2016-06-01 14:10:12 +00:00
|
|
|
package awsec2
|
2016-04-06 00:42:26 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
|
|
"github.com/aws/aws-sdk-go/aws/session"
|
|
|
|
"github.com/aws/aws-sdk-go/service/ec2"
|
2016-09-23 16:47:35 +00:00
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
2016-04-06 00:42:26 +00:00
|
|
|
"github.com/hashicorp/go-cleanhttp"
|
2016-05-05 14:40:49 +00:00
|
|
|
"github.com/hashicorp/vault/helper/awsutil"
|
2016-04-06 00:42:26 +00:00
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
)
|
|
|
|
|
2016-04-07 18:13:19 +00:00
|
|
|
// getClientConfig creates a aws-sdk-go config, which is used to create client
|
|
|
|
// that can interact with AWS API. This builds credentials in the following
|
|
|
|
// order of preference:
|
|
|
|
//
|
|
|
|
// * Static credentials from 'config/client'
|
|
|
|
// * Environment variables
|
|
|
|
// * Instance metadata role
|
2016-04-14 04:11:17 +00:00
|
|
|
func (b *backend) getClientConfig(s logical.Storage, region string) (*aws.Config, error) {
|
2016-05-05 14:40:49 +00:00
|
|
|
credsConfig := &awsutil.CredentialsConfig{
|
|
|
|
Region: region,
|
|
|
|
}
|
|
|
|
|
2016-04-06 00:42:26 +00:00
|
|
|
// Read the configured secret key and access key
|
2016-05-18 00:39:24 +00:00
|
|
|
config, err := b.nonLockedClientConfigEntry(s)
|
2016-04-06 00:42:26 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-04-07 18:13:19 +00:00
|
|
|
|
2016-05-03 16:14:07 +00:00
|
|
|
endpoint := aws.String("")
|
2016-04-07 18:13:19 +00:00
|
|
|
if config != nil {
|
2016-05-03 16:14:07 +00:00
|
|
|
// Override the default endpoint with the configured endpoint.
|
|
|
|
if config.Endpoint != "" {
|
|
|
|
endpoint = aws.String(config.Endpoint)
|
|
|
|
}
|
|
|
|
|
2016-05-05 14:40:49 +00:00
|
|
|
credsConfig.AccessKey = config.AccessKey
|
|
|
|
credsConfig.SecretKey = config.SecretKey
|
2016-04-06 00:42:26 +00:00
|
|
|
}
|
|
|
|
|
2016-05-05 14:40:49 +00:00
|
|
|
credsConfig.HTTPClient = cleanhttp.DefaultClient()
|
2016-04-07 18:13:19 +00:00
|
|
|
|
2016-05-05 14:40:49 +00:00
|
|
|
creds, err := credsConfig.GenerateCredentialChain()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-04-07 18:13:19 +00:00
|
|
|
if creds == nil {
|
2016-05-05 14:40:49 +00:00
|
|
|
return nil, fmt.Errorf("could not compile valid credential providers from static config, environemnt, shared, or instance metadata")
|
2016-04-07 18:13:19 +00:00
|
|
|
}
|
2016-04-06 00:42:26 +00:00
|
|
|
|
|
|
|
// Create a config that can be used to make the API calls.
|
2016-05-03 16:14:07 +00:00
|
|
|
return &aws.Config{
|
2016-04-06 00:42:26 +00:00
|
|
|
Credentials: creds,
|
2016-04-07 18:13:19 +00:00
|
|
|
Region: aws.String(region),
|
2016-04-06 00:42:26 +00:00
|
|
|
HTTPClient: cleanhttp.DefaultClient(),
|
2016-05-03 16:14:07 +00:00
|
|
|
Endpoint: endpoint,
|
|
|
|
}, nil
|
2016-04-06 00:42:26 +00:00
|
|
|
}
|
|
|
|
|
2016-04-14 04:11:17 +00:00
|
|
|
// flushCachedEC2Clients deletes all the cached ec2 client objects from the backend.
|
2016-04-28 00:01:39 +00:00
|
|
|
// If the client credentials configuration is deleted or updated in the backend, all
|
2016-09-23 16:47:35 +00:00
|
|
|
// the cached EC2 client objects will be flushed. Config mutex lock should be
|
|
|
|
// acquired for write operation before calling this method.
|
2016-04-14 04:11:17 +00:00
|
|
|
func (b *backend) flushCachedEC2Clients() {
|
2016-09-23 16:47:35 +00:00
|
|
|
// deleting items in map during iteration is safe
|
2016-04-14 04:11:17 +00:00
|
|
|
for region, _ := range b.EC2ClientsMap {
|
|
|
|
delete(b.EC2ClientsMap, region)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-09-23 16:47:35 +00:00
|
|
|
// flushCachedIAMClients deletes all the cached iam client objects from the
|
|
|
|
// backend. If the client credentials configuration is deleted or updated in
|
|
|
|
// the backend, all the cached IAM client objects will be flushed. Config mutex
|
|
|
|
// lock should be acquired for write operation before calling this method.
|
|
|
|
func (b *backend) flushCachedIAMClients() {
|
|
|
|
// deleting items in map during iteration is safe
|
|
|
|
for region, _ := range b.IAMClientsMap {
|
|
|
|
delete(b.IAMClientsMap, region)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// clientEC2 creates a client to interact with AWS EC2 API
|
2016-04-28 00:01:39 +00:00
|
|
|
func (b *backend) clientEC2(s logical.Storage, region string) (*ec2.EC2, error) {
|
|
|
|
b.configMutex.RLock()
|
|
|
|
if b.EC2ClientsMap[region] != nil {
|
|
|
|
defer b.configMutex.RUnlock()
|
2016-09-23 16:47:35 +00:00
|
|
|
// If the client object was already created, return it
|
2016-04-28 00:01:39 +00:00
|
|
|
return b.EC2ClientsMap[region], nil
|
2016-04-07 18:13:19 +00:00
|
|
|
}
|
|
|
|
|
2016-09-23 16:47:35 +00:00
|
|
|
// Release the read lock and acquire the write lock
|
2016-04-28 00:01:39 +00:00
|
|
|
b.configMutex.RUnlock()
|
2016-04-07 18:13:19 +00:00
|
|
|
b.configMutex.Lock()
|
|
|
|
defer b.configMutex.Unlock()
|
|
|
|
|
2016-09-23 16:47:35 +00:00
|
|
|
// If the client gets created while switching the locks, return it
|
2016-04-28 00:01:39 +00:00
|
|
|
if b.EC2ClientsMap[region] != nil {
|
|
|
|
return b.EC2ClientsMap[region], nil
|
|
|
|
}
|
|
|
|
|
2016-09-23 16:47:35 +00:00
|
|
|
// Create an AWS config object using a chain of providers
|
2016-04-14 04:11:17 +00:00
|
|
|
awsConfig, err := b.getClientConfig(s, region)
|
2016-04-06 00:42:26 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2016-04-07 18:13:19 +00:00
|
|
|
|
2016-09-23 16:47:35 +00:00
|
|
|
// Create a new EC2 client object, cache it and return the same
|
2016-04-14 04:11:17 +00:00
|
|
|
b.EC2ClientsMap[region] = ec2.New(session.New(awsConfig))
|
|
|
|
return b.EC2ClientsMap[region], nil
|
2016-04-06 00:42:26 +00:00
|
|
|
}
|
2016-09-23 16:47:35 +00:00
|
|
|
|
|
|
|
// clientIAM creates a client to interact with AWS IAM API
|
|
|
|
func (b *backend) clientIAM(s logical.Storage, region string) (*iam.IAM, error) {
|
|
|
|
b.configMutex.RLock()
|
|
|
|
if b.IAMClientsMap[region] != nil {
|
|
|
|
defer b.configMutex.RUnlock()
|
|
|
|
// If the client object was already created, return it
|
|
|
|
return b.IAMClientsMap[region], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Release the read lock and acquire the write lock
|
|
|
|
b.configMutex.RUnlock()
|
|
|
|
b.configMutex.Lock()
|
|
|
|
defer b.configMutex.Unlock()
|
|
|
|
|
|
|
|
// If the client gets created while switching the locks, return it
|
|
|
|
if b.IAMClientsMap[region] != nil {
|
|
|
|
return b.IAMClientsMap[region], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create an AWS config object using a chain of providers
|
|
|
|
awsConfig, err := b.getClientConfig(s, region)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create a new IAM client object, cache it and return the same
|
|
|
|
b.IAMClientsMap[region] = iam.New(session.New(awsConfig))
|
|
|
|
return b.IAMClientsMap[region], nil
|
|
|
|
}
|