Elevate stored credentials above source_profile
mtibben committed Mar 9, 2023
1 parent cda0841 commit ef2b8b9
Showing 2 changed files with 13 additions and 25 deletions.
14 changes: 1 addition & 13 deletions vault/credentialkeyring.go
Expand Up @@ -18,25 +18,13 @@ func (ck *CredentialKeyring) Keys() (credentialsNames []string, err error) {
return credentialsNames, err
}
for _, keyName := range allKeys {
if IsStoredCredential(keyName) {
if !IsSessionKey(keyName) && !IsOIDCTokenKey(keyName) {
credentialsNames = append(credentialsNames, keyName)
}
}
return credentialsNames, nil
}

func IsStoredCredential(keyName string) bool {
return !IsSessionKey(keyName) && !IsOIDCTokenKey(keyName)
}

func (ck *CredentialKeyring) HasStoredCredential(credentialsName string) bool {
_, err := ck.Has(credentialsName)
if err == nil {
return IsStoredCredential(credentialsName)
}
return false
}

func (ck *CredentialKeyring) Has(credentialsName string) (bool, error) {
allKeys, err := ck.Keyring.Keys()
if err != nil {
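Review bot: The condition inlined on the new line of Keys(), `!IsSessionKey(keyName) && !IsOIDCTokenKey(keyName)`, lost its name when IsStoredCredential was removed, so a reader now has to know that session keys and OIDC tokens share the keyring to understand why they are skipped; a comment such as `// session keys and OIDC tokens share the keyring; only master credential names are returned` on that line would carry that. Keys() itself starts outside the hunk, and the Has method that follows is cut off at the end of it. Dropping the exported IsStoredCredential and HasStoredCredential is also a breaking change for any code outside the vault package that imported them; whether anything does is not visible here.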
24 changes: 12 additions & 12 deletions vault/vault.go
Expand Up @@ -237,27 +237,27 @@ type tempCredsCreator struct {
chainedMfa string
}

func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig) (sourcecredsProvider aws.CredentialsProvider, err error) {
func (t *tempCredsCreator) getSourceCreds(config *ProfileConfig, hasStoredCredentials bool) (sourcecredsProvider aws.CredentialsProvider, err error) {
if hasStoredCredentials {
log.Printf("profile %s: using stored credentials", config.ProfileName)
return NewMasterCredentialsProvider(t.Keyring, config.ProfileName), nil
}

if config.HasSourceProfile() {
log.Printf("profile %s: sourcing credentials from profile %s", config.ProfileName, config.SourceProfile.ProfileName)
return t.GetProviderForProfile(config.SourceProfile)
}

return nil, fmt.Errorf("profile %s: credentials missing", config.ProfileName)
}

func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
hasStoredCredentials, err := t.Keyring.Has(config.ProfileName)
if err != nil {
return nil, err
}

if hasStoredCredentials {
log.Printf("profile %s: using stored credentials", config.ProfileName)
return NewMasterCredentialsProvider(t.Keyring, config.ProfileName), nil
}

return nil, fmt.Errorf("profile %s: credentials missing", config.ProfileName)
}

func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.CredentialsProvider, error) {
if !t.Keyring.HasStoredCredential(config.ProfileName) {
if !hasStoredCredentials {
if config.HasSSOStartURL() {
log.Printf("profile %s: using SSO role credentials", config.ProfileName)
return NewSSORoleCredentialsProvider(t.Keyring.Keyring, config, !t.DisableCache)
Expand All @@ -274,7 +274,7 @@ func (t *tempCredsCreator) GetProviderForProfile(config *ProfileConfig) (aws.Cre
}
}

sourcecredsProvider, err := t.getSourceCreds(config)
sourcecredsProvider, err := t.getSourceCreds(config, hasStoredCredentials)
if err != nil {
return nil, err
}
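Review bot: The new `hasStoredCredentials, err := t.Keyring.Has(config.ProfileName)` in GetProviderForProfile replaces HasStoredCredential, which additionally excluded entries matched by IsSessionKey and IsOIDCTokenKey, so that filter no longer guards the `!hasStoredCredentials` branch or the value later passed to getSourceCreds in the second hunk. If a profile name could ever coincide with a key name those predicates recognise (the naming scheme is not visible on this page), the profile would now be treated as having master credentials and take the stored-credentials path instead of SSO or source_profile; if that cannot happen, a one-line comment at the Has call saying so would spare the next reader the question. Since the commit deliberately makes stored credentials win over source_profile, getSourceCreds also deserves a doc comment stating that order, e.g. `// getSourceCreds returns the stored master credentials when the keyring has them, otherwise the source_profile's provider, otherwise an error.` The named results `sourcecredsProvider, err` on getSourceCreds are never assigned by name and could be unnamed. GetProviderForProfile's body continues past the end of both hunks.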
