add a new method to fetch aws identity document and signature

PaloAltoNetworks · Jun 27, 2022 · eb8a7cb · eb8a7cb
1 parent c0be8d4
commit eb8a7cb
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 0 deletions.
diff --git a/client/client.go b/client/client.go
@@ -233,6 +233,36 @@ func (a *Client) IssueFromAporetoIdentityToken(ctx context.Context, token string
 	return a.sendRequest(subctx, issueRequest)
 }
 
+// IssueFromAWSIdentityToken issues a Midgard jwt from a security token from amazon.
+// If you don't pass anything, this function will try to retrieve the token using aws magic ip.
+func (a *Client) IssueFromAWSIdentityToken(ctx context.Context, validity time.Duration, options ...Option) (string, error) {
+
+	var err error
+
+	document, signature, err := providers.AWSIdentityDocumentSignature(ctx, validity)
+
+	if err != nil {
+		return "", err
+	}
+
+	opts := issueOpts{}
+	for _, opt := range options {
+		opt(&opts)
+	}
+
+	issueRequest := gaia.NewIssue()
+	issueRequest.Metadata = map[string]interface{}{"document": document, "signature": signature}
+	issueRequest.Realm = gaia.IssueRealmAWSIdentityToken
+	issueRequest.Validity = validity.String()
+
+	applyOptions(issueRequest, opts)
+
+	span, subctx := opentracing.StartSpanFromContext(ctx, "midgardlib.client.issue.awsidentity")
+	defer span.Finish()
+
+	return a.sendRequest(subctx, issueRequest)
+}
+
 // IssueFromAWSSecurityToken issues a Midgard jwt from a security token from amazon.
 // If you don't pass anything, this function will try to retrieve the token using aws magic ip.
 func (a *Client) IssueFromAWSSecurityToken(ctx context.Context, accessKeyID, secretAccessKey, token string, validity time.Duration, options ...Option) (string, error) {

diff --git a/tokenmanager/providers/aws.go b/tokenmanager/providers/aws.go
@@ -12,9 +12,14 @@
 package providers
 
 import (
+	"context"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
+	"time"
+
+	"github.com/capitalone/cloud-custodian/tools/omnissm/pkg/aws/ec2metadata"
 )
 
 var (
@@ -54,3 +59,19 @@ func AWSServiceRoleToken() (roleData string, err error) {
 
 	return string(token), nil
 }
+
+// AWSIdentityToken gets the instance document and its signature
+func AWSIdentityDocumentSignature(ctx context.Context, validity time.Duration) (string, string, error) {
+
+	document := ec2metadata.GetLocalInstanceDocument()
+	if document == nil {
+		return "", "", errors.New("Failed to get aws instance identity document")
+	}
+
+	signature := ec2metadata.GetLocalInstanceSignature()
+	if signature == nil {
+		return "", "", errors.New("Failed to get aws instance identity signature")
+	}
+
+	return string(document), string(signature), nil
+}