func (creds Credentials) verifyUserAndAccount() error { // need to check both the username and the account alias for the // supplied creds match the passed-in username and account alias auth := aws.Auth{ AccessKey: creds.Encryptions[0].decoded.KeyId, SecretKey: creds.Encryptions[0].decoded.SecretKey, } // Note: the region is irrelevant for IAM instance := iam.New(auth, aws.APSoutheast2) // Make sure the account is who we expect err := verify_account(creds.AccountAliasOrId, instance) if err != nil { return err } // Make sure the user is who we expect // If the username is the same as the account name, then it's the root user // and there's actually no username at all (oddly) if creds.IamUsername == creds.AccountAliasOrId { err = verify_user("", instance) } else { err = verify_user(creds.IamUsername, instance) } if err != nil { return err } return nil }
func (s *AmazonClientSuite) SetUpSuite(c *C) { if !testutil.Amazon { c.Skip("AmazonClientSuite tests not enabled") } s.srv.SetUp(c) s.iam = iam.New(s.srv.auth, aws.USEast) }
// Only delete the oldest key *if* the new key is valid; otherwise, // delete the newest key func (cred *Credential) deleteOneKey(username string) (err error) { auth := aws.Auth{ AccessKey: cred.KeyId, SecretKey: cred.SecretKey, } instance := iam.New(auth, aws.APSoutheast2) allKeys, err := instance.AccessKeys(username) if err != nil { return err } // wtf? if len(allKeys.AccessKeys) == 0 { err = errors.New("Zero access keys found for this account -- cannot rotate") return err } // only one key if len(allKeys.AccessKeys) == 1 { return nil } // Find out which key to delete. var oldestId string var oldest int64 for _, key := range allKeys.AccessKeys { t, err := time.Parse("2006-01-02T15:04:05Z", key.CreateDate) key_create_date := t.Unix() if err != nil { return err } // If we find an inactive one, just delete it if key.Status == "Inactive" { oldestId = key.Id break } if oldest == 0 || key_create_date < oldest { oldest = key_create_date oldestId = key.Id } } if oldestId == "" { err = errors.New("Cannot find oldest key for this account, will not rotate") return err } _, err = instance.DeleteAccessKey(oldestId, username) if err != nil { return err } return nil }
func (cred *Credential) createNewAccessKey(username string) (err error) { auth := aws.Auth{ AccessKey: cred.KeyId, SecretKey: cred.SecretKey, } instance := iam.New(auth, aws.APSoutheast2) resp, err := instance.CreateAccessKey(username) if err != nil { return err } cred.KeyId = resp.AccessKey.Id cred.SecretKey = resp.AccessKey.Secret return nil }
func getAWSUsernameAndAlias(cred Credential) (username, alias string, err error) { auth := aws.Auth{ AccessKey: cred.KeyId, SecretKey: cred.SecretKey, } // Note: the region is irrelevant for IAM instance := iam.New(auth, aws.APSoutheast2) username, err = getAWSUsername(instance) if err != nil { return "", "", err } alias, err = getAWSAccountAlias(instance) if err != nil { return "", "", err } return username, alias, nil }
func (s *LocalServerSuite) SetUpSuite(c *C) { s.srv.SetUp(c) s.ClientTests.iam = iam.New(s.srv.auth, s.srv.region) }
func (s *S) SetUpSuite(c *C) { testServer.Start() auth := aws.Auth{"abc", "123"} s.iam = iam.New(auth, aws.Region{IAMEndpoint: testServer.URL}) }
func SaveCredentials(data SaveData) (err error) { var key_create_date int64 if data.force { key_create_date = time.Now().Unix() } else { auth := aws.Auth{AccessKey: data.cred.KeyId, SecretKey: data.cred.SecretKey} instance := iam.New(auth, aws.APSoutheast2) if data.username == "" { data.username, err = getAWSUsername(instance) if err != nil { return err } } if data.alias == "" { data.alias, err = getAWSAccountAlias(instance) if err != nil { return err } } date, _ := getKeyCreateDate(instance) t, err := time.Parse("2006-01-02T15:04:05Z", date) key_create_date = t.Unix() if err != nil { return err } } fmt.Printf("saving credentials for %s@%s\n", data.username, data.alias) plaintext, err := json.Marshal(data.cred) if err != nil { return err } enc_slice := []Encryption{} for _, pubkey := range data.pubkeys { encoded, err := CredulousEncode(string(plaintext), pubkey) if err != nil { return err } enc_slice = append(enc_slice, Encryption{ Ciphertext: encoded, Fingerprint: SSHFingerprint(pubkey), }) } creds := Credentials{ Version: FORMAT_VERSION, AccountAliasOrId: data.alias, IamUsername: data.username, CreateTime: fmt.Sprintf("%d", key_create_date), Encryptions: enc_slice, LifeTime: data.lifetime, } filename := fmt.Sprintf("%v-%v.json", key_create_date, data.cred.KeyId[12:]) err = creds.WriteToDisk(data.repo, filename) return err }