open-vault/helper/awsutil/generate_providers.go

package awsutil

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
	"github.com/aws/aws-sdk-go/aws/ec2metadata"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/hashicorp/go-cleanhttp"
)

type AWSCredentialsConfig struct {
	AccessKey string
	SecretKey string
	Region    string
}

func GenerateCredentialChain(config *AWSCredentialsConfig) (*credentials.Credentials, error) {
	if config == nil {
		return nil, fmt.Errorf("nil configuration provided")
	}
	if config.Region == "" {
		return nil, fmt.Errorf("region must be provided in credentials configuration")
	}

	var providers []credentials.Provider

	switch {
	case config.AccessKey != "" && config.SecretKey != "":
		// Add the static credential provider
		providers = append(providers, &credentials.StaticProvider{
			Value: credentials.Value{
				AccessKeyID:     config.AccessKey,
				SecretAccessKey: config.SecretKey,
			}})
	case config.AccessKey == "" && config.AccessKey == "":
		// Attempt to get credentials from the IAM instance role below

	default: // Have one or the other but not both and not neither
		return nil, fmt.Errorf(
			"static AWS client credentials haven't been properly configured (the access key or secret key were provided but not both)")
	}

	// Add the environment credential provider
	providers = append(providers, &credentials.EnvProvider{})

	// Add the instance metadata role provider
	// Create the credentials required to access the API.
	providers = append(providers, &ec2rolecreds.EC2RoleProvider{
		Client: ec2metadata.New(session.New(&aws.Config{
			Region:     aws.String(config.Region),
			HTTPClient: cleanhttp.DefaultClient(),
		})),
		ExpiryWindow: 15,
	})

	creds := credentials.NewChainCredentials(providers)
	if creds == nil {
		return nil, fmt.Errorf("could not compile valid credential providers from static config, environemnt, or instance metadata")
	}

	return creds, nil
}
Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 19:10:35 +00:00			`package awsutil`

			`import (`
			`"fmt"`

			`"github.com/aws/aws-sdk-go/aws"`
			`"github.com/aws/aws-sdk-go/aws/credentials"`
			`"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"`
			`"github.com/aws/aws-sdk-go/aws/ec2metadata"`
			`"github.com/aws/aws-sdk-go/aws/session"`
			`"github.com/hashicorp/go-cleanhttp"`
			`)`

			`type AWSCredentialsConfig struct {`
			`AccessKey string`
			`SecretKey string`
			`Region string`
			`}`

			`func GenerateCredentialChain(config AWSCredentialsConfig) (credentials.Credentials, error) {`
			`if config == nil {`
			`return nil, fmt.Errorf("nil configuration provided")`
			`}`
Region is required so error in awsutil if not set and set if empty in client code in logical/aws 2016-05-03 19:25:11 +00:00			`if config.Region == "" {`
			`return nil, fmt.Errorf("region must be provided in credentials configuration")`
			`}`
Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 19:10:35 +00:00
			`var providers []credentials.Provider`

			`switch {`
			`case config.AccessKey != "" && config.SecretKey != "":`
			`// Add the static credential provider`
			`providers = append(providers, &credentials.StaticProvider{`
			`Value: credentials.Value{`
			`AccessKeyID: config.AccessKey,`
			`SecretAccessKey: config.SecretKey,`
			`}})`
			`case config.AccessKey == "" && config.AccessKey == "":`
			`// Attempt to get credentials from the IAM instance role below`

			`default: // Have one or the other but not both and not neither`
			`return nil, fmt.Errorf(`
			`"static AWS client credentials haven't been properly configured (the access key or secret key were provided but not both)")`
			`}`

			`// Add the environment credential provider`
			`providers = append(providers, &credentials.EnvProvider{})`

			`// Add the instance metadata role provider`
			`// Create the credentials required to access the API.`
			`providers = append(providers, &ec2rolecreds.EC2RoleProvider{`
			`Client: ec2metadata.New(session.New(&aws.Config{`
			`Region: aws.String(config.Region),`
			`HTTPClient: cleanhttp.DefaultClient(),`
			`})),`
			`ExpiryWindow: 15,`
			`})`

			`creds := credentials.NewChainCredentials(providers)`
			`if creds == nil {`
			`return nil, fmt.Errorf("could not compile valid credential providers from static config, environemnt, or instance metadata")`
			`}`

			`return creds, nil`
			`}`