README
¶
Getting Started
To create a storage bucket (using default scope created by boundary dev):
boundary storage-buckets create \
-scope-id p_1234567890 \
-name "Example Plugin-Based Storage Bucket" \
-description "Description for plugin-based storage bucket" \
-plugin-name aws \
-bucket-name="session_recording_storage" \
-bucket-prefix="foo/bar/zoo" \
-worker-filter ‘“aws-access” in “/tags/type”’ \
-attr region=REGION \
-attr endpoint_url=0.0.0.0 \
-secret access_key_id='KEY' \
-secret secret_access_key='SECRET'
Required IAM Privileges
The following IAM privileges, at the very least, are required to be attached to a configured IAM user for this provider:
Example policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectAttributes"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::session_recording_storage/foo/bar/zoo/*"
}
]
}
iam:GetUser,iam:CreateAccessKey, andiam:DeleteAccessKey, configured to the IAM user to allow static credential rotation. Example policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:DeleteAccessKey",
"iam:GetUser",
"iam:CreateAccessKey"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::123456789012:user/JohnDoe"
}
]
}
Attributes
The following attributes are valid on an AWS storage bucket resource:
disable_credential_rotation(bool): Iftrue, credential rotation will not be performed.region(string): The region to configure the storage bucket for.endpoint_url(string): The endpoint to configure the storage.role_arn(string): The role arn configured for the assume role provider.role_external_id(string): The external id configured for the assume role provider.role_session_name(string): The session name configured for the assume role provider.role_tags(object): The key-value pair tags configured for the assume role provider.
An example of how to utilize the endpoint attribute See the Credential Rotation readme for more information.
Secrets
The following secrets are optional on an AWS storage bucket resource:
access_key_id(string): The access key ID for the IAM user to use with this storage bucket.secret_access_key(string): The secret access key for the IAM user to use with this storage bucket.
See the Credential Rotation readme for more information.
Documentation
¶
Index ¶
- Constants
- func TestAwsS3Error(code, op, msg string) error
- func WithCacheRefresh(refresh bool) s3Option
- func WithDualStack(with bool) s3Option
- func WithEndpoint(with string) s3Option
- type S3API
- type StorageAttributes
- type StoragePlugin
- func (p *StoragePlugin) DeleteObjects(ctx context.Context, req *pb.DeleteObjectsRequest) (*pb.DeleteObjectsResponse, error)
- func (p *StoragePlugin) GetObject(req *pb.GetObjectRequest, stream pb.StoragePluginService_GetObjectServer) error
- func (p *StoragePlugin) HeadObject(ctx context.Context, req *pb.HeadObjectRequest) (*pb.HeadObjectResponse, error)
- func (p *StoragePlugin) OnCreateStorageBucket(ctx context.Context, req *pb.OnCreateStorageBucketRequest) (*pb.OnCreateStorageBucketResponse, error)
- func (p *StoragePlugin) OnDeleteStorageBucket(ctx context.Context, req *pb.OnDeleteStorageBucketRequest) (*pb.OnDeleteStorageBucketResponse, error)
- func (p *StoragePlugin) OnUpdateStorageBucket(ctx context.Context, req *pb.OnUpdateStorageBucketRequest) (*pb.OnUpdateStorageBucketResponse, error)
- func (p *StoragePlugin) PutObject(ctx context.Context, req *pb.PutObjectRequest) (*pb.PutObjectResponse, error)
- func (p *StoragePlugin) ValidatePermissions(ctx context.Context, req *pb.ValidatePermissionsRequest) (*pb.ValidatePermissionsResponse, error)
Constants ¶
View Source
const ( // ConstAwsEndpointUrl is the key for the endpoint url in the aws s3 client. ConstAwsEndpointUrl = "endpoint_url" // ConstAwsDualStack is the key for the dualstack flag in the aws s3 client. ConstAwsDualStack = "dual_stack" )
Variables ¶
This section is empty.
Functions ¶
func TestAwsS3Error ¶ added in v0.4.0
TestAwsS3Error returns an s3 api error
func WithCacheRefresh ¶ added in v0.4.1
func WithCacheRefresh(refresh bool) s3Option
WithCacheRefresh controls if the cache should be forced to refresh
func WithDualStack ¶ added in v0.4.1
func WithDualStack(with bool) s3Option
WithDualStack sets the dual stack resolver
func WithEndpoint ¶
func WithEndpoint(with string) s3Option
WithEndpoint contains the endpoint to use
Types ¶
type S3API ¶
type S3API interface {
DeleteObject(ctx context.Context, params *s3.DeleteObjectInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectOutput, error)
GetObject(ctx context.Context, params *s3.GetObjectInput, optFns ...func(*s3.Options)) (*s3.GetObjectOutput, error)
HeadObject(ctx context.Context, params *s3.HeadObjectInput, optFns ...func(*s3.Options)) (*s3.HeadObjectOutput, error)
PutObject(ctx context.Context, params *s3.PutObjectInput, optFns ...func(*s3.Options)) (*s3.PutObjectOutput, error)
DeleteObjects(ctx context.Context, params *s3.DeleteObjectsInput, optFns ...func(*s3.Options)) (*s3.DeleteObjectsOutput, error)
ListObjectsV2(ctx context.Context, params *s3.ListObjectsV2Input, optFns ...func(*s3.Options)) (*s3.ListObjectsV2Output, error)
Credentials() aws.Credentials
}
type StorageAttributes ¶
type StorageAttributes struct {
*cred.CredentialAttributes
// EndpointUrl is used for configuring how the aws client will resolve requests.
EndpointUrl string
// DualStack is used for configuring how the aws client will resolve requests.
DualStack bool
}
StorageAttributes is a Go-native representation of the Attributes map.
type StoragePlugin ¶
type StoragePlugin struct {
pb.UnimplementedStoragePluginServiceServer
// contains filtered or unexported fields
}
StoragePlugin implements the StoragePluginServiceServer interface for the AWS storage service plugin.
func (*StoragePlugin) DeleteObjects ¶ added in v0.3.0
func (p *StoragePlugin) DeleteObjects(ctx context.Context, req *pb.DeleteObjectsRequest) (*pb.DeleteObjectsResponse, error)
DeleteObjects is used to delete one or many objects from an s3 bucket.
func (*StoragePlugin) GetObject ¶
func (p *StoragePlugin) GetObject(req *pb.GetObjectRequest, stream pb.StoragePluginService_GetObjectServer) error
GetObject is called when retrieving objects from an s3 bucket. GetObject is a blocking call until the stream has been recieved in full.
func (*StoragePlugin) HeadObject ¶
func (p *StoragePlugin) HeadObject(ctx context.Context, req *pb.HeadObjectRequest) (*pb.HeadObjectResponse, error)
HeadObject is called to get the metadata of an object.
func (*StoragePlugin) OnCreateStorageBucket ¶
func (p *StoragePlugin) OnCreateStorageBucket(ctx context.Context, req *pb.OnCreateStorageBucketRequest) (*pb.OnCreateStorageBucketResponse, error)
OnCreateStorageBucket is called when a storage bucket is created.
func (*StoragePlugin) OnDeleteStorageBucket ¶
func (p *StoragePlugin) OnDeleteStorageBucket(ctx context.Context, req *pb.OnDeleteStorageBucketRequest) (*pb.OnDeleteStorageBucketResponse, error)
OnDeleteStorageBucket is called when a storage bucket is deleted.
func (*StoragePlugin) OnUpdateStorageBucket ¶
func (p *StoragePlugin) OnUpdateStorageBucket(ctx context.Context, req *pb.OnUpdateStorageBucketRequest) (*pb.OnUpdateStorageBucketResponse, error)
OnUpdateStorageBucket is called when a storage bucket is updated.
func (*StoragePlugin) PutObject ¶
func (p *StoragePlugin) PutObject(ctx context.Context, req *pb.PutObjectRequest) (*pb.PutObjectResponse, error)
PutObject is called when putting objects into an s3 bucket.
func (*StoragePlugin) ValidatePermissions ¶
func (p *StoragePlugin) ValidatePermissions(ctx context.Context, req *pb.ValidatePermissionsRequest) (*pb.ValidatePermissionsResponse, error)
ValidatePermissions is called to validate the secrets associated with the storage bucket.
Source Files
Click to show internal directories.
Click to hide internal directories.