README
¶
go-aws-auth
Go package providing methods and tools for determining or assigning AWS credentials.
Documentation
Tools
$> make cli
go build -mod vendor -ldflags="-s -w" -o bin/aws-sts-session cmd/aws-sts-session/main.go
go build -mod vendor -ldflags="-s -w" -o bin/aws-mfa-session cmd/aws-mfa-session/main.go
go build -mod vendor -ldflags="-s -w" -o bin/aws-get-credentials cmd/aws-get-credentials/main.go
go build -mod vendor -ldflags="-s -w" -o bin/aws-cognito-credentials cmd/aws-cognito-credentials/main.go
go build -mod vendor -ldflags="-s -w" -o bin/aws-set-env cmd/aws-set-env/main.go
go build -mod vendor -ldflags="-s -w" -o bin/aws-sign-request cmd/aws-sign-request/main.go
go build -mod vendor -ldflags="-s -w" -o bin/aws-credentials-json-to-ini cmd/aws-credentials-json-to-ini/main.go
go build -mod vendor -ldflags="-s -w" -o bin/aws-imds-credentials cmd/aws-imds-credentials/main.go
aws-cognito-credentials
aws-cognito-credentials generates temporary STS credentials for a given user in a Cognito identity pool.
$> ./bin/aws-cognito-credentials -h
Usage of ./bin/aws-cognito-credentials:
-aws-config-uri string
A valid github.com/aaronland/go-aws-auth.Config URI.
-duration int
The duration, in seconds, of the role session. Can not be less than 900. (default 900)
-identity-pool-id string
A valid AWS Cognito Identity Pool ID.
-login value
One or more key=value strings mapping to AWS Cognito authentication providers.
-role-arn string
A valid AWS IAM role ARN to assign to STS credentials.
-role-session-name string
An identifier for the assumed role session.
-session-policy value
Zero or more IAM ARNs to use as session policies to supplement the default role ARN.
For example:
$> go bin/aws-cognito-credentials \
-aws-config-uri 'aws://us-east-1?credentials=session' \
-identity-pool-id us-east-1:{GUID} \
-login org.sfomuseum=bob
-role-session-name bob -role-arn 'arn:aws:iam::{ACCOUNT_ID}:role/{ROLE}' \
| jq
{
"AccessKeyId": "...",
"Expiration": "...",
"SecretAccessKey": "...",
"SessionToken": "..."
}
aws-credentials-json-to-ini
aws-credentials-json-to-ini reads JSON-encoded AWS credentials information and generates an AWS ini-style configuration file with those data.
$> ./bin/aws-credentials-json-to-ini -h
Usage of ./bin/aws-credentials-json-to-ini:
-ini string
Path to the ini-style file where AWS credentials should be written. If "-" then data will be written to STDOUT.
-json string
Path to the JSON file containing AWS credentials. If "-" then data will be read from STDIN.
-name string
The name of the ini section where AWS credentials should be written. (default "default")
-region string
The AWS region for the AWS credentials. (default "us-east-1")
For example:
$> go bin/aws-cognito-credentials \
-aws-config-uri 'aws://us-east-1?credentials=session' \
-identity-pool-id us-east-1:{GUID} \
-login org.sfomuseum=bob
-role-session-name bob -role-arn 'arn:aws:iam::{ACCOUNT_ID}:role/{ROLE}' \
| ./bin/aws-credentials-json-to-ini -json - -ini -
[default]
region = us-east-1
aws_access_key_id = ...
aws_secret_access_key = ...
aws_session_token = ...
aws-get-credentials
aws-get-credentials is a command line tool to emit one or more keys from a given profile in an AWS .credentials file.
$> ./bin/aws-get-credentials -h
Usage of ./bin/aws-get-credentials:
-profile string
A valid AWS credentials profile (default "default")
aws-imds-credentials
aws-imds-credentials returns the current aws.Credentials derived from the EC2 IMDS API. For example:
$> ./bin/aws-imds-credentials | jq
{
"AccessKeyID": "...",
"SecretAccessKey": "...",
"SessionToken": "...",
"Source": "EC2RoleProvider",
"CanExpire": true,
"Expires": "2024-03-28T19:44:42.59621653Z"
}
aws-mfa-session
aws-mfa-session is a command line to create session-based authentication keys and secrets for a given profile and multi-factor authentication (MFA) token and then writing that key and secret back to a "credentials" file in a specific profile section.
$> > ./bin/aws-mfa-session -h
Usage of ./bin/aws-mfa-session:
-code string
A valid MFA code. If empty the application will block and prompt the user
-device string
The device ID (serial number) used to validate MFA codes
-duration string
A valid ISO8601 duration string indicating how long the session should last (months are currently not supported) (default "PT1H")
-profile string
A valid AWS credentials profile (default "default")
-session-profile string
The name of the AWS credentials profile to update with session credentials (default "session")
For example:
$> ./bin/aws-mfa-session -profile {PROFILE} -device {MFA_DEVICE_ARN} -duration PT8H
Enter your MFA token code: 123456
2018/07/26 09:47:09 Updated session credentials for 'session' profile, expires Jul 26 17:47:09 (2018-07-27 00:51:52 +0000 UTC)
Note that the -device flag is optional. If empty and there is only one MFA device registered that one will be used. If empty and there are multiple MFA devices registered then an error will be thrown.
aws-set-env
aws-set-env is a command line tool to assign required AWS authentication environment variables for a given profile in a AWS .credentials file.
$> ./bin/aws-set-env -h
Usage of ./bin/aws-set-env:
-profile string
A valid AWS credentials profile (default "default")
-session-token
Require AWS_SESSION_TOKEN environment variable (default true)
aws-sign-request
aws-sign-request signs a HTTP request with an AWS "v4" signature, optionally executing the request and emitting the output to STDOUT or writing the request itself to STDOUT.
$> ./bin/aws-sign-request -h
Usage of ./bin/aws-sign-request:
-api-signing-name string
The name the API uses to identify the service the request is scoped to.
-api-signing-region string
If empty then the value of the region associated with the AWS config/credentials will be used.
-credentials-uri string
A valid aaronland/go-aws-auth config URI.
-debug
Enable verbose debug logging to STDOUT.
-do
If true then execute the signed request and output the response to STDOUT.
-header value
Zero or more HTTP headers to assign to the request in the form of key=value.
-method string
A valid HTTP method. (default "GET")
-uri string
The URI you are trying to sign.
For example, to call a Lambda Function URL:
$> bin/aws-sign-request \
-credentials-uri 'aws://{REGION}?credentials=iam:' \
-api-signing-name 'lambda' \
-uri https://{GIBBERISH}.lambda-url.{REGION}.on.aws/api/point-in-polygon \
-method POST \
-do \
'{"latitude": 25.0, "longitude": -45.6 }' \
| jq
{
"places": [
{
"wof:id": "404528709",
"wof:parent_id": "-1",
"wof:name": "North Atlantic Ocean",
"wof:country": "",
"wof:placetype": "ocean",
"mz:latitude": 0,
"mz:longitude": 0,
"mz:min_latitude": 24.965357,
"mz:min_longitude": 0,
"mz:max_latitude": -45.616087,
"mz:max_longitude": -45.570425,
"mz:is_current": 1,
"mz:is_deprecated": -1,
"mz:is_ceased": -1,
"mz:is_superseded": 0,
"mz:is_superseding": 0,
"edtf:inception": "",
"edtf:cessation": "",
"wof:supersedes": [],
"wof:superseded_by": [],
"wof:belongsto": [],
"wof:path": "404/528/709/404528709.geojson",
"wof:repo": "whosonfirst-data-admin-xy",
"wof:lastmodified": 1690923898
}
]
}
aws-sts-session
Generate STS credentials for a given profile and MFA token and then write those credentials back to an AWS "credentials" file in a specific profile section.
$> ./bin/aws-sts-session -h
Generate STS credentials for a given profile and MFA token and then write those credentials back to an AWS "credentials" file in a specific profile section.
Usage:
./bin/aws-sts-session [options]
Valid options are:
-config-uri string
A valid aaronland/gp-aws-auth.Config URI.
-mfa
Require a valid MFA token code when assuming role. (default true)
-mfa-serial-number string
The unique identifier of the MFA device being used for authentication.
-mfa-token string
A valid MFA token string. If empty then data will be read from a command line prompt.
-role-arn string
The AWS role ARN URI of the role you want to assume.
-role-duration int
The duration, in seconds, of the role session. (default 3600)
-role-session string
A unique name to identify the session.
-session-profile string
The name of the AWS credentials profile to associate the temporary credentials with.
For example:
$> ./bin/aws-sts-session -config-uri 'aws://?region={REGION}&credentials={CREDENTIALS}' \
-role-arn 'arn:aws:iam::{AWS_ACCOUNT}:role/{IAM_ROLE}' \
-role-session debug \
-mfa-serial-number arn:aws:iam::{AWS_ACCOUNT}:mfa/{MFA_LABEL} \
-mfa-token {TOKEN} \
-session-profile test
2024/11/08 08:23:25 Assumed role "arn:aws:sts::{AWS_ACCOUNT}:assumed-role/{IAM_ROLE}/debug", expires 2024-11-08 17:23:25 +0000 UTC
Note that this assumes a role with a "trust policy" equivalent to this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{AWS_ACCOUNT}:user/{IAM_USER}"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": true
}
}
}
]
}
Credentials
Credentials for URIs are defined as string labels. They are:
| Label | Description |
|---|---|
anon: |
Empty or anonymous credentials. |
env: |
Read credentials from AWS defined environment variables. |
iam: |
Assume AWS IAM credentials are in effect. |
sts:{ARN} |
Assume the role defined by {ARN} using STS credentials. |
{AWS_PROFILE_NAME} |
This this profile from the default AWS credentials location. |
{AWS_CREDENTIALS_PATH}:{AWS_PROFILE_NAME} |
This this profile from a user-defined AWS credentials location. |
For example:
aws:///us-east-1?credentials=iam:
See also:
Documentation
¶
Overview ¶
package auth provides methods and tools for determining or assigning AWS credentials.
Index ¶
- Constants
- func CredentialsStringPatterns() []string
- func EC2RoleCredentials(ctx context.Context) (aws.Credentials, error)
- func GetCredentialsWithMFAWithContext(ctx context.Context, cfg aws.Config, device string, token string, ...) (*types.Credentials, error)
- func NewConfig(ctx context.Context, uri string) (aws.Config, error)
- func NewConfigWithCredentialsString(ctx context.Context, str_creds string) (aws.Config, error)
- func NewSSMClient(ctx context.Context, uri string) (*ssm.Client, error)
- func NewSSMClientWithCredentialsString(ctx context.Context, str_creds string) (*ssm.Client, error)
- func STSCredentialsForDeveloperIdentity(ctx context.Context, aws_cfg aws.Config, ...) (*types.Credentials, error)
- func ValidCredentials() []string
- func ValidCredentialsString() string
- type Credentials
- type STSCredentialsForDeveloperIdentityOptions
Constants ¶
const AnonymousCredentialsString string = "anon:"
const EnvironmentCredentialsString string = "env:"
const IAMCredentialsString string = "iam:"
const ProfileCredentialsTemplate string = "{profile}"
const ProfileFromPathCredentialsTemplate string = "{path}:{profile}"
const STSCredentialsPrefix string = "sts:"
const StaticCredentialsPrefix string = "static:"
const StaticCredentialsTemplate string = "static:{id}:{key}:{secret}"
Variables ¶
This section is empty.
Functions ¶
func CredentialsStringPatterns ¶
func CredentialsStringPatterns() []string
CredentialsStringPatterns() returns the list of valid credential strings patterns. DEPRECATED. Please use `ValidCredentials` instead.
func EC2RoleCredentials ¶
func EC2RoleCredentials(ctx context.Context) (aws.Credentials, error)
func GetCredentialsWithMFAWithContext ¶
func GetCredentialsWithMFAWithContext(ctx context.Context, cfg aws.Config, device string, token string, duration int32) (*types.Credentials, error)
GetCredentialsWithMFAWithContext will return a time-limited AWS credentials (defined by 'duration') for the account associated with 'cfg' a valid multi-factor authentication (MFS) token defined by 'token' using a custom `context.Context` instance.
func NewConfig ¶
NewConfig() returns a new `aws.Config` derived from 'uri' which is expected to be configured in the form of:
aws://{AWS_REGION}?credentials={CREDENTIALS_STRING}
Where {AWS_REGION} is a valid AWS region name and {CREDENTIALS_STRING} is a string in the form of:
`anon:` Use anonymous credentials
`env:` Use credentials derived from "AWS_" environment variables
`iam:` Use IAM credentials
`{PROFILE}` Use a specific profile defined by {PROFILE} from the default credentials file
`{PATH}:{PROFILE}` Use a specific profile definied by {PROFILE} from the credentials file defined by {PATH}
`static:{KEY}:{SECRET}:{TOKEN}` Read credentials as positional elements in a string
`` If credentials are passed as an empty string then use default credentials strategy defined by `aws-sdk-go-v2`
func NewConfigWithCredentialsString ¶
NewConfigWithCredentialsString() returns a new `aws.Config` derived from 'str_creds' which is expected to be passed in as one of the following:
`anon:` Use anonymous credentials
`env:` Use credentials derived from "AWS_" environment variables
`iam:` Use IAM credentials
`{PROFILE}` Use a specific profile defined by {PROFILE} from the default credentials file
`{PATH}:{PROFILE}` Use a specific profile definied by {PROFILE} from the credentials file defined by {PATH}
`static:{KEY}:{SECRET}:{TOKEN}` Read credentials as positional elements in a string
`` If credentials are passed as an empty string then use default credentials strategy defined by `aws-sdk-go-v2`
func STSCredentialsForDeveloperIdentity ¶
func STSCredentialsForDeveloperIdentity(ctx context.Context, aws_cfg aws.Config, opts *STSCredentialsForDeveloperIdentityOptions) (*types.Credentials, error)
STSCredentialsForDeveloperIdentity generate temporary STS (AWS) credentials for a developer identity.
func ValidCredentials ¶
func ValidCredentials() []string
ValidCredentials() returns the list of valid credential strings patterns.
func ValidCredentialsString ¶
func ValidCredentialsString() string
Types ¶
type Credentials ¶
type Credentials struct {
// Path is the path to the credentials file on disk
Path string
// contains filtered or unexported fields
}
type Credentials defines a struct for encapsulating information about an .ini style AWS credentials file
func NewCredentials ¶
func NewCredentials() (*Credentials, error)
NewCredentials will iterate through the list of default shared credentials files locations and return a new `Credentials` instance for the first match that can be successfully opened and parsed as a .ini-style config file.
func (*Credentials) AWSConfigWithProfile ¶
AWSConfigWithProfile will return a new `aws.Config` instance for the profile matching 'profile' in 'c'. This method also assumes that AWS region information is stored in a "region" key inside a "default" section block of the underlying AWS credentials file.
func (*Credentials) SetSessionCredentialsWithProfile ¶
func (c *Credentials) SetSessionCredentialsWithProfile(ctx context.Context, profile string, creds *types.Credentials) error
SetSessionCredentialsWithProfile will write AWS credentials information derived from 'creds' to a block labeled after 'profile' to the the underlying AWS credentials file.
type STSCredentialsForDeveloperIdentityOptions ¶
type STSCredentialsForDeveloperIdentityOptions struct {
// An identity pool ID in the format REGION:GUID.
IdentityPoolId string
// A set of name-value pairs that map developer or provider names to a user.
Logins map[string]string
// The Amazon Resource Name (ARN) of the role that the caller is assuming.
RoleArn string
// An identifier for the assumed role session.
RoleSessionName string
// The duration, in seconds, of the role session.
Duration int32
// An optional list of Amazon Resource Names (ARNs) that you want to use as managed session policies.
Policies []string
}
STSCredentialsForDeveloperIdentityOptions defines configuration options for generating temporary STS (AWS) credentials for a developer identity.
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
aws-cognito-credentials
aws-cognito-credentials generates temporary STS credentials for a given user in a Cognito identity pool.
|
aws-cognito-credentials generates temporary STS credentials for a given user in a Cognito identity pool. |
|
aws-credentials-json-to-ini
aws-credentials-json-to-ini reads JSON-encoded AWS credentials information and generates an AWS ini-style configuration file with those data.
|
aws-credentials-json-to-ini reads JSON-encoded AWS credentials information and generates an AWS ini-style configuration file with those data. |
|
aws-get-credentials
aws-get-credentials is a command line tool to emit one or more keys from a given profile in an AWS .credentials file.
|
aws-get-credentials is a command line tool to emit one or more keys from a given profile in an AWS .credentials file. |
|
aws-mfa-session
aws-mfa-session is a command line to create session-based authentication keys and secrets for a given profile and multi-factor authentication (MFA) token and then writing that key and secret back to a "credentials" file in a specific profile section.
|
aws-mfa-session is a command line to create session-based authentication keys and secrets for a given profile and multi-factor authentication (MFA) token and then writing that key and secret back to a "credentials" file in a specific profile section. |
|
aws-set-env
aws-set-env is a command line tool to assign required AWS authentication environment variables for a given profile in a AWS .credentials file.
|
aws-set-env is a command line tool to assign required AWS authentication environment variables for a given profile in a AWS .credentials file. |
|
aws-sign-request
aws-sign-request signs a HTTP request with an AWS "v4" signature, optionally executing the request and emitting the output to STDOUT or writing the request itself to STDOUT.
|
aws-sign-request signs a HTTP request with an AWS "v4" signature, optionally executing the request and emitting the output to STDOUT or writing the request itself to STDOUT. |