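/// Return AWS credentials for the configured STS role, assuming the role
/// again only when the cached session has expired.
///
/// The credentials are cached in access_key_id_ / secret_access_key_ /
/// session_token_ and refreshed when token_expire_time_ has passed. On a
/// failed AssumeRole the cache is left untouched, so the caller receives
/// whatever was cached before (possibly empty, possibly expired) and the next
/// call retries the STS request; failures are logged without the secret
/// material.
///
/// @return The cached (or freshly assumed) credentials.
Aws::Auth::AWSCredentials
OsquerySTSAWSCredentialsProvider::GetAWSCredentials() {
  // Wall-clock seconds since the epoch; compared against the cached expiry.
  size_t current_time = osquery::getUnixTime();

  // Refresh only when the cached session token is (or is about to be) stale.
  // NOTE(review): the initial value of token_expire_time_ is not visible here;
  // this relies on it starting low enough that the first call assumes the role.
  if (token_expire_time_ <= current_time) {
    VLOG(1) << "Generating new AWS STS credentials";

    // An empty access key means nothing was ever fetched, which this provider
    // uses as the signal that the SDK itself still needs initializing.
    if (access_key_id_.empty()) {
      initAwsSdk();
    }

    makeAWSClient<Aws::STS::STSClient>(client_, false);
    Model::AssumeRoleRequest sts_r;
    sts_r.SetRoleArn(FLAGS_aws_sts_arn_role);
    sts_r.SetRoleSessionName(FLAGS_aws_sts_session_name);
    sts_r.SetDurationSeconds(FLAGS_aws_sts_timeout);

    // Ask STS for temporary credentials for the role.
    Model::AssumeRoleOutcome sts_outcome = client_->AssumeRole(sts_r);
    if (sts_outcome.IsSuccess()) {
      const auto& creds = sts_outcome.GetResult().GetCredentials();
      // Cache the new session material for subsequent calls.
      access_key_id_ = creds.GetAccessKeyId();
      secret_access_key_ = creds.GetSecretAccessKey();
      session_token_ = creds.GetSessionToken();
      // Local expiry mirrors the requested duration; this assumes STS granted
      // exactly FLAGS_aws_sts_timeout seconds (it rejects, rather than clamps,
      // out-of-range requests).
      token_expire_time_ = current_time + FLAGS_aws_sts_timeout;
    } else {
      // Report the reason STS actually returned instead of guessing at a
      // missing policy; the SDK error message carries no secret material.
      LOG(ERROR) << "Failed to create STS temporary credentials: "
                 << sts_outcome.GetError().GetMessage();
    }
  }
  return Aws::Auth::AWSCredentials(
      access_key_id_, secret_access_key_, session_token_);
}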
 /// Test fixture hook: bring up the AWS SDK before each test body runs.
 void SetUp() override {
   initAwsSdk();
 }