Add AWS ec2 auth for Vault

hairyhenderson · Aug 6, 2017 · 008b470 · 008b470
1 parent cbc2af1
commit 008b470
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/vault/auth.go b/vault/auth.go
@@ -5,9 +5,13 @@ import (
 	"io/ioutil"
 	"os"
 	"path"
+	"strings"
+	"time"
 
 	"github.com/blang/vfs"
+	"github.com/hairyhenderson/gomplate/aws"
 	"github.com/hairyhenderson/gomplate/env"
+	"github.com/hairyhenderson/gomplate/typeconv"
 )
 
 // GetToken -
@@ -27,6 +31,9 @@ func (v *Vault) GetToken() string {
 	if token := v.TokenLogin(); token != "" {
 		return token
 	}
+	if token := v.EC2Login(); token != "" {
+		return token
+	}
 	logFatal("All vault auth failed")
 	return ""
 }
@@ -148,6 +155,44 @@ func (v *Vault) UserPassLogin() string {
 	return secret.Auth.ClientToken
 }
 
+// EC2Login - AWS EC2 auth backend
+func (v *Vault) EC2Login() string {
+	role := env.Getenv("VAULT_AUTH_AWS_ROLE")
+	mount := env.Getenv("VAULT_AUTH_AWS_MOUNT", "aws")
+
+	vars := map[string]interface{}{}
+
+	if role != "" {
+		vars["role"] = role
+	}
+
+	opts := aws.ClientOptions{}
+
+	timeout := os.Getenv("AWS_TIMEOUT")
+	if timeout != "" {
+		opts.Timeout = time.Duration(typeconv.MustAtoi(os.Getenv("AWS_TIMEOUT"))) * time.Millisecond
+	}
+
+	meta := aws.NewEc2Meta(opts)
+
+	vars["pkcs7"] = strings.TrimSpace(meta.Dynamic("instance-identity/pkcs7"))
+
+	if vars["pkcs7"] == "" {
+		return ""
+	}
+
+	path := fmt.Sprintf("auth/%s/login", mount)
+	secret, err := v.client.Logical().Write(path, vars)
+	if err != nil {
+		logFatal("AWS EC2 logon failed", err)
+	}
+	if secret == nil {
+		logFatal("Empty response from AWS EC2 logon")
+	}
+
+	return secret.Auth.ClientToken
+}
+
 // TokenLogin -
 func (v *Vault) TokenLogin() string {
 	if token := env.Getenv("VAULT_TOKEN"); token != "" {