DefaultSTSProvider ¶

func DefaultSTSProvider(sess *session.Session) stsiface.STSAPI

func New ¶

func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error)

New creates a new aws session based on the provided store it uses the following authentication mechanisms in order: * service-account token authentication via AssumeRoleWithWebIdentity * static credentials from a Kind=Secret, optionally with doing a AssumeRole. * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default

func NewGeneratorSession ¶ added in v0.7.0

func NewGeneratorSession(ctx context.Context, auth esv1beta1.AWSAuth, role, region string, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error)

NewSession creates a new aws session based on the provided store it uses the following authentication mechanisms in order: * service-account token authentication via AssumeRoleWithWebIdentity * static credentials from a Kind=Secret, optionally with doing a AssumeRole. * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default

func ResolveEndpoint ¶

func ResolveEndpoint() endpoints.ResolverFunc

ResolveEndpoint returns a ResolverFunc with customizable endpoints.

func ResolveEndpointWithServiceMap ¶

func ResolveEndpointWithServiceMap(customEndpoints map[string]string) endpoints.ResolverFunc

Types ¶

type Config ¶

type Config struct {
	AssumeRole string
	Region     string
	APIRetries int
}

Config contains configuration to create a new AWS provider.

type STSProvider ¶

type STSProvider func(*session.Session) stsiface.STSAPI

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
fake

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL