2015-12-08 04:32:49 +00:00
|
|
|
package aws
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2016-02-23 13:55:43 +00:00
|
|
|
"strings"
|
2015-12-08 04:32:49 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
)
|
|
|
|
|
|
|
|
func pathSTS(b *backend) *framework.Path {
|
|
|
|
return &framework.Path{
|
|
|
|
Pattern: "sts/" + framework.GenericNameRegex("name"),
|
|
|
|
Fields: map[string]*framework.FieldSchema{
|
|
|
|
"name": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeString,
|
|
|
|
Description: "Name of the role",
|
|
|
|
},
|
2016-01-21 19:28:34 +00:00
|
|
|
"ttl": &framework.FieldSchema{
|
|
|
|
Type: framework.TypeDurationSecond,
|
2015-12-11 06:00:54 +00:00
|
|
|
Description: "Lifetime of the token in seconds",
|
2016-02-19 21:35:06 +00:00
|
|
|
Default: 3600,
|
2015-12-11 06:00:54 +00:00
|
|
|
},
|
2015-12-08 04:32:49 +00:00
|
|
|
},
|
|
|
|
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
|
|
logical.ReadOperation: b.pathSTSRead,
|
|
|
|
},
|
|
|
|
|
|
|
|
HelpSynopsis: pathSTSHelpSyn,
|
|
|
|
HelpDescription: pathSTSHelpDesc,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *backend) pathSTSRead(
|
|
|
|
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
|
|
policyName := d.Get("name").(string)
|
2016-01-21 19:28:34 +00:00
|
|
|
ttl := int64(d.Get("ttl").(int))
|
2015-12-08 04:32:49 +00:00
|
|
|
|
|
|
|
// Read the policy
|
|
|
|
policy, err := req.Storage.Get("policy/" + policyName)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("error retrieving role: %s", err)
|
|
|
|
}
|
|
|
|
if policy == nil {
|
|
|
|
return logical.ErrorResponse(fmt.Sprintf(
|
|
|
|
"Role '%s' not found", policyName)), nil
|
|
|
|
}
|
2016-02-23 13:55:43 +00:00
|
|
|
policyValue := string(policy.Value)
|
|
|
|
if strings.HasPrefix(policyValue, "arn:") {
|
2016-04-12 02:30:30 +00:00
|
|
|
if strings.Contains(policyValue, ":role/") {
|
|
|
|
return b.assumeRole(
|
|
|
|
req.Storage,
|
|
|
|
req.DisplayName, policyName, policyValue,
|
2016-05-19 16:26:02 +00:00
|
|
|
ttl,
|
2016-04-12 02:30:30 +00:00
|
|
|
)
|
|
|
|
} else {
|
|
|
|
return logical.ErrorResponse(
|
|
|
|
"Can't generate STS credentials for a managed policy; use a role to assume or an inline policy instead"),
|
|
|
|
logical.ErrInvalidRequest
|
|
|
|
}
|
2016-02-23 13:55:43 +00:00
|
|
|
}
|
2015-12-08 04:32:49 +00:00
|
|
|
// Use the helper to create the secret
|
2016-02-19 21:35:06 +00:00
|
|
|
return b.secretTokenCreate(
|
2015-12-11 06:00:54 +00:00
|
|
|
req.Storage,
|
2016-02-23 13:55:43 +00:00
|
|
|
req.DisplayName, policyName, policyValue,
|
2016-05-19 16:26:02 +00:00
|
|
|
ttl,
|
2015-12-11 06:00:54 +00:00
|
|
|
)
|
2015-12-08 04:32:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
const pathSTSHelpSyn = `
|
|
|
|
Generate an access key pair + security token for a specific role.
|
|
|
|
`
|
|
|
|
|
|
|
|
const pathSTSHelpDesc = `
|
|
|
|
This path will generate a new, never before used key pair + security token for
|
|
|
|
accessing AWS. The IAM policy used to back this key pair will be
|
|
|
|
the "name" parameter. For example, if this backend is mounted at "aws",
|
|
|
|
then "aws/sts/deploy" would generate access keys for the "deploy" role.
|
|
|
|
|
|
|
|
Note, these credentials are instantiated using the AWS STS backend.
|
|
|
|
|
|
|
|
The access keys will have a lease associated with them. The access keys
|
|
|
|
can be revoked by using the lease ID.
|
|
|
|
`
|