Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Canonicalize ¶
Canonicalize validates IAM resources are appropriate for the authenticator and converts STS assumed roles into the IAM role resource.
Supported IAM resources are:
- AWS account: arn:aws:iam::123456789012:root
- IAM user: arn:aws:iam::123456789012:user/Bob
- IAM role: arn:aws:iam::123456789012:role/S3Access
- IAM Assumed role: arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary (converted to IAM role)
- Federated user: arn:aws:sts::123456789012:federated-user/Bob
Types ¶
type FormatError ¶
type FormatError struct {
// contains filtered or unexported fields
}
FormatError is returned when there is a problem with token that is an encoded sts request. This can include the url, data, action or anything else that prevents the sts call from being made.
func (FormatError) Error ¶
func (e FormatError) Error() string
type Generator ¶
type Generator interface {
// GetWithSTS returns a token valid for clusterID using the given STS client.
GetWithSTS(clusterID string, stsAPI *sts.STS) (Token, error)
}
Generator provides new tokens for the AWS IAM Authenticator.
type Identity ¶
type Identity struct {
// ARN is the raw Amazon Resource Name returned by sts:GetCallerIdentity
ARN string
// CanonicalARN is the Amazon Resource Name converted to a more canonical
// representation. In particular, STS assumed role ARNs like
// "arn:aws:sts::ACCOUNTID:assumed-role/ROLENAME/SESSIONNAME" are converted
// to their IAM ARN equivalent "arn:aws:iam::ACCOUNTID:role/NAME"
CanonicalARN string
// AccountID is the 12 digit AWS account number.
AccountID string
// UserID is the unique user/role ID (e.g., "AROAAAAAAAAAAAAAAAAAA").
UserID string
// SessionName is the STS session name (or "" if this is not a
// session-based identity). For EC2 instance roles, this will be the EC2
// instance ID (e.g., "i-0123456789abcdef0"). You should only rely on it
// if you trust that _only_ EC2 is allowed to assume the IAM Role. If IAM
// users or other roles are allowed to assume the role, they can provide
// (nearly) arbitrary strings here.
SessionName string
// The AWS Access Key ID used to authenticate the request. This can be used
// in conjunction with CloudTrail to determine the identity of the individual
// if the individual assumed an IAM role before making the request.
AccessKeyID string
}
Identity is returned on successful Verify() results. It contains a parsed version of the AWS identity used to create the token.
type STSError ¶
type STSError struct {
// contains filtered or unexported fields
}
STSError is returned when there was either an error calling STS or a problem processing the data returned from STS.
type Token ¶
Token is generated and used by Kubernetes client-go to authenticate with a Kubernetes cluster.
type Verifier ¶
Verifier validates tokens by calling STS and returning the associated identity.
func NewVerifier ¶
NewVerifier creates a Verifier that is bound to the clusterID and uses the default http client.
Source Files