// run executes the grant-staff console command. args must hold the account
// to promote and a KMS type, optionally followed by a JSON-encoded KMS
// credential for that type.
//
// When no credential argument is given, the command proceeds only for
// security.LocalKMSType, and only if the console's KMS implements
// security.MockKMS, whose credential is then used. Every other KMS type must
// come with an explicit credential.
//
// NOTE(review): the credential JSON arrives as a plain command argument, so
// anything that records console input (history, audit or debug logging) would
// capture it. Confirm how the console treats argument logging.
func (grantStaff) run(ctx scope.Context, c *console, args []string) error {
	if len(args) < 2 {
		return usageError("account and kms type must be given")
	}
	target, typeName := args[0], args[1]

	kmsType := security.KMSType(typeName)
	// Start from an empty credential of the requested type; any error from the
	// lookup is passed through unchanged.
	cred, err := kmsType.KMSCredential()
	if err != nil {
		return err
	}

	switch {
	case len(args) >= 3:
		// Explicit credential supplied: decode it into the typed credential.
		if err := cred.UnmarshalJSON([]byte(args[2])); err != nil {
			return err
		}
	case kmsType != security.LocalKMSType:
		// Only the local KMS type may fall back to the backend's own credential.
		return usageError("kms type %s requires credentials to be provided", kmsType)
	default:
		mock, ok := c.kms.(security.MockKMS)
		if !ok {
			return usageError("this backend does not support kms type %s", kmsType)
		}
		cred = mock.KMSCredential()
	}

	account, err := c.resolveAccount(ctx, target)
	if err != nil {
		return err
	}
	c.Printf("Granting staff capability to account %s\n", account.ID())
	return c.backend.AccountManager().GrantStaff(ctx, account.ID(), cred)
}
import (
	"encoding/json"
	"fmt"

	"euphoria.io/heim/proto/security"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/kms"
)

// AwsKMSType is the security.KMSType identifier under which this package
// registers its credential type.
const AwsKMSType = security.KMSType("aws")

// init registers an empty KMSCredential as the value associated with
// AwsKMSType.
func init() {
	security.RegisterKMSType(AwsKMSType, &KMSCredential{})
}

// New returns a KMS backed by the AWS KMS client for the given region and
// bound to keyID.
//
// AWS credentials are taken from credentials.NewEnvCredentials only, i.e. from
// the process environment; no other credential source is configured here.
// Neither region nor keyID is validated, and the returned error is always nil,
// so a wrong or empty value will only surface when the client is first used.
//
// NOTE(review): newer aws-sdk-go releases deprecate session.New in favour of
// session.NewSession, which reports configuration errors. Whether the SDK
// version this project builds against offers it is not visible here.
func New(region, keyID string) (*KMS, error) {
	cfg := aws.NewConfig().
		WithCredentials(credentials.NewEnvCredentials()).
		WithRegion(region)

	// Locals are named so they do not shadow the session and kms packages.
	client := kms.New(session.New(cfg))
	return &KMS{kms: client, keyID: keyID}, nil
}