Switch back to using AssumeRoleWithWebIdentity
This commit is contained in:
Jeremy Stott
parent
1344edfad5
commit
6622205179
44
cli/exec.go
44
cli/exec.go
@ -6,7 +6,7 @@ import (
|
|||||||
|
|
||||||
"github.com/aws/aws-sdk-go/aws"
|
"github.com/aws/aws-sdk-go/aws"
|
||||||
"github.com/aws/aws-sdk-go/aws/session"
|
"github.com/aws/aws-sdk-go/aws/session"
|
||||||
"github.com/aws/aws-sdk-go/service/cognitoidentity"
|
"github.com/aws/aws-sdk-go/service/sts"
|
||||||
"github.com/stoggi/aws-oidc/provider"
|
"github.com/stoggi/aws-oidc/provider"
|
||||||
|
|
||||||
kingpin "gopkg.in/alecthomas/kingpin.v2"
|
kingpin "gopkg.in/alecthomas/kingpin.v2"
|
||||||
@ -47,6 +47,7 @@ func ConfigureExec(app *kingpin.Application, config *GlobalConfig) {
|
|||||||
cmd.Default()
|
cmd.Default()
|
||||||
|
|
||||||
cmd.Flag("role_arn", "The AWS role you want to assume").
|
cmd.Flag("role_arn", "The AWS role you want to assume").
|
||||||
|
Required().
|
||||||
StringVar(&execConfig.RoleArn)
|
StringVar(&execConfig.RoleArn)
|
||||||
|
|
||||||
cmd.Flag("duration", "The duration to assume the role for in seconds").
|
cmd.Flag("duration", "The duration to assume the role for in seconds").
|
||||||
@ -102,40 +103,29 @@ func ExecCommand(app *kingpin.Application, config *GlobalConfig, execConfig *Exe
|
|||||||
authResult, err := provider.Authenticate(providerConfig)
|
authResult, err := provider.Authenticate(providerConfig)
|
||||||
app.FatalIfError(err, "Error authenticating to identity provider: %v", err)
|
app.FatalIfError(err, "Error authenticating to identity provider: %v", err)
|
||||||
|
|
||||||
svc := cognitoidentity.New(session.New(&aws.Config{
|
svc := sts.New(session.New())
|
||||||
Region: aws.String("ap-southeast-2"),
|
input := &sts.AssumeRoleWithWebIdentityInput{
|
||||||
}))
|
DurationSeconds: aws.Int64(execConfig.Duration),
|
||||||
inputGetID := &cognitoidentity.GetIdInput{
|
RoleArn: aws.String(execConfig.RoleArn),
|
||||||
AccountId: aws.String("811702477007"),
|
RoleSessionName: aws.String(authResult.Claims.Email),
|
||||||
IdentityPoolId: aws.String("ap-southeast-2:b0a04ab4-9989-4ee0-b9f7-9b1e56fe0f19"),
|
WebIdentityToken: aws.String(authResult.JWT),
|
||||||
Logins: map[string]*string{
|
|
||||||
"cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_XloydykNV": aws.String(authResult.JWT),
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
getIDResult, err := svc.GetId(inputGetID)
|
|
||||||
app.FatalIfError(err, "Unable to get ID: %v", err)
|
|
||||||
|
|
||||||
inputGetCredentials := &cognitoidentity.GetCredentialsForIdentityInput{
|
assumeRoleResult, err := svc.AssumeRoleWithWebIdentity(input)
|
||||||
IdentityId: getIDResult.IdentityId,
|
app.FatalIfError(err, "Unable to assume role: %v", err)
|
||||||
Logins: map[string]*string{
|
|
||||||
"cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_XloydykNV": aws.String(authResult.JWT),
|
|
||||||
},
|
|
||||||
}
|
|
||||||
credentialsResult, err := svc.GetCredentialsForIdentity(inputGetCredentials)
|
|
||||||
app.FatalIfError(err, "Unable to get credentials: %v", err)
|
|
||||||
|
|
||||||
expiry := *credentialsResult.Credentials.Expiration
|
expiry := *assumeRoleResult.Credentials.Expiration
|
||||||
credentialData := AwsCredentialHelperData{
|
credentialData := AwsCredentialHelperData{
|
||||||
Version: 1,
|
Version: 1,
|
||||||
AccessKeyID: *credentialsResult.Credentials.AccessKeyId,
|
AccessKeyID: *assumeRoleResult.Credentials.AccessKeyId,
|
||||||
SecretAccessKey: *credentialsResult.Credentials.SecretKey,
|
SecretAccessKey: *assumeRoleResult.Credentials.SecretAccessKey,
|
||||||
SessionToken: *credentialsResult.Credentials.SessionToken,
|
SessionToken: *assumeRoleResult.Credentials.SessionToken,
|
||||||
Expiration: expiry.Format("2006-01-02T15:04:05Z"),
|
Expiration: expiry.Format("2006-01-02T15:04:05Z"),
|
||||||
}
|
}
|
||||||
|
|
||||||
output, err := json.Marshal(credentialData)
|
json, err := json.Marshal(&credentialData)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
app.Fatalf("Error encoding credential json")
|
app.Fatalf("Error creating credential json")
|
||||||
}
|
}
|
||||||
fmt.Println(string(output))
|
fmt.Printf(string(json))
|
||||||
}
|
}
|
||||||
|
|||||||
@ -27,8 +27,9 @@ type ProviderConfig struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type Result struct {
|
type Result struct {
|
||||||
JWT string
|
JWT string
|
||||||
Token *oidc.IDToken
|
Token *oidc.IDToken
|
||||||
|
Claims *TokenClaims
|
||||||
}
|
}
|
||||||
|
|
||||||
type TokenClaims struct {
|
type TokenClaims struct {
|
||||||
@ -48,15 +49,14 @@ func Authenticate(p *ProviderConfig) (Result, error) {
|
|||||||
|
|
||||||
provider, err := oidc.NewProvider(ctx, p.ProviderURL)
|
provider, err := oidc.NewProvider(ctx, p.ProviderURL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return Result{"", nil}, err
|
return Result{"", nil, nil}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
listener, err := net.Listen("tcp", "127.0.0.1:8080")
|
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return Result{"", nil}, err
|
return Result{"", nil, nil}, err
|
||||||
}
|
}
|
||||||
// baseURL := "http://" + listener.Addr().String()
|
baseURL := "http://" + listener.Addr().String()
|
||||||
baseURL := "http://localhost:8080"
|
|
||||||
redirectURL := baseURL + "/auth/callback"
|
redirectURL := baseURL + "/auth/callback"
|
||||||
|
|
||||||
oidcConfig := &oidc.Config{
|
oidcConfig := &oidc.Config{
|
||||||
@ -75,13 +75,13 @@ func Authenticate(p *ProviderConfig) (Result, error) {
|
|||||||
|
|
||||||
stateData := make([]byte, 32)
|
stateData := make([]byte, 32)
|
||||||
if _, err = rand.Read(stateData); err != nil {
|
if _, err = rand.Read(stateData); err != nil {
|
||||||
return Result{"", nil}, err
|
return Result{"", nil, nil}, err
|
||||||
}
|
}
|
||||||
state := base64.URLEncoding.EncodeToString(stateData)
|
state := base64.URLEncoding.EncodeToString(stateData)
|
||||||
|
|
||||||
codeData := make([]byte, 32)
|
codeData := make([]byte, 32)
|
||||||
if _, err = rand.Read(codeData); err != nil {
|
if _, err = rand.Read(codeData); err != nil {
|
||||||
return Result{"", nil}, err
|
return Result{"", nil, nil}, err
|
||||||
}
|
}
|
||||||
codeVerifier := base64.StdEncoding.EncodeToString(codeData)
|
codeVerifier := base64.StdEncoding.EncodeToString(codeData)
|
||||||
codeDigest := sha256.Sum256([]byte(codeVerifier))
|
codeDigest := sha256.Sum256([]byte(codeVerifier))
|
||||||
@ -156,7 +156,7 @@ func Authenticate(p *ProviderConfig) (Result, error) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
w.Write([]byte("Signed in successfully, return to cli app"))
|
w.Write([]byte("Signed in successfully, return to cli app"))
|
||||||
resultChannel <- Result{rawIDToken, idToken}
|
resultChannel <- Result{rawIDToken, idToken, claims}
|
||||||
})
|
})
|
||||||
|
|
||||||
// Filter the commands, and replace "{}" with our callback url
|
// Filter the commands, and replace "{}" with our callback url
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user