Use Vault for IAM users

1 files changed, 50 insertions, 87 deletions

diff --git a/cloud/aws/aws.go b/cloud/aws/aws.go
index 36ac338..3229dd2 100644
--- a/cloud/aws/aws.go
+++ b/cloud/aws/aws.go
@@ -1,6 +1,7 @@
 package aws
 
 import (
+        "context"
         "encoding/json"
         "fmt"
         "io/ioutil"
@@ -9,9 +10,10 @@ import (
         "strconv"
 
         "code.crute.us/mcrute/cloud-identity-broker/app/models"
+        "code.crute.us/mcrute/golib/secrets"
 
-        "code.crute.us/mcrute/golib/vault"
         "github.com/aws/aws-sdk-go/aws"
+        "github.com/aws/aws-sdk-go/aws/awserr"
         "github.com/aws/aws-sdk-go/aws/credentials"
         "github.com/aws/aws-sdk-go/aws/session"
         "github.com/aws/aws-sdk-go/service/ec2"
@@ -27,28 +29,18 @@ type Region struct {
         Enabled bool
 }
 
+// AWSClient is a client for working with the AWS APIs.
+//
+// Instances of AWSClient are safe for concurrent access.
 type AWSClient interface {
         AssumeRole(string, *string) (*sts.Credentials, error)
         GetFederationURL(string, string) (string, error)
         GetRegionList() ([]*Region, error)
 }
 
-// account models the account configuration stored in Vault for an AWS account
-// with assumable roles that are stored within a kv JSON record.
-type account struct {
-        AccessKeyId     string
-        SecretAccessKey string
-        Roles           map[string]struct {
-                ARN        string
-                ExternalId string
-        }
-}
-
 type client struct {
-        AccessKeyId                string
-        SecretAccessKey            string
+        Credentials                credentials.Value
         ARN                        string
-        ExternalId                 string
         ConsoleSessionDurationSecs int64
 }
 
@@ -62,61 +54,22 @@ var _ AWSClient = (*client)(nil)
 // which is used as the scope for this AWS client. Thus even if an account has
 // multiple roles there must be one instance of the AWS client per account/role
 // pair.
-func NewAWSClientFromAccount(a *models.Account) (AWSClient, error) {
-        var ac account
-        if err := vault.GetVaultKeyStruct(a.VaultMaterial, &ac); err != nil {
+func NewAWSClientFromAccount(ctx context.Context, a *models.Account, sc secrets.Client) (AWSClient, error) {
+        u, _, err := sc.AWSIAMUser(ctx, a.AdminVaultMaterial)
+        if err != nil {
                 return nil, err
         }
 
-        r, ok := ac.Roles[a.ShortName]
-        if !ok {
-                return nil, fmt.Errorf("No roles for account %s in vault response", a.ShortName)
-        }
-
         return &client{
-                AccessKeyId:                ac.AccessKeyId,
-                SecretAccessKey:            ac.SecretAccessKey,
-                ARN:                        r.ARN,
-                ExternalId:                 r.ExternalId,
+                Credentials: credentials.Value{
+                        AccessKeyID:     u.AccessKeyId,
+                        SecretAccessKey: u.SecretAccessKey,
+                },
+                ARN:                        a.AssumedRoleARN,
                 ConsoleSessionDurationSecs: a.ConsoleSessionDurationSecs(),
         }, nil
 }
 
-// ValidateVaultMaterial is used to check that a Vault material can be accessed
-// and that the shape of that material is correct for an AWS access key and
-// role list.
-//
-// This should be used for admission control for the creation of new accounts.
-func ValidateVaultMaterial(m string) error {
-        var ac account
-        if err := vault.GetVaultKeyStruct(m, &ac); err != nil {
-                return fmt.Errorf("Unable to access vault material: %w", err)
-        }
-
-        if ac.AccessKeyId == "" {
-                return fmt.Errorf("AccessKeyId is empty")
-        }
-
-        if ac.SecretAccessKey == "" {
-                return fmt.Errorf("SecretAccessKey is empty")
-        }
-
-        if len(ac.Roles) == 0 {
-                return fmt.Errorf("No roles specified")
-        }
-
-        for k, r := range ac.Roles {
-                if r.ARN == "" {
-                        return fmt.Errorf("ARN for role %s is empty", k)
-                }
-                if r.ExternalId == "" {
-                        return fmt.Errorf("ExternalId for role %s is empty", k)
-                }
-        }
-
-        return nil
-}
-
 // AssumeRole uses an IAM user credential with higher privilege to assume a
 // role in an AWS account and region. It returns the STS credentials.
 //
@@ -124,32 +77,34 @@ func ValidateVaultMaterial(m string) error {
 // regions AWS has been siloing assumed role credentials to that region so it's
 // important to use the correct regional endpoint to fetch the credentials.
 //
-// Note that this is not simply a passthrough to Vault's AWS backend because
-// the Vault backend works by assuming roles and when assuming roles with an
-// assumed role AWS limits the chained role lifetime to 1 hour which doesn't
-// work depending on how the upstream web application tied to this client
-// works. This method instead uses a long-lived IAM user credential to assume a
-// role, which has a limited lifetime which is typically greater than 1 hour.
+// Note that this is not simply a passthrough to Vault's AWS backend
+// because the Vault backend will only call AssumeRole within the region
+// of the root account configured in Vault and clients of this method
+// need to be able to make the correct calls in the region of their
+// choice.
 func (a *client) AssumeRole(user string, region *string) (*sts.Credentials, error) {
         if region != nil && *region == "global" {
                 region = nil
         }
 
-        c := sts.New(session.New(&aws.Config{
-                Region: region,
-                Credentials: credentials.NewStaticCredentials(
-                        a.AccessKeyId,
-                        a.SecretAccessKey,
-                        "",
-                ),
-        }))
-        result, err := c.AssumeRole(&sts.AssumeRoleInput{
-                ExternalId:      aws.String(a.ExternalId),
+        s, err := session.NewSessionWithOptions(session.Options{
+                Config: aws.Config{
+                        Region:      region,
+                        Credentials: credentials.NewStaticCredentialsFromCreds(a.Credentials),
+                },
+                SharedConfigState: session.SharedConfigDisable,
+        })
+        if err != nil {
+                return nil, err
+        }
+
+        result, err := sts.New(s).AssumeRole(&sts.AssumeRoleInput{
                 RoleArn:         aws.String(a.ARN),
                 RoleSessionName: aws.String(user),
                 DurationSeconds: aws.Int64(a.ConsoleSessionDurationSecs),
         })
         if err != nil {
+                fmt.Printf("AWS AssumeRole Error: %s\n", err.(awserr.Error).Message())
                 return nil, err
         }
 
@@ -167,16 +122,24 @@ func (a *client) GetRegionList() ([]*Region, error) {
                 return nil, err
         }
 
-        ec2c := ec2.New(session.New(&aws.Config{
-                Region: defaultRegion,
-                Credentials: credentials.NewStaticCredentials(
-                        *r.AccessKeyId,
-                        *r.SecretAccessKey,
-                        *r.SessionToken,
-                ),
-        }))
+        s, err := session.NewSessionWithOptions(session.Options{
+                Config: aws.Config{
+                        Region: defaultRegion,
+                        Credentials: credentials.NewStaticCredentials(
+                                *r.AccessKeyId,
+                                *r.SecretAccessKey,
+                                *r.SessionToken,
+                        ),
+                },
+                SharedConfigState: session.SharedConfigDisable,
+        })
+        if err != nil {
+                return nil, err
+        }
 
-        ro, err := ec2c.DescribeRegions(&ec2.DescribeRegionsInput{AllRegions: aws.Bool(true)})
+        ro, err := ec2.New(s).DescribeRegions(&ec2.DescribeRegionsInput{
+                AllRegions: aws.Bool(true),
+        })
         if err != nil {
                 return nil, err
         }