open-vault/builtin/logical/aws/client.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package aws

import (
	"context"
	"fmt"
	"os"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/iam"
	"github.com/aws/aws-sdk-go/service/sts"
	cleanhttp "github.com/hashicorp/go-cleanhttp"
	"github.com/hashicorp/go-hclog"
	"github.com/hashicorp/go-secure-stdlib/awsutil"
	"github.com/hashicorp/vault/sdk/logical"
)

// NOTE: The caller is required to ensure that b.clientMutex is at least read locked
func getRootConfig(ctx context.Context, s logical.Storage, clientType string, logger hclog.Logger) (*aws.Config, error) {
	credsConfig := &awsutil.CredentialsConfig{}
	var endpoint string
	var maxRetries int = aws.UseServiceDefaultRetries

	entry, err := s.Get(ctx, "config/root")
	if err != nil {
		return nil, err
	}
	if entry != nil {
		var config rootConfig
		if err := entry.DecodeJSON(&config); err != nil {
			return nil, fmt.Errorf("error reading root configuration: %w", err)
		}

		credsConfig.AccessKey = config.AccessKey
		credsConfig.SecretKey = config.SecretKey
		credsConfig.Region = config.Region
		maxRetries = config.MaxRetries
		switch {
		case clientType == "iam" && config.IAMEndpoint != "":
			endpoint = *aws.String(config.IAMEndpoint)
		case clientType == "sts" && config.STSEndpoint != "":
			endpoint = *aws.String(config.STSEndpoint)
		}
	}

	if credsConfig.Region == "" {
		credsConfig.Region = os.Getenv("AWS_REGION")
		if credsConfig.Region == "" {
			credsConfig.Region = os.Getenv("AWS_DEFAULT_REGION")
			if credsConfig.Region == "" {
				credsConfig.Region = "us-east-1"
			}
		}
	}

	credsConfig.HTTPClient = cleanhttp.DefaultClient()

	credsConfig.Logger = logger

	creds, err := credsConfig.GenerateCredentialChain()
	if err != nil {
		return nil, err
	}

	return &aws.Config{
		Credentials: creds,
		Region:      aws.String(credsConfig.Region),
		Endpoint:    &endpoint,
		HTTPClient:  cleanhttp.DefaultClient(),
		MaxRetries:  aws.Int(maxRetries),
	}, nil
}

func nonCachedClientIAM(ctx context.Context, s logical.Storage, logger hclog.Logger) (*iam.IAM, error) {
	awsConfig, err := getRootConfig(ctx, s, "iam", logger)
	if err != nil {
		return nil, err
	}
	sess, err := session.NewSession(awsConfig)
	if err != nil {
		return nil, err
	}
	client := iam.New(sess)
	if client == nil {
		return nil, fmt.Errorf("could not obtain iam client")
	}
	return client, nil
}

func nonCachedClientSTS(ctx context.Context, s logical.Storage, logger hclog.Logger) (*sts.STS, error) {
	awsConfig, err := getRootConfig(ctx, s, "sts", logger)
	if err != nil {
		return nil, err
	}
	sess, err := session.NewSession(awsConfig)
	if err != nil {
		return nil, err
	}
	client := sts.New(sess)
	if client == nil {
		return nil, fmt.Errorf("could not obtain sts client")
	}
	return client, nil
}
adding copyright header (#19555) * adding copyright header * fix fmt and a test 2023-03-15 16:00:52 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

logical/aws 2015-03-20 16:59:48 +00:00			`package aws`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
logical/aws 2015-03-20 16:59:48 +00:00			`"fmt"`
Use RemoteCredProvider instead of EC2RoleProvider (#2983) 2017-07-31 22:27:16 +00:00			`"os"`
logical/aws 2015-03-20 16:59:48 +00:00
Update to latest aws and move off of hashicorp/aws-sdk-go 2015-08-06 16:26:41 +00:00			`"github.com/aws/aws-sdk-go/aws"`
Fix breaking API changes 2015-10-30 22:22:48 +00:00			`"github.com/aws/aws-sdk-go/aws/session"`
Update to latest aws and move off of hashicorp/aws-sdk-go 2015-08-06 16:26:41 +00:00			`"github.com/aws/aws-sdk-go/service/iam"`
Add STS path to AWS backend. The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user. 2015-12-08 04:32:49 +00:00			`"github.com/aws/aws-sdk-go/service/sts"`
Run goimports across the repository (#6010) The result will still pass gofmtcheck and won't trigger additional changes if someone isn't using goimports, but it will avoid the piecemeal imports changes we've been seeing. 2019-01-09 00:48:57 +00:00			`cleanhttp "github.com/hashicorp/go-cleanhttp"`
Add logging during awskms auto-unseal (#9794) Adds debug and warn logging around AWS credential chain generation, specifically to help users debugging auto-unseal problems on AWS, by logging which role is being used in the case of a webidentity token. Adds a deferred call to flush the log output as well, to ensure logs are output in the event of an initialization failure. 2020-09-28 21:06:49 +00:00			`"github.com/hashicorp/go-hclog"`
Move awsutil over to the go-secure-stdlib version (#12128) Unlike the other libraries that were migrated, there are no usages of this lib in any of our plugins, and the only other known usage was in go-kms-wrapping, which has been updated. Aliasing it like the other libs would still keep the aws-sdk-go dep in the sdk module because of the function signatures. So I've simply removed it entirely here. 2021-07-21 00:42:00 +00:00			`"github.com/hashicorp/go-secure-stdlib/awsutil"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/logical"`
logical/aws 2015-03-20 16:59:48 +00:00			`)`

Add AWS Secret Engine Root Credential Rotation (#5140) * Add AWS Secret Engine Root Credential Rotation This allows the AWS Secret Engine to rotate its credentials used to access AWS. This will only work when the AWS Secret Engine has been provided explicit IAM credentials via the config/root endpoint, and further, when the IAM credentials provided are the only access key on the IAM user associated wtih the access key (because AWS allows a maximum of 2 access keys per user). Fixes #4385 * Add test for AWS root credential rotation Also fix a typo in the root credential rotation code * Add docs for AWS root rotation * Add locks around reading and writing config/root And wire the backend up in a bunch of places so the config can get the lock * Respond to PR feedback * Fix casing in error messages * Fix merge errors * Fix locking bugs 2018-09-26 14:10:00 +00:00			`// NOTE: The caller is required to ensure that b.clientMutex is at least read locked`
Add logging during awskms auto-unseal (#9794) Adds debug and warn logging around AWS credential chain generation, specifically to help users debugging auto-unseal problems on AWS, by logging which role is being used in the case of a webidentity token. Adds a deferred call to flush the log output as well, to ensure logs are output in the event of an initialization failure. 2020-09-28 21:06:49 +00:00			`func getRootConfig(ctx context.Context, s logical.Storage, clientType string, logger hclog.Logger) (*aws.Config, error) {`
Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 21:00:16 +00:00			`credsConfig := &awsutil.CredentialsConfig{}`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`var endpoint string`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`var maxRetries int = aws.UseServiceDefaultRetries`
Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 19:10:35 +00:00
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`entry, err := s.Get(ctx, "config/root")`
logical/aws 2015-03-20 16:59:48 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 19:10:35 +00:00			`if entry != nil {`
			`var config rootConfig`
			`if err := entry.DecodeJSON(&config); err != nil {`
builtin: deprecate errwrap.Wrapf() throughout (#11430) * audit: deprecate errwrap.Wrapf() * builtin/audit/file: deprecate errwrap.Wrapf() * builtin/crediential/app-id: deprecate errwrap.Wrapf() * builtin/credential/approle: deprecate errwrap.Wrapf() * builtin/credential/aws: deprecate errwrap.Wrapf() * builtin/credentials/token: deprecate errwrap.Wrapf() * builtin/credential/github: deprecate errwrap.Wrapf() * builtin/credential/cert: deprecate errwrap.Wrapf() * builtin/logical/transit: deprecate errwrap.Wrapf() * builtin/logical/totp: deprecate errwrap.Wrapf() * builtin/logical/ssh: deprecate errwrap.Wrapf() * builtin/logical/rabbitmq: deprecate errwrap.Wrapf() * builtin/logical/postgresql: deprecate errwrap.Wrapf() * builtin/logical/pki: deprecate errwrap.Wrapf() * builtin/logical/nomad: deprecate errwrap.Wrapf() * builtin/logical/mssql: deprecate errwrap.Wrapf() * builtin/logical/database: deprecate errwrap.Wrapf() * builtin/logical/consul: deprecate errwrap.Wrapf() * builtin/logical/cassandra: deprecate errwrap.Wrapf() * builtin/logical/aws: deprecate errwrap.Wrapf() 2021-04-22 15:20:59 +00:00			`return nil, fmt.Errorf("error reading root configuration: %w", err)`
Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 19:10:35 +00:00			`}`

Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 21:00:16 +00:00			`credsConfig.AccessKey = config.AccessKey`
			`credsConfig.SecretKey = config.SecretKey`
			`credsConfig.Region = config.Region`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`maxRetries = config.MaxRetries`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`switch {`
			`case clientType == "iam" && config.IAMEndpoint != "":`
			`endpoint = *aws.String(config.IAMEndpoint)`
			`case clientType == "sts" && config.STSEndpoint != "":`
			`endpoint = *aws.String(config.STSEndpoint)`
			`}`
logical/aws 2015-03-20 16:59:48 +00:00			`}`

Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 21:00:16 +00:00			`if credsConfig.Region == "" {`
Use RemoteCredProvider instead of EC2RoleProvider (#2983) 2017-07-31 22:27:16 +00:00			`credsConfig.Region = os.Getenv("AWS_REGION")`
			`if credsConfig.Region == "" {`
			`credsConfig.Region = os.Getenv("AWS_DEFAULT_REGION")`
			`if credsConfig.Region == "" {`
			`credsConfig.Region = "us-east-1"`
			`}`
			`}`
Region is required so error in awsutil if not set and set if empty in client code in logical/aws 2016-05-03 19:25:11 +00:00			`}`

Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 21:00:16 +00:00			`credsConfig.HTTPClient = cleanhttp.DefaultClient()`

Add logging during awskms auto-unseal (#9794) Adds debug and warn logging around AWS credential chain generation, specifically to help users debugging auto-unseal problems on AWS, by logging which role is being used in the case of a webidentity token. Adds a deferred call to flush the log output as well, to ensure logs are output in the event of an initialization failure. 2020-09-28 21:06:49 +00:00			`credsConfig.Logger = logger`

Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 21:00:16 +00:00			`creds, err := credsConfig.GenerateCredentialChain()`
Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 19:10:35 +00:00			`if err != nil {`
			`return nil, err`
logical/aws 2015-03-20 16:59:48 +00:00			`}`

Add STS path to AWS backend. The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user. 2015-12-08 04:32:49 +00:00			`return &aws.Config{`
Update vault code to match latest aws-sdk-go APIs 2015-08-06 16:37:08 +00:00			`Credentials: creds,`
Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 21:00:16 +00:00			`Region: aws.String(credsConfig.Region),`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`Endpoint: &endpoint,`
Use cleanhttp instead of bare http.Client 2015-10-22 18:37:12 +00:00			`HTTPClient: cleanhttp.DefaultClient(),`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`MaxRetries: aws.Int(maxRetries),`
Add STS path to AWS backend. The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user. 2015-12-08 04:32:49 +00:00			`}, nil`
			`}`
Fix breaking API changes 2015-10-30 22:22:48 +00:00
Add logging during awskms auto-unseal (#9794) Adds debug and warn logging around AWS credential chain generation, specifically to help users debugging auto-unseal problems on AWS, by logging which role is being used in the case of a webidentity token. Adds a deferred call to flush the log output as well, to ensure logs are output in the event of an initialization failure. 2020-09-28 21:06:49 +00:00			`func nonCachedClientIAM(ctx context.Context, s logical.Storage, logger hclog.Logger) (*iam.IAM, error) {`
			`awsConfig, err := getRootConfig(ctx, s, "iam", logger)`
Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 17:00:29 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Replace deprecated AWS client instantiations (#8060) * replace deprecated aws client instantiation * fix imports 2020-01-09 22:58:33 +00:00			`sess, err := session.NewSession(awsConfig)`
			`if err != nil {`
			`return nil, err`
			`}`
			`client := iam.New(sess)`
Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 17:00:29 +00:00			`if client == nil {`
			`return nil, fmt.Errorf("could not obtain iam client")`
			`}`
			`return client, nil`
logical/aws 2015-03-20 16:59:48 +00:00			`}`
Add STS path to AWS backend. The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user. 2015-12-08 04:32:49 +00:00
Add logging during awskms auto-unseal (#9794) Adds debug and warn logging around AWS credential chain generation, specifically to help users debugging auto-unseal problems on AWS, by logging which role is being used in the case of a webidentity token. Adds a deferred call to flush the log output as well, to ensure logs are output in the event of an initialization failure. 2020-09-28 21:06:49 +00:00			`func nonCachedClientSTS(ctx context.Context, s logical.Storage, logger hclog.Logger) (*sts.STS, error) {`
			`awsConfig, err := getRootConfig(ctx, s, "sts", logger)`
Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 17:00:29 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Replace deprecated AWS client instantiations (#8060) * replace deprecated aws client instantiation * fix imports 2020-01-09 22:58:33 +00:00			`sess, err := session.NewSession(awsConfig)`
			`if err != nil {`
			`return nil, err`
			`}`
			`client := sts.New(sess)`
Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 17:00:29 +00:00			`if client == nil {`
			`return nil, fmt.Errorf("could not obtain sts client")`
			`}`
			`return client, nil`
Add STS path to AWS backend. The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user. 2015-12-08 04:32:49 +00:00			`}`