forked from remind101/assume-role
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathassume.go
104 lines (84 loc) · 2.72 KB
/
assume.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
package main
import (
"flag"
"fmt"
"os"
"regexp"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
log "github.com/sirupsen/logrus"
)
var (
duration *time.Duration
roleArnRe = regexp.MustCompile(`^arn:aws:iam::(.+):role/([^/]+)(/.+)?$`)
)
func init() {
duration = flag.Duration("duration", time.Hour, "The duration that the credentials will be valid for.")
}
func loadCredentials(role string) (*credentials.Value, error) {
// Load credentials from configFilePath if it exists, else use regular AWS config
if roleArnRe.MatchString(role) {
return assumeRole(role, "", *duration)
}
if _, err := os.Stat(configFilePath); err == nil {
log.WithField("configFilePath", configFilePath).Warn(
"Using deprecated role file, switch to config file" +
" (https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html)")
config, err := loadConfig()
if err != nil {
return nil, err
}
if roleConfig, ok := config[role]; ok {
return assumeRole(roleConfig.Role, roleConfig.MFA, *duration)
}
return nil, fmt.Errorf("%s not in %s", role, configFilePath)
}
return assumeProfile(role)
}
// assumeProfile assumes the named profile which must exist in ~/.aws/config
// (https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) and returns the temporary STS
// credentials.
func assumeProfile(profile string) (*credentials.Value, error) {
log.Debug("Assuming role via named profile")
sess := session.Must(session.NewSessionWithOptions(session.Options{
Profile: profile,
SharedConfigState: session.SharedConfigEnable,
AssumeRoleTokenProvider: readTokenCode,
}))
creds, err := sess.Config.Credentials.Get()
if err != nil {
return nil, err
}
return &creds, nil
}
// assumeRole assumes the given role and returns the temporary STS credentials.
func assumeRole(role, mfa string, duration time.Duration) (*credentials.Value, error) {
log.Debug("Assume role via temporary STS credentials")
sess := session.Must(session.NewSession())
svc := sts.New(sess)
params := &sts.AssumeRoleInput{
RoleArn: aws.String(role),
RoleSessionName: aws.String("cli"),
DurationSeconds: aws.Int64(int64(duration / time.Second)),
}
if mfa != "" {
params.SerialNumber = aws.String(mfa)
token, err := readTokenCode()
if err != nil {
return nil, err
}
params.TokenCode = aws.String(token)
}
resp, err := svc.AssumeRole(params)
if err != nil {
return nil, err
}
var creds credentials.Value
creds.AccessKeyID = *resp.Credentials.AccessKeyId
creds.SecretAccessKey = *resp.Credentials.SecretAccessKey
creds.SessionToken = *resp.Credentials.SessionToken
return &creds, nil
}