authenticator

package
v2.23.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 22, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CanonicalizeARN

func CanonicalizeARN(arn string) (string, error)

Canonicalize validates IAM resources are appropriate for the authenticator and converts STS assumed roles into the IAM role resource.

Supported IAM resources are:

  • AWS account: arn:aws:iam::123456789012:root
  • IAM user: arn:aws:iam::123456789012:user/Bob
  • IAM role: arn:aws:iam::123456789012:role/S3Access
  • IAM Assumed role: arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary (converted to IAM role)
  • Federated user: arn:aws:sts::123456789012:federated-user/Bob

func StdinStderrTokenProvider

func StdinStderrTokenProvider() (string, error)

StdinStderrTokenProvider gets MFA token from standard input.

Types

type FormatError

type FormatError struct {
	// contains filtered or unexported fields
}

FormatError is returned when there is a problem with token that is an encoded sts request. This can include the url, data, action or anything else that prevents the sts call from being made.

func (FormatError) Error

func (e FormatError) Error() string

type Generator

type Generator interface {
	// Get a token using credentials in the default credentials chain.
	Get(ctx context.Context, clusterID string) (Token, error)
	// GetWithRole creates a token by assuming the provided role, using the credentials in the default chain.
	GetWithRole(ctx context.Context, clusterID, roleARN string) (Token, error)
	// GetWithRoleForSession creates a token by assuming the provided role, using the provided configuration.
	GetWithRoleForSession(ctx context.Context, clusterID string, roleARN string, cfg *aws.Config) (Token, error)
	// Get a token using the provided options
	GetWithOptions(ctx context.Context, options *GetTokenOptions) (Token, error)
	// GetWithSTS returns a token valid for clusterID using the given STS client.
	GetWithSTS(ctx context.Context, clusterID string, stsAPI *sts.Client) (Token, error)
	// FormatJSON returns the client auth formatted json for the ExecCredential auth
	FormatJSON(Token) string
}

Generator provides new tokens for the AWS IAM Authenticator.

func NewGenerator

func NewGenerator(forwardSessionName bool) (Generator, error)

NewGenerator creates a Generator and returns it.

type GetTokenOptions

type GetTokenOptions struct {
	Region               string
	ClusterID            string
	AssumeRoleARN        string
	AssumeRoleExternalID string
	SessionName          string
	Config               *aws.Config
}

GetTokenOptions is passed to GetWithOptions to provide an extensible get token interface

type Identity

type Identity struct {
	// ARN is the raw Amazon Resource Name returned by sts:GetCallerIdentity
	ARN string

	// CanonicalARN is the Amazon Resource Name converted to a more canonical
	// representation. In particular, STS assumed role ARNs like
	// "arn:aws:sts::ACCOUNTID:assumed-role/ROLENAME/SESSIONNAME" are converted
	// to their IAM ARN equivalent "arn:aws:iam::ACCOUNTID:role/NAME"
	CanonicalARN string

	// AccountID is the 12 digit AWS account number.
	AccountID string

	// UserID is the unique user/role ID (e.g., "AROAAAAAAAAAAAAAAAAAA").
	UserID string

	// SessionName is the STS session name (or "" if this is not a
	// session-based identity). For EC2 instance roles, this will be the EC2
	// instance ID (e.g., "i-0123456789abcdef0"). You should only rely on it
	// if you trust that _only_ EC2 is allowed to assume the IAM Role. If IAM
	// users or other roles are allowed to assume the role, they can provide
	// (nearly) arbitrary strings here.
	SessionName string

	// The AWS Access Key ID used to authenticate the request.  This can be used
	// in conjunction with CloudTrail to determine the identity of the individual
	// if the individual assumed an IAM role before making the request.
	AccessKeyID string
}

Identity is returned on successful Verify() results. It contains a parsed version of the AWS identity used to create the token.

type STSError

type STSError struct {
	// contains filtered or unexported fields
}

STSError is returned when there was either an error calling STS or a problem processing the data returned from STS.

func NewSTSError

func NewSTSError(m string) STSError

NewSTSError creates a error of type STS.

func (STSError) Error

func (e STSError) Error() string

type Token

type Token struct {
	Token      string
	Expiration time.Time
}

Token is generated and used by Kubernetes client-go to authenticate with a Kubernetes cluster.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL