mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-14 18:47:01 +02:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
103 lines
2.8 KiB
Go
103 lines
2.8 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package aws
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/fatih/structs"
|
|
"github.com/hashicorp/vault/sdk/framework"
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
)
|
|
|
|
const (
|
|
pathStaticCreds = "static-creds"
|
|
|
|
paramAccessKeyID = "access_key"
|
|
paramSecretsAccessKey = "secret_key"
|
|
)
|
|
|
|
type awsCredentials struct {
|
|
AccessKeyID string `json:"access_key" structs:"access_key" mapstructure:"access_key"`
|
|
SecretAccessKey string `json:"secret_key" structs:"secret_key" mapstructure:"secret_key"`
|
|
}
|
|
|
|
func pathStaticCredentials(b *backend) *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: fmt.Sprintf("%s/%s", pathStaticCreds, framework.GenericNameWithAtRegex(paramRoleName)),
|
|
Fields: map[string]*framework.FieldSchema{
|
|
paramRoleName: {
|
|
Type: framework.TypeString,
|
|
Description: descRoleName,
|
|
},
|
|
},
|
|
|
|
Operations: map[logical.Operation]framework.OperationHandler{
|
|
logical.ReadOperation: &framework.PathOperation{
|
|
Callback: b.pathStaticCredsRead,
|
|
Responses: map[int][]framework.Response{
|
|
http.StatusOK: {{
|
|
Description: http.StatusText(http.StatusOK),
|
|
Fields: map[string]*framework.FieldSchema{
|
|
paramAccessKeyID: {
|
|
Type: framework.TypeString,
|
|
Description: descAccessKeyID,
|
|
},
|
|
paramSecretsAccessKey: {
|
|
Type: framework.TypeString,
|
|
Description: descSecretAccessKey,
|
|
},
|
|
},
|
|
}},
|
|
},
|
|
},
|
|
},
|
|
|
|
HelpSynopsis: pathStaticCredsHelpSyn,
|
|
HelpDescription: pathStaticCredsHelpDesc,
|
|
}
|
|
}
|
|
|
|
func (b *backend) pathStaticCredsRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
|
roleName, ok := data.GetOk(paramRoleName)
|
|
if !ok {
|
|
return nil, fmt.Errorf("missing %q parameter", paramRoleName)
|
|
}
|
|
|
|
entry, err := req.Storage.Get(ctx, formatCredsStoragePath(roleName.(string)))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read credentials for role %q: %w", roleName, err)
|
|
}
|
|
if entry == nil {
|
|
return nil, nil
|
|
}
|
|
|
|
var credentials awsCredentials
|
|
if err := entry.DecodeJSON(&credentials); err != nil {
|
|
return nil, fmt.Errorf("failed to decode credentials: %w", err)
|
|
}
|
|
|
|
return &logical.Response{
|
|
Data: structs.New(credentials).Map(),
|
|
}, nil
|
|
}
|
|
|
|
func formatCredsStoragePath(roleName string) string {
|
|
return fmt.Sprintf("%s/%s", pathStaticCreds, roleName)
|
|
}
|
|
|
|
const pathStaticCredsHelpSyn = `Retrieve static credentials from the named role.`
|
|
|
|
const pathStaticCredsHelpDesc = `
|
|
This path reads AWS credentials for a certain static role. The keys are rotated
|
|
periodically according to their configuration, and will return the same password
|
|
until they are rotated.`
|
|
|
|
const (
|
|
descAccessKeyID = "The access key of the AWS Credential"
|
|
descSecretAccessKey = "The secret key of the AWS Credential"
|
|
)
|