457 lines
12 KiB
Go
457 lines
12 KiB
Go
/*
|
|
* MinIO Go Library for Amazon S3 Compatible Cloud Storage
|
|
* Copyright 2017 MinIO, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package credentials
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"strings"
|
|
"time"
|
|
|
|
jsoniter "github.com/json-iterator/go"
|
|
)
|
|
|
|
// DefaultExpiryWindow - Default expiry window.
|
|
// ExpiryWindow will allow the credentials to trigger refreshing
|
|
// prior to the credentials actually expiring. This is beneficial
|
|
// so race conditions with expiring credentials do not cause
|
|
// request to fail unexpectedly due to ExpiredTokenException exceptions.
|
|
// DefaultExpiryWindow can be used as parameter to (*Expiry).SetExpiration.
|
|
// When used the tokens refresh will be triggered when 80% of the elapsed
|
|
// time until the actual expiration time is passed.
|
|
const DefaultExpiryWindow = -1
|
|
|
|
// A IAM retrieves credentials from the EC2 service, and keeps track if
|
|
// those credentials are expired.
|
|
type IAM struct {
|
|
Expiry
|
|
|
|
// Required http Client to use when connecting to IAM metadata service.
|
|
Client *http.Client
|
|
|
|
// Custom endpoint to fetch IAM role credentials.
|
|
Endpoint string
|
|
|
|
// Region configurable custom region for STS
|
|
Region string
|
|
|
|
// Support for container authorization token https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
|
|
Container struct {
|
|
AuthorizationToken string
|
|
AuthorizationTokenFile string
|
|
CredentialsFullURI string
|
|
CredentialsRelativeURI string
|
|
}
|
|
|
|
// EKS based k8s RBAC authorization - https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html
|
|
EKSIdentity struct {
|
|
TokenFile string
|
|
RoleARN string
|
|
RoleSessionName string
|
|
}
|
|
}
|
|
|
|
// IAM Roles for Amazon EC2
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
|
|
const (
|
|
DefaultIAMRoleEndpoint = "http://169.254.169.254"
|
|
DefaultECSRoleEndpoint = "http://169.254.170.2"
|
|
DefaultSTSRoleEndpoint = "https://sts.amazonaws.com"
|
|
DefaultIAMSecurityCredsPath = "/latest/meta-data/iam/security-credentials/"
|
|
TokenRequestTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
|
|
TokenPath = "/latest/api/token"
|
|
TokenTTL = "21600"
|
|
TokenRequestHeader = "X-aws-ec2-metadata-token"
|
|
)
|
|
|
|
// NewIAM returns a pointer to a new Credentials object wrapping the IAM.
|
|
func NewIAM(endpoint string) *Credentials {
|
|
return New(&IAM{
|
|
Client: &http.Client{
|
|
Transport: http.DefaultTransport,
|
|
},
|
|
Endpoint: endpoint,
|
|
})
|
|
}
|
|
|
|
// Retrieve retrieves credentials from the EC2 service.
|
|
// Error will be returned if the request fails, or unable to extract
|
|
// the desired
|
|
func (m *IAM) Retrieve() (Value, error) {
|
|
token := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN")
|
|
if token == "" {
|
|
token = m.Container.AuthorizationToken
|
|
}
|
|
|
|
tokenFile := os.Getenv("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
|
|
if tokenFile == "" {
|
|
tokenFile = m.Container.AuthorizationToken
|
|
}
|
|
|
|
relativeURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
|
|
if relativeURI == "" {
|
|
relativeURI = m.Container.CredentialsRelativeURI
|
|
}
|
|
|
|
fullURI := os.Getenv("AWS_CONTAINER_CREDENTIALS_FULL_URI")
|
|
if fullURI == "" {
|
|
fullURI = m.Container.CredentialsFullURI
|
|
}
|
|
|
|
identityFile := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
|
|
if identityFile == "" {
|
|
identityFile = m.EKSIdentity.TokenFile
|
|
}
|
|
|
|
roleArn := os.Getenv("AWS_ROLE_ARN")
|
|
if roleArn == "" {
|
|
roleArn = m.EKSIdentity.RoleARN
|
|
}
|
|
|
|
roleSessionName := os.Getenv("AWS_ROLE_SESSION_NAME")
|
|
if roleSessionName == "" {
|
|
roleSessionName = m.EKSIdentity.RoleSessionName
|
|
}
|
|
|
|
region := os.Getenv("AWS_REGION")
|
|
if region == "" {
|
|
region = m.Region
|
|
}
|
|
|
|
var roleCreds ec2RoleCredRespBody
|
|
var err error
|
|
|
|
endpoint := m.Endpoint
|
|
switch {
|
|
case identityFile != "":
|
|
if len(endpoint) == 0 {
|
|
if region != "" {
|
|
if strings.HasPrefix(region, "cn-") {
|
|
endpoint = "https://sts." + region + ".amazonaws.com.cn"
|
|
} else {
|
|
endpoint = "https://sts." + region + ".amazonaws.com"
|
|
}
|
|
} else {
|
|
endpoint = DefaultSTSRoleEndpoint
|
|
}
|
|
}
|
|
|
|
creds := &STSWebIdentity{
|
|
Client: m.Client,
|
|
STSEndpoint: endpoint,
|
|
GetWebIDTokenExpiry: func() (*WebIdentityToken, error) {
|
|
token, err := os.ReadFile(identityFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &WebIdentityToken{Token: string(token)}, nil
|
|
},
|
|
RoleARN: roleArn,
|
|
roleSessionName: roleSessionName,
|
|
}
|
|
|
|
stsWebIdentityCreds, err := creds.Retrieve()
|
|
if err == nil {
|
|
m.SetExpiration(creds.Expiration(), DefaultExpiryWindow)
|
|
}
|
|
return stsWebIdentityCreds, err
|
|
|
|
case relativeURI != "":
|
|
if len(endpoint) == 0 {
|
|
endpoint = fmt.Sprintf("%s%s", DefaultECSRoleEndpoint, relativeURI)
|
|
}
|
|
|
|
roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
|
|
|
|
case tokenFile != "" && fullURI != "":
|
|
endpoint = fullURI
|
|
roleCreds, err = getEKSPodIdentityCredentials(m.Client, endpoint, tokenFile)
|
|
|
|
case fullURI != "":
|
|
if len(endpoint) == 0 {
|
|
endpoint = fullURI
|
|
var ok bool
|
|
if ok, err = isLoopback(endpoint); !ok {
|
|
if err == nil {
|
|
err = fmt.Errorf("uri host is not a loopback address: %s", endpoint)
|
|
}
|
|
break
|
|
}
|
|
}
|
|
|
|
roleCreds, err = getEcsTaskCredentials(m.Client, endpoint, token)
|
|
|
|
default:
|
|
roleCreds, err = getCredentials(m.Client, endpoint)
|
|
}
|
|
|
|
if err != nil {
|
|
return Value{}, err
|
|
}
|
|
// Expiry window is set to 10secs.
|
|
m.SetExpiration(roleCreds.Expiration, DefaultExpiryWindow)
|
|
|
|
return Value{
|
|
AccessKeyID: roleCreds.AccessKeyID,
|
|
SecretAccessKey: roleCreds.SecretAccessKey,
|
|
SessionToken: roleCreds.Token,
|
|
Expiration: roleCreds.Expiration,
|
|
SignerType: SignatureV4,
|
|
}, nil
|
|
}
|
|
|
|
// A ec2RoleCredRespBody provides the shape for unmarshaling credential
|
|
// request responses.
|
|
type ec2RoleCredRespBody struct {
|
|
// Success State
|
|
Expiration time.Time
|
|
AccessKeyID string
|
|
SecretAccessKey string
|
|
Token string
|
|
|
|
// Error state
|
|
Code string
|
|
Message string
|
|
|
|
// Unused params.
|
|
LastUpdated time.Time
|
|
Type string
|
|
}
|
|
|
|
// Get the final IAM role URL where the request will
|
|
// be sent to fetch the rolling access credentials.
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
|
|
func getIAMRoleURL(endpoint string) (*url.URL, error) {
|
|
u, err := url.Parse(endpoint)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
u.Path = DefaultIAMSecurityCredsPath
|
|
return u, nil
|
|
}
|
|
|
|
// listRoleNames lists of credential role names associated
|
|
// with the current EC2 service. If there are no credentials,
|
|
// or there is an error making or receiving the request.
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
|
|
func listRoleNames(client *http.Client, u *url.URL, token string) ([]string, error) {
|
|
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if token != "" {
|
|
req.Header.Add(TokenRequestHeader, token)
|
|
}
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
return nil, errors.New(resp.Status)
|
|
}
|
|
|
|
credsList := []string{}
|
|
s := bufio.NewScanner(resp.Body)
|
|
for s.Scan() {
|
|
credsList = append(credsList, s.Text())
|
|
}
|
|
|
|
if err := s.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return credsList, nil
|
|
}
|
|
|
|
func getEcsTaskCredentials(client *http.Client, endpoint, token string) (ec2RoleCredRespBody, error) {
|
|
req, err := http.NewRequest(http.MethodGet, endpoint, nil)
|
|
if err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
|
|
if token != "" {
|
|
req.Header.Set("Authorization", token)
|
|
}
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
return ec2RoleCredRespBody{}, errors.New(resp.Status)
|
|
}
|
|
|
|
respCreds := ec2RoleCredRespBody{}
|
|
if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
|
|
return respCreds, nil
|
|
}
|
|
|
|
func getEKSPodIdentityCredentials(client *http.Client, endpoint string, tokenFile string) (ec2RoleCredRespBody, error) {
|
|
if tokenFile != "" {
|
|
bytes, err := os.ReadFile(tokenFile)
|
|
if err != nil {
|
|
return ec2RoleCredRespBody{}, fmt.Errorf("getEKSPodIdentityCredentials: failed to read token file:%s", err)
|
|
}
|
|
token := string(bytes)
|
|
return getEcsTaskCredentials(client, endpoint, token)
|
|
}
|
|
return ec2RoleCredRespBody{}, fmt.Errorf("getEKSPodIdentityCredentials: no tokenFile found")
|
|
}
|
|
|
|
func fetchIMDSToken(client *http.Client, endpoint string) (string, error) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
defer cancel()
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPut, endpoint+TokenPath, nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
req.Header.Add(TokenRequestTTLHeader, TokenTTL)
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer resp.Body.Close()
|
|
data, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
if resp.StatusCode != http.StatusOK {
|
|
return "", errors.New(resp.Status)
|
|
}
|
|
return string(data), nil
|
|
}
|
|
|
|
// getCredentials - obtains the credentials from the IAM role name associated with
|
|
// the current EC2 service.
|
|
//
|
|
// If the credentials cannot be found, or there is an error
|
|
// reading the response an error will be returned.
|
|
func getCredentials(client *http.Client, endpoint string) (ec2RoleCredRespBody, error) {
|
|
if endpoint == "" {
|
|
endpoint = DefaultIAMRoleEndpoint
|
|
}
|
|
|
|
// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
|
|
token, err := fetchIMDSToken(client, endpoint)
|
|
if err != nil {
|
|
// Return only errors for valid situations, if the IMDSv2 is not enabled
|
|
// we will not be able to get the token, in such a situation we have
|
|
// to rely on IMDSv1 behavior as a fallback, this check ensures that.
|
|
// Refer https://github.com/minio/minio-go/issues/1866
|
|
if !errors.Is(err, context.DeadlineExceeded) && !errors.Is(err, context.Canceled) {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
}
|
|
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
|
|
u, err := getIAMRoleURL(endpoint)
|
|
if err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
|
|
roleNames, err := listRoleNames(client, u, token)
|
|
if err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
|
|
if len(roleNames) == 0 {
|
|
return ec2RoleCredRespBody{}, errors.New("No IAM roles attached to this EC2 service")
|
|
}
|
|
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
|
|
// - An instance profile can contain only one IAM role. This limit cannot be increased.
|
|
roleName := roleNames[0]
|
|
|
|
// http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
|
|
// The following command retrieves the security credentials for an
|
|
// IAM role named `s3access`.
|
|
//
|
|
// $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/s3access
|
|
//
|
|
u.Path = path.Join(u.Path, roleName)
|
|
req, err := http.NewRequest(http.MethodGet, u.String(), nil)
|
|
if err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
if token != "" {
|
|
req.Header.Add(TokenRequestHeader, token)
|
|
}
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != http.StatusOK {
|
|
return ec2RoleCredRespBody{}, errors.New(resp.Status)
|
|
}
|
|
|
|
respCreds := ec2RoleCredRespBody{}
|
|
if err := jsoniter.NewDecoder(resp.Body).Decode(&respCreds); err != nil {
|
|
return ec2RoleCredRespBody{}, err
|
|
}
|
|
|
|
if respCreds.Code != "Success" {
|
|
// If an error code was returned something failed requesting the role.
|
|
return ec2RoleCredRespBody{}, errors.New(respCreds.Message)
|
|
}
|
|
|
|
return respCreds, nil
|
|
}
|
|
|
|
// isLoopback identifies if a uri's host is on a loopback address
|
|
func isLoopback(uri string) (bool, error) {
|
|
u, err := url.Parse(uri)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
host := u.Hostname()
|
|
if len(host) == 0 {
|
|
return false, fmt.Errorf("can't parse host from uri: %s", uri)
|
|
}
|
|
|
|
ips, err := net.LookupHost(host)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
for _, ip := range ips {
|
|
if !net.ParseIP(ip).IsLoopback() {
|
|
return false, nil
|
|
}
|
|
}
|
|
|
|
return true, nil
|
|
}
|