1 files changed, 35 insertions, 0 deletions
diff --git a/cloud/aws/aws.go b/cloud/aws/aws.go
index 180b2c4..36ac338 100644
--- a/cloud/aws/aws.go
+++ b/cloud/aws/aws.go
@@ -82,6 +82,41 @@ func NewAWSClientFromAccount(a *models.Account) (AWSClient, error) {
        }, nil
 }
+// ValidateVaultMaterial is used to check that a Vault material can be accessed
+// and that the shape of that material is correct for an AWS access key and
+// role list.
+//
+// This should be used for admission control for the creation of new accounts.
+func ValidateVaultMaterial(m string) error {
+        var ac account
+        if err := vault.GetVaultKeyStruct(m, &ac); err != nil {
+                return fmt.Errorf("Unable to access vault material: %w", err)
+        }
+        if ac.AccessKeyId == "" {
+                return fmt.Errorf("AccessKeyId is empty")
+        }
+        if ac.SecretAccessKey == "" {
+                return fmt.Errorf("SecretAccessKey is empty")
+        }
+        if len(ac.Roles) == 0 {
+                return fmt.Errorf("No roles specified")
+        }
+        for k, r := range ac.Roles {
+                if r.ARN == "" {
+                        return fmt.Errorf("ARN for role %s is empty", k)
+                }
+                if r.ExternalId == "" {
+                        return fmt.Errorf("ExternalId for role %s is empty", k)
+                }
+        }
+        return nil
+}
 // AssumeRole uses an IAM user credential with higher privilege to assume a
 // role in an AWS account and region. It returns the STS credentials.
 //

diff --git a/cloud/aws/aws.go b/cloud/aws/aws.go index 180b2c4..36ac338 100644 --- a/cloud/aws/aws.go +++ b/cloud/aws/aws.go
@@ -82,6 +82,41 @@ func NewAWSClientFromAccount(a *models.Account) (AWSClient, error) {
82	}, nil	82	}, nil
83	}	83	}
84		84
		85	// ValidateVaultMaterial is used to check that a Vault material can be accessed
		86	// and that the shape of that material is correct for an AWS access key and
		87	// role list.
		88	//
		89	// This should be used for admission control for the creation of new accounts.
		90	func ValidateVaultMaterial(m string) error {
		91	var ac account
		92	if err := vault.GetVaultKeyStruct(m, &ac); err != nil {
		93	return fmt.Errorf("Unable to access vault material: %w", err)
		94	}
		95
		96	if ac.AccessKeyId == "" {
		97	return fmt.Errorf("AccessKeyId is empty")
		98	}
		99
		100	if ac.SecretAccessKey == "" {
		101	return fmt.Errorf("SecretAccessKey is empty")
		102	}
		103
		104	if len(ac.Roles) == 0 {
		105	return fmt.Errorf("No roles specified")
		106	}
		107
		108	for k, r := range ac.Roles {
		109	if r.ARN == "" {
		110	return fmt.Errorf("ARN for role %s is empty", k)
		111	}
		112	if r.ExternalId == "" {
		113	return fmt.Errorf("ExternalId for role %s is empty", k)
		114	}
		115	}
		116
		117	return nil
		118	}
		119
85	// AssumeRole uses an IAM user credential with higher privilege to assume a	120	// AssumeRole uses an IAM user credential with higher privilege to assume a
86	// role in an AWS account and region. It returns the STS credentials.	121	// role in an AWS account and region. It returns the STS credentials.
87	//	122	//