Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CanonicalizeARN ¶
Canonicalize validates IAM resources are appropriate for the authenticator and converts STS assumed roles into the IAM role resource.
Supported IAM resources are:
- AWS account: arn:aws:iam::123456789012:root
- IAM user: arn:aws:iam::123456789012:user/Bob
- IAM role: arn:aws:iam::123456789012:role/S3Access
- IAM Assumed role: arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary (converted to IAM role)
- Federated user: arn:aws:sts::123456789012:federated-user/Bob
func StdinStderrTokenProvider ¶
StdinStderrTokenProvider gets MFA token from standard input.
Types ¶
type FormatError ¶
type FormatError struct {
// contains filtered or unexported fields
}
FormatError is returned when there is a problem with token that is an encoded sts request. This can include the url, data, action or anything else that prevents the sts call from being made.
func (FormatError) Error ¶
func (e FormatError) Error() string
type Generator ¶
type Generator interface {
// Get a token using credentials in the default credentials chain.
Get(ctx context.Context, clusterID string) (Token, error)
// GetWithRole creates a token by assuming the provided role, using the credentials in the default chain.
GetWithRole(ctx context.Context, clusterID, roleARN string) (Token, error)
// GetWithRoleForSession creates a token by assuming the provided role, using the provided configuration.
GetWithRoleForSession(ctx context.Context, clusterID string, roleARN string, cfg *aws.Config) (Token, error)
// Get a token using the provided options
GetWithOptions(ctx context.Context, options *GetTokenOptions) (Token, error)
// GetWithSTS returns a token valid for clusterID using the given STS client.
GetWithSTS(ctx context.Context, clusterID string, stsAPI *sts.Client) (Token, error)
// FormatJSON returns the client auth formatted json for the ExecCredential auth
FormatJSON(Token) string
}
Generator provides new tokens for the AWS IAM Authenticator.
func NewGenerator ¶
NewGenerator creates a Generator and returns it.
type GetTokenOptions ¶
type GetTokenOptions struct {
Region string
ClusterID string
AssumeRoleARN string
AssumeRoleExternalID string
SessionName string
Config *aws.Config
}
GetTokenOptions is passed to GetWithOptions to provide an extensible get token interface
type Identity ¶
type Identity struct {
// ARN is the raw Amazon Resource Name returned by sts:GetCallerIdentity
ARN string
// CanonicalARN is the Amazon Resource Name converted to a more canonical
// representation. In particular, STS assumed role ARNs like
// "arn:aws:sts::ACCOUNTID:assumed-role/ROLENAME/SESSIONNAME" are converted
// to their IAM ARN equivalent "arn:aws:iam::ACCOUNTID:role/NAME"
CanonicalARN string
// AccountID is the 12 digit AWS account number.
AccountID string
// UserID is the unique user/role ID (e.g., "AROAAAAAAAAAAAAAAAAAA").
UserID string
// SessionName is the STS session name (or "" if this is not a
// session-based identity). For EC2 instance roles, this will be the EC2
// instance ID (e.g., "i-0123456789abcdef0"). You should only rely on it
// if you trust that _only_ EC2 is allowed to assume the IAM Role. If IAM
// users or other roles are allowed to assume the role, they can provide
// (nearly) arbitrary strings here.
SessionName string
// The AWS Access Key ID used to authenticate the request. This can be used
// in conjunction with CloudTrail to determine the identity of the individual
// if the individual assumed an IAM role before making the request.
AccessKeyID string
}
Identity is returned on successful Verify() results. It contains a parsed version of the AWS identity used to create the token.
Source Files