-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
409b024
commit db5f21b
Showing
2 changed files
with
66 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # STS Example # | ||
| This go code shows how to take an optional ARN and ExternalID contraint and assume a role via STS. | ||
|
|
||
| ```golang | ||
| creds = stscreds.NewCredentials(sess, arn, func(p *stscreds.AssumeRoleProvider) { | ||
| p.ExternalID = &externalID | ||
| }) | ||
| ``` | ||
|
|
||
| The key here is to use the `stscreds` provider for aws.Config, rather than work with the `sts` package and service directly. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| package main | ||
|
|
||
| import ( | ||
| "flag" | ||
| "fmt" | ||
|
|
||
| "github.com/aws/aws-sdk-go/aws" | ||
| "github.com/aws/aws-sdk-go/aws/credentials" | ||
| "github.com/aws/aws-sdk-go/aws/credentials/stscreds" | ||
| "github.com/aws/aws-sdk-go/aws/session" | ||
| "github.com/aws/aws-sdk-go/service/s3" | ||
| ) | ||
|
|
||
| func main() { | ||
| var arn string | ||
| var externalID string | ||
|
|
||
| const ( | ||
| defaultARN = "" | ||
| arnUsage = "The ARN of the role you need to assume" | ||
| defaultExtID = "" | ||
| extIDUsage = "The ExternalID constraint, if applicable for the role you need to assume" | ||
| region = "us-east-1" | ||
| ) | ||
| flag.StringVar(&arn, "arn", defaultARN, arnUsage) | ||
| flag.StringVar(&externalID, "extid", defaultExtID, extIDUsage) | ||
| flag.Parse() | ||
|
|
||
| sess := session.Must(session.NewSession()) | ||
| conf := createConfig(arn, externalID, region, sess) | ||
|
|
||
| fmt.Println("This should print the S3 buckets available in your account. If you passed in an ARN, it will print the S3 buckets in the Assumed Role account.") | ||
| s3Svc := s3.New(sess, &conf) | ||
| var input *s3.ListBucketsInput | ||
| resp, _ := s3Svc.ListBuckets(input) | ||
| fmt.Println(resp) | ||
| } | ||
|
|
||
| func createConfig(arn string, externalID string, region string, sess *session.Session) aws.Config { | ||
|
|
||
| conf := aws.Config{Region: aws.String(region)} | ||
| if arn != "" { | ||
| // if ARN flag is passed in, we need to be able ot assume role here | ||
| var creds *credentials.Credentials | ||
| if externalID != "" { | ||
| // If externalID flag is passed, we need to include it in credentials struct | ||
| creds = stscreds.NewCredentials(sess, arn, func(p *stscreds.AssumeRoleProvider) { | ||
| p.ExternalID = &externalID | ||
| }) | ||
| } else { | ||
| creds = stscreds.NewCredentials(sess, arn, func(p *stscreds.AssumeRoleProvider) {}) | ||
| } | ||
| conf.Credentials = creds | ||
| } | ||
| return conf | ||
| } |