open-consul/agent/connect/ca/provider_vault_auth_aliclou...

53 lines
1.6 KiB
Go

package ca
import (
"fmt"
"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/providers"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/vault-plugin-auth-alicloud/tools"
)
func NewAliCloudAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
params := authMethod.Params
authClient := NewVaultAPIAuthClient(authMethod, "")
// check for login data already in params (for backwards compability)
legacyKeys := []string{"access_key", "secret_key", "access_token"}
if legacyCheck(params, legacyKeys...) {
return authClient, nil
}
if r, ok := params["role"].(string); !ok || r == "" {
return nil, fmt.Errorf("role is required for AliCloud login")
}
if r, ok := params["region"].(string); !ok || r == "" {
return nil, fmt.Errorf("region is required for AliCloud login")
}
client := NewVaultAPIAuthClient(authMethod, "")
client.LoginDataGen = AliLoginDataGen
return client, nil
}
func AliLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
// validity of these params is checked above in New..
role := authMethod.Params["role"].(string)
region := authMethod.Params["region"].(string)
// Credentials can be provided either explicitly via env vars,
// or we will try to derive them from instance metadata.
credentialChain := []providers.Provider{
providers.NewEnvCredentialProvider(),
providers.NewInstanceMetadataProvider(),
}
creds, err := providers.NewChainProvider(credentialChain).Retrieve()
if err != nil {
return nil, err
}
loginData, err := tools.GenerateLoginData(role, creds, region)
if err != nil {
return nil, err
}
return loginData, nil
}