provider

package module v1.0.1

Note: this package is not in the latest version of its module.
Published: Oct 8, 2023 License: Apache-2.0 Imports: 6 Imported by: 0

README

vault-aws-provider

vault-aws-provider is an implementation of the AWS SDK's aws.CredentialsProvider interface that fetches AWS credentials from HashiCorp Vault.

Features

  • Custom auth methods via vault.AuthMethod
  • Callback on retrieve
  • Token authentication
  • Renew token when retrieving credentials

Usage

import (
	"context"
	"log"

	awscfg "github.com/aws/aws-sdk-go-v2/config"
	vaultp "github.com/nicolascb/vault-aws-provider"
)

...
endpoint := "aws/sts/my-secret"
token := "my_vault_auth_token"
provider, err := vaultp.NewProvider(context.TODO(), endpoint, vaultp.WithVaultToken(token))
if err != nil {
	log.Fatal(err)
}
...

// can now use when initializing config
c, err := awscfg.LoadDefaultConfig(context.TODO(), awscfg.WithCredentialsProvider(provider))
if err != nil {
	log.Fatal(err)
}
// build AWS service clients from c
...

Custom auth methods

You can use any authentication method that implements vault.AuthMethod, such as the methods provided by the Vault SDK.

Authentication example with Kubernetes:

import (
	"context"
	"log"

	awscfg "github.com/aws/aws-sdk-go-v2/config"
	auth "github.com/hashicorp/vault/api/auth/kubernetes"
	vaultp "github.com/nicolascb/vault-aws-provider"
)

func main() {
	endpoint := "aws/sts/my-secret"
	role := "my-vault-role"                                            // Vault Kubernetes auth role (placeholder)
	tokenPath := "/var/run/secrets/kubernetes.io/serviceaccount/token" // default in-cluster service account token path
	kubeAuth, err := auth.NewKubernetesAuth(
		role,
		auth.WithServiceAccountTokenPath(tokenPath),
	)
	if err != nil {
		log.Fatal(err)
	}

	// initialize provider
	provider, err := vaultp.NewProvider(
		context.TODO(),
		endpoint,
		vaultp.WithAuthMethod(kubeAuth),
		// for renew on retrieve
		vaultp.WithAuthBeforeRetrieve())
	if err != nil {
		log.Fatal(err)
	}

	// can now use when initializing config
	c, err := awscfg.LoadDefaultConfig(context.TODO(), awscfg.WithCredentialsProvider(provider))
	if err != nil {
		log.Fatal(err)
	}
	_ = c // build AWS service clients from c
}

License

Released under the Apache License 2.0.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Auth

type Auth interface {
	Login(context.Context, vault.AuthMethod) (*vault.Secret, error)
}

Auth interface represents the vault.Auth().Login method

type CredentialsParser

type CredentialsParser func(*vault.Secret) (aws.Credentials, error)

CredentialsParser represents a parser that converts a vault.Secret into aws.Credentials.

type Logicaler

type Logicaler interface {
	Read(path string) (*vault.Secret, error)
}

Logicaler interface represents the vault.Logical().Read method

type Option

type Option func(*Provider) error

Option represents the options to initialize provider

func WithAuthBeforeRetrieve

func WithAuthBeforeRetrieve() Option

WithAuthBeforeRetrieve enables authentication before retrieving secrets. It should be used in cases where it is necessary to renew authentication to Vault.

func WithAuthMethod

func WithAuthMethod(auth vault.AuthMethod) Option

WithAuthMethod uses the given vault.AuthMethod to authenticate. If you need to renew authentication, you should also use WithAuthBeforeRetrieve.

func WithCredentialsParser

func WithCredentialsParser(parser CredentialsParser) Option

WithCredentialsParser sets the parser that converts a vault.Secret into aws.Credentials. It is used as a callback after fetching secrets from Vault.
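As an added example (not code from the vault-aws-provider project), a parser of the kind WithCredentialsParser expects for a Vault aws/sts secret. It assumes the Vault AWS secrets engine's response field names (access_key, secret_key, security_token) and uses local stand-in types shaped like vault.Secret and aws.Credentials so it runs without the external modules; in real use, swap the stand-ins for those types.

```go
package main

import (
	"fmt"
	"time"
)

// Stand-ins for vault.Secret and aws.Credentials (same field names as the real types).
type Secret struct {
	LeaseDuration int                    // seconds the STS lease is valid for
	Data          map[string]interface{} // response body from the aws secrets engine
}
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken, Source string
	CanExpire                                        bool
	Expires                                          time.Time
}

// STSCredentialsParser builds a parser for a Vault aws/sts response.
// Assumed Vault field names: access_key, secret_key, security_token; now is injected for deterministic tests.
func STSCredentialsParser(now time.Time) func(*Secret) (Credentials, error) {
	return func(s *Secret) (Credentials, error) {
		if s == nil || s.Data == nil {
			return Credentials{}, fmt.Errorf("vault returned an empty secret")
		}
		got := map[string]string{}
		for _, key := range []string{"access_key", "secret_key", "security_token"} {
			v, ok := s.Data[key].(string)
			if !ok || v == "" {
				return Credentials{}, fmt.Errorf("vault secret missing %q", key)
			}
			got[key] = v
		}
		c := Credentials{AccessKeyID: got["access_key"], SecretAccessKey: got["secret_key"],
			SessionToken: got["security_token"], Source: "vault-aws-provider"}
		// STS credentials are temporary: expose the lease so the SDK refreshes before expiry.
		if s.LeaseDuration > 0 {
			c.CanExpire = true
			c.Expires = now.Add(time.Duration(s.LeaseDuration) * time.Second)
		}
		return c, nil
	}
}

func main() {
	s := &Secret{LeaseDuration: 3600, Data: map[string]interface{}{ // constructed sample
		"access_key": "ASIAEXAMPLE", "secret_key": "secret", "security_token": "token"}}
	fmt.Println(STSCredentialsParser(time.Now())(s))
}
```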

func WithCustomVaultConfig

func WithCustomVaultConfig(c *vault.Config) Option

WithCustomVaultConfig uses a custom vault.Config for the Vault client.

func WithVaultToken

func WithVaultToken(token string) Option

WithVaultToken sets the Vault token used to authenticate.

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider implements aws.CredentialsProvider

func NewProvider

func NewProvider(ctx context.Context, secretPath string, opts ...Option) (*Provider, error)

NewProvider initializes a Vault-backed provider for the given secret path, applying the given options.

func (*Provider) Retrieve

func (p *Provider) Retrieve(ctx context.Context) (aws.Credentials, error)

Retrieve fetches AWS credentials from Vault, satisfying aws.CredentialsProvider.

Directories

Path Synopsis
Package mock_provider is a generated GoMock package.