// Assume role uses the current server role to call STS and assume a different role if permitted
// Params:
// roleArn - the requested role ARN (example: arn:aws:iam::11111111111:role/myrole )
// sessionName - a name to associate with the current session. Use the service name +
// unique idenfitifier preferebly.
// duration - the duration of the session in seconds. Must be between 900 and 3600
// Returns aws.Auth object that can be used with any of the existing goamz APIs
//
// Check http://goo.gl/M6uCu5 for more information
//
func AssumeRole(roleArn string, sessionName string, duration int) (*aws.Auth, error) {
if duration < 900 || duration > 3600 {
return nil, fmt.Errorf("Duration out of bounds")
}
//Try to get our local auth
localAuth, err := aws.GetAuth("", "", "", time.Time{})
if err != nil {
return nil, err
}
stsClient := sts.New(localAuth, aws.Regions[util.GetAwsRegionName()])
stsOptions := &sts.AssumeRoleParams{
DurationSeconds: int(duration),
RoleArn: roleArn,
RoleSessionName: sessionName,
}
//Try to assume role
roleAuth, err := stsClient.AssumeRole(stsOptions)
if err != nil {
return nil, err
}
//Marshal the response into an aws.Auth object
auth := aws.NewAuth(roleAuth.Credentials.AccessKeyId, roleAuth.Credentials.SecretAccessKey,
roleAuth.Credentials.SessionToken, roleAuth.Credentials.Expiration)
return auth, nil
}
func hostName(role string) string {
region := util.GetAwsRegionName()
env := util.GetEnvironmentName()
return fmt.Sprintf("%s.%s.%s.%s.%s", role, region, scope, env, domain)
}