Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CanonicalizeARN ¶
Canonicalize validates IAM resources are appropriate for the authenticator and converts STS assumed roles into the IAM role resource.
Supported IAM resources are:
- AWS account: arn:aws:iam::123456789012:root
- IAM user: arn:aws:iam::123456789012:user/Bob
- IAM role: arn:aws:iam::123456789012:role/S3Access
- IAM Assumed role: arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary (converted to IAM role)
- Federated user: arn:aws:sts::123456789012:federated-user/Bob
func StdinStderrTokenProvider ¶
StdinStderrTokenProvider gets MFA token from standard input.
Types ¶
type FormatError ¶
type FormatError struct {
// contains filtered or unexported fields
}
FormatError is returned when there is a problem with token that is an encoded sts request. This can include the url, data, action or anything else that prevents the sts call from being made.
func (FormatError) Error ¶
func (e FormatError) Error() string
type Generator ¶
type Generator interface { // Get a token using credentials in the default credentials chain. Get(string) (Token, error) // GetWithRole creates a token by assuming the provided role, using the credentials in the default chain. GetWithRole(clusterID, roleARN string) (Token, error) // GetWithRoleForSession creates a token by assuming the provided role, using the provided session. GetWithRoleForSession(clusterID string, roleARN string, sess *session.Session) (Token, error) // Get a token using the provided options GetWithOptions(options *GetTokenOptions) (Token, error) // GetWithSTS returns a token valid for clusterID using the given STS client. GetWithSTS(clusterID string, stsAPI stsiface.STSAPI) (Token, error) // FormatJSON returns the client auth formatted json for the ExecCredential auth FormatJSON(Token) string }
Generator provides new tokens for the AWS IAM Authenticator.
func NewGenerator ¶
NewGenerator creates a Generator and returns it.
type GetTokenOptions ¶
type GetTokenOptions struct { Region string ClusterID string AssumeRoleARN string AssumeRoleExternalID string SessionName string Session *session.Session }
GetTokenOptions is passed to GetWithOptions to provide an extensible get token interface
type Identity ¶
type Identity struct { // ARN is the raw Amazon Resource Name returned by sts:GetCallerIdentity ARN string // CanonicalARN is the Amazon Resource Name converted to a more canonical // representation. In particular, STS assumed role ARNs like // "arn:aws:sts::ACCOUNTID:assumed-role/ROLENAME/SESSIONNAME" are converted // to their IAM ARN equivalent "arn:aws:iam::ACCOUNTID:role/NAME" CanonicalARN string // AccountID is the 12 digit AWS account number. AccountID string // UserID is the unique user/role ID (e.g., "AROAAAAAAAAAAAAAAAAAA"). UserID string // SessionName is the STS session name (or "" if this is not a // session-based identity). For EC2 instance roles, this will be the EC2 // instance ID (e.g., "i-0123456789abcdef0"). You should only rely on it // if you trust that _only_ EC2 is allowed to assume the IAM Role. If IAM // users or other roles are allowed to assume the role, they can provide // (nearly) arbitrary strings here. SessionName string // The AWS Access Key ID used to authenticate the request. This can be used // in conjunction with CloudTrail to determine the identity of the individual // if the individual assumed an IAM role before making the request. AccessKeyID string }
Identity is returned on successful Verify() results. It contains a parsed version of the AWS identity used to create the token.
type STSError ¶
type STSError struct {
// contains filtered or unexported fields
}
STSError is returned when there was either an error calling STS or a problem processing the data returned from STS.
type Token ¶
Token is generated and used by Kubernetes client-go to authenticate with a Kubernetes cluster.
type Verifier ¶
Verifier validates tokens by calling STS and returning the associated identity.
func NewVerifier ¶
NewVerifier creates a Verifier that is bound to the clusterID and uses the default http client.