package main
import (
"errors"
"reflect"
"strings"
"github.com/realestate-com-au/goamz/aws"
"github.com/realestate-com-au/goamz/iam"
)
// Instancer is the slice of the IAM client this file relies on; iam.IAM
// satisfies it. Note that getKeyCreateDate and verify_user additionally
// read the implementation's Auth.AccessKey field through reflection, so an
// implementation must be a pointer to a struct carrying that field.
type Instancer interface {
	// GetUser fetches an IAM user record. This file always passes "",
	// which the IAM API resolves to the user owning the calling credentials.
	GetUser(string) (*iam.GetUserResp, error)
	// AccessKeys lists the access keys of the named user ("" = calling user).
	AccessKeys(string) (*iam.AccessKeysResp, error)
	// ListAccountAliases lists the aliases of the calling account.
	ListAccountAliases() (*iam.AccountAliasesResp, error)
}
// getAWSUsernameAndAlias resolves the IAM user name and the account alias
// (or the account ID when the account has no alias, see getAWSAccountAlias)
// for cred. Either lookup failing returns its error with empty results.
func getAWSUsernameAndAlias(cred Credential) (username, alias string, err error) {
	// IAM ignores the region, so any valid one will do for the client.
	client := iam.New(aws.Auth{AccessKey: cred.KeyId, SecretKey: cred.SecretKey}, aws.APSoutheast2)
	if username, err = getAWSUsername(client); err != nil {
		return "", "", err
	}
	if alias, err = getAWSAccountAlias(client); err != nil {
		return "", "", err
	}
	return username, alias, nil
}
// getAWSUsername returns the name of the IAM user owning the credentials
// behind instance (GetUser with an empty user name).
func getAWSUsername(instance Instancer) (string, error) {
	resp, err := instance.GetUser("")
	if err != nil {
		return "", err
	}
	name := resp.User.Name
	return name, nil
}
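// getKeyCreateDate returns the CreateDate of the access key instance is
// authenticating with, looked up among the calling user's own access keys.
//
// instance must be a pointer to a struct with an Auth field that itself has
// an AccessKey string field (iam.IAM is shaped like this); the key is read
// through reflection because Instancer does not expose it. A listing
// failure, a value of another shape, or no matching key all produce an
// error rather than a panic, so callers can handle them like any other error.
func getKeyCreateDate(instance Instancer) (string, error) {
	response, err := instance.AccessKeys("")
	if err != nil {
		return "", err
	}
	// Guard each reflection step: Elem/FieldByName panic on the wrong kind,
	// and an invalid Value's String() would silently yield "<invalid Value>".
	v := reflect.ValueOf(instance)
	if v.Kind() != reflect.Ptr || v.IsNil() || v.Elem().Kind() != reflect.Struct {
		return "", errors.New("instance is not a pointer to a struct")
	}
	auth := v.Elem().FieldByName("Auth")
	if auth.Kind() != reflect.Struct {
		return "", errors.New("instance has no Auth struct field")
	}
	keyField := auth.FieldByName("AccessKey")
	if keyField.Kind() != reflect.String {
		return "", errors.New("instance Auth has no AccessKey string field")
	}
	accessKey := keyField.String()
	for _, key := range response.AccessKeys {
		if key.Id == accessKey {
			return key.CreateDate, nil
		}
	}
	return "", errors.New("Couldn't find this key")
}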
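// getAWSAccountAlias returns the alias of the account behind instance.
// Accounts without an alias fall back to the account ID, taken from the
// account field of the calling user's ARN (arn:partition:iam::ACCOUNT-ID:user/NAME),
// so callers comparing the result against an expected alias must accept
// either form.
func getAWSAccountAlias(instance Instancer) (string, error) {
	aliases, err := instance.ListAccountAliases()
	if err != nil {
		return "", err
	}
	// An account carries at most one alias.
	if len(aliases.Aliases) > 0 {
		return aliases.Aliases[0], nil
	}
	// No alias: use the account ID embedded in the calling user's ARN.
	user, err := instance.GetUser("")
	if err != nil {
		return "", err
	}
	// ARN layout is arn:partition:service:region:account-id:resource, so the
	// account ID is the fifth colon-separated field. Check the field exists
	// so a malformed ARN yields an error instead of an index panic.
	parts := strings.Split(user.User.Arn, ":")
	if len(parts) < 5 || parts[4] == "" {
		return "", errors.New("cannot determine account ID from ARN " + user.User.Arn)
	}
	return parts[4], nil
}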
// verify_account checks that the account behind instance is the expected
// one: the value getAWSAccountAlias reports (the alias, or the account ID
// when the account has none) must equal alias exactly.
func verify_account(alias string, instance Instancer) error {
	actual, err := getAWSAccountAlias(instance)
	switch {
	case err != nil:
		return err
	case actual != alias:
		return errors.New("Cannot verify account: does not match alias " + alias)
	}
	return nil
}
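// verify_user checks that the access key instance authenticates with is one
// of username's access keys, i.e. that the credentials really belong to the
// user they are claimed for.
//
// instance must be a pointer to a struct whose Auth field has an AccessKey
// string field (iam.IAM is shaped like this); the key is read through
// reflection because Instancer does not expose it. A value of another shape
// yields an error instead of the panic reflect would otherwise raise.
func verify_user(username string, instance Instancer) error {
	response, err := instance.AccessKeys(username)
	if err != nil {
		return err
	}
	// Guard each reflection step: Elem/FieldByName panic on the wrong kind,
	// and an invalid Value's String() would silently yield "<invalid Value>".
	v := reflect.ValueOf(instance)
	if v.Kind() != reflect.Ptr || v.IsNil() || v.Elem().Kind() != reflect.Struct {
		return errors.New("Cannot verify user: instance is not a pointer to a struct")
	}
	auth := v.Elem().FieldByName("Auth")
	if auth.Kind() != reflect.Struct {
		return errors.New("Cannot verify user: instance has no Auth struct field")
	}
	keyField := auth.FieldByName("AccessKey")
	if keyField.Kind() != reflect.String {
		return errors.New("Cannot verify user: instance Auth has no AccessKey string field")
	}
	accessKey := keyField.String()
	for _, key := range response.AccessKeys {
		if key.Id == accessKey {
			return nil
		}
	}
	return errors.New("Cannot verify user: access keys are not for user " + username)
}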