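/// @brief Return AWS credentials obtained through STS AssumeRole, refreshing
/// them only once the previously cached set has reached its expiration time.
///
/// The cached access key id, secret key and session token are members of the
/// provider; a refresh is attempted when `token_expire_time_` is at or before
/// the current Unix time (so the very first call, with an unset expiry, also
/// refreshes). On a failed AssumeRole the members are left untouched and the
/// existing (possibly empty or already expired) values are returned, with the
/// service's error logged.
///
/// @return An `Aws::Auth::AWSCredentials` built from the cached members.
Aws::Auth::AWSCredentials OsquerySTSAWSCredentialsProvider::GetAWSCredentials() {
  // Grab system time in seconds-since-epoch for token expiration checks.
  size_t current_time = osquery::getUnixTime();

  // Pull new STS credentials if not cached from a previous run, or if the
  // cached set has reached its expiration time.
  if (token_expire_time_ <= current_time) {
    // Create and setup a STS client to pull our temporary credentials.
    VLOG(1) << "Generating new AWS STS credentials";

    // If we have not setup an AWS client yet, we must do so here. An empty
    // access key id is used as the "never initialized" marker.
    if (access_key_id_.empty()) {
      initAwsSdk();
    }
    makeAWSClient<Aws::STS::STSClient>(client_, false);

    Model::AssumeRoleRequest sts_r;
    sts_r.SetRoleArn(FLAGS_aws_sts_arn_role);
    sts_r.SetRoleSessionName(FLAGS_aws_sts_session_name);
    sts_r.SetDurationSeconds(FLAGS_aws_sts_timeout);

    // Pull our STS credentials.
    Model::AssumeRoleOutcome sts_outcome = client_->AssumeRole(sts_r);
    if (sts_outcome.IsSuccess()) {
      const Model::AssumeRoleResult& sts_result = sts_outcome.GetResult();
      const auto& creds = sts_result.GetCredentials();

      // Cache our credentials for later use.
      access_key_id_ = creds.GetAccessKeyId();
      secret_access_key_ = creds.GetSecretAccessKey();
      session_token_ = creds.GetSessionToken();

      // Calculate when our credentials will expire. This uses the requested
      // duration, not the Expiration field of the AssumeRole response.
      // NOTE(review): the response carries its own expiration timestamp;
      // deriving token_expire_time_ from it would be authoritative — confirm
      // before changing.
      token_expire_time_ = current_time + FLAGS_aws_sts_timeout;
    } else {
      // Report the service's own error class and message instead of a fixed
      // guess at the cause; a denied AssumeRole, a bad ARN and a network or
      // clock problem all used to log the same text.
      const auto& error = sts_outcome.GetError();
      LOG(ERROR) << "Failed to create STS temporary credentials: "
                 << error.GetExceptionName() << ": " << error.GetMessage();
    }
  }

  // On a failed or never-attempted refresh these may be empty; callers are
  // presumably expected to treat an empty access key id as "no credentials"
  // — verify against the call sites.
  return Aws::Auth::AWSCredentials(
      access_key_id_, secret_access_key_, session_token_);
}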
/// @brief Test fixture hook: bring up the AWS SDK before each test case runs,
/// so the provider under test can construct SDK clients.
void SetUp() override {
  initAwsSdk();
}