Documentation ¶
Index ¶
- func CheckCloudCredCreation(awsClient Client, logger log.FieldLogger) (bool, error)
- func CheckCloudCredPassthrough(awsClient Client, params *SimulateParams, logger log.FieldLogger) (bool, error)
- func CheckPermissionsAgainstActions(awsClient Client, actionList []string, params *SimulateParams, ...) (bool, error)
- func CheckPermissionsAgainstStatementList(awsClient Client, statementEntries []minterv1.StatementEntry, ...) (bool, error)
- func CheckPermissionsUsingQueryClient(queryClient, targetClient Client, statementEntries []minterv1.StatementEntry, ...) (bool, error)
- type Client
- type ClientParams
- type SimulateParams
Functions ¶
func CheckCloudCredCreation ¶
func CheckCloudCredCreation(awsClient Client, logger log.FieldLogger) (bool, error)
CheckCloudCredCreation reports whether the credentials behind awsClient carry enough permissions to create new sub-credentials.
func CheckCloudCredPassthrough ¶
func CheckCloudCredPassthrough(awsClient Client, params *SimulateParams, logger log.FieldLogger) (bool, error)
CheckCloudCredPassthrough reports whether the provided credentials are sufficient to be passed through to other components as-is, judged against the static list of permissions needed by the various users of CredentialsRequests. TODO: move away from the static list (to dynamic passthrough validation?).
func CheckPermissionsAgainstActions ¶
func CheckPermissionsAgainstActions(awsClient Client, actionList []string, params *SimulateParams, logger log.FieldLogger) (bool, error)
CheckPermissionsAgainstActions takes the static list of actions and checks whether the credentials behind awsClient are permitted to perform them. It returns true when the permissions are sufficient and false otherwise.
func CheckPermissionsAgainstStatementList ¶
func CheckPermissionsAgainstStatementList(awsClient Client, statementEntries []minterv1.StatementEntry, params *SimulateParams, logger log.FieldLogger) (bool, error)
CheckPermissionsAgainstStatementList tests whether the actions listed in the provided StatementEntries can be performed with the credentials used by the passed-in awsClient.
func CheckPermissionsUsingQueryClient ¶
func CheckPermissionsUsingQueryClient(queryClient, targetClient Client, statementEntries []minterv1.StatementEntry, params *SimulateParams, logger log.FieldLogger) (bool, error)
CheckPermissionsUsingQueryClient uses queryClient to query whether the credentials held by targetClient can perform the actions listed in statementEntries. queryClient's own credentials must be allowed to call iam:GetUser and iam:SimulatePrincipalPolicy.
Types ¶
type Client ¶
// Client wraps the AWS SDK clients this package talks to behind a single
// interface so that callers can be exercised against a fake in tests.
//
// Each method mirrors one AWS SDK call of the same name, so a Client value
// can do exactly what the credentials behind it are allowed to do — no more,
// no less. Methods are grouped by service and listed alphabetically within
// each group.
type Client interface {
	// IAM
	CreateAccessKey(*iam.CreateAccessKeyInput) (*iam.CreateAccessKeyOutput, error)
	CreateOpenIDConnectProvider(*iam.CreateOpenIDConnectProviderInput) (*iam.CreateOpenIDConnectProviderOutput, error)
	CreateRole(*iam.CreateRoleInput) (*iam.CreateRoleOutput, error)
	CreateUser(*iam.CreateUserInput) (*iam.CreateUserOutput, error)
	DeleteAccessKey(*iam.DeleteAccessKeyInput) (*iam.DeleteAccessKeyOutput, error)
	DeleteOpenIDConnectProvider(*iam.DeleteOpenIDConnectProviderInput) (*iam.DeleteOpenIDConnectProviderOutput, error)
	DeleteRole(*iam.DeleteRoleInput) (*iam.DeleteRoleOutput, error)
	DeleteRolePolicy(*iam.DeleteRolePolicyInput) (*iam.DeleteRolePolicyOutput, error)
	DeleteUser(*iam.DeleteUserInput) (*iam.DeleteUserOutput, error)
	DeleteUserPolicy(*iam.DeleteUserPolicyInput) (*iam.DeleteUserPolicyOutput, error)
	GetOpenIDConnectProvider(*iam.GetOpenIDConnectProviderInput) (*iam.GetOpenIDConnectProviderOutput, error)
	GetRole(*iam.GetRoleInput) (*iam.GetRoleOutput, error)
	GetUser(*iam.GetUserInput) (*iam.GetUserOutput, error)
	GetUserPolicy(*iam.GetUserPolicyInput) (*iam.GetUserPolicyOutput, error)
	ListAccessKeys(*iam.ListAccessKeysInput) (*iam.ListAccessKeysOutput, error)
	ListOpenIDConnectProviders(*iam.ListOpenIDConnectProvidersInput) (*iam.ListOpenIDConnectProvidersOutput, error)
	ListRolePolicies(*iam.ListRolePoliciesInput) (*iam.ListRolePoliciesOutput, error)
	ListRoles(*iam.ListRolesInput) (*iam.ListRolesOutput, error)
	ListUserPolicies(*iam.ListUserPoliciesInput) (*iam.ListUserPoliciesOutput, error)
	PutRolePolicy(*iam.PutRolePolicyInput) (*iam.PutRolePolicyOutput, error)
	PutUserPolicy(*iam.PutUserPolicyInput) (*iam.PutUserPolicyOutput, error)
	// SimulatePrincipalPolicy evaluates, without executing anything, whether a
	// principal would be allowed the given actions; the paged variant hands
	// each response page to the callback and stops when it returns false.
	SimulatePrincipalPolicy(*iam.SimulatePrincipalPolicyInput) (*iam.SimulatePolicyResponse, error)
	SimulatePrincipalPolicyPages(*iam.SimulatePrincipalPolicyInput, func(*iam.SimulatePolicyResponse, bool) bool) error
	TagOpenIDConnectProvider(*iam.TagOpenIDConnectProviderInput) (*iam.TagOpenIDConnectProviderOutput, error)
	TagUser(*iam.TagUserInput) (*iam.TagUserOutput, error)
	UpdateAssumeRolePolicy(*iam.UpdateAssumeRolePolicyInput) (*iam.UpdateAssumeRolePolicyOutput, error)

	// S3
	CreateBucket(*s3.CreateBucketInput) (*s3.CreateBucketOutput, error)
	DeleteBucket(*s3.DeleteBucketInput) (*s3.DeleteBucketOutput, error)
	DeleteObject(*s3.DeleteObjectInput) (*s3.DeleteObjectOutput, error)
	GetBucketTagging(*s3.GetBucketTaggingInput) (*s3.GetBucketTaggingOutput, error)
	GetObjectTagging(*s3.GetObjectTaggingInput) (*s3.GetObjectTaggingOutput, error)
	ListObjects(*s3.ListObjectsInput) (*s3.ListObjectsOutput, error)
	PutBucketPolicy(*s3.PutBucketPolicyInput) (*s3.PutBucketPolicyOutput, error)
	PutBucketTagging(*s3.PutBucketTaggingInput) (*s3.PutBucketTaggingOutput, error)
	PutObject(*s3.PutObjectInput) (*s3.PutObjectOutput, error)
	PutPublicAccessBlock(*s3.PutPublicAccessBlockInput) (*s3.PutPublicAccessBlockOutput, error)

	// CloudFront
	CreateCloudFrontDistributionWithTags(*cloudfront.CreateDistributionWithTagsInput) (*cloudfront.CreateDistributionWithTagsOutput, error)
	CreateCloudFrontOriginAccessIdentity(*cloudfront.CreateCloudFrontOriginAccessIdentityInput) (*cloudfront.CreateCloudFrontOriginAccessIdentityOutput, error)
	DeleteCloudFrontDistribution(*cloudfront.DeleteDistributionInput) (*cloudfront.DeleteDistributionOutput, error)
	DeleteCloudFrontOriginAccessIdentity(*cloudfront.DeleteCloudFrontOriginAccessIdentityInput) (*cloudfront.DeleteCloudFrontOriginAccessIdentityOutput, error)
	GetCloudFrontDistribution(*cloudfront.GetDistributionInput) (*cloudfront.GetDistributionOutput, error)
	GetCloudFrontOriginAccessIdentity(*cloudfront.GetCloudFrontOriginAccessIdentityInput) (*cloudfront.GetCloudFrontOriginAccessIdentityOutput, error)
	ListCloudFrontDistributions(*cloudfront.ListDistributionsInput) (*cloudfront.ListDistributionsOutput, error)
	ListCloudFrontOriginAccessIdentities(*cloudfront.ListCloudFrontOriginAccessIdentitiesInput) (*cloudfront.ListCloudFrontOriginAccessIdentitiesOutput, error)
	ListTagsForCloudFrontResource(*cloudfront.ListTagsForResourceInput) (*cloudfront.ListTagsForResourceOutput, error)
	UpdateCloudFrontDistribution(*cloudfront.UpdateDistributionInput) (*cloudfront.UpdateDistributionOutput, error)
}
Client is a wrapper interface over the actual AWS SDK clients, introduced so that callers can be tested against a fake implementation.
func NewClient ¶
func NewClient(accessKeyID, secretAccessKey []byte, params *ClientParams) (Client, error)
NewClient builds the Client wrapper around the AWS SDK clients this package uses, authenticated with the given access key ID and secret access key.
func NewClientFromSession ¶
NewClientFromSession returns a basic Client built solely from the provided awsSession.
type ClientParams ¶
ClientParams holds the optional tunables used to configure the AWS client that performs API calls.
type SimulateParams ¶
// SimulateParams captures any additional details that should be used when
// simulating permissions.
type SimulateParams struct {
	// Region is the AWS region name handed to the permission simulation.
	// NOTE(review): how the simulation consumes it is not visible here —
	// presumably it supplies region context to the policy evaluation; confirm
	// against the CheckPermissions* implementations.
	Region string
}
SimulateParams captures any additional details that should be used when simulating permissions.