Add AWS ec2 auth for Vault

vault/auth.go

@@ -5,8 +5,12 @@ import (
 	"io/ioutil"
 	"os"
 	"path"
+	"strconv"
+	"strings"
+	"time"
 
 	"github.com/blang/vfs"
+	"github.com/hairyhenderson/gomplate/aws"
 	"github.com/hairyhenderson/gomplate/env"
 )
 
@@ -24,6 +28,9 @@ func (v *Vault) GetToken() string {
 	if token := v.UserPassLogin(); token != "" {
 		return token
 	}
+	if token := v.EC2Login(); token != "" {
+		return token
+	}
 	if token := v.TokenLogin(); token != "" {
 		return token
 	}
@@ -148,6 +155,63 @@ func (v *Vault) UserPassLogin() string {
 	return secret.Auth.ClientToken
 }
 
+// EC2Login - AWS EC2 auth backend
+func (v *Vault) EC2Login() string {
+	if env.Getenv("VAULT_AUTH_AWS_METHOD", "ec2") != "ec2" {
+		return ""
+	}
+
+	if skip := env.Getenv("VAULT_AUTH_AWS_EC2_SKIP", ""); skip != "" {
+		enabled, err := strconv.ParseBool(skip)
+		if err != nil {
+			logFatal("Invalid VAULT_AUTH_AWS_EC2_SKIP value", err)
+		}
+		if enabled {
+			return ""
+		}
+	}
+
+	role := env.Getenv("VAULT_AUTH_AWS_ROLE")
+	mount := env.Getenv("VAULT_AUTH_AWS_MOUNT", "aws")
+
+	vars := map[string]interface{}{}
+
+	if role != "" {
+		vars["role"] = role
+	}
+
+	opts := aws.ClientOptions{}
+
+	timeout := os.Getenv("AWS_TIMEOUT")
+	if timeout != "" {
+		t, err := strconv.Atoi(timeout)
+		if err != nil {
+			logFatal("Invalid AWS_TIMEOUT value '%s' - must be an integer\n", timeout)
+		}
+
+		opts.Timeout = time.Duration(t) * time.Millisecond
+	}
+
+	meta := aws.NewEc2Meta(opts)
+
+	vars["pkcs7"] = strings.TrimSpace(meta.Dynamic("instance-identity/pkcs7"))
+
+	if vars["pkcs7"] == "" {
+		return ""
+	}
+
+	path := fmt.Sprintf("auth/%s/login", mount)
+	secret, err := v.client.Logical().Write(path, vars)
+	if err != nil {
+		logFatal("AWS EC2 logon failed", err)
+	}
+	if secret == nil {
+		logFatal("Empty response from AWS EC2 logon")
+	}
+
+	return secret.Auth.ClientToken
+}
+
 // TokenLogin -
 func (v *Vault) TokenLogin() string {
 	if token := env.Getenv("VAULT_TOKEN"); token != "" {