53 lines
1.6 KiB
Go
53 lines
1.6 KiB
Go
|
package ca
|
||
|
|
||
|
import (
|
||
|
"fmt"
|
||
|
|
||
|
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/providers"
|
||
|
"github.com/hashicorp/consul/agent/structs"
|
||
|
"github.com/hashicorp/vault-plugin-auth-alicloud/tools"
|
||
|
)
|
||
|
|
||
|
func NewAliCloudAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
|
||
|
params := authMethod.Params
|
||
|
authClient := NewVaultAPIAuthClient(authMethod, "")
|
||
|
// check for login data already in params (for backwards compability)
|
||
|
legacyKeys := []string{"access_key", "secret_key", "access_token"}
|
||
|
if legacyCheck(params, legacyKeys...) {
|
||
|
return authClient, nil
|
||
|
}
|
||
|
|
||
|
if r, ok := params["role"].(string); !ok || r == "" {
|
||
|
return nil, fmt.Errorf("role is required for AliCloud login")
|
||
|
}
|
||
|
if r, ok := params["region"].(string); !ok || r == "" {
|
||
|
return nil, fmt.Errorf("region is required for AliCloud login")
|
||
|
}
|
||
|
client := NewVaultAPIAuthClient(authMethod, "")
|
||
|
client.LoginDataGen = AliLoginDataGen
|
||
|
return client, nil
|
||
|
}
|
||
|
|
||
|
func AliLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
|
||
|
// validity of these params is checked above in New..
|
||
|
role := authMethod.Params["role"].(string)
|
||
|
region := authMethod.Params["region"].(string)
|
||
|
// Credentials can be provided either explicitly via env vars,
|
||
|
// or we will try to derive them from instance metadata.
|
||
|
credentialChain := []providers.Provider{
|
||
|
providers.NewEnvCredentialProvider(),
|
||
|
providers.NewInstanceMetadataProvider(),
|
||
|
}
|
||
|
creds, err := providers.NewChainProvider(credentialChain).Retrieve()
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
loginData, err := tools.GenerateLoginData(role, creds, region)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
return loginData, nil
|
||
|
}
|