2015-03-20 16:59:48 +00:00
|
|
|
package aws
|
|
|
|
|
|
|
|
import (
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
2015-03-20 16:59:48 +00:00
|
|
|
"fmt"
|
2017-07-31 22:27:16 +00:00
|
|
|
"os"
|
2015-03-20 16:59:48 +00:00
|
|
|
|
2015-08-06 16:26:41 +00:00
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
2015-10-30 22:22:48 +00:00
|
|
|
"github.com/aws/aws-sdk-go/aws/session"
|
2015-08-06 16:26:41 +00:00
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
2015-12-08 04:32:49 +00:00
|
|
|
"github.com/aws/aws-sdk-go/service/sts"
|
2018-04-05 15:49:21 +00:00
|
|
|
"github.com/hashicorp/errwrap"
|
2019-01-09 00:48:57 +00:00
|
|
|
cleanhttp "github.com/hashicorp/go-cleanhttp"
|
2020-09-28 21:06:49 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
2020-01-11 01:39:52 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/awsutil"
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2015-03-20 16:59:48 +00:00
|
|
|
)
|
|
|
|
|
2018-09-26 14:10:00 +00:00
|
|
|
// NOTE: The caller is required to ensure that b.clientMutex is at least read locked
|
2020-09-28 21:06:49 +00:00
|
|
|
func getRootConfig(ctx context.Context, s logical.Storage, clientType string, logger hclog.Logger) (*aws.Config, error) {
|
2016-05-03 21:00:16 +00:00
|
|
|
credsConfig := &awsutil.CredentialsConfig{}
|
2017-11-06 18:31:38 +00:00
|
|
|
var endpoint string
|
2018-02-16 16:11:17 +00:00
|
|
|
var maxRetries int = aws.UseServiceDefaultRetries
|
2016-05-03 19:10:35 +00:00
|
|
|
|
2018-01-19 06:44:44 +00:00
|
|
|
entry, err := s.Get(ctx, "config/root")
|
2015-03-20 16:59:48 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-05-03 19:10:35 +00:00
|
|
|
if entry != nil {
|
|
|
|
var config rootConfig
|
|
|
|
if err := entry.DecodeJSON(&config); err != nil {
|
2018-04-05 15:49:21 +00:00
|
|
|
return nil, errwrap.Wrapf("error reading root configuration: {{err}}", err)
|
2016-05-03 19:10:35 +00:00
|
|
|
}
|
|
|
|
|
2016-05-03 21:00:16 +00:00
|
|
|
credsConfig.AccessKey = config.AccessKey
|
|
|
|
credsConfig.SecretKey = config.SecretKey
|
|
|
|
credsConfig.Region = config.Region
|
2018-02-16 16:11:17 +00:00
|
|
|
maxRetries = config.MaxRetries
|
2017-11-06 18:31:38 +00:00
|
|
|
switch {
|
|
|
|
case clientType == "iam" && config.IAMEndpoint != "":
|
|
|
|
endpoint = *aws.String(config.IAMEndpoint)
|
|
|
|
case clientType == "sts" && config.STSEndpoint != "":
|
|
|
|
endpoint = *aws.String(config.STSEndpoint)
|
|
|
|
}
|
2015-03-20 16:59:48 +00:00
|
|
|
}
|
|
|
|
|
2016-05-03 21:00:16 +00:00
|
|
|
if credsConfig.Region == "" {
|
2017-07-31 22:27:16 +00:00
|
|
|
credsConfig.Region = os.Getenv("AWS_REGION")
|
|
|
|
if credsConfig.Region == "" {
|
|
|
|
credsConfig.Region = os.Getenv("AWS_DEFAULT_REGION")
|
|
|
|
if credsConfig.Region == "" {
|
|
|
|
credsConfig.Region = "us-east-1"
|
|
|
|
}
|
|
|
|
}
|
2016-05-03 19:25:11 +00:00
|
|
|
}
|
|
|
|
|
2016-05-03 21:00:16 +00:00
|
|
|
credsConfig.HTTPClient = cleanhttp.DefaultClient()
|
|
|
|
|
2020-09-28 21:06:49 +00:00
|
|
|
credsConfig.Logger = logger
|
|
|
|
|
2016-05-03 21:00:16 +00:00
|
|
|
creds, err := credsConfig.GenerateCredentialChain()
|
2016-05-03 19:10:35 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2015-03-20 16:59:48 +00:00
|
|
|
}
|
|
|
|
|
2015-12-08 04:32:49 +00:00
|
|
|
return &aws.Config{
|
2015-08-06 16:37:08 +00:00
|
|
|
Credentials: creds,
|
2016-05-03 21:00:16 +00:00
|
|
|
Region: aws.String(credsConfig.Region),
|
2017-11-06 18:31:38 +00:00
|
|
|
Endpoint: &endpoint,
|
2015-10-22 18:37:12 +00:00
|
|
|
HTTPClient: cleanhttp.DefaultClient(),
|
2018-02-16 16:11:17 +00:00
|
|
|
MaxRetries: aws.Int(maxRetries),
|
2015-12-08 04:32:49 +00:00
|
|
|
}, nil
|
|
|
|
}
|
2015-10-30 22:22:48 +00:00
|
|
|
|
2020-09-28 21:06:49 +00:00
|
|
|
func nonCachedClientIAM(ctx context.Context, s logical.Storage, logger hclog.Logger) (*iam.IAM, error) {
|
|
|
|
awsConfig, err := getRootConfig(ctx, s, "iam", logger)
|
2017-09-08 17:00:29 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-01-09 22:58:33 +00:00
|
|
|
sess, err := session.NewSession(awsConfig)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
client := iam.New(sess)
|
2017-09-08 17:00:29 +00:00
|
|
|
if client == nil {
|
|
|
|
return nil, fmt.Errorf("could not obtain iam client")
|
|
|
|
}
|
|
|
|
return client, nil
|
2015-03-20 16:59:48 +00:00
|
|
|
}
|
2015-12-08 04:32:49 +00:00
|
|
|
|
2020-09-28 21:06:49 +00:00
|
|
|
func nonCachedClientSTS(ctx context.Context, s logical.Storage, logger hclog.Logger) (*sts.STS, error) {
|
|
|
|
awsConfig, err := getRootConfig(ctx, s, "sts", logger)
|
2017-09-08 17:00:29 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2020-01-09 22:58:33 +00:00
|
|
|
sess, err := session.NewSession(awsConfig)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
client := sts.New(sess)
|
2017-09-08 17:00:29 +00:00
|
|
|
if client == nil {
|
|
|
|
return nil, fmt.Errorf("could not obtain sts client")
|
|
|
|
}
|
|
|
|
return client, nil
|
2015-12-08 04:32:49 +00:00
|
|
|
}
|