
Add IAM authenticator

Open gl-johnson opened this issue 1 year ago • 1 comments

Rough POC for adding IAM authentication to the Go SDK.

NOTE: This depends on the AWS config existing on the system, which should be the case for any user of the AWS CLI or when running on EC2 or Lambda.

Usage example:

	package main

	import (
		"fmt"

		"github.com/cyberark/conjur-api-go/conjurapi"
	)

	func main() {
		config := conjurapi.Config{
			ApplianceURL: "http://localhost:3000",
			Account:      "cucumber",
			AuthnType:    "iam",
			ServiceID:    "aws",
			HostID:       "conjur/authn-iam/aws/production/578847545830/glen",
		}

		// AWS credentials are resolved from the environment (AWS CLI config, EC2 or Lambda role).
		client, err := conjurapi.NewClientFromEnvironment(config)
		if err != nil {
			fmt.Println("Error creating Conjur client:", err)
			return
		}

		resp, err := client.WhoAmI()
		if err != nil {
			fmt.Println("Error calling WhoAmI:", err)
			return
		}
		fmt.Println(string(resp))
	}

Improvements:

  • Add tests
  • If configured host ID doesn't match the AWS config, we could attempt to assume the AWS role and fetch temporary credentials like so:
	import (
		"context"
		"fmt"
		"github.com/aws/aws-sdk-go-v2/aws"
		"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
		"github.com/aws/aws-sdk-go-v2/service/sts"
	)

	// assumeRole swaps the default credentials for temporary credentials of the role the host ID expects.
	func assumeRole(ctx context.Context, cfg aws.Config) *aws.Credentials {
		svc := sts.NewFromConfig(cfg)
		credsProvider := stscreds.NewAssumeRoleProvider(svc, "arn:aws:iam::578847545830:role/MyAppRole")
		credentials, err := credsProvider.Retrieve(ctx)
		if err != nil {
			fmt.Println("Error retrieving credentials:", err)
			return nil
		}
		return &credentials
	}

gl-johnson avatar Jul 28 '23 20:07 gl-johnson
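What the IAM authenticator actually has to send, as an added example that is not part of this issue or of the conjur-api-go project: Conjur authn-iam authenticates a host by accepting a SigV4-signed STS GetCallerIdentity request and replaying it to STS, so the SDK's job is to sign that request with whatever credentials the AWS config resolves to (long-lived keys, or the temporary assumed-role credentials from the snippet above, which add an `x-amz-security-token` header). The standard-library implementation below assumes the global STS endpoint with region `us-east-1` and uses constructed key values; a production SDK would delegate to the AWS SDK's own signer.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}
func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// SignCallerIdentity returns the SigV4-signed headers for "GET /?Action=GetCallerIdentity&Version=2011-06-15"
// against STS. Conjur authn-iam verifies identity by replaying these headers to STS, so only a
// short-lived signature, never the secret key, leaves the host. token is set only for temporary credentials.
func SignCallerIdentity(accessKey, secretKey, token, region string, now time.Time) map[string]string {
	amzDate := now.UTC().Format("20060102T150405Z")
	scope := amzDate[:8] + "/" + region + "/sts/aws4_request"
	h := map[string]string{"host": "sts.amazonaws.com", "x-amz-content-sha256": sha256Hex(""), "x-amz-date": amzDate}
	names := []string{"host", "x-amz-content-sha256", "x-amz-date"} // already in canonical (sorted) order
	if token != "" {
		h["x-amz-security-token"] = token
		names = append(names, "x-amz-security-token")
	}
	var canon strings.Builder
	for _, k := range names {
		fmt.Fprintf(&canon, "%s:%s\n", k, h[k])
	}
	signed := strings.Join(names, ";")
	canonReq := strings.Join([]string{"GET", "/", "Action=GetCallerIdentity&Version=2011-06-15",
		canon.String(), signed, h["x-amz-content-sha256"]}, "\n")
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonReq)}, "\n")
	k := hmacSHA256([]byte("AWS4"+secretKey), amzDate[:8]) // kDate -> kRegion -> kService -> kSigning
	for _, part := range []string{region, "sts", "aws4_request"} {
		k = hmacSHA256(k, part)
	}
	h["authorization"] = fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		accessKey, scope, signed, hex.EncodeToString(hmacSHA256(k, toSign)))
	return h
}
func main() { fmt.Println(SignCallerIdentity("AKIAEXAMPLE", "EXAMPLESECRET", "", "us-east-1", time.Now())["authorization"]) }
```

The returned map is what the login request to Conjur carries; the `x-amz-date` header bounds how long the signature stays valid, which is why the authenticator re-signs on every login rather than caching the result.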