README
¶
gcreds4aws
Google Cloud Credentials utility for AWS Environment
Usage
package main
import (
"context"
"log"
"github.com/mashiike/gcreds4aws"
"google.golang.org/api/option"
"google.golang.org/api/sheets/v4"
)
func main() {
defer gcreds4aws.Close()
srv, err := sheets.NewService(context.Background(), gcreds4aws.WithCredentials(ctx), option.WithScopes(sheets.SpreadsheetsReadonlyScope))
if err != nil {
log.Fatalf("Unable to retrieve Sheets client: %v", err)
}
// Google Sheets API Sample
spreadsheetId := "<your spreadsheet id>"
readRange := "A1:D5"
resp, err := srv.Spreadsheets.Values.Get(spreadsheetId, readRange).Do()
if err != nil {
log.Fatalf("Unable to retrieve data from sheet: %v", err)
}
log.Fatal(resp.Values)
}
Use with AWS SSM Parameter Store
set environment variable GOOGLE_APPLICATION_CREDENTIALS to SSM Parameter Store ARN.
export GOOGLE_APPLICATION_CREDENTIALS="arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"
Google Cloud Credentials will be fetched from the SSM Parameter Store and cache to in-memory.
With workload identity pool, (not EC2 instance)
The credentials for using the default workload identity pool are as follows:
{
"type": "external_account",
"audiance": "//iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-name>/providers/<provider-name>",
"subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-email>:generateAccessToken",
"token_url": "https://sts.googleapis.com/v1/token",
"credential_source": {
"environment_id": "aws1",
"region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
"regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
}
}
However, this is designed to work on EC2 instances and will not function on Lambda or ECS. To work around this, a proxy server can be started locally to simulate the EC2 instance metadata endpoint and provide credential information.
If you want to output the access logs of the internally started HTTP server, set the logger as follows:
gcred4aws.SetLogger(slog.Default())
Documentation
¶
Index ¶
- Constants
- Variables
- func Close() error
- func NewCredentials(ctx context.Context) (option.ClientOption, error)
- func SetLogger(logger *slog.Logger)
- func SetSSMClient(client GetParameterAPIClient)
- func WithCredentials(ctx context.Context) option.ClientOption
- type CredentialsManager
- func (mgr *CredentialsManager) Close() error
- func (mgr *CredentialsManager) NewCredentialsOption(ctx context.Context) (option.ClientOption, error)
- func (mgr *CredentialsManager) SetLogger(logger *slog.Logger)
- func (mgr *CredentialsManager) SetSSMClient(client GetParameterAPIClient)
- func (mgr *CredentialsManager) WithCredentials(ctx context.Context) option.ClientOption
- type GetParameterAPIClient
Constants ¶
View Source
const ( CacheLifetimeSeconds = 4 * 60 ServiceAccountImpersonationLifetimeSeconds = 5 * 60 SubjectTokenTypeForAWS = "urn:ietf:params:aws:token-type:aws4_request" )
Variables ¶
View Source
var DefaultCredentialsManager = &CredentialsManager{}
Functions ¶
func NewCredentials ¶
func NewCredentials(ctx context.Context) (option.ClientOption, error)
func SetSSMClient ¶
func SetSSMClient(client GetParameterAPIClient)
func WithCredentials ¶
func WithCredentials(ctx context.Context) option.ClientOption
Types ¶
type CredentialsManager ¶
type CredentialsManager struct {
// contains filtered or unexported fields
}
func (*CredentialsManager) Close ¶
func (mgr *CredentialsManager) Close() error
func (*CredentialsManager) NewCredentialsOption ¶
func (mgr *CredentialsManager) NewCredentialsOption(ctx context.Context) (option.ClientOption, error)
func (*CredentialsManager) SetLogger ¶
func (mgr *CredentialsManager) SetLogger(logger *slog.Logger)
func (*CredentialsManager) SetSSMClient ¶
func (mgr *CredentialsManager) SetSSMClient(client GetParameterAPIClient)
func (*CredentialsManager) WithCredentials ¶
func (mgr *CredentialsManager) WithCredentials(ctx context.Context) option.ClientOption
type GetParameterAPIClient ¶
type GetParameterAPIClient interface {
GetParameter(ctx context.Context, input *ssm.GetParameterInput, optFns ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
}
Source Files
Click to show internal directories.
Click to hide internal directories.