Add code to derive temporary STS credentials for Cognito Identity pro…
…vider (#2) * snapshot: block out tool to derive creds from cognito * snapshot: derive credentials, not sure anything works though * rename aws-sts-credentials as aws-cognito-credentials * snapshot: add cmd/aws-credentials-json-to-ini * add docs for cognito and credentials json-to-ini stuff --------- Co-authored-by: sfomuseumbot <sfomuseumbot@localhost>
1 parent
975f1dc
commit 9e77da2
Showing
62 changed files
with
16,511 additions
and
129 deletions.
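--- /dev/null
+++ b/PATH-NOT-SHOWN/aws-cognito-credentials-main.go
@@ -0,0 +1,70 @@
+// aws-cognito-credentials generates temporary STS credentials for a given user in a Cognito identity pool.
+package main
+
+import (
+"context"
+"encoding/json"
+"flag"
+"log"
+"os"
+
+"github.com/aaronland/go-aws-auth"
+"github.com/sfomuseum/go-flags/multi"
+)
+
+func main() {
+
+var aws_config_uri string
+
+var identity_pool_id string
+var role_arn string
+var role_session_name string
+var duration int
+
+var kv_logins multi.KeyValueString
+
+flag.StringVar(&aws_config_uri, "aws-config-uri", "", "A valid github.com/aaronland/go-aws-auth.Config URI.")
+
+flag.StringVar(&identity_pool_id, "identity-pool-id", "", "A valid AWS Cognito Identity Pool ID.")
+flag.StringVar(&role_arn, "role-arn", "", "A valid AWS IAM role ARN to assign to STS credentials.")
+flag.StringVar(&role_session_name, "role-session-name", "", "An identifier for the assumed role session.")
+flag.IntVar(&duration, "duration", 900, "The duration, in seconds, of the role session. Can not be less than 900.") // Note: Can not be less than 900
+flag.Var(&kv_logins, "login", "One or more key=value strings mapping to AWS Cognito authentication providers.")
+
+flag.Parse()
+
+ctx := context.Background()
+
+cfg, err := auth.NewConfig(ctx, aws_config_uri)
+
+if err != nil {
+log.Fatalf("Failed to derive AWS config, %v", err)
+}
+
+logins := make(map[string]string, 0)
+
+for _, kv := range kv_logins {
+logins[kv.Key()] = kv.Value().(string)
+}
+
+opts := &auth.STSCredentialsForDeveloperIdentityOptions{
+RoleArn: role_arn,
+RoleSessionName: role_session_name,
+Duration: int32(duration),
+IdentityPoolId: identity_pool_id,
+Logins: logins,
+}
+
+creds, err := auth.STSCredentialsForDeveloperIdentity(ctx, cfg, opts)
+
+if err != nil {
+log.Fatalf("Failed to derive credentials, %v", err)
+}
+
+enc := json.NewEncoder(os.Stdout)
+err = enc.Encode(creds)
+
+if err != nil {
+log.Fatalf("Failed to encode credentials, %v", err)
+}
+}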
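Review bot: The -duration flag's help text and its trailing comment state a minimum of 900 seconds, but nothing after `flag.Parse()` enforces it, and `Duration: int32(duration)` narrows an int silently, so an out-of-range value is only discovered as a remote API error or, for very large values, wraps. Validate it up front, e.g. `if duration < 900 || duration > math.MaxInt32 { log.Fatalf("Invalid -duration %d, must be at least 900 and fit in int32", duration) }` (requires importing `math`). The assertion `kv.Value().(string)` in the logins loop panics rather than reporting an error if the flag ever yields a non-string value; a two-value assertion with a `log.Fatalf` on failure keeps the failure readable. The whole of main is inside this hunk.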
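--- /dev/null
+++ b/PATH-NOT-SHOWN/credentials.ini
@@ -0,0 +1,5 @@
+[{{.Name}}]
+region = {{ .Region }}
+aws_access_key_id = {{ .KeyId }}
+aws_secret_access_key = {{ .KeySecret }}
+aws_session_token = {{ .SessionToken }}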
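--- /dev/null
+++ b/PATH-NOT-SHOWN/aws-credentials-json-to-ini-main.go
@@ -0,0 +1,124 @@
+// aws-credentials-json-to-ini reads JSON-encoded AWS credentials information and generates an AWS ini-style configuration file with those data.
+package main
+
+import (
+"bufio"
+_ "embed"
+"encoding/json"
+"flag"
+"fmt"
+"io"
+"log"
+"os"
+"text/template"
+
+"github.com/aws/aws-sdk-go-v2/service/sts/types"
+)
+
+//go:embed credentials.ini
+var credentials_t string
+
+type CredentialsVars struct {
+Name string
+Region string
+KeyId string
+KeySecret string
+SessionToken string
+}
+
+func main() {
+
+var infile string
+var outfile string
+
+var name string
+var region string
+
+flag.StringVar(&infile, "json", "", "Path to the JSON file containing AWS credentials. If \"-\" then data will be read from STDIN.")
+flag.StringVar(&outfile, "ini", "", "Path to the ini-style file where AWS credentials should be written. If \"-\" then data will be written to STDOUT.")
+
+flag.StringVar(&name, "name", "default", "The name of the ini section where AWS credentials should be written.")
+flag.StringVar(&region, "region", "us-east-1", "The AWS region for the AWS credentials.")
+
+flag.Parse()
+
+var r io.ReadCloser
+var wr io.WriteCloser
+
+switch infile {
+case "-":
+br := bufio.NewReader(os.Stdin)
+r = io.NopCloser(br)
+default:
+
+_r, err := os.Open(infile)
+
+if err != nil {
+log.Fatalf("Failed to open %s for reading, %v", infile, err)
+}
+
+r = _r
+}
+
+defer r.Close()
+
+switch outfile {
+case "-":
+wr = os.Stdout
+default:
+_wr, err := os.OpenFile(outfile, os.O_RDWR|os.O_CREATE, 0600)
+
+if err != nil {
+log.Fatalf("Failed to open %s for writing, %v", outfile, err)
+}
+
+wr = _wr
+}
+
+err := Convert(r, wr, name, region)
+
+if err != nil {
+log.Fatalf("Failed to convert credentials, %v", err)
+}
+
+err = wr.Close()
+
+if err != nil {
+log.Fatalf("Failed to close %s after writing, %v", outfile, err)
+}
+
+}
+
+func Convert(r io.Reader, wr io.Writer, name string, region string) error {
+
+t, err := template.New("credentials").Parse(credentials_t)
+
+if err != nil {
+return fmt.Errorf("Failed to parse credentials template, %w", err)
+}
+
+var creds *types.Credentials
+
+dec := json.NewDecoder(r)
+err = dec.Decode(&creds)
+
+if err != nil {
+return fmt.Errorf("Failed to decode credentials reader, %w", err)
+}
+
+vars := CredentialsVars{
+Name: name,
+Region: region,
+KeyId: *creds.AccessKeyId,
+KeySecret: *creds.SecretAccessKey,
+SessionToken: *creds.SessionToken,
+}
+
+err = t.Execute(wr, vars)
+
+if err != nil {
+return fmt.Errorf("Failed to write credentials template, %w", err)
+}
+
+return nil
+}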
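Review bot: `os.OpenFile(outfile, os.O_RDWR|os.O_CREATE, 0600)` in main opens the output without truncation, so when -ini names an existing file that is longer than the new output the tail of the old contents survives after the rendered template and the resulting ini is corrupt and may still carry old credential bytes; use `os.OpenFile(outfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` (and note the 0600 mode only applies when the file is created, not to a pre-existing file). In Convert, `*creds.AccessKeyId`, `*creds.SecretAccessKey` and `*creds.SessionToken` are dereferenced without a nil check, and `creds` itself stays nil when the input is JSON `null`, so partial or malformed input panics instead of returning an error. Guard before building vars with `if creds == nil || creds.AccessKeyId == nil || creds.SecretAccessKey == nil || creds.SessionToken == nil { return fmt.Errorf("credentials JSON is missing AccessKeyId, SecretAccessKey or SessionToken") }`. Both main and Convert lie entirely within this hunk.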