author | Mike Crute <mike@crute.us> | 2021-11-21 20:54:22 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2021-11-21 20:54:22 -0800 |
commit | 3a5a7e108d9b20f7ef6a7e4bb8439f6e2ba65fa5 (patch) | |
tree | f0a0b65473ada73988c8e4aa73261486ac96a158 /cloud | |
parent | 0049bdd2ab6b6b743e9a0cf89f6cbabc8b08e2d4 (diff) | |
Add cloud account CRUD endpoints
Diffstat (limited to 'cloud')
-rw-r--r-- | cloud/aws/aws.go | 35 |
1 files changed, 35 insertions, 0 deletions
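--- a/cloud/aws/aws.go
+++ b/cloud/aws/aws.go
@@ -82,6 +82,41 @@ func NewAWSClientFromAccount(a *models.Account) (AWSClient, error) {
 	}, nil
 }
 
+// ValidateVaultMaterial is used to check that a Vault material can be accessed
+// and that the shape of that material is correct for an AWS access key and
+// role list.
+//
+// This should be used for admission control for the creation of new accounts.
+func ValidateVaultMaterial(m string) error {
+	var ac account
+	if err := vault.GetVaultKeyStruct(m, &ac); err != nil {
+		return fmt.Errorf("Unable to access vault material: %w", err)
+	}
+
+	if ac.AccessKeyId == "" {
+		return fmt.Errorf("AccessKeyId is empty")
+	}
+
+	if ac.SecretAccessKey == "" {
+		return fmt.Errorf("SecretAccessKey is empty")
+	}
+
+	if len(ac.Roles) == 0 {
+		return fmt.Errorf("No roles specified")
+	}
+
+	for k, r := range ac.Roles {
+		if r.ARN == "" {
+			return fmt.Errorf("ARN for role %s is empty", k)
+		}
+		if r.ExternalId == "" {
+			return fmt.Errorf("ExternalId for role %s is empty", k)
+		}
+	}
+
+	return nil
+}
+
 // AssumeRole uses an IAM user credential with higher privilege to assume a
 // role in an AWS account and region. It returns the STS credentials.
 //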
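Review bot: ValidateVaultMaterial reads whatever Vault path the caller passes in `m` and returns field-level errors ("Unable to access vault material", "AccessKeyId is empty", …), so if `m` is taken from the account-creation request an API client can use the broker's own Vault token as an oracle to probe arbitrary paths and learn which exist and which hold AWS credentials; the doc comment says this is admission control, so the path should be checked against the broker's expected material prefix before `vault.GetVaultKeyStruct` is called, and the wrapped Vault error should not be echoed back to the client verbatim. The shape checks also accept any non-empty string, so a role entry whose ARN is a typo passes admission and only fails later inside AssumeRole; a minimal guard such as `if !strings.HasPrefix(r.ARN, "arn:") { return fmt.Errorf("ARN for role %s is not an ARN", k) }` (needs `strings` in the import block) catches that at creation time. Because `ac.Roles` is ranged as a map, which of several bad roles is reported is nondeterministic between calls; sorting the keys first would make the error stable for callers and tests. As a point of style, Go error strings are conventionally lowercase and unpunctuated, e.g. `fmt.Errorf("unable to access vault material: %w", err)`, and the fixed-string cases could use errors.New. The leading context lines close NewAWSClientFromAccount, whose body starts outside the hunk.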