createSTSConfig uses AWS STS to assume a role and returns a config configured with that role's temporary session credentials (an access key, secret key and session token issued by AssumeRole). It returns an error if it fails to construct a session name or to assume the role.
(ctx context.Context, config *aws.Config)
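// configured with that role's temporary session credentials. The AssumeRole
// call itself is made with whatever credentials config already carries. The
// returned config is a copy; config is left untouched, so its base credentials
// remain usable for other roles.
//
// The session credentials are installed as a static provider: they are not
// refreshed automatically when they expire, which suits a short-lived CLI run
// but not a long-lived process.
//
// It returns an error if it fails to construct a session name, if the
// AssumeRole call fails, or if STS returns a response without credentials.
func (key MasterKey) createSTSConfig(ctx context.Context, config *aws.Config) (*aws.Config, error) {
	name, err := stsSessionName()
	if err != nil {
		return nil, err
	}
	input := &sts.AssumeRoleInput{
		RoleArn:         &key.Role,
		RoleSessionName: &name,
	}

	client := sts.NewFromConfig(*config)
	out, err := client.AssumeRole(ctx, input)
	if err != nil {
		return nil, fmt.Errorf("failed to assume role '%s': %w", key.Role, err)
	}
	// A successful AssumeRole is expected to carry credentials, but a nil
	// struct or nil field here would otherwise panic on dereference below;
	// surface a malformed response as an error instead.
	if out == nil || out.Credentials == nil {
		return nil, fmt.Errorf("failed to assume role '%s': STS response contained no credentials", key.Role)
	}
	creds := out.Credentials
	if creds.AccessKeyId == nil || creds.SecretAccessKey == nil || creds.SessionToken == nil {
		return nil, fmt.Errorf("failed to assume role '%s': STS response contained incomplete credentials", key.Role)
	}

	// Work on a copy so the caller's config (and the base credentials used to
	// call STS) is not overwritten with the role's session credentials.
	roleConfig := config.Copy()
	roleConfig.Credentials = credentials.NewStaticCredentialsProvider(
		*creds.AccessKeyId, *creds.SecretAccessKey, *creds.SessionToken,
	)
	return &roleConfig, nil
}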
| 458 | |
| 459 | // stsSessionName returns the name for the STS session in the format of |
| 460 | // `sops@<hostname>`. It sanitizes the hostname with stsSessionRegex, and |