package awsutil
import (
	"fmt"
	"net/http"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
	"github.com/aws/aws-sdk-go/aws/ec2metadata"
	"github.com/aws/aws-sdk-go/aws/session"
)
// CredentialsConfig describes the sources an AWS credential chain may draw
// from. GenerateCredentialChain turns it into an ordered provider chain:
// static keys (when both AccessKey and SecretKey are set), then environment
// variables, then the shared credentials file, then the EC2 instance role.
type CredentialsConfig struct {
	// The access key if static credentials are being used. AccessKey and
	// SecretKey must be set together or not at all; GenerateCredentialChain
	// rejects a configuration with only one of them.
	AccessKey string

	// The secret key if static credentials are being used. This is a secret
	// value; avoid copying it into logs, error messages or diagnostics.
	SecretKey string

	// The session token if it is being used. Only consulted together with
	// static AccessKey/SecretKey credentials.
	SessionToken string

	// If specified, the region will be provided to the config of the
	// EC2RoleProvider's client. This may be useful if you want to e.g. reuse
	// the client elsewhere.
	Region string

	// The filename for the shared credentials provider, if being used
	Filename string

	// The profile for the shared credentials provider, if being used
	Profile string

	// The http.Client to use, or nil for the client to use its default.
	// Only the EC2 instance metadata client built in GenerateCredentialChain
	// receives it.
	HTTPClient *http.Client
}
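// GenerateCredentialChain builds the AWS credential provider chain described
// by c. Providers are consulted in this order: static credentials (only when
// both AccessKey and SecretKey are set), environment variables, the shared
// credentials file selected by Filename/Profile, and finally the EC2 instance
// metadata role provider.
//
// It returns an error when exactly one of AccessKey and SecretKey is set: a
// half-configured static credential must fail loudly rather than be silently
// skipped in favour of a less specific source.
func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials, error) {
	var providers []credentials.Provider

	hasAccessKey := c.AccessKey != ""
	hasSecretKey := c.SecretKey != ""

	switch {
	case hasAccessKey && hasSecretKey:
		// Static credentials come first so they take precedence over every
		// other source in the chain.
		providers = append(providers, &credentials.StaticProvider{
			Value: credentials.Value{
				AccessKeyID:     c.AccessKey,
				SecretAccessKey: c.SecretKey,
				SessionToken:    c.SessionToken,
			}})
	case !hasAccessKey && !hasSecretKey:
		// No static credentials; rely on the dynamic providers appended below.
	default:
		// Exactly one of the two keys was supplied. The previous check
		// compared AccessKey against itself, so a secret key given without an
		// access key fell through to the dynamic providers instead of
		// failing here. The message deliberately does not echo key material.
		return nil, fmt.Errorf(
			"static AWS client credentials haven't been properly configured (the access key or secret key were provided but not both)")
	}

	// Add the environment credential provider
	providers = append(providers, &credentials.EnvProvider{})

	// Add the shared credentials provider
	providers = append(providers, &credentials.SharedCredentialsProvider{
		Filename: c.Filename,
		Profile:  c.Profile,
	})

	// Add the instance metadata role provider. Region and HTTPClient only
	// affect this client; the other providers do not use them.
	providers = append(providers, &ec2rolecreds.EC2RoleProvider{
		Client: ec2metadata.New(session.New(&aws.Config{
			Region:     aws.String(c.Region),
			HTTPClient: c.HTTPClient,
		})),
		// NOTE(review): ExpiryWindow is a time.Duration, so a bare 15 is
		// 15ns and effectively disables early refresh of the instance role
		// credentials. Left unchanged here; confirm the intended window (e.g.
		// in seconds) with the callers before adjusting.
		ExpiryWindow: 15,
	})

	// Create the credentials required to access the API. The nil check is
	// defensive: NewChainCredentials is not documented to return nil, but the
	// guard is kept so callers never receive a nil chain without an error.
	creds := credentials.NewChainCredentials(providers)
	if creds == nil {
		return nil, fmt.Errorf("could not compile valid credential providers from static config, environemnt, shared, or instance metadata")
	}

	return creds, nil
}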