First cut of invoking lambda to assume role

2019-04-16 09:21:39 +12:00 · 2019-04-16 09:21:39 +12:00 · b4ce982c35
commit b4ce982c35
parent 0235ceaa79
1 changed files with 48 additions and 15 deletions
--- a/cli/exec.go
+++ b/cli/exec.go
@ -5,7 +5,9 @@ import (
 	"fmt"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/lambda"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/stoggi/aws-oidc/provider"
@ -33,6 +35,11 @@ type AwsCredentialHelperData struct {
 	Expiration      string `json:"Expiration,omitempty"`
 }
 type LambdaPayload struct {
 	Role  string `json:"role"`
 	Token string `json:"token"`
 }
 func ConfigureExec(app *kingpin.Application, config *GlobalConfig) {
 	execConfig := ExecConfig{}
@ -98,29 +105,55 @@ func ExecCommand(app *kingpin.Application, config *GlobalConfig, execConfig *Exe
 	authResult, err := provider.Authenticate(providerConfig)
 	app.FatalIfError(err, "Error authenticating to identity provider: %v", err)
-	svc := sts.New(session.New())
+	svcSTS := sts.New(session.New())
-	input := &sts.AssumeRoleWithWebIdentityInput{
+	inputSTS := &sts.AssumeRoleWithWebIdentityInput{
 		DurationSeconds:  aws.Int64(execConfig.Duration),
-		RoleArn:          aws.String(execConfig.RoleArn),
+		RoleArn:          aws.String("arn:aws:iam::892845094662:role/onelogin-test-oidc"),
 		RoleSessionName:  aws.String(authResult.Token.Subject),
 		WebIdentityToken: aws.String(authResult.JWT),
 	}
-	assumeRoleResult, err := svc.AssumeRoleWithWebIdentity(input)
+	assumeRoleResult, err := svcSTS.AssumeRoleWithWebIdentity(inputSTS)
 	app.FatalIfError(err, "Unable to assume role: %v", err)
-	expiry := *assumeRoleResult.Credentials.Expiration
+	svcLambda := lambda.New(session.New(&aws.Config{
-	credentialData := AwsCredentialHelperData{
+		Credentials: credentials.NewStaticCredentials(
-		Version:         1,
+			*assumeRoleResult.Credentials.AccessKeyId,
-		AccessKeyID:     *assumeRoleResult.Credentials.AccessKeyId,
+			*assumeRoleResult.Credentials.SecretAccessKey,
-		SecretAccessKey: *assumeRoleResult.Credentials.SecretAccessKey,
+			*assumeRoleResult.Credentials.SessionToken,
-		SessionToken:    *assumeRoleResult.Credentials.SessionToken,
+		),
-		Expiration:      expiry.Format("2006-01-02T15:04:05Z"),
+		Region: aws.String("us-west-2"),
 	}))
 	lambdaPayload := LambdaPayload{
 		Token: authResult.JWT,
 		Role:  execConfig.RoleArn,
 	}
 	lambdaPayloadJSON, err := json.Marshal(&lambdaPayload)
 	if err != nil {
 		app.Fatalf("Error creating lambda payload json")
 	}
-	json, err := json.Marshal(&credentialData)
+	inputLambda := &lambda.InvokeInput{
-	if err != nil {
+		FunctionName:   aws.String("identity-broker"),
-		app.Fatalf("Error creating credential json")
+		InvocationType: aws.String("RequestResponse"),
 		Payload:        lambdaPayloadJSON,
 	}
-	fmt.Printf(string(json))
+	result, err := svcLambda.Invoke(inputLambda)
 	if err != nil {
 		app.Fatalf("Error invoking Lambda: " + err.Error())
 	}
 	if *result.FunctionError != "" {
 		app.Fatalf("Remote error: " + string(result.Payload))
 	}
 	awsCreds := AwsCredentialHelperData{}
 	if err := json.Unmarshal(result.Payload, &awsCreds); err != nil {
 		app.Fatalf("Error decoding credential json")
 	}
 	output, err := json.Marshal(awsCreds)
 	if err != nil {
 		app.Fatalf("Error encoding credential json")
 	}
 	fmt.Println(string(output))
 }