awsauth

package

v1.16.109 Latest Latest Go to latest Published: Aug 14, 2023 License: MPL-2.0 Imports: 6 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/hernad/consul

Documentation ¶

Index ¶

Constants
type Config
type Validator
- func NewValidator(logger hclog.Logger, method *structs.ACLAuthMethod) (*Validator, error)

Constants ¶

View Source

const (
	IAMServerIDHeaderName  string = "X-Consul-IAM-ServerID"
	GetEntityMethodHeader  string = "X-Consul-IAM-GetEntity-Method"
	GetEntityURLHeader     string = "X-Consul-IAM-GetEntity-URL"
	GetEntityHeadersHeader string = "X-Consul-IAM-GetEntity-Headers"
	GetEntityBodyHeader    string = "X-Consul-IAM-GetEntity-Body"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Config ¶

type Config struct {
	// BoundIAMPrincipalARNs are the trusted AWS IAM principal ARNs that are permitted
	// to login to the auth method. These can be the exact ARNs or wildcards. Wildcards
	// are only supported if EnableIAMEntityDetails is true.
	BoundIAMPrincipalARNs []string `json:",omitempty"`

	// EnableIAMEntityDetails will fetch the IAM User or IAM Role details to include
	// in binding rules. Required if wildcard principal ARNs are used.
	EnableIAMEntityDetails bool `json:",omitempty"`

	// IAMEntityTags are the specific IAM User or IAM Role tags to include as selectable
	// fields in the binding rule attributes. Requires EnableIAMEntityDetails = true.
	IAMEntityTags []string `json:",omitempty"`

	// ServerIDHeaderValue adds a X-Consul-IAM-ServerID header to each AWS API request.
	// This helps protect against replay attacks.
	ServerIDHeaderValue string `json:",omitempty"`

	// MaxRetries is the maximum number of retries on AWS API requests for recoverable errors.
	MaxRetries int `json:",omitempty"`
	// IAMEndpoint is the AWS IAM endpoint where iam:GetRole or iam:GetUser requests will be sent.
	// Note that the Host header in a signed request cannot be changed.
	IAMEndpoint string `json:",omitempty"`
	// STSEndpoint is the AWS STS endpoint where sts:GetCallerIdentity requests will be sent.
	// Note that the Host header in a signed request cannot be changed.
	STSEndpoint string `json:",omitempty"`

	// AllowedSTSHeaderValues is a list of additional allowed headers on the sts:GetCallerIdentity
	// request in the bearer token. A default list of necessary headers is allowed in any case.
	AllowedSTSHeaderValues []string `json:",omitempty"`
}

type Validator ¶

type Validator struct {
	// contains filtered or unexported fields
}

func NewValidator ¶

func NewValidator(logger hclog.Logger, method *structs.ACLAuthMethod) (*Validator, error)

func (*Validator) Name ¶

func (v *Validator) Name() string

Name implements authmethod.Validator.

func (*Validator) NewIdentity ¶

func (v *Validator) NewIdentity() *authmethod.Identity

func (*Validator) Stop ¶

func (v *Validator) Stop()

Stop implements authmethod.Validator.

func (*Validator) ValidateLogin ¶

func (v *Validator) ValidateLogin(ctx context.Context, loginToken string) (*authmethod.Identity, error)

ValidateLogin implements authmethod.Validator.

Source Files ¶

View all Source files

aws.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL