aws: support for temporary credentials

- add optional token parameter, which is required when using temporary credentials - add optional role parameter to fetch temporary credentials - make route API param more fine grained Signed-off-by: Lev Stipakov <lev@openvpn.net>
2024-09-20 12:12:15 +02:00 · 2020-01-15 12:18:12 +02:00 · 2020-01-15 12:18:12 +02:00 · d534049f5e
commit d534049f5e
parent 1af01f3e20
1 changed files with 41 additions and 0 deletions
--- a/openvpn/aws/awspc.hpp
+++ b/openvpn/aws/awspc.hpp
@ -14,6 +14,7 @@
 #include <string>
 #include <utility>

+#include <openvpn/aws/awscreds.hpp>
 #include <openvpn/ws/httpcliset.hpp>
 #include <openvpn/common/jsonhelper.hpp>
 #include <openvpn/common/hexstr.hpp>
@ -38,6 +39,9 @@ namespace openvpn {
 	std::string instanceId;
 	std::string region;
 	std::string privateIp;
+
+	Creds creds;
+
 	int concurrentConnections = -1;
 	std::string error;

@ -77,6 +81,17 @@ namespace openvpn {
      {
      }

+      PCQuery(WS::ClientSet::Ptr cs_arg,
+	      std::string role_for_credentials_arg)
+	: cs(std::move(cs_arg)),
+	  rng(new DevURand()),
+	  frame(frame_init_simple(1024)),
+	  lookup_product_code(false),
+	  debug_level(0),
+	  role_for_credentials(role_for_credentials_arg)
+      {
+      }
+
      void start(std::function<void(Info info)> completion_arg)
      {
 	// make sure we are not in a pending state
@ -130,6 +145,15 @@ namespace openvpn {
 	      ts->transactions.push_back(std::move(t));
 	    }

+	  // transaction #4
+	  if (!role_for_credentials.empty())
+	    {
+	      std::unique_ptr<WS::ClientSet::Transaction> t(new WS::ClientSet::Transaction);
+	      t->req.method = "GET";
+	      t->req.uri = "/latest/meta-data/iam/security-credentials/" + role_for_credentials;
+	      ts->transactions.push_back(std::move(t));
+	    }
+
 	  // completion handler
 	  ts->completion = [self=Ptr(this)](WS::ClientSet::TransactionSet& ts) {
 	    self->local_query_complete(ts);
@ -215,6 +239,22 @@ namespace openvpn {
 	      else
 		done("could not fetch AWS product code: " + pc_trans.format_status(lts));
 	    }
+
+	  if (!role_for_credentials.empty())
+	    {
+	      WS::ClientSet::Transaction& cred_trans = *lts.transactions.at(lookup_product_code ? 3 : 2);
+	      if (cred_trans.request_status_success())
+		{
+		  const std::string creds = cred_trans.content_in.to_string();
+		  const Json::Value root = json::parse(creds);
+		  info.creds.access_key = json::get_string(root, "AccessKeyId");
+		  info.creds.secret_key = json::get_string(root, "SecretAccessKey");
+		  info.creds.token = json::get_string(root, "Token");
+		  done("");
+		}
+	      else
+		done("could not fetch role credentials: " + cred_trans.format_status(lts));
+	    }
 	  else
 	    done("");
 	}
@ -478,6 +518,7 @@ namespace openvpn {
      Frame::Ptr frame;
      const bool lookup_product_code;
      const int debug_level;
+      std::string role_for_credentials;

      std::function<void(Info info)> completion;
      Info info;