diff --git a/README.md b/README.md
index 5a0db28..dd5bdfe 100644
--- a/README.md
+++ b/README.md
@@ -79,7 +79,7 @@ Signs a fixed strings: `"AWS Roles Anywhere Credential Helper Signing Test" || S
 ### credential-process
-Vends temporary credentials by sending a `CreateSession` request to the Roles Anywhere service. The request is signed by the private key whose path can be provided with the `--private-key` parameter. Other parameters include `--certificate` (the path to the end-entity certificate), `--role-arn` (the ARN of the role to obtain temporary credentials for), `--profile-arn` (the ARN of the profile that provides a mapping for the specified role), and `--trust-anchor-arn` (the ARN of the trust anchor used to authenticate). Optional parameters that can be used are `--debug` (to provide debugging output about the request sent), `--no-verify-ssl` (to skip verification of the SSL certificate on the endpoint called), `--intermediates` (the path to intermediate certificates), `--with-proxy` (to make the binary proxy aware), `--endpoint` (the endpoint to call), `--region` (the region to scope the request to), and `--session-duration` (the duration of the vended session). Instead of passing in paths to the plaintext private key on your file system, another option could be to use the [PKCS#11 integration](#pkcs11-integration) (using the `--pkcs11-pin` flag to locate objects in PKCS#11 tokens) or (depending on your OS) use the `--cert-selector` flag. More details about the `--cert-selector` flag can be found in [this section](#cert-selector-flag).
+Vends temporary credentials by sending a `CreateSession` request to the Roles Anywhere service. The request is signed by the private key whose path can be provided with the `--private-key` parameter. Currently, only plaintext private keys are supported.
Other parameters include `--certificate` (the path to the end-entity certificate), `--role-arn` (the ARN of the role to obtain temporary credentials for), `--profile-arn` (the ARN of the profile that provides a mapping for the specified role), and `--trust-anchor-arn` (the ARN of the trust anchor used to authenticate). Optional parameters that can be used are `--debug` (to provide debugging output about the request sent), `--no-verify-ssl` (to skip verification of the SSL certificate on the endpoint called), `--intermediates` (the path to intermediate certificates), `--with-proxy` (to make the binary proxy aware), `--endpoint` (the endpoint to call), `--region` (the region to scope the request to), `--session-duration` (the duration of the vended session), and `--role-session-name` (an identifier of the role session). Instead of passing in paths to the plaintext private key on your file system, another option could be to use the [PKCS#11 integration](#pkcs11-integration) (using the `--pkcs11-pin` flag to locate objects in PKCS#11 tokens) or (depending on your OS) use the `--cert-selector` flag. More details about the `--cert-selector` flag can be found in [this section](#cert-selector-flag). Note that if more than one certificate matches the `--cert-selector` parameter within the OS-specific secure store, the `credential-process` command will fail. To find the list of certificates that match a given `--cert-selector` parameter, you can use the same flag with the `read-certificate-data` command.
diff --git a/aws_signing_helper/credentials.go b/aws_signing_helper/credentials.go
index 5d73bee..b2cbd91 100644
--- a/aws_signing_helper/credentials.go
+++ b/aws_signing_helper/credentials.go
@@ -33,6 +33,7 @@ type CredentialsOpts struct {
 LibPkcs11 string
 ReusePin bool
 ServerTTL int
+ RoleSessionName string
 }
 // Function to create session and generate credentials
@@ -108,6 +109,9 @@ func GenerateCredentials(opts *CredentialsOpts, signer Signer, signatureAlgorith
 RoleArn: &opts.RoleArn,
 SessionName: nil,
 }
+ if opts.RoleSessionName != "" {
+ createSessionRequest.RoleSessionName = &opts.RoleSessionName
+ }
 output, err := rolesAnywhereClient.CreateSession(&createSessionRequest)
 if err != nil {
 return CredentialProcessOutput{}, err
diff --git a/cmd/credentials.go b/cmd/credentials.go
index 5c76b97..786a30f 100644
--- a/cmd/credentials.go
+++ b/cmd/credentials.go
@@ -22,6 +22,7 @@ var (
 withProxy bool
 debug bool
 reusePin bool
+ roleSessionName string
 certificateId string
 privateKeyId string
@@ -72,6 +73,7 @@ func initCredentialsSubCommand(subCmd *cobra.Command) {
 subCmd.PersistentFlags().BoolVar(&reusePin, "reuse-pin", false, "Use the CKU_USER PIN as the CKU_CONTEXT_SPECIFIC PIN for "+
 "private key objects, when they are first used to sign. If the CKU_USER PIN doesn't work as the CKU_CONTEXT_SPECIFIC PIN "+
 "for a given private key object, fall back to prompting the user")
+ subCmd.PersistentFlags().StringVar(&roleSessionName, "role-session-name", "", "An identifier of a role session")
 subCmd.MarkFlagsMutuallyExclusive("certificate", "cert-selector")
 subCmd.MarkFlagsMutuallyExclusive("certificate", "system-store-name")
@@ -242,6 +244,7 @@ func PopulateCredentialsOptions() error {
 Version: Version,
 LibPkcs11: libPkcs11,
 ReusePin: reusePin,
+ RoleSessionName: roleSessionName,
 }
 return nil
diff --git a/rolesanywhere/api.go b/rolesanywhere/api.go
index 4b04348..c3ff19c 100644
--- a/rolesanywhere/api.go
+++ b/rolesanywhere/api.go
@@ -110,6 +110,8 @@ type CreateSessionInput struct {
 SessionName *string `locationName:"sessionName" min:"2" type:"string"`
 TrustAnchorArn *string `location:"querystring" locationName:"trustAnchorArn" type:"string"`
+
+ RoleSessionName *string `locationName:"roleSessionName" min:"2" type:"string"`
 }
 // String returns the string representation.
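Review bot: The new `if opts.RoleSessionName != ""` branch sits right under the kept `SessionName: nil`, so the request now carries two near-identically named fields with nothing saying why one is populated and the other deliberately left nil; a why-comment is needed here. Something like `// Send the caller's role session name only when one was given; nil leaves the choice to the service. SessionName is a separate field and is intentionally not set from the flag.` would do. Since the value is caller-controlled and passed through verbatim, it is worth stating in the same comment that the name is presumably what operators will see attributed to the session (CloudTrail / assumed-role identity), so any restriction on acceptable names belongs in the role's policy rather than in this helper — that attribution is inferred from STS behaviour, not shown in this hunk. GenerateCredentials begins and ends outside the hunk.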
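Review bot: The flag help `"An identifier of a role session"` tells the user neither the constraints nor what happens when the flag is omitted, both of which the rest of this diff establishes: the `min:"2"` tag in rolesanywhere/api.go rejects one-character names, and aws_signing_helper/credentials.go sends nothing when the string is empty. Suggested text: `"Name for the role session (at least 2 characters); when omitted, no name is sent in the CreateSession request"`. Note there is no check at flag-parse time, so a too-short value surfaces later as an SDK validation error from `Validate()` rather than as a usage error; if that is acceptable, the help text is the place to make the minimum visible.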
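Review bot: `RoleSessionName` is appended after `TrustAnchorArn`, which breaks the alphabetical field order the visible neighbours follow (`SessionName`, `TrustAnchorArn`) and that SDK-style shape structs in this file appear to keep; placing it before `SessionName` would match. The tag also carries only `min:"2"`; if the service mirrors the STS limits on role session names (an upper length bound and a restricted character set), declaring the maximum here, e.g. `` `locationName:"roleSessionName" min:"2" max:"64" type:"string"` ``, keeps the shape self-describing — that limit is not shown in this diff, so confirm against the service model before adding it. The `CreateSessionInput` struct begins outside the hunk.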
@@ -146,6 +148,10 @@ func (s *CreateSessionInput) Validate() error {
 invalidParams.Add(request.NewErrParamMinLen("SessionName", 2))
 }
+ if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
+ invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
+ }
+
 if invalidParams.Len() > 0 {
 return invalidParams
 }
@@ -194,6 +200,12 @@ func (s *CreateSessionInput) SetTrustAnchorArn(v string) *CreateSessionInput {
 return s
 }
+// SetRoleSessionName sets the RoleSessionName field's value.
+func (s *CreateSessionInput) SetRoleSessionName(v string) *CreateSessionInput {
+ s.RoleSessionName = &v
+ return s
+ }
+
 type CreateSessionOutput struct {
 _ struct{} `type:"structure"`
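Review bot: The added check enforces only the lower bound from the `min:"2"` tag, so an over-long or oddly-formed role session name is signed and sent before the service rejects it. If the Roles Anywhere API applies the same limits as STS to this parameter (2–64 characters from a restricted set; not shown in this diff, so verify), a local upper-bound check beside the new one, `if s.RoleSessionName != nil && len(*s.RoleSessionName) > 64 { invalidParams.Add(request.NewErrParamMaxLen("RoleSessionName", 64)) }`, fails fast with the same `ErrInvalidParams` shape the rest of `Validate` uses. Bear in mind `len` counts bytes, which is the conservative side for a service limit expressed in characters. `Validate` begins outside the hunk.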