gcreds4aws

package module

v0.1.2 Latest Latest Go to latest Published: Jun 28, 2024 License: MIT Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mashiike/gcreds4aws

Links

Open Source Insights

README ¶

gcreds4aws

Google Cloud Credentials utility for AWS Environment

Usage

package main

import (
	"context"
	"log"

	"github.com/mashiike/gcreds4aws"
	"google.golang.org/api/option"
	"google.golang.org/api/sheets/v4"
)

func main() {
	defer gcreds4aws.Close()
	srv, err := sheets.NewService(context.Background(), gcreds4aws.WithCredentials(ctx), option.WithScopes(sheets.SpreadsheetsReadonlyScope))
	if err != nil {
		log.Fatalf("Unable to retrieve Sheets client: %v", err)
	}

	// Google Sheets API Sample
	spreadsheetId := "<your spreadsheet id>"
	readRange := "A1:D5"
	resp, err := srv.Spreadsheets.Values.Get(spreadsheetId, readRange).Do()
	if err != nil {
		log.Fatalf("Unable to retrieve data from sheet: %v", err)
	}
	log.Fatal(resp.Values)
}

Use with AWS SSM Parameter Store

set environment variable GOOGLE_APPLICATION_CREDENTIALS to SSM Parameter Store ARN.

export GOOGLE_APPLICATION_CREDENTIALS="arn:aws:ssm:<region>:<account-id>:parameter/<parameter-name>"

Google Cloud Credentials will be fetched from the SSM Parameter Store and cache to in-memory.

With workload identity pool, (not EC2 instance)

The credentials for using the default workload identity pool are as follows:

{
  "type": "external_account",
  "audiance": "//iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-name>/providers/<provider-name>",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-email>:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}

However, this is designed to work on EC2 instances and will not function on Lambda or ECS. To work around this, a proxy server can be started locally to simulate the EC2 instance metadata endpoint and provide credential information.

If you want to output the access logs of the internally started HTTP server, set the logger as follows:

gcred4aws.SetLogger(slog.Default())

Documentation ¶

Index ¶

Constants
Variables
func Close() error
func NewCredentials(ctx context.Context) (option.ClientOption, error)
func SetLogger(logger *slog.Logger)
func SetSSMClient(client GetParameterAPIClient)
func WithCredentials(ctx context.Context) option.ClientOption
type CredentialsManager
type GetParameterAPIClient

Constants ¶

View Source

const (
	CacheLifetimeSeconds                       = 4 * 60
	ServiceAccountImpersonationLifetimeSeconds = 5 * 60
	SubjectTokenTypeForAWS                     = "urn:ietf:params:aws:token-type:aws4_request"
)

Variables ¶

View Source

var DefaultCredentialsManager = &CredentialsManager{}

Functions ¶

func Close ¶

func Close() error

func NewCredentials ¶

func NewCredentials(ctx context.Context) (option.ClientOption, error)

func SetLogger ¶

func SetLogger(logger *slog.Logger)

func SetSSMClient ¶

func SetSSMClient(client GetParameterAPIClient)

func WithCredentials ¶

func WithCredentials(ctx context.Context) option.ClientOption

Types ¶

type CredentialsManager ¶

type CredentialsManager struct {
	// contains filtered or unexported fields
}

func (*CredentialsManager) Close ¶

func (mgr *CredentialsManager) Close() error

func (*CredentialsManager) NewCredentialsOption ¶

func (mgr *CredentialsManager) NewCredentialsOption(ctx context.Context) (option.ClientOption, error)

func (*CredentialsManager) SetLogger ¶

func (mgr *CredentialsManager) SetLogger(logger *slog.Logger)

func (*CredentialsManager) SetSSMClient ¶

func (mgr *CredentialsManager) SetSSMClient(client GetParameterAPIClient)

func (*CredentialsManager) WithCredentials ¶

func (mgr *CredentialsManager) WithCredentials(ctx context.Context) option.ClientOption

type GetParameterAPIClient ¶

type GetParameterAPIClient interface {
	GetParameter(ctx context.Context, input *ssm.GetParameterInput, optFns ...func(*ssm.Options)) (*ssm.GetParameterOutput, error)
}

Source Files ¶

View all Source files

gcred.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL