awsauth

package
v1.13.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 26, 2023 License: MPL-2.0 Imports: 6 Imported by: 0

Documentation

Index

Constants

View Source
const (
	IAMServerIDHeaderName  string = "X-Consul-IAM-ServerID"
	GetEntityMethodHeader  string = "X-Consul-IAM-GetEntity-Method"
	GetEntityURLHeader     string = "X-Consul-IAM-GetEntity-URL"
	GetEntityHeadersHeader string = "X-Consul-IAM-GetEntity-Headers"
	GetEntityBodyHeader    string = "X-Consul-IAM-GetEntity-Body"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// BoundIAMPrincipalARNs are the trusted AWS IAM principal ARNs that are permitted
	// to login to the auth method. These can be the exact ARNs or wildcards. Wildcards
	// are only supported if EnableIAMEntityDetails is true.
	BoundIAMPrincipalARNs []string `json:",omitempty"`

	// EnableIAMEntityDetails will fetch the IAM User or IAM Role details to include
	// in binding rules. Required if wildcard principal ARNs are used.
	EnableIAMEntityDetails bool `json:",omitempty"`

	// IAMEntityTags are the specific IAM User or IAM Role tags to include as selectable
	// fields in the binding rule attributes. Requires EnableIAMEntityDetails = true.
	IAMEntityTags []string `json:",omitempty"`

	// ServerIDHeaderValue adds a X-Consul-IAM-ServerID header to each AWS API request.
	// This helps protect against replay attacks.
	ServerIDHeaderValue string `json:",omitempty"`

	// MaxRetries is the maximum number of retries on AWS API requests for recoverable errors.
	MaxRetries int `json:",omitempty"`
	// IAMEndpoint is the AWS IAM endpoint where iam:GetRole or iam:GetUser requests will be sent.
	// Note that the Host header in a signed request cannot be changed.
	IAMEndpoint string `json:",omitempty"`
	// STSEndpoint is the AWS STS endpoint where sts:GetCallerIdentity requests will be sent.
	// Note that the Host header in a signed request cannot be changed.
	STSEndpoint string `json:",omitempty"`

	// AllowedSTSHeaderValues is a list of additional allowed headers on the sts:GetCallerIdentity
	// request in the bearer token. A default list of necessary headers is allowed in any case.
	AllowedSTSHeaderValues []string `json:",omitempty"`
}

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

func NewValidator

func NewValidator(logger hclog.Logger, method *structs.ACLAuthMethod) (*Validator, error)

func (*Validator) Name

func (v *Validator) Name() string

Name implements authmethod.Validator.

func (*Validator) NewIdentity

func (v *Validator) NewIdentity() *authmethod.Identity

func (*Validator) Stop

func (v *Validator) Stop()

Stop implements authmethod.Validator.

func (*Validator) ValidateLogin

func (v *Validator) ValidateLogin(ctx context.Context, loginToken string) (*authmethod.Identity, error)

ValidateLogin implements authmethod.Validator.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL