open-vault/builtin/logical/aws/path_config_root.go

package aws

import (
	"context"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

func pathConfigRoot() *framework.Path {
	return &framework.Path{
		Pattern: "config/root",
		Fields: map[string]*framework.FieldSchema{
			"access_key": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Access key with permission to create new keys.",
			},

			"secret_key": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Secret key with permission to create new keys.",
			},

			"region": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Region for API calls.",
			},
			"iam_endpoint": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Endpoint to custom IAM server URL",
			},
			"sts_endpoint": &framework.FieldSchema{
				Type:        framework.TypeString,
				Description: "Endpoint to custom STS server URL",
			},
			"max_retries": &framework.FieldSchema{
				Type:        framework.TypeInt,
				Default:     aws.UseServiceDefaultRetries,
				Description: "Maximum number of retries for recoverable exceptions of AWS APIs",
			},
		},

		Callbacks: map[logical.Operation]framework.OperationFunc{
			logical.UpdateOperation: pathConfigRootWrite,
		},

		HelpSynopsis:    pathConfigRootHelpSyn,
		HelpDescription: pathConfigRootHelpDesc,
	}
}

func pathConfigRootWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
	region := data.Get("region").(string)
	iamendpoint := data.Get("iam_endpoint").(string)
	stsendpoint := data.Get("sts_endpoint").(string)
	maxretries := data.Get("max_retries").(int)

	entry, err := logical.StorageEntryJSON("config/root", rootConfig{
		AccessKey:   data.Get("access_key").(string),
		SecretKey:   data.Get("secret_key").(string),
		IAMEndpoint: iamendpoint,
		STSEndpoint: stsendpoint,
		Region:      region,
		MaxRetries:  maxretries,
	})
	if err != nil {
		return nil, err
	}

	if err := req.Storage.Put(ctx, entry); err != nil {
		return nil, err
	}

	return nil, nil
}

type rootConfig struct {
	AccessKey   string `json:"access_key"`
	SecretKey   string `json:"secret_key"`
	IAMEndpoint string `json:"iam_endpoint"`
	STSEndpoint string `json:"sts_endpoint"`
	Region      string `json:"region"`
	MaxRetries  int    `json:"max_retries"`
}

const pathConfigRootHelpSyn = `
Configure the root credentials that are used to manage IAM.
`

const pathConfigRootHelpDesc = `
Before doing anything, the AWS backend needs credentials that are able
to manage IAM policies, users, access keys, etc. This endpoint is used
to configure those credentials. They don't necessarily need to be root
keys as long as they have permission to manage IAM.
`
logical/aws 2015-03-20 16:59:48 +00:00			`package aws`

			`import (`
Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`"context"`

Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`"github.com/aws/aws-sdk-go/aws"`
logical/aws 2015-03-20 16:59:48 +00:00			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

logical/aws: fix build 2015-04-19 05:22:35 +00:00			`func pathConfigRoot() *framework.Path {`
logical/aws 2015-03-20 16:59:48 +00:00			`return &framework.Path{`
logical/aws: move root creds config to config/root 2015-04-19 05:21:31 +00:00			`Pattern: "config/root",`
logical/aws 2015-03-20 16:59:48 +00:00			`Fields: map[string]*framework.FieldSchema{`
			`"access_key": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Access key with permission to create new keys.",`
			`},`

			`"secret_key": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Secret key with permission to create new keys.",`
			`},`

			`"region": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Region for API calls.",`
			`},`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`"iam_endpoint": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Endpoint to custom IAM server URL",`
			`},`
			`"sts_endpoint": &framework.FieldSchema{`
			`Type: framework.TypeString,`
			`Description: "Endpoint to custom STS server URL",`
			`},`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`"max_retries": &framework.FieldSchema{`
			`Type: framework.TypeInt,`
			`Default: aws.UseServiceDefaultRetries,`
			`Description: "Maximum number of retries for recoverable exceptions of AWS APIs",`
			`},`
logical/aws 2015-03-20 16:59:48 +00:00			`},`

			`Callbacks: map[logical.Operation]framework.OperationFunc{`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`logical.UpdateOperation: pathConfigRootWrite,`
logical/aws 2015-03-20 16:59:48 +00:00			`},`
logical/aws: help 2015-04-04 04:10:54 +00:00
logical/aws: fix build 2015-04-19 05:22:35 +00:00			`HelpSynopsis: pathConfigRootHelpSyn,`
			`HelpDescription: pathConfigRootHelpDesc,`
logical/aws 2015-03-20 16:59:48 +00:00			`}`
			`}`

Pass context to backends (#3750) * Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers 2018-01-08 18:31:38 +00:00			`func pathConfigRootWrite(ctx context.Context, req logical.Request, data framework.FieldData) (*logical.Response, error) {`
logical/aws: move root creds config to config/root 2015-04-19 05:21:31 +00:00			`region := data.Get("region").(string)`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`iamendpoint := data.Get("iam_endpoint").(string)`
			`stsendpoint := data.Get("sts_endpoint").(string)`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`maxretries := data.Get("max_retries").(int)`
logical/aws: move root creds config to config/root 2015-04-19 05:21:31 +00:00
			`entry, err := logical.StorageEntryJSON("config/root", rootConfig{`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			`AccessKey: data.Get("access_key").(string),`
			`SecretKey: data.Get("secret_key").(string),`
			`IAMEndpoint: iamendpoint,`
			`STSEndpoint: stsendpoint,`
			`Region: region,`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			`MaxRetries: maxretries,`
logical/aws 2015-03-20 16:59:48 +00:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`if err := req.Storage.Put(ctx, entry); err != nil {`
logical/aws 2015-03-20 16:59:48 +00:00			`return nil, err`
			`}`

			`return nil, nil`
			`}`

			`type rootConfig struct {`
added AWS enpoint handling (#3416) 2017-11-06 18:31:38 +00:00			AccessKey string `json:"access_key"`
			SecretKey string `json:"secret_key"`
			IAMEndpoint string `json:"iam_endpoint"`
			STSEndpoint string `json:"sts_endpoint"`
			Region string `json:"region"`
Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 16:11:17 +00:00			MaxRetries int `json:"max_retries"`
logical/aws 2015-03-20 16:59:48 +00:00			`}`
logical/aws: help 2015-04-04 04:10:54 +00:00
logical/aws: fix build 2015-04-19 05:22:35 +00:00			const pathConfigRootHelpSyn = `
logical/aws: help 2015-04-04 04:10:54 +00:00			`Configure the root credentials that are used to manage IAM.`
			`

logical/aws: fix build 2015-04-19 05:22:35 +00:00			const pathConfigRootHelpDesc = `
logical/aws: help 2015-04-04 04:10:54 +00:00			`Before doing anything, the AWS backend needs credentials that are able`
			`to manage IAM policies, users, access keys, etc. This endpoint is used`
Spelling (#4119) 2018-03-20 18:54:10 +00:00			`to configure those credentials. They don't necessarily need to be root`
logical/aws: help 2015-04-04 04:10:54 +00:00			`keys as long as they have permission to manage IAM.`
			`