iamauth

package module
v0.0.0-...-6b9b263 (Latest)
Warning: This package is not in the latest version of its module.
Published: Feb 17, 2026 License: MPL-2.0 Imports: 25 Imported by: 9

README

consul-awsauth

This repository contains the implementation of Consul's AWS IAM auth method.

AWS SDK v2 Migration

The AWS library in the repository has been migrated from AWS SDK for Go v1 to AWS SDK for Go v2.

Migration Resources

For detailed information about the AWS SDK v2 migration:

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateLoginData

func GenerateLoginData(in *LoginInput) (map[string]interface{}, error)

GenerateLoginData populates the necessary data to send for the bearer token.

Types

type Authenticator

type Authenticator struct {
	// contains filtered or unexported fields
}

func NewAuthenticator

func NewAuthenticator(config *Config, logger hclog.Logger) (*Authenticator, error)

func (*Authenticator) ValidateLogin

func (a *Authenticator) ValidateLogin(ctx context.Context, loginToken string) (*IdentityDetails, error)

ValidateLogin determines if the identity in the loginToken is permitted to login. If so, it returns details about the identity. Otherwise, an error is returned.

type BearerToken

type BearerToken struct {
	// contains filtered or unexported fields
}

BearerToken is a login "token" for an IAM auth method. It is a signed sts:GetCallerIdentity request in JSON format. Optionally, it can include a signed embedded iam:GetRole or iam:GetUser request in the headers.

func NewBearerToken

func NewBearerToken(loginToken string, config *Config) (*BearerToken, error)

func (*BearerToken) GetCallerIdentityRequest

func (t *BearerToken) GetCallerIdentityRequest() (*http.Request, error)

GetCallerIdentityRequest returns the sts:GetCallerIdentity request decoded from the bearer token.

func (*BearerToken) GetEntityRequest

func (t *BearerToken) GetEntityRequest() (*http.Request, error)

GetEntityRequest returns the iam:GetUser or iam:GetRole request that is embedded, if present, in the headers of the sts:GetCallerIdentity request.

func (*BearerToken) UnmarshalJSON

func (t *BearerToken) UnmarshalJSON(data []byte) error

UnmarshalJSON unmarshals the bearer token details, which contain an HTTP request (a signed sts:GetCallerIdentity request).

type Config

type Config struct {
	BoundIAMPrincipalARNs  []string
	EnableIAMEntityDetails bool
	IAMEntityTags          []string
	ServerIDHeaderValue    string
	MaxRetries             int
	IAMEndpoint            string
	STSEndpoint            string
	AllowedSTSHeaderValues []string

	// Customizable header names
	ServerIDHeaderName     string
	GetEntityMethodHeader  string
	GetEntityURLHeader     string
	GetEntityHeadersHeader string
	GetEntityBodyHeader    string
}

func (*Config) Validate

func (c *Config) Validate() error
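As an added illustration (not the package's own code) of what the Config fields above gate before ValidateLogin replays the signed request to STS: a Go pre-flight check over a constructed bearer token. The JSON field names, the X-Consul-IAM-ServerID header name, and the reading of AllowedSTSHeaderValues as extra permitted header names are assumptions, not taken from this package.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)
// bearerToken mirrors the JSON shape described above; the field names are assumed, not the package's own.
type bearerToken struct {
	Method  string              `json:"iam_http_request_method"`
	URL     string              `json:"iam_request_url"`
	Headers map[string][]string `json:"iam_request_headers"`
	Body    string              `json:"iam_request_body"`
}
// Constructed sample token for cluster "dc1"; its SigV4 signature is a placeholder.
const exampleToken = `{"iam_http_request_method":"POST","iam_request_url":"https://sts.us-east-1.amazonaws.com/",
 "iam_request_headers":{"Authorization":["AWS4-HMAC-SHA256 Credential=EXAMPLE, Signature=PLACEHOLDER"],
 "Content-Type":["application/x-www-form-urlencoded"],"X-Amz-Date":["20260217T000000Z"],
 "X-Consul-IAM-ServerID":["dc1"]},"iam_request_body":"Action=GetCallerIdentity&Version=2011-06-15"}`
// checkToken applies the Config constraints (STSEndpoint, ServerIDHeaderName/Value, AllowedSTSHeaderValues)
// before a token is forwarded; STS itself verifies the signature on replay, this is only the pre-flight gate.
func checkToken(raw, stsEndpoint, serverIDHeader, serverID string, allowedExtra []string) (http.Header, error) {
	var t bearerToken
	if err := json.Unmarshal([]byte(raw), &t); err != nil {
		return nil, fmt.Errorf("malformed token: %w", err)
	}
	if u, err := url.Parse(t.URL); err != nil || u.Scheme != "https" || u.Host != stsEndpoint {
		return nil, fmt.Errorf("token targets %q, expected https://%s", t.URL, stsEndpoint)
	}
	if q, _ := url.ParseQuery(t.Body); t.Method != http.MethodPost || q.Get("Action") != "GetCallerIdentity" {
		return nil, fmt.Errorf("only a POST sts:GetCallerIdentity request is accepted")
	}
	hdr := http.Header{} // canonicalise names so the checks below are case-insensitive
	for k, vs := range t.Headers {
		hdr[http.CanonicalHeaderKey(k)] = vs
	}
	if hdr.Get(serverIDHeader) != serverID { // binds the token to this cluster rather than another consumer
		return nil, fmt.Errorf("missing or wrong %s header", serverIDHeader)
	}
	allowed := map[string]bool{"Authorization": true, "Content-Type": true, "X-Amz-Date": true, "X-Amz-Security-Token": true, http.CanonicalHeaderKey(serverIDHeader): true}
	for _, h := range allowedExtra { // AllowedSTSHeaderValues: extra names a client may add (assumed semantics)
		allowed[http.CanonicalHeaderKey(h)] = true
	}
	for name := range hdr {
		if !allowed[name] {
			return nil, fmt.Errorf("header %q is not on the allow list", name)
		}
	}
	return hdr, nil
}
```

A token that passes this gate is still only as trustworthy as the STS response it produces; the returned caller ARN must then be matched against BoundIAMPrincipalARNs.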

type IdentityDetails

type IdentityDetails struct {
	EntityName string
	EntityId   string
	AccountId  string

	EntityPath string
	EntityTags map[string]string
}

type LoginInput

type LoginInput struct {
	// Creds is the AWS credentials provider (v2 uses interface instead of pointer)
	Creds            aws.CredentialsProvider
	IncludeIAMEntity bool
	STSEndpoint      string
	IAMEndpoint      string
	STSRegion        string

	Logger hclog.Logger

	ServerIDHeaderValue string
	// Customizable header names
	ServerIDHeaderName     string
	GetEntityMethodHeader  string
	GetEntityURLHeader     string
	GetEntityHeadersHeader string
	GetEntityBodyHeader    string
}

Directories

Path Synopsis
internal
