open-vault/builtin/credential/aws-ec2/client.go

package awsec2

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/ec2"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/hashicorp/go-cleanhttp"
	"github.com/hashicorp/vault/helper/awsutil"
	"github.com/hashicorp/vault/logical"
)

// getClientConfig creates a aws-sdk-go config, which is used to create client
// that can interact with AWS API. This builds credentials in the following
// order of preference:
//
// * Static credentials from 'config/client'
// * Environment variables
// * Instance metadata role
func (b *backend) getClientConfig(s logical.Storage, region string) (*aws.Config, error) {
	credsConfig := &awsutil.CredentialsConfig{
		Region: region,
	}

	// Read the configured secret key and access key
	config, err := b.nonLockedClientConfigEntry(s)
	if err != nil {
		return nil, err
	}

	endpoint := aws.String("")
	if config != nil {
		// Override the default endpoint with the configured endpoint.
		if config.Endpoint != "" {
			endpoint = aws.String(config.Endpoint)
		}

		credsConfig.AccessKey = config.AccessKey
		credsConfig.SecretKey = config.SecretKey
	}

	credsConfig.HTTPClient = cleanhttp.DefaultClient()

	creds, err := credsConfig.GenerateCredentialChain()
	if err != nil {
		return nil, err
	}
	if creds == nil {
		return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata")
	}

	// Create a config that can be used to make the API calls.
	return &aws.Config{
		Credentials: creds,
		Region:      aws.String(region),
		HTTPClient:  cleanhttp.DefaultClient(),
		Endpoint:    endpoint,
	}, nil
}

// getStsClientConfig returns an aws-sdk-go config, with assumed credentials
// It uses getClientConfig to obtain config for the runtime environemnt, which is
// then used to obtain a set of assumed credentials. The credentials will expire
// after 15 minutes but will auto-refresh.
func (b *backend) getStsClientConfig(s logical.Storage, region string, stsRole string) (*aws.Config, error) {
	config, err := b.getClientConfig(s, region)
	if err != nil {
		return nil, err
	}
	if config == nil {
		return nil, fmt.Errorf("could not compile valid credentials through the default provider chain")
	}
	assumedCredentials := stscreds.NewCredentials(session.New(config), stsRole)
	// Test that we actually have permissions to assume the role
	if _, err = assumedCredentials.Get(); err != nil {
		return nil, err
	}

	config.Credentials = assumedCredentials

	return config, nil
}

// flushCachedEC2Clients deletes all the cached ec2 client objects from the backend.
// If the client credentials configuration is deleted or updated in the backend, all
// the cached EC2 client objects will be flushed. Config mutex lock should be
// acquired for write operation before calling this method.
func (b *backend) flushCachedEC2Clients() {
	// deleting items in map during iteration is safe
	for region, _ := range b.EC2ClientsMap {
		delete(b.EC2ClientsMap, region)
	}
}

// flushCachedIAMClients deletes all the cached iam client objects from the
// backend. If the client credentials configuration is deleted or updated in
// the backend, all the cached IAM client objects will be flushed. Config mutex
// lock should be acquired for write operation before calling this method.
func (b *backend) flushCachedIAMClients() {
	// deleting items in map during iteration is safe
	for region, _ := range b.IAMClientsMap {
		delete(b.IAMClientsMap, region)
	}
}

// clientEC2 creates a client to interact with AWS EC2 API
func (b *backend) clientEC2(s logical.Storage, region string, stsRole string) (*ec2.EC2, error) {
	b.configMutex.RLock()
	if b.EC2ClientsMap[region] != nil && b.EC2ClientsMap[region][stsRole] != nil {
		defer b.configMutex.RUnlock()
		// If the client object was already created, return it
		return b.EC2ClientsMap[region][stsRole], nil
	}

	// Release the read lock and acquire the write lock
	b.configMutex.RUnlock()
	b.configMutex.Lock()
	defer b.configMutex.Unlock()

	// If the client gets created while switching the locks, return it
	if b.EC2ClientsMap[region] != nil && b.EC2ClientsMap[region][stsRole] != nil {
		return b.EC2ClientsMap[region][stsRole], nil
	}

	// Create an AWS config object using a chain of providers
	var awsConfig *aws.Config
	var err error
	// The empty stsRole signifies the master account
	if stsRole == "" {
		awsConfig, err = b.getClientConfig(s, region)
	} else {
		awsConfig, err = b.getStsClientConfig(s, region, stsRole)
	}

	if err != nil {
		return nil, err
	}

	if awsConfig == nil {
		return nil, fmt.Errorf("could not retrieve valid assumed credentials")
	}

	// Create a new EC2 client object, cache it and return the same
	client := ec2.New(session.New(awsConfig))
	if client == nil {
		return nil, fmt.Errorf("could not obtain ec2 client")
	}
	if _, ok := b.EC2ClientsMap[region]; !ok {
		b.EC2ClientsMap[region] = map[string]*ec2.EC2{stsRole: client}
	} else {
		b.EC2ClientsMap[region][stsRole] = client
	}

	return b.EC2ClientsMap[region][stsRole], nil
}

// clientIAM creates a client to interact with AWS IAM API
func (b *backend) clientIAM(s logical.Storage, region string, stsRole string) (*iam.IAM, error) {
	b.configMutex.RLock()
	if b.IAMClientsMap[region] != nil && b.IAMClientsMap[region][stsRole] != nil {
		defer b.configMutex.RUnlock()
		// If the client object was already created, return it
		return b.IAMClientsMap[region][stsRole], nil
	}

	// Release the read lock and acquire the write lock
	b.configMutex.RUnlock()
	b.configMutex.Lock()
	defer b.configMutex.Unlock()

	// If the client gets created while switching the locks, return it
	if b.IAMClientsMap[region] != nil && b.IAMClientsMap[region][stsRole] != nil {
		return b.IAMClientsMap[region][stsRole], nil
	}

	// Create an AWS config object using a chain of providers
	var awsConfig *aws.Config
	var err error
	// The empty stsRole signifies the master account
	if stsRole == "" {
		awsConfig, err = b.getClientConfig(s, region)
	} else {
		awsConfig, err = b.getStsClientConfig(s, region, stsRole)
	}

	if err != nil {
		return nil, err
	}

	if awsConfig == nil {
		return nil, fmt.Errorf("could not retrieve valid assumed credentials")
	}

	// Create a new IAM client object, cache it and return the same
	client := iam.New(session.New(awsConfig))
	if client == nil {
		return nil, fmt.Errorf("could not obtain iam client")
	}
	if _, ok := b.IAMClientsMap[region]; !ok {
		b.IAMClientsMap[region] = map[string]*iam.IAM{stsRole: client}
	} else {
		b.IAMClientsMap[region][stsRole] = client
	}
	return b.IAMClientsMap[region][stsRole], nil
}
Use entry.Type as a criteria for upgrade 2016-06-01 14:10:12 +00:00			`package awsec2`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00
			`import (`
			`"fmt"`

			`"github.com/aws/aws-sdk-go/aws"`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`"github.com/aws/aws-sdk-go/aws/credentials/stscreds"`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/aws/aws-sdk-go/service/ec2"`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`"github.com/aws/aws-sdk-go/service/iam"`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`"github.com/hashicorp/go-cleanhttp"`
Switch client code to shared awsutil code 2016-05-05 14:40:49 +00:00			`"github.com/hashicorp/vault/helper/awsutil"`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`"github.com/hashicorp/vault/logical"`
			`)`

Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00			`// getClientConfig creates a aws-sdk-go config, which is used to create client`
			`// that can interact with AWS API. This builds credentials in the following`
			`// order of preference:`
			`//`
			`// * Static credentials from 'config/client'`
			`// * Environment variables`
			`// * Instance metadata role`
Removed `region` parameter from `config/client` endpoint. Region to create ec2 client objects is fetched from the identity document. Maintaining a map of cached clients indexed by region. 2016-04-14 04:11:17 +00:00			`func (b backend) getClientConfig(s logical.Storage, region string) (aws.Config, error) {`
Switch client code to shared awsutil code 2016-05-05 14:40:49 +00:00			`credsConfig := &awsutil.CredentialsConfig{`
			`Region: region,`
			`}`

AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`// Read the configured secret key and access key`
Naming of the locked and nonLocked methods 2016-05-18 00:39:24 +00:00			`config, err := b.nonLockedClientConfigEntry(s)`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00
Change image/ to a more flexible /role endpoint 2016-05-03 16:14:07 +00:00			`endpoint := aws.String("")`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00			`if config != nil {`
Change image/ to a more flexible /role endpoint 2016-05-03 16:14:07 +00:00			`// Override the default endpoint with the configured endpoint.`
			`if config.Endpoint != "" {`
			`endpoint = aws.String(config.Endpoint)`
			`}`

Switch client code to shared awsutil code 2016-05-05 14:40:49 +00:00			`credsConfig.AccessKey = config.AccessKey`
			`credsConfig.SecretKey = config.SecretKey`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`}`

Switch client code to shared awsutil code 2016-05-05 14:40:49 +00:00			`credsConfig.HTTPClient = cleanhttp.DefaultClient()`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00
Switch client code to shared awsutil code 2016-05-05 14:40:49 +00:00			`creds, err := credsConfig.GenerateCredentialChain()`
			`if err != nil {`
			`return nil, err`
			`}`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00			`if creds == nil {`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata")`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00			`}`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00
			`// Create a config that can be used to make the API calls.`
Change image/ to a more flexible /role endpoint 2016-05-03 16:14:07 +00:00			`return &aws.Config{`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`Credentials: creds,`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00			`Region: aws.String(region),`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`HTTPClient: cleanhttp.DefaultClient(),`
Change image/ to a more flexible /role endpoint 2016-05-03 16:14:07 +00:00			`Endpoint: endpoint,`
			`}, nil`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`}`

Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`// getStsClientConfig returns an aws-sdk-go config, with assumed credentials`
			`// It uses getClientConfig to obtain config for the runtime environemnt, which is`
			`// then used to obtain a set of assumed credentials. The credentials will expire`
			`// after 15 minutes but will auto-refresh.`
			`func (b backend) getStsClientConfig(s logical.Storage, region string, stsRole string) (aws.Config, error) {`
			`config, err := b.getClientConfig(s, region)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if config == nil {`
			`return nil, fmt.Errorf("could not compile valid credentials through the default provider chain")`
			`}`
			`assumedCredentials := stscreds.NewCredentials(session.New(config), stsRole)`
			`// Test that we actually have permissions to assume the role`
			`if _, err = assumedCredentials.Get(); err != nil {`
			`return nil, err`
			`}`

			`config.Credentials = assumedCredentials`

			`return config, nil`
			`}`

Removed `region` parameter from `config/client` endpoint. Region to create ec2 client objects is fetched from the identity document. Maintaining a map of cached clients indexed by region. 2016-04-14 04:11:17 +00:00			`// flushCachedEC2Clients deletes all the cached ec2 client objects from the backend.`
Remove recreate parameter from clientEC2 2016-04-28 00:01:39 +00:00			`// If the client credentials configuration is deleted or updated in the backend, all`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// the cached EC2 client objects will be flushed. Config mutex lock should be`
			`// acquired for write operation before calling this method.`
Removed `region` parameter from `config/client` endpoint. Region to create ec2 client objects is fetched from the identity document. Maintaining a map of cached clients indexed by region. 2016-04-14 04:11:17 +00:00			`func (b *backend) flushCachedEC2Clients() {`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// deleting items in map during iteration is safe`
Removed `region` parameter from `config/client` endpoint. Region to create ec2 client objects is fetched from the identity document. Maintaining a map of cached clients indexed by region. 2016-04-14 04:11:17 +00:00			`for region, _ := range b.EC2ClientsMap {`
			`delete(b.EC2ClientsMap, region)`
			`}`
			`}`

Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// flushCachedIAMClients deletes all the cached iam client objects from the`
			`// backend. If the client credentials configuration is deleted or updated in`
			`// the backend, all the cached IAM client objects will be flushed. Config mutex`
			`// lock should be acquired for write operation before calling this method.`
			`func (b *backend) flushCachedIAMClients() {`
			`// deleting items in map during iteration is safe`
			`for region, _ := range b.IAMClientsMap {`
			`delete(b.IAMClientsMap, region)`
			`}`
			`}`

			`// clientEC2 creates a client to interact with AWS EC2 API`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`func (b backend) clientEC2(s logical.Storage, region string, stsRole string) (ec2.EC2, error) {`
Remove recreate parameter from clientEC2 2016-04-28 00:01:39 +00:00			`b.configMutex.RLock()`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`if b.EC2ClientsMap[region] != nil && b.EC2ClientsMap[region][stsRole] != nil {`
Remove recreate parameter from clientEC2 2016-04-28 00:01:39 +00:00			`defer b.configMutex.RUnlock()`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// If the client object was already created, return it`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`return b.EC2ClientsMap[region][stsRole], nil`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00			`}`

Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// Release the read lock and acquire the write lock`
Remove recreate parameter from clientEC2 2016-04-28 00:01:39 +00:00			`b.configMutex.RUnlock()`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00			`b.configMutex.Lock()`
			`defer b.configMutex.Unlock()`

Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// If the client gets created while switching the locks, return it`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`if b.EC2ClientsMap[region] != nil && b.EC2ClientsMap[region][stsRole] != nil {`
			`return b.EC2ClientsMap[region][stsRole], nil`
Remove recreate parameter from clientEC2 2016-04-28 00:01:39 +00:00			`}`

Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// Create an AWS config object using a chain of providers`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`var awsConfig *aws.Config`
			`var err error`
			`// The empty stsRole signifies the master account`
			`if stsRole == "" {`
			`awsConfig, err = b.getClientConfig(s, region)`
			`} else {`
			`awsConfig, err = b.getStsClientConfig(s, region, stsRole)`
			`}`

AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-07 18:13:19 +00:00
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`if awsConfig == nil {`
			`return nil, fmt.Errorf("could not retrieve valid assumed credentials")`
			`}`

Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// Create a new EC2 client object, cache it and return the same`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`client := ec2.New(session.New(awsConfig))`
			`if client == nil {`
			`return nil, fmt.Errorf("could not obtain ec2 client")`
			`}`
			`if _, ok := b.EC2ClientsMap[region]; !ok {`
			`b.EC2ClientsMap[region] = map[string]*ec2.EC2{stsRole: client}`
			`} else {`
			`b.EC2ClientsMap[region][stsRole] = client`
			`}`

			`return b.EC2ClientsMap[region][stsRole], nil`
AWS EC2 instances authentication backend 2016-04-06 00:42:26 +00:00			`}`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00
			`// clientIAM creates a client to interact with AWS IAM API`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`func (b backend) clientIAM(s logical.Storage, region string, stsRole string) (iam.IAM, error) {`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`b.configMutex.RLock()`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`if b.IAMClientsMap[region] != nil && b.IAMClientsMap[region][stsRole] != nil {`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`defer b.configMutex.RUnlock()`
			`// If the client object was already created, return it`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`return b.IAMClientsMap[region][stsRole], nil`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`}`

			`// Release the read lock and acquire the write lock`
			`b.configMutex.RUnlock()`
			`b.configMutex.Lock()`
			`defer b.configMutex.Unlock()`

			`// If the client gets created while switching the locks, return it`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`if b.IAMClientsMap[region] != nil && b.IAMClientsMap[region][stsRole] != nil {`
			`return b.IAMClientsMap[region][stsRole], nil`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`}`

			`// Create an AWS config object using a chain of providers`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`var awsConfig *aws.Config`
			`var err error`
			`// The empty stsRole signifies the master account`
			`if stsRole == "" {`
			`awsConfig, err = b.getClientConfig(s, region)`
			`} else {`
			`awsConfig, err = b.getStsClientConfig(s, region, stsRole)`
			`}`

Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`if awsConfig == nil {`
			`return nil, fmt.Errorf("could not retrieve valid assumed credentials")`
			`}`

Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`// Create a new IAM client object, cache it and return the same`
Support for Cross-Account AWS Auth (#2148) 2017-02-01 19:16:03 +00:00			`client := iam.New(session.New(awsConfig))`
			`if client == nil {`
			`return nil, fmt.Errorf("could not obtain iam client")`
			`}`
			`if _, ok := b.IAMClientsMap[region]; !ok {`
			`b.IAMClientsMap[region] = map[string]*iam.IAM{stsRole: client}`
			`} else {`
			`b.IAMClientsMap[region][stsRole] = client`
			`}`
			`return b.IAMClientsMap[region][stsRole], nil`
Implemented bound_iam_role_arn constraint 2016-09-23 16:47:35 +00:00			`}`