├── .github ├── prerelease.sh └── workflows │ ├── release.yml │ └── test.yml ├── .gitignore ├── .golangci.yml ├── .goreleaser.pre.yml ├── .goreleaser.yml ├── CHANGELOG.md ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── cmd └── vac │ └── main.go ├── go.mod ├── go.sum ├── internal ├── cli │ ├── cli.go │ ├── cli_test.go │ └── flags │ │ └── flags.go └── cmd │ ├── get.go │ ├── get_test.go │ ├── status.go │ ├── status_test.go │ ├── switch.go │ ├── switch_test.go │ ├── utils.go │ ├── utils_linux.go │ ├── utils_other.go │ └── utils_test.go ├── pkg ├── client │ ├── client.go │ ├── client_test.go │ ├── vault.go │ └── vault_test.go └── state │ ├── state.go │ └── state_test.go └── renovate.json5 /.github/prerelease.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -ex 4 | 5 | RELEASE_ID=$(curl -sL https://api.github.com/repos/${REPOSITORY}/releases/tags/edge | jq -r .id) 6 | HEAD_SHA=$(curl -sL https://api.github.com/repos/${REPOSITORY}/git/refs/heads/main | jq -r .object.sha) 7 | PRERELEASE_TAG=$(git describe --always --abbrev=7 --tags --exclude=edge) 8 | 9 | # Bump the edge tag to the head of main 10 | curl -sL \ 11 | -X PATCH \ 12 | -u "_:${GITHUB_TOKEN}" \ 13 | -H "Accept: application/vnd.github.v3+json" \ 14 | -d '{"sha":"'${HEAD_SHA}'","force":true}' \ 15 | "https://api.github.com/repos/${REPOSITORY}/git/refs/tags/edge" 16 | 17 | # Ensure we execute some cleanup functions on exit 18 | function cleanup { 19 | git tag -d ${PRERELEASE_TAG} || true 20 | git fetch --tags -f || true 21 | } 22 | trap cleanup EXIT 23 | 24 | # Build the binaries using a prerelease tag 25 | git tag -d edge 26 | git tag -f ${PRERELEASE_TAG} 27 | go run github.com/goreleaser/goreleaser@v1.25.1 release \ 28 | --rm-dist \ 29 | --skip-validate \ 30 | -f .goreleaser.pre.yml 31 | 32 | # Delete existing assets from the edge prerelease on GitHub 33 | for asset_url in $(curl -sL -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${REPOSITORY}/releases/tags/edge | jq -r ".assets[].url"); do 34 | echo "deleting edge release asset: ${asset_url}" 35 | curl -sL \ 36 | -X DELETE \ 37 | -u "_:${GITHUB_TOKEN}" \ 38 | ${asset_url} 39 | done 40 | 41 | # Upload new assets onto the edge prerelease on GitHub 42 | for asset in $(find dist -type f -name "${NAME}_edge*"); do 43 | echo "uploading ${asset}.." 44 | curl -sL \ 45 | -u "_:${GITHUB_TOKEN}" \ 46 | -H "Accept: application/vnd.github.v3+json" \ 47 | -H "Content-Type: $(file -b --mime-type ${asset})" \ 48 | --data-binary @${asset} \ 49 | "https://uploads.github.com/repos/${REPOSITORY}/releases/${RELEASE_ID}/assets?name=$(basename $asset)" 50 | done 51 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: release 3 | 4 | on: 5 | push: 6 | tags: 7 | - 'v[0-9]+.[0-9]+.[0-9]+' 8 | branches: 9 | - main 10 | 11 | jobs: 12 | release: 13 | runs-on: ubuntu-24.04 14 | 15 | env: 16 | DOCKER_CLI_EXPERIMENTAL: 'enabled' 17 | 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 21 | with: 22 | fetch-depth: 0 23 | 24 | - name: Set up QEMU 25 | uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 26 | 27 | - name: Set up Docker Buildx 28 | uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3 29 | 30 | - name: docker.io Login 31 | uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 32 | with: 33 | registry: docker.io 34 | username: ${{ github.repository_owner }} 35 | password: ${{ secrets.DOCKER_HUB_TOKEN }} 36 | 37 | - name: ghcr.io login 38 | uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 39 | with: 40 | registry: ghcr.io 41 | username: ${{ github.repository_owner }} 42 | password: ${{ secrets.GH_PAT }} 43 | 44 | - name: quay.io Login 45 | uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 46 | with: 47 | registry: quay.io 48 | username: ${{ github.repository_owner }} 49 | password: ${{ secrets.QUAY_TOKEN }} 50 | 51 | - name: Set up Go 52 | uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5 53 | with: 54 | go-version: '1.22' 55 | 56 | - name: Import GPG key 57 | uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6 58 | with: 59 | gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} 60 | passphrase: ${{ secrets.GPG_PASSPHRASE }} 61 | 62 | - name: Run goreleaser 63 | run: make ${{ github.ref == 'refs/heads/main' && 'pre' || '' }}release 64 | env: 65 | GITHUB_TOKEN: ${{ secrets.GH_PAT }} 66 | -------------------------------------------------------------------------------- /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: test 3 | 4 | on: 5 | push: 6 | branches: 7 | - main 8 | tags: 9 | - 'v[0-9]+.[0-9]+.[0-9]+' 10 | pull_request: 11 | branches: 12 | - main 13 | 14 | jobs: 15 | test: 16 | strategy: 17 | matrix: 18 | os: 19 | - ubuntu-22.04 20 | - macos-14 21 | - windows-2022 22 | 23 | runs-on: ${{ matrix.os }} 24 | 25 | steps: 26 | - name: Checkout code 27 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 28 | 29 | - name: Install Go 30 | uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5 31 | with: 32 | go-version: '1.22' 33 | 34 | - name: Lint 35 | if: ${{ matrix.os == 'ubuntu-22.04' }} 36 | run: make lint 37 | 38 | - name: Test 39 | run: make test 40 | 41 | - name: Publish coverage to coveralls.io 42 | uses: shogo82148/actions-goveralls@e6875f831db61e6abffbd8df91a2eb6cd24b46c9 # v1 43 | if: ${{ matrix.os == 'ubuntu-22.04' }} 44 | with: 45 | path-to-profile: coverage.out 46 | 47 | - name: Build 48 | run: make build 49 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **.tgz 2 | **.DS_Store 3 | coverage.out 4 | dist 5 | vac 6 | vendor 7 | !cmd/vac 8 | .idea/ 9 | -------------------------------------------------------------------------------- /.golangci.yml: -------------------------------------------------------------------------------- 1 | 2 | linters: 3 | enable: 4 | - gci 5 | - gofmt 6 | - goimports 7 | - gosec 8 | - loggercheck 9 | - misspell 10 | - nilerr 11 | - nilnil 12 | - noctx 13 | - unparam 14 | 15 | linters-settings: 16 | gci: 17 | sections: 18 | - standard 19 | - default 20 | - prefix(github.com/mvisonneau) 21 | -------------------------------------------------------------------------------- /.goreleaser.pre.yml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - go mod download 4 | 5 | builds: 6 | - main: ./cmd/vac 7 | env: 8 | - CGO_ENABLED=0 9 | goos: 10 | - darwin 11 | - linux 12 | - windows 13 | goarch: 14 | - 386 15 | - amd64 16 | - arm64 17 | flags: 18 | - -trimpath 19 | ignore: 20 | - goos: darwin 21 | goarch: 386 22 | - goos: windows 23 | goarch: arm64 24 | 25 | archives: 26 | - name_template: '{{ .ProjectName }}_edge_{{ .Os }}_{{ .Arch }}' 27 | format_overrides: 28 | - goos: windows 29 | format: zip 30 | 31 | release: 32 | disable: true 33 | 34 | dockers: 35 | - image_templates: 36 | - docker.io/mvisonneau/vac:latest-amd64 37 | - ghcr.io/mvisonneau/vac:latest-amd64 38 | - quay.io/mvisonneau/vac:latest-amd64 39 | ids: [vac] 40 | goarch: amd64 41 | use: buildx 42 | build_flag_templates: 43 | - --platform=linux/amd64 44 | - --label=org.opencontainers.image.title={{ .ProjectName }} 45 | - --label=org.opencontainers.image.description={{ .ProjectName }} 46 | - --label=org.opencontainers.image.url=https://github.com/mvisonneau/vac 47 | - --label=org.opencontainers.image.source=https://github.com/mvisonneau/vac 48 | - --label=org.opencontainers.image.version={{ .Version }} 49 | - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }} 50 | - --label=org.opencontainers.image.revision={{ .FullCommit }} 51 | - --label=org.opencontainers.image.licenses=Apache-2.0 52 | 53 | - image_templates: 54 | - docker.io/mvisonneau/vac:latest-arm64 55 | - ghcr.io/mvisonneau/vac:latest-arm64 56 | - quay.io/mvisonneau/vac:latest-arm64 57 | ids: [vac] 58 | goarch: arm64 59 | use: buildx 60 | build_flag_templates: 61 | - --platform=linux/arm64 62 | - --label=org.opencontainers.image.title={{ .ProjectName }} 63 | - --label=org.opencontainers.image.description={{ .ProjectName }} 64 | - --label=org.opencontainers.image.url=https://github.com/mvisonneau/vac 65 | - --label=org.opencontainers.image.source=https://github.com/mvisonneau/vac 66 | - --label=org.opencontainers.image.version={{ .Version }} 67 | - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }} 68 | - --label=org.opencontainers.image.revision={{ .FullCommit }} 69 | - --label=org.opencontainers.image.licenses=Apache-2.0 70 | 71 | docker_manifests: 72 | - name_template: docker.io/mvisonneau/vac:latest 73 | image_templates: 74 | - docker.io/mvisonneau/vac:latest-amd64 75 | - docker.io/mvisonneau/vac:latest-arm64 76 | 77 | - name_template: ghcr.io/mvisonneau/vac:latest 78 | image_templates: 79 | - ghcr.io/mvisonneau/vac:latest-amd64 80 | - ghcr.io/mvisonneau/vac:latest-arm64 81 | 82 | - name_template: quay.io/mvisonneau/vac:latest 83 | image_templates: 84 | - quay.io/mvisonneau/vac:latest-amd64 85 | - quay.io/mvisonneau/vac:latest-arm64 86 | 87 | signs: 88 | - artifacts: checksum 89 | args: 90 | [ 91 | '-u', 92 | 'C09CA9F71C5C988E65E3E5FCADEA38EDC46F25BE', 93 | '--output', 94 | '${signature}', 95 | '--detach-sign', 96 | '${artifact}', 97 | ] 98 | 99 | checksum: 100 | name_template: '{{ .ProjectName }}_edge_sha512sums.txt' 101 | algorithm: sha512 102 | 103 | changelog: 104 | skip: true 105 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | before: 2 | hooks: 3 | - go mod download 4 | 5 | builds: 6 | - main: ./cmd/vac 7 | env: 8 | - CGO_ENABLED=0 9 | goos: 10 | - darwin 11 | - linux 12 | - windows 13 | goarch: 14 | - 386 15 | - amd64 16 | - arm64 17 | flags: 18 | - -trimpath 19 | ignore: 20 | - goos: darwin 21 | goarch: 386 22 | - goos: windows 23 | goarch: arm64 24 | 25 | archives: 26 | - name_template: '{{ .ProjectName }}_{{ .Tag }}_{{ .Os }}_{{ .Arch }}' 27 | format_overrides: 28 | - goos: windows 29 | format: zip 30 | 31 | nfpms: 32 | - maintainer: &author Maxime VISONNEAU 33 | description: &description VAC - Vault AWS Credentials Manager 34 | license: &license Apache-2.0 35 | homepage: &homepage https://github.com/mvisonneau/vac 36 | vendor: *author 37 | file_name_template: '{{ .ProjectName }}_{{ .Tag }}_{{ .Os }}_{{ .Arch }}' 38 | formats: 39 | - deb 40 | - rpm 41 | 42 | brews: 43 | - description: *description 44 | homepage: *homepage 45 | folder: Formula 46 | tap: 47 | owner: mvisonneau 48 | name: homebrew-tap 49 | 50 | scoop: 51 | description: *description 52 | homepage: *homepage 53 | license: *license 54 | bucket: 55 | owner: mvisonneau 56 | name: scoops 57 | 58 | dockers: 59 | - image_templates: 60 | - 'docker.io/mvisonneau/vac:{{ .Tag }}-amd64' 61 | - 'ghcr.io/mvisonneau/vac:{{ .Tag }}-amd64' 62 | - 'quay.io/mvisonneau/vac:{{ .Tag }}-amd64' 63 | ids: [vac] 64 | goarch: amd64 65 | use: buildx 66 | build_flag_templates: 67 | - --platform=linux/amd64 68 | - --label=org.opencontainers.image.title={{ .ProjectName }} 69 | - --label=org.opencontainers.image.description={{ .ProjectName }} 70 | - --label=org.opencontainers.image.url=https://github.com/mvisonneau/vac 71 | - --label=org.opencontainers.image.source=https://github.com/mvisonneau/vac 72 | - --label=org.opencontainers.image.version={{ .Version }} 73 | - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }} 74 | - --label=org.opencontainers.image.revision={{ .FullCommit }} 75 | - --label=org.opencontainers.image.licenses=Apache-2.0 76 | 77 | - image_templates: 78 | - 'docker.io/mvisonneau/vac:{{ .Tag }}-arm64' 79 | - 'ghcr.io/mvisonneau/vac:{{ .Tag }}-arm64' 80 | - 'quay.io/mvisonneau/vac:{{ .Tag }}-arm64' 81 | ids: [vac] 82 | goarch: arm64 83 | use: buildx 84 | build_flag_templates: 85 | - --platform=linux/arm64 86 | - --label=org.opencontainers.image.title={{ .ProjectName }} 87 | - --label=org.opencontainers.image.description={{ .ProjectName }} 88 | - --label=org.opencontainers.image.url=https://github.com/mvisonneau/vac 89 | - --label=org.opencontainers.image.source=https://github.com/mvisonneau/vac 90 | - --label=org.opencontainers.image.version={{ .Version }} 91 | - --label=org.opencontainers.image.created={{ time "2006-01-02T15:04:05Z07:00" }} 92 | - --label=org.opencontainers.image.revision={{ .FullCommit }} 93 | - --label=org.opencontainers.image.licenses=Apache-2.0 94 | 95 | docker_manifests: 96 | - name_template: docker.io/mvisonneau/vac:{{ .Tag }} 97 | image_templates: 98 | - docker.io/mvisonneau/vac:{{ .Tag }}-amd64 99 | - docker.io/mvisonneau/vac:{{ .Tag }}-arm64 100 | 101 | - name_template: ghcr.io/mvisonneau/vac:{{ .Tag }} 102 | image_templates: 103 | - ghcr.io/mvisonneau/vac:{{ .Tag }}-amd64 104 | - ghcr.io/mvisonneau/vac:{{ .Tag }}-arm64 105 | 106 | - name_template: quay.io/mvisonneau/vac:{{ .Tag }} 107 | image_templates: 108 | - quay.io/mvisonneau/vac:{{ .Tag }}-amd64 109 | - quay.io/mvisonneau/vac:{{ .Tag }}-arm64 110 | 111 | checksum: 112 | name_template: '{{ .ProjectName }}_{{ .Tag }}_sha512sums.txt' 113 | algorithm: sha512 114 | 115 | signs: 116 | - artifacts: checksum 117 | args: 118 | [ 119 | '-u', 120 | 'C09CA9F71C5C988E65E3E5FCADEA38EDC46F25BE', 121 | '--output', 122 | '${signature}', 123 | '--detach-sign', 124 | '${artifact}', 125 | ] 126 | 127 | changelog: 128 | skip: true 129 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) 6 | and this project adheres to [0ver](https://0ver.org) (more or less). 7 | 8 | ## [Unreleased] 9 | 10 | ### Changed 11 | 12 | - Golang updated to `1.20` 13 | - Bumped all dependencies 14 | - internal/cli: enhanced flags implementation 15 | 16 | ## [v0.0.8] - 2021-11-15 17 | 18 | ### Added 19 | 20 | - Support for tokens containing a trailing `\n` 21 | 22 | ### Changed 23 | 24 | - Golang updated to `1.19` 25 | - Bumped all dependencies 26 | 27 | ## [v0.0.7] - 2021-02-11 28 | 29 | ### Added 30 | 31 | - Released container images over `quay.io` 32 | ### Changed 33 | 34 | - Bumped all dependencies 35 | 36 | ## [v0.0.6] - 2021-08-19 37 | 38 | ### Changed 39 | 40 | - Generate pre-releases on default branch pushes 41 | - Bumped go from **1.15** to **1.17** 42 | - Updated all dependencies to their latest versions 43 | - Release npm/deb packages correctly 44 | - Add support for Apple M1 silicon 45 | 46 | ## [v0.0.5] - 2020-12-17 47 | 48 | ### Added 49 | 50 | - Release GitHub container registry based images: [ghcr.io/mvisonneau/vac](https://github.com/users/mvisonneau/packages/container/package/vac) 51 | - Release `arm64v8` based container images as part of docker manifests in both **docker.io** and **ghcr.io** 52 | - GPG sign released artifacts checksums 53 | 54 | ### Changed 55 | 56 | - Prefix new releases with `^v` to make `pkg.go.dev` happy 57 | - Updated all dependencies 58 | - Migrated CI from Drone to GitHub actions 59 | 60 | ## [0.0.4] - 2020-10-22 61 | 62 | ### Changed 63 | 64 | - Refactored codebase following golang standard structure 65 | - Bumped all dependencies to their latest version 66 | - Bumped to go `1.15` 67 | 68 | ## [0.0.3] - 2020-09-03 69 | 70 | ### Added 71 | 72 | - securego/gosec tests 73 | 74 | ### Changed 75 | 76 | - Bumped golang to 1.15 77 | - Bumped goreleaser to 0.142.0 78 | - Bumped urfave/cli to v2 79 | 80 | ### Removed 81 | 82 | - Dropped support for darwin/386 83 | 84 | ## [0.0.2] - 2020-06-29 85 | 86 | ### Added 87 | 88 | - New `ttl`, `min-ttl` and `force-generate` flags on the **get** function to manipulate credentials lengths 89 | - New `status` function to disclose some info about the current context, cached credentials and Vault server connectivity 90 | 91 | ### Changed 92 | 93 | - Removed some typos in the CLI flags definition 94 | - Removed unused parameter RenewBefore on the AWSCredential objects 95 | - Added some tests 96 | 97 | ## [0.0.1] - 2020-06-26 98 | 99 | ### Added 100 | 101 | - Working state of the app 102 | - Makefile 103 | - LICENSE 104 | - README 105 | 106 | [Unreleased]: https://github.com/mvisonneau/vac/compare/v0.0.8...HEAD 107 | [v0.0.8]: https://github.com/mvisonneau/vac/tree/v0.0.8 108 | [v0.0.7]: https://github.com/mvisonneau/vac/tree/v0.0.7 109 | [v0.0.6]: https://github.com/mvisonneau/vac/tree/v0.0.6 110 | [v0.0.5]: https://github.com/mvisonneau/vac/tree/v0.0.5 111 | [0.0.4]: https://github.com/mvisonneau/vac/tree/0.0.4 112 | [0.0.3]: https://github.com/mvisonneau/vac/tree/0.0.3 113 | [0.0.2]: https://github.com/mvisonneau/vac/tree/0.0.2 114 | [0.0.1]: https://github.com/mvisonneau/vac/tree/0.0.1 115 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | ## 2 | # BUILD CONTAINER 3 | ## 4 | 5 | FROM alpine:3.21@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c as certs 6 | 7 | RUN \ 8 | apk add --no-cache ca-certificates 9 | 10 | ## 11 | # RELEASE CONTAINER 12 | ## 13 | 14 | FROM busybox:1.37-glibc@sha256:75ad89b4d27ba9abc38d495d4a89969b97ad47fd25b2f8eb959901dad09289f7 15 | 16 | WORKDIR / 17 | 18 | COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ 19 | COPY vac /usr/local/bin/ 20 | 21 | # Run as nobody user 22 | USER 65534 23 | 24 | EXPOSE 8080 25 | 26 | ENTRYPOINT ["/usr/local/bin/vac"] 27 | CMD [""] 28 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | https://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | Copyright 2020 - Maxime VISONNEAU 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | https://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | NAME := vac 2 | COVERAGE_FILE := coverage.out 3 | REPOSITORY := mvisonneau/$(NAME) 4 | .DEFAULT_GOAL := help 5 | 6 | .PHONY: fmt 7 | fmt: ## Format source code 8 | go run mvdan.cc/gofumpt@v0.6.0 -w $(shell git ls-files **/*.go) 9 | go run github.com/daixiang0/gci@v0.13.4 write -s standard -s default -s "prefix(github.com/mvisonneau)" . 10 | 11 | .PHONY: lint 12 | lint: ## Run all lint related tests upon the codebase 13 | go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.57.2 run -v --fast 14 | 15 | .PHONY: test 16 | test: ## Run the tests against the codebase 17 | @rm -rf $(COVERAGE_FILE) 18 | go test -v -count=1 -race ./... -coverprofile=$(COVERAGE_FILE) 19 | @go tool cover -func $(COVERAGE_FILE) | awk '/^total/ {print "coverage: " $$3}' 20 | 21 | .PHONY: coverage 22 | coverage: ## Prints coverage report 23 | go tool cover -func $(COVERAGE_FILE) 24 | 25 | .PHONY: install 26 | install: ## Build and install locally the binary (dev purpose) 27 | go install ./cmd/$(NAME) 28 | 29 | .PHONY: build 30 | build: ## Build the binaries using local GOOS 31 | go build ./cmd/$(NAME) 32 | 33 | .PHONY: release 34 | release: ## Build & release the binaries (stable) 35 | git tag -d edge 36 | go run github.com/goreleaser/goreleaser@v1.25.1 release --clean 37 | 38 | .PHONY: prerelease 39 | prerelease: ## Build & prerelease the binaries (edge) 40 | @\ 41 | REPOSITORY=$(REPOSITORY) \ 42 | NAME=$(NAME) \ 43 | GITHUB_TOKEN=$(GITHUB_TOKEN) \ 44 | .github/prerelease.sh 45 | 46 | .PHONY: clean 47 | clean: ## Remove binary if it exists 48 | rm -f $(NAME) 49 | 50 | .PHONY: all 51 | all: lint test build coverage ## Test, builds and ship package for all supported platforms 52 | 53 | .PHONY: help 54 | help: ## Displays this help 55 | @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 56 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # vac | AWS credentials management leveraging Vault 2 | 3 | [![PkgGoDev](https://pkg.go.dev/badge/github.com/mvisonneau/vac)](https://pkg.go.dev/mod/github.com/mvisonneau/vac) 4 | [![Go Report Card](https://goreportcard.com/badge/github.com/mvisonneau/vac)](https://goreportcard.com/report/github.com/mvisonneau/vac) 5 | [![test](https://github.com/mvisonneau/vac/actions/workflows/test.yml/badge.svg)](https://github.com/mvisonneau/vac/actions/workflows/test.yml) 6 | [![Coverage Status](https://coveralls.io/repos/github/mvisonneau/vac/badge.svg?branch=main)](https://coveralls.io/github/mvisonneau/vac?branch=main) 7 | [![release](https://github.com/mvisonneau/vac/actions/workflows/release.yml/badge.svg)](https://github.com/mvisonneau/vac/actions/workflows/release.yml) 8 | 9 | `vac` is a wrapper to manage AWS credentials dynamically using [Hashicorp Vault](https://www.vaultproject.io/). 10 | 11 | It is heavily inspired from [jantman/vault-aws-creds](https://github.com/jantman/vault-aws-creds) and [ahmetb/kubectx](https://github.com/ahmetb/kubectx). 12 | 13 | Written in golang, it can work on most common platforms (Linux, MacOS, Windows). 14 | 15 | It leverages the [external process sourcing](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html) capabilities of the AWS CLI config definition. 16 | 17 | [![asciicast](https://asciinema.org/a/343653.svg)](https://asciinema.org/a/343653?t=60) 18 | 19 | ## Install 20 | 21 | Have a look onto the [latest release page](https://github.com/mvisonneau/vac/releases/latest) and pick your flavor. 22 | 23 | Checksums are signed with the [following GPG key](https://keybase.io/mvisonneau/pgp_keys.asc): `C09C A9F7 1C5C 988E 65E3  E5FC ADEA 38ED C46F 25BE` 24 | 25 | ### Go 26 | 27 | ```bash 28 | ~$ go install github.com/mvisonneau/vac/cmd/vac@latest 29 | ``` 30 | 31 | ### Homebrew 32 | 33 | ```bash 34 | ~$ brew install mvisonneau/tap/vac 35 | ``` 36 | 37 | ### Docker 38 | 39 | ```bash 40 | ~$ docker run -it --rm docker.io/mvisonneau/vac 41 | ~$ docker run -it --rm ghcr.io/mvisonneau/vac 42 | ~$ docker run -it --rm quay.io/mvisonneau/vac 43 | ``` 44 | 45 | ### Scoop 46 | 47 | ```bash 48 | ~$ scoop bucket add https://github.com/mvisonneau/scoops 49 | ~$ scoop install vac 50 | ``` 51 | 52 | ### asdf 53 | 54 | ```bash 55 | ~$ asdf plugin add vac https://github.com/bodgit/asdf-vac.git 56 | ~$ asdf install vac latest 57 | ~$ asdf global vac latest 58 | ``` 59 | 60 | ### Binaries, DEB and RPM packages 61 | 62 | Have a look onto the [latest release page](https://github.com/mvisonneau/vac/releases/latest) to pick your flavor and version. Here is an helper to fetch the most recent one: 63 | 64 | ```bash 65 | ~$ export VAC_VERSION=$(curl -s "https://api.github.com/repos/mvisonneau/vac/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/') 66 | ``` 67 | 68 | ```bash 69 | # Binary (eg: linux/amd64) 70 | ~$ wget https://github.com/mvisonneau/vac/releases/download/${VAC_VERSION}/vac_${VAC_VERSION}_linux_amd64.tar.gz 71 | ~$ tar zxvf vac_${VAC_VERSION}_linux_amd64.tar.gz -C /usr/local/bin 72 | 73 | # DEB package (eg: linux/386) 74 | ~$ wget https://github.com/mvisonneau/vac/releases/download/${VAC_VERSION}/vac_${VAC_VERSION}_linux_386.deb 75 | ~$ dpkg -i vac_${VAC_VERSION}_linux_386.deb 76 | 77 | # RPM package (eg: linux/arm64) 78 | ~$ wget https://github.com/mvisonneau/vac/releases/download/${VAC_VERSION}/vac_${VAC_VERSION}_linux_arm64.rpm 79 | ~$ rpm -ivh vac_${VAC_VERSION}_linux_arm64.rpm 80 | ``` 81 | 82 | ## Quickstart 83 | 84 | - Once you have [installed it](#install), create a new profile in your `~/.aws/credentials` file: 85 | 86 | ```bash 87 | ~$ cat - <> ~/.aws/credentials 88 | 89 | [vac] 90 | credential_process = $(which vac) get 91 | EOF 92 | ``` 93 | 94 | - You will need to set the following env variable to use this profile 95 | 96 | ```bash 97 | ~$ export AWS_PROFILE=vac 98 | ``` 99 | 100 | (you can omit this part by using it as your default profile instead) 101 | 102 | - Finally assuming that you have sorted out your Vault accesses already, you need to chose which engine/role to use: 103 | 104 | ```bash 105 | ~$ vac 106 | [follow prompt] 107 | ``` 108 | 109 | ## Advanced usage 110 | 111 | ```bash 112 | ~$ vac --help 113 | NAME: 114 | vac - Manage AWS credentials dynamically using Vault 115 | 116 | USAGE: 117 | vac [global options] command [command options] [arguments...] 118 | 119 | COMMANDS: 120 | get get the creds in credential_process format (json) 121 | status returns some info about the current context, cached credentials and Vault server connectivity 122 | help, h Shows a list of commands or help for one command 123 | 124 | GLOBAL OPTIONS: 125 | --engine path, -e path engine path [$VAC_ENGINE] 126 | --role name, -r name role name [$VAC_ROLE] 127 | --state path, -s path state path (default: "~/.vac_state") [$VAC_STATE_PATH] 128 | --log-level level log level (debug,info,warn,fatal,panic) (default: "info") [$VAC_LOG_LEVEL] 129 | --log-format format log format (json,text) (default: "text") [$VAC_LOG_FORMAT] 130 | --help, -h show help 131 | ``` 132 | 133 | ### Static configuration 134 | 135 | You are forced to use the fuzzyfinding capabilities. This is particularily useful in a non-TTY usage scenario. eg: 136 | 137 | ```toml 138 | # ~/.aws/credentials 139 | [default] 140 | credential_process = /usr/local/bin/vac get 141 | [dev-admin] 142 | credential_process = /usr/local/bin/vac -e dev -r admin get 143 | [staging-admin] 144 | credential_process = /usr/local/bin/vac -e staging -r admin get 145 | ``` 146 | 147 | You can also dynamically switch your context without a prompt by doing the following: 148 | 149 | ```bash 150 | # only prompt for chosing a role in the "dev" engine 151 | ~$ vac -e dev 152 | 153 | # no prompt, automatically switch to "admin" role in the "dev" engine 154 | ~$ vac -e dev -r admin 155 | ``` 156 | 157 | ### TTL and cache bypass 158 | 159 | The `get` command can take various flags in order to manage the credentials TTLs but also when to refresh them: 160 | 161 | ```bash 162 | ~$ vac get --help 163 | NAME: 164 | vac get - get the creds in credential_process format (json) 165 | 166 | USAGE: 167 | vac get [command options] [arguments...] 168 | 169 | OPTIONS: 170 | --min-ttl duration min-ttl duration (default: 0s) [$VAC_MIN_TTL] 171 | --ttl duration, -t duration ttl duration (default: 0s) [$VAC_TTL] 172 | --force-generate, -f bypass currently cached creds and generate new ones [$VAC_FORCE_GENERATE] 173 | ``` 174 | 175 | #### Examples 176 | 177 | ```bash 178 | # Generate credentials valid for 1h 179 | ~$ vac get --ttl 1h 180 | 181 | # Generate credentials valid for 1h but replace them if existing ones expire in less than 30m 182 | ~$ vac get --ttl 1h --min-ttl 30m 183 | 184 | # Generate credentials valid for 2h, indepently if some valid ones are still present in the cache 185 | ~$ vac get --ttl 2 -f 186 | ``` 187 | 188 | you can of course define them in your `~/.aws/credentials` profiles as well 189 | 190 | ```bash 191 | ~$ cat - <> ~/.aws/credentials 192 | [vac-4h] 193 | credential_process = $(which vac) get --ttl 4h 194 | [vac-no-cache] 195 | credential_process = $(which vac) get -f 196 | EOF 197 | ``` 198 | 199 | ### Get information about current configuration 200 | 201 | You can use the `status` command in order to retrieve some info about: 202 | 203 | - Current context (selected engine/role) 204 | - Cached credentials 205 | - Vault server connectivity details 206 | 207 | ``` 208 | ~$ vac status 209 | +----------------+---------------------+ 210 | | LOCAL STATE | | 211 | +----------------+---------------------+ 212 | | Current Engine | dev | 213 | | Current Role | admin | 214 | +----------------+---------------------+ 215 | +-----------+--------+---------------+ 216 | | ENGINE | ROLE | EXPIRATION | 217 | +-----------+--------+---------------+ 218 | | dev | admin | in 2 hours | 219 | | prod | admin | 2 days ago | 220 | | staging | admin | 2 days ago | 221 | +-----------+--------+---------------+ 222 | +-------------+--------------------------------------+ 223 | | VAULT | | 224 | +-------------+--------------------------------------+ 225 | | ClusterID | 0e6b2fcd-e84b-a7cd-f84d-6b31947a8d73 | 226 | | ClusterName | vault-cluster-90f72c95 | 227 | | Initialized | true | 228 | | Sealed | false | 229 | | Version | 1.5.3 | 230 | +-------------+--------------------------------------+ 231 | ``` 232 | 233 | ## Required Vault policies 234 | 235 | To be able to use all the lookup features, you will need some 236 | 237 | ```hcl 238 | # List available AWS engines 239 | path "sys/mounts" { 240 | capabilities = ["read"] 241 | } 242 | 243 | # List all the roles for each 244 | # path "/roles" { 245 | # capabilities = ["list"] 246 | # } 247 | # eg: 248 | path "dev/roles" { 249 | capabilities = ["list"] 250 | } 251 | 252 | path "staging/roles" { 253 | capabilities = ["list"] 254 | } 255 | 256 | # Assume the role 257 | # path "/sts/" { 258 | # capabilities = ["update"] 259 | # } 260 | # eg: 261 | 262 | path "dev/sts/admin" { 263 | capabilities = ["update"] 264 | } 265 | 266 | path "staging/sts/admin" { 267 | capabilities = ["update"] 268 | } 269 | ``` 270 | 271 | ## Limitations 272 | 273 | - It currently **only supports** authenticating using STS [assumed_role](https://www.vaultproject.io/docs/secrets/aws#sts-assumerole) or [federation_tokens](https://www.vaultproject.io/docs/secrets/aws#sts-federation-tokens) methods. 274 | - It will list all available engines and roles according to the defined policies. This result may not be relevant to what an user can actually assume. 275 | 276 | ## Contribute 277 | 278 | Contributions are more than welcome! Feel free to submit a [PR](https://github.com/mvisonneau/vac/pulls). 279 | -------------------------------------------------------------------------------- /cmd/vac/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "os" 5 | 6 | "github.com/mvisonneau/vac/internal/cli" 7 | ) 8 | 9 | var version = "" 10 | 11 | func main() { 12 | cli.Run(version, os.Args) 13 | } 14 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/mvisonneau/vac 2 | 3 | go 1.23 4 | 5 | require ( 6 | github.com/gofrs/flock v0.12.1 7 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 8 | github.com/hashicorp/vault/api v1.16.0 9 | github.com/ktr0731/go-fuzzyfinder v0.8.0 10 | github.com/mitchellh/go-homedir v1.1.0 11 | github.com/mvisonneau/go-helpers v0.0.1 12 | github.com/olekukonko/tablewriter v0.0.5 13 | github.com/pkg/errors v0.9.1 14 | github.com/sirupsen/logrus v1.9.3 15 | github.com/stretchr/testify v1.10.0 16 | github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 17 | github.com/urfave/cli/v2 v2.27.6 18 | github.com/xeonx/timeago v1.0.0-rc5 19 | ) 20 | 21 | require ( 22 | github.com/cenkalti/backoff/v4 v4.3.0 // indirect 23 | github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect 24 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 25 | github.com/gdamore/encoding v1.0.1 // indirect 26 | github.com/gdamore/tcell/v2 v2.7.4 // indirect 27 | github.com/go-jose/go-jose/v4 v4.0.5 // indirect 28 | github.com/go-test/deep v1.1.0 // indirect 29 | github.com/hashicorp/errwrap v1.1.0 // indirect 30 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 31 | github.com/hashicorp/go-multierror v1.1.1 // indirect 32 | github.com/hashicorp/go-retryablehttp v0.7.7 // indirect 33 | github.com/hashicorp/go-rootcerts v1.0.2 // indirect 34 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect 35 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect 36 | github.com/hashicorp/go-sockaddr v1.0.6 // indirect 37 | github.com/hashicorp/hcl v1.0.1-vault-5 // indirect 38 | github.com/kr/text v0.2.0 // indirect 39 | github.com/ktr0731/go-ansisgr v0.1.0 // indirect 40 | github.com/lucasb-eyer/go-colorful v1.2.0 // indirect 41 | github.com/mattn/go-runewidth v0.0.16 // indirect 42 | github.com/mitchellh/mapstructure v1.5.0 // indirect 43 | github.com/nsf/termbox-go v1.1.1 // indirect 44 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 45 | github.com/rivo/uniseg v0.4.7 // indirect 46 | github.com/rogpeppe/go-internal v1.13.1 // indirect 47 | github.com/russross/blackfriday/v2 v2.1.0 // indirect 48 | github.com/ryanuber/go-glob v1.0.0 // indirect 49 | github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect 50 | golang.org/x/crypto v0.32.0 // indirect 51 | golang.org/x/net v0.34.0 // indirect 52 | golang.org/x/sys v0.29.0 // indirect 53 | golang.org/x/term v0.28.0 // indirect 54 | golang.org/x/text v0.21.0 // indirect 55 | golang.org/x/time v0.5.0 // indirect 56 | gopkg.in/yaml.v3 v3.0.1 // indirect 57 | ) 58 | 59 | replace github.com/ktr0731/go-fuzzyfinder => github.com/mvisonneau/go-fuzzyfinder v0.8.1-0.20240927094255-d19e2c0fdc28 60 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= 2 | github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= 3 | github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= 4 | github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= 5 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 6 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 7 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 8 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 9 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 10 | github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= 11 | github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= 12 | github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg= 13 | github.com/gdamore/encoding v1.0.1 h1:YzKZckdBL6jVt2Gc+5p82qhrGiqMdG/eNs6Wy0u3Uhw= 14 | github.com/gdamore/encoding v1.0.1/go.mod h1:0Z0cMFinngz9kS1QfMjCP8TY7em3bZYeeklsSDPivEo= 15 | github.com/gdamore/tcell/v2 v2.6.0/go.mod h1:be9omFATkdr0D9qewWW3d+MEvl5dha+Etb5y65J2H8Y= 16 | github.com/gdamore/tcell/v2 v2.7.4 h1:sg6/UnTM9jGpZU+oFYAsDahfchWAFW8Xx2yFinNSAYU= 17 | github.com/gdamore/tcell/v2 v2.7.4/go.mod h1:dSXtXTSK0VsW1biw65DZLZ2NKr7j0qP/0J7ONmsraWg= 18 | github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE= 19 | github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA= 20 | github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= 21 | github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= 22 | github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E= 23 | github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0= 24 | github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= 25 | github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 26 | github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= 27 | github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 28 | github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 29 | github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= 30 | github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 31 | github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= 32 | github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= 33 | github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= 34 | github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= 35 | github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= 36 | github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= 37 | github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= 38 | github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= 39 | github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= 40 | github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= 41 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.3 h1:kH3Rhiht36xhAfhuHyWJDgdXXEx9IIZhDGRk24CDhzg= 42 | github.com/hashicorp/go-secure-stdlib/mlock v0.1.3/go.mod h1:ov1Q0oEDjC3+A4BwsG2YdKltrmEw8sf9Pau4V9JQ4Vo= 43 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 h1:iBt4Ew4XEGLfh6/bPk4rSYmuZJGizr6/x/AEizP0CQc= 44 | github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8/go.mod h1:aiJI+PIApBRQG7FZTEBx5GiiX+HbOHilUdNxUZi4eV0= 45 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= 46 | github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= 47 | github.com/hashicorp/go-sockaddr v1.0.6 h1:RSG8rKU28VTUTvEKghe5gIhIQpv8evvNpnDEyqO4u9I= 48 | github.com/hashicorp/go-sockaddr v1.0.6/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI= 49 | github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= 50 | github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= 51 | github.com/hashicorp/vault/api v1.16.0 h1:nbEYGJiAPGzT9U4oWgaaB0g+Rj8E59QuHKyA5LhwQN4= 52 | github.com/hashicorp/vault/api v1.16.0/go.mod h1:KhuUhzOD8lDSk29AtzNjgAu2kxRA9jL9NAbkFlqvkBA= 53 | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 54 | github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 55 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 56 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 57 | github.com/ktr0731/go-ansisgr v0.1.0 h1:fbuupput8739hQbEmZn1cEKjqQFwtCCZNznnF6ANo5w= 58 | github.com/ktr0731/go-ansisgr v0.1.0/go.mod h1:G9lxwgBwH0iey0Dw5YQd7n6PmQTwTuTM/X5Sgm/UrzE= 59 | github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= 60 | github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= 61 | github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= 62 | github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= 63 | github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= 64 | github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= 65 | github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= 66 | github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= 67 | github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= 68 | github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= 69 | github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= 70 | github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= 71 | github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= 72 | github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= 73 | github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= 74 | github.com/mvisonneau/go-fuzzyfinder v0.8.1-0.20240927094255-d19e2c0fdc28 h1:8k0Ktp/P9mhF4Bnr0rJNjXdaHv4dYhpthOfHLLxJ95U= 75 | github.com/mvisonneau/go-fuzzyfinder v0.8.1-0.20240927094255-d19e2c0fdc28/go.mod h1:yYP1wcX0ep5B7nLvMJQpQDkNSz9XZNrFrfcFtXZQg4w= 76 | github.com/mvisonneau/go-helpers v0.0.1 h1:jp/eaRBixQeCwILkqSDlNIAtRjBdRR3AENTxx5Ts04Y= 77 | github.com/mvisonneau/go-helpers v0.0.1/go.mod h1:9gxWJlesYQqoVW4jj+okotqvG5CB8BfLD06UbyyfKZA= 78 | github.com/nsf/termbox-go v1.1.1 h1:nksUPLCb73Q++DwbYUBEglYBRPZyoXJdrj5L+TkjyZY= 79 | github.com/nsf/termbox-go v1.1.1/go.mod h1:T0cTdVuOwf7pHQNtfhnEbzHbcNyCEcVU4YPpouCbVxo= 80 | github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= 81 | github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= 82 | github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 83 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 84 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 85 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= 86 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 87 | github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= 88 | github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 89 | github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= 90 | github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= 91 | github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= 92 | github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= 93 | github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= 94 | github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 95 | github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= 96 | github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= 97 | github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 98 | github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= 99 | github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 100 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 101 | github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 102 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 103 | github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 104 | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= 105 | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 106 | github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI= 107 | github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= 108 | github.com/urfave/cli/v2 v2.27.6 h1:VdRdS98FNhKZ8/Az8B7MTyGQmpIr36O1EHybx/LaZ4g= 109 | github.com/urfave/cli/v2 v2.27.6/go.mod h1:3Sevf16NykTbInEnD0yKkjDAeZDS0A6bzhBH5hrMvTQ= 110 | github.com/xeonx/timeago v1.0.0-rc5 h1:pwcQGpaH3eLfPtXeyPA4DmHWjoQt0Ea7/++FwpxqLxg= 111 | github.com/xeonx/timeago v1.0.0-rc5/go.mod h1:qDLrYEFynLO7y5Ho7w3GwgtYgpy5UfhcXIIQvMKVDkA= 112 | github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGCjxCBTO/36wtF6j2nSip77qHd4x4= 113 | github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM= 114 | github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 115 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 116 | golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 117 | golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc= 118 | golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc= 119 | golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 120 | golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= 121 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 122 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 123 | golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 124 | golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 125 | golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0= 126 | golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k= 127 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 128 | golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 129 | golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 130 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 131 | golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 132 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 133 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 134 | golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 135 | golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 136 | golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 137 | golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 138 | golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 139 | golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 140 | golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU= 141 | golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 142 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 143 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 144 | golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= 145 | golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= 146 | golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg= 147 | golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= 148 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 149 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 150 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 151 | golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 152 | golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= 153 | golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= 154 | golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= 155 | golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= 156 | golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= 157 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 158 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 159 | golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 160 | golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= 161 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 162 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 163 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 164 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 165 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 166 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 167 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 168 | -------------------------------------------------------------------------------- /internal/cli/cli.go: -------------------------------------------------------------------------------- 1 | package cli 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | "time" 7 | 8 | cli "github.com/urfave/cli/v2" 9 | 10 | "github.com/mvisonneau/vac/internal/cli/flags" 11 | "github.com/mvisonneau/vac/internal/cmd" 12 | ) 13 | 14 | // Run handles the instanciation of the CLI application 15 | func Run(version string, args []string) { 16 | err := NewApp(version, time.Now()).Run(args) 17 | if err != nil { 18 | fmt.Println(err) 19 | os.Exit(1) 20 | } 21 | } 22 | 23 | // NewApp configures the CLI application 24 | func NewApp(version string, start time.Time) (app *cli.App) { 25 | app = cli.NewApp() 26 | app.Name = "vac" 27 | app.Version = version 28 | app.Usage = "Manage AWS credentials dynamically using Vault" 29 | app.EnableBashCompletion = true 30 | 31 | app.Flags = cli.FlagsByName{ 32 | flags.Engine, 33 | flags.LogFormat, 34 | flags.LogLevel, 35 | flags.Role, 36 | flags.State, 37 | } 38 | 39 | app.Action = cmd.ExecWrapper(cmd.Switch) 40 | 41 | app.Commands = cli.CommandsByName{ 42 | { 43 | Name: "get", 44 | Usage: "get the creds in credential_process format (json)", 45 | Action: cmd.ExecWrapper(cmd.Get), 46 | Flags: cli.FlagsByName{ 47 | flags.ForceGenerate, 48 | flags.MinTTL, 49 | flags.TTL, 50 | }, 51 | }, 52 | { 53 | Name: "status", 54 | Usage: "returns some info about the current context, cached credentials and Vault server connectivity", 55 | Action: cmd.ExecWrapper(cmd.Status), 56 | }, 57 | } 58 | 59 | app.Metadata = map[string]interface{}{ 60 | "startTime": start, 61 | } 62 | 63 | return 64 | } 65 | -------------------------------------------------------------------------------- /internal/cli/cli_test.go: -------------------------------------------------------------------------------- 1 | package cli 2 | 3 | import ( 4 | "testing" 5 | "time" 6 | 7 | "github.com/stretchr/testify/assert" 8 | ) 9 | 10 | func TestRun(t *testing.T) { 11 | assert.NotPanics(t, func() { Run("0.0.0", []string{"vac", "--version"}) }) 12 | } 13 | 14 | func TestNewApp(t *testing.T) { 15 | app := NewApp("0.0.0", time.Now()) 16 | assert.Equal(t, "vac", app.Name) 17 | assert.Equal(t, "0.0.0", app.Version) 18 | } 19 | -------------------------------------------------------------------------------- /internal/cli/flags/flags.go: -------------------------------------------------------------------------------- 1 | package flags 2 | 3 | import "github.com/urfave/cli/v2" 4 | 5 | var ( 6 | Engine = &cli.StringFlag{ 7 | Name: "engine", 8 | Aliases: []string{"e"}, 9 | EnvVars: []string{"VAC_ENGINE"}, 10 | Usage: "engine `path`", 11 | } 12 | 13 | ForceGenerate = &cli.BoolFlag{ 14 | Name: "force-generate", 15 | Aliases: []string{"f"}, 16 | EnvVars: []string{"VAC_FORCE_GENERATE"}, 17 | Usage: "bypass currently cached creds and generate new ones", 18 | } 19 | 20 | LogFormat = &cli.StringFlag{ 21 | Name: "log-format", 22 | EnvVars: []string{"VAC_LOG_FORMAT"}, 23 | Usage: "log `format` (json,text)", 24 | Value: "text", 25 | } 26 | 27 | LogLevel = &cli.StringFlag{ 28 | Name: "log-level", 29 | EnvVars: []string{"VAC_LOG_LEVEL"}, 30 | Usage: "log `level` (debug,info,warn,fatal,panic)", 31 | Value: "info", 32 | } 33 | 34 | MinTTL = &cli.DurationFlag{ 35 | Name: "min-ttl", 36 | EnvVars: []string{"VAC_MIN_TTL"}, 37 | Usage: "min-ttl `duration`", 38 | Value: 0, 39 | } 40 | 41 | Role = &cli.StringFlag{ 42 | Name: "role", 43 | Aliases: []string{"r"}, 44 | EnvVars: []string{"VAC_ROLE"}, 45 | Usage: "role `name`", 46 | } 47 | 48 | State = &cli.StringFlag{ 49 | Name: "state", 50 | Aliases: []string{"s"}, 51 | EnvVars: []string{"VAC_STATE_PATH"}, 52 | Usage: "state `path`", 53 | Value: "~/.vac_state", 54 | } 55 | 56 | TTL = &cli.DurationFlag{ 57 | Name: "ttl", 58 | Aliases: []string{"t"}, 59 | EnvVars: []string{"VAC_TTL"}, 60 | Usage: "ttl `duration`", 61 | Value: 0, 62 | } 63 | ) 64 | -------------------------------------------------------------------------------- /internal/cmd/get.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "time" 7 | 8 | log "github.com/sirupsen/logrus" 9 | cli "github.com/urfave/cli/v2" 10 | 11 | "github.com/mvisonneau/vac/internal/cli/flags" 12 | "github.com/mvisonneau/vac/pkg/client" 13 | "github.com/mvisonneau/vac/pkg/state" 14 | ) 15 | 16 | // Output .. 17 | type Output struct { 18 | Version int 19 | AccessKeyID string `json:"AccessKeyId"` 20 | SecretAccessKey string 21 | SessionToken string 22 | Expiration time.Time 23 | } 24 | 25 | // GetConfig .. 26 | type GetConfig struct { 27 | *Config 28 | TTL time.Duration 29 | MinTTL time.Duration 30 | ForceGenerate bool 31 | } 32 | 33 | // Get the credentials from Vault or statefile 34 | func Get(ctx *cli.Context) (int, error) { 35 | globalCfg, err := configure(ctx) 36 | if err != nil { 37 | return 1, err 38 | } 39 | 40 | cfg := &GetConfig{ 41 | Config: globalCfg, 42 | TTL: flags.TTL.Get(ctx), 43 | MinTTL: flags.MinTTL.Get(ctx), 44 | ForceGenerate: flags.ForceGenerate.Get(ctx), 45 | } 46 | 47 | if cfg.TTL > 0 && cfg.MinTTL > cfg.TTL { 48 | return 1, fmt.Errorf("'min-ttl' cannot be longer than 'ttl'") 49 | } 50 | 51 | vac, err := client.New() 52 | if err != nil { 53 | return 1, err 54 | } 55 | 56 | locked, unlock, err := fileLock(cfg.LockPath) 57 | if err != nil { 58 | return 1, err 59 | } 60 | if locked { 61 | defer unlock() 62 | } 63 | 64 | s, err := state.Read(cfg.StatePath) 65 | if err != nil { 66 | return 1, err 67 | } 68 | 69 | // Check if a engine is currently selected 70 | if (s.Current.Engine == "" && cfg.Engine == "") || 71 | (s.Current.Role == "" && cfg.Role == "") { 72 | if code, err := Switch(ctx); code != 0 { 73 | return code, err 74 | } 75 | // Reload the state 76 | s, err = state.Read(cfg.StatePath) 77 | if err != nil { 78 | return 1, err 79 | } 80 | } 81 | 82 | var engine, role string 83 | if cfg.Engine != "" { 84 | engine = cfg.Engine 85 | } else { 86 | engine = s.Current.Engine 87 | } 88 | 89 | if cfg.Role != "" { 90 | role = cfg.Role 91 | } else { 92 | role = s.Current.Role 93 | } 94 | 95 | creds := s.GetAWSCredentials(engine, role) 96 | if shouldRegenerateCreds(creds, cfg.MinTTL, cfg.ForceGenerate) { 97 | creds, err = vac.GenerateAWSCredentials(engine, role, cfg.TTL) 98 | if err != nil { 99 | return 1, err 100 | } 101 | 102 | s.SetAWSCredentials(engine, role, creds) 103 | if err = state.Write(s, cfg.StatePath); err != nil { 104 | return 1, err 105 | } 106 | } 107 | 108 | o := Output{ 109 | Version: 1, 110 | AccessKeyID: creds.AccessKeyID, 111 | SecretAccessKey: creds.SecretAccessKey, 112 | SessionToken: creds.SecurityToken, 113 | Expiration: creds.Metadata.ExpireAt, 114 | } 115 | 116 | outputBytes, err := json.Marshal(o) 117 | if err != nil { 118 | return 1, err 119 | } 120 | 121 | fmt.Println(string(outputBytes)) 122 | return 0, nil 123 | } 124 | 125 | func shouldRegenerateCreds(creds *client.AWSCredentials, minTTL time.Duration, forceGenerate bool) bool { 126 | if creds == nil { 127 | log.Debug("no cached credentials found, generating new ones") 128 | return true 129 | } 130 | 131 | if time.Now().After(creds.Metadata.ExpireAt) { 132 | log.Debug("cached credentials expired, generating new ones") 133 | return true 134 | } 135 | 136 | if minTTL > 0 && time.Now().Add(minTTL).After(creds.Metadata.ExpireAt) { 137 | log.Debug("cached credentials expiring before the defined minimum TTL, generating new ones") 138 | return true 139 | } 140 | 141 | if forceGenerate { 142 | log.Debug("valid creds found but force-generate flag is set, generating new ones") 143 | return true 144 | } 145 | 146 | log.Debug("using cached credentials") 147 | return false 148 | } 149 | -------------------------------------------------------------------------------- /internal/cmd/get_test.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | // TODO: Implement 4 | -------------------------------------------------------------------------------- /internal/cmd/status.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "os" 5 | "strconv" 6 | "time" 7 | 8 | "github.com/olekukonko/tablewriter" 9 | cli "github.com/urfave/cli/v2" 10 | "github.com/xeonx/timeago" 11 | 12 | "github.com/mvisonneau/vac/pkg/client" 13 | "github.com/mvisonneau/vac/pkg/state" 14 | ) 15 | 16 | // Status .. 17 | func Status(ctx *cli.Context) (int, error) { 18 | cfg, err := configure(ctx) 19 | if err != nil { 20 | return 1, err 21 | } 22 | 23 | vac, err := client.New() 24 | if err != nil { 25 | return 1, err 26 | } 27 | 28 | locked, unlock, err := fileLock(cfg.LockPath) 29 | if err != nil { 30 | return 1, err 31 | } 32 | if locked { 33 | defer unlock() 34 | } 35 | 36 | s, err := state.Read(cfg.StatePath) 37 | if err != nil { 38 | return 1, err 39 | } 40 | 41 | stateOutput := [][]string{ 42 | {"Current Engine", s.Current.Engine}, 43 | {"Current Role", s.Current.Role}, 44 | } 45 | 46 | stateTable := tablewriter.NewWriter(os.Stdout) 47 | stateTable.SetHeader([]string{"LOCAL STATE"}) 48 | stateTable.AppendBulk(stateOutput) 49 | stateTable.Render() 50 | 51 | // Credentials info 52 | credsTable := tablewriter.NewWriter(os.Stdout) 53 | credsTable.SetHeader([]string{"ENGINE", "ROLE", "EXPIRATION"}) 54 | 55 | for _, engine := range s.GetCachedEngines() { 56 | for _, role := range s.GetCachedEngineRoles(engine) { 57 | creds := s.AWSCredentials[engine][role] 58 | var color int 59 | if creds.Metadata.ExpireAt.After(time.Now().Add(time.Minute * 5)) { 60 | color = tablewriter.FgGreenColor 61 | } else if creds.Metadata.ExpireAt.After(time.Now()) { 62 | color = tablewriter.FgYellowColor 63 | } else { 64 | color = tablewriter.FgRedColor 65 | } 66 | 67 | credsTable.Rich( 68 | []string{ 69 | engine, 70 | role, 71 | timeago.English.Format(creds.Metadata.ExpireAt), 72 | }, 73 | []tablewriter.Colors{ 74 | {}, 75 | {}, 76 | {color}, 77 | }, 78 | ) 79 | } 80 | } 81 | 82 | if credsTable.NumLines() > 0 { 83 | credsTable.Render() 84 | } 85 | 86 | // Vault status 87 | health, err := vac.Sys().Health() 88 | if err != nil { 89 | return 1, err 90 | } 91 | 92 | vaultOutput := [][]string{ 93 | {"ClusterID", health.ClusterID}, 94 | {"ClusterName", health.ClusterName}, 95 | {"Initialized", strconv.FormatBool(health.Initialized)}, 96 | {"Sealed", strconv.FormatBool(health.Sealed)}, 97 | {"Version", health.Version}, 98 | } 99 | 100 | vaultTable := tablewriter.NewWriter(os.Stdout) 101 | vaultTable.SetHeader([]string{"VAULT"}) 102 | vaultTable.AppendBulk(vaultOutput) 103 | vaultTable.Render() 104 | 105 | return 0, nil 106 | } 107 | -------------------------------------------------------------------------------- /internal/cmd/status_test.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | // TODO: Implement 4 | -------------------------------------------------------------------------------- /internal/cmd/switch.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "github.com/ktr0731/go-fuzzyfinder" 5 | log "github.com/sirupsen/logrus" 6 | cli "github.com/urfave/cli/v2" 7 | 8 | "github.com/mvisonneau/vac/pkg/client" 9 | "github.com/mvisonneau/vac/pkg/state" 10 | ) 11 | 12 | // Switch .. 13 | func Switch(ctx *cli.Context) (int, error) { 14 | cfg, err := configure(ctx) 15 | if err != nil { 16 | return 1, err 17 | } 18 | 19 | vac, err := client.New() 20 | if err != nil { 21 | return 1, err 22 | } 23 | 24 | locked, unlock, err := fileLock(cfg.LockPath) 25 | if err != nil { 26 | return 1, err 27 | } 28 | if locked { 29 | defer unlock() 30 | } 31 | 32 | s, err := state.Read(cfg.StatePath) 33 | if err != nil { 34 | return 1, err 35 | } 36 | 37 | if cfg.Engine == "" { 38 | awsSecretEngines, err := vac.ListAWSSecretEngines() 39 | if err != nil { 40 | log.Fatal(err) 41 | } 42 | 43 | selectedAWSSecretEngineID, err := fuzzyfinder.Find( 44 | awsSecretEngines, 45 | func(i int) string { 46 | return awsSecretEngines[i] 47 | }, 48 | fuzzyfinder.WithDefaultIndex(indexOf(s.Current.Engine, awsSecretEngines)), 49 | ) 50 | if err != nil { 51 | return 1, err 52 | } 53 | s.SetCurrentEngine(awsSecretEngines[selectedAWSSecretEngineID]) 54 | } else { 55 | s.SetCurrentEngine(cfg.Engine) 56 | } 57 | 58 | if cfg.Role == "" { 59 | roles, err := vac.ListAWSSecretEngineRoles(s.Current.Engine) 60 | if err != nil { 61 | return 1, err 62 | } 63 | 64 | selectedRoleID, err := fuzzyfinder.Find( 65 | roles, 66 | func(i int) string { 67 | return roles[i] 68 | }, 69 | fuzzyfinder.WithDefaultIndex(indexOf(s.Current.Role, roles)), 70 | ) 71 | if err != nil { 72 | return 1, err 73 | } 74 | s.SetCurrentRole(roles[selectedRoleID]) 75 | } else { 76 | s.SetCurrentRole(cfg.Role) 77 | } 78 | 79 | // Write state on disk 80 | if err = state.Write(s, cfg.StatePath); err != nil { 81 | return 1, err 82 | } 83 | 84 | log.WithFields(log.Fields{ 85 | "engine": s.Current.Engine, 86 | "role": s.Current.Role, 87 | }).Debugf("updated current engine & role in statefile") 88 | 89 | return 0, nil 90 | } 91 | 92 | func indexOf(element string, data []string) int { 93 | for k, v := range data { 94 | if element == v { 95 | return k 96 | } 97 | } 98 | return -1 99 | } 100 | -------------------------------------------------------------------------------- /internal/cmd/switch_test.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | // TODO: Implement 4 | -------------------------------------------------------------------------------- /internal/cmd/utils.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "context" 5 | "fmt" 6 | "time" 7 | 8 | "github.com/gofrs/flock" 9 | "github.com/mitchellh/go-homedir" 10 | "github.com/pkg/errors" 11 | log "github.com/sirupsen/logrus" 12 | cli "github.com/urfave/cli/v2" 13 | 14 | "github.com/mvisonneau/go-helpers/logger" 15 | "github.com/mvisonneau/vac/internal/cli/flags" 16 | ) 17 | 18 | var start time.Time 19 | 20 | // Config .. 21 | type Config struct { 22 | Engine string 23 | Role string 24 | StatePath string 25 | LockPath string 26 | } 27 | 28 | func configure(ctx *cli.Context) (*Config, error) { 29 | start = ctx.App.Metadata["startTime"].(time.Time) 30 | 31 | if err := logger.Configure(logger.Config{ 32 | Format: flags.LogFormat.Get(ctx), 33 | Level: flags.LogLevel.Get(ctx), 34 | }); err != nil { 35 | return nil, errors.Wrap(err, "configuring logger") 36 | } 37 | 38 | statePath, err := homedir.Expand(flags.State.Get(ctx)) 39 | if err != nil { 40 | return nil, errors.Wrap(err, "expanding cache path value (go-homedir)") 41 | } 42 | 43 | return &Config{ 44 | Engine: flags.Engine.Get(ctx), 45 | Role: flags.Role.Get(ctx), 46 | StatePath: statePath, 47 | LockPath: fmt.Sprintf("%s.lock", statePath), 48 | }, nil 49 | } 50 | 51 | func exit(exitCode int, err error) cli.ExitCoder { 52 | defer log.WithFields( 53 | log.Fields{ 54 | "execution-time": time.Since(start), 55 | }, 56 | ).Debug("exited..") 57 | 58 | if err != nil { 59 | log.Error(err.Error()) 60 | } 61 | 62 | return cli.NewExitError("", exitCode) 63 | } 64 | 65 | func fileLock(filePath string) (bool, func() error, error) { 66 | lock := flock.New(filePath) 67 | ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) 68 | defer cancel() 69 | locked, err := lock.TryLockContext(ctx, time.Second) 70 | 71 | return locked, lock.Unlock, err 72 | } 73 | -------------------------------------------------------------------------------- /internal/cmd/utils_linux.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "fmt" 5 | 6 | "github.com/hashicorp/go-secure-stdlib/mlock" 7 | log "github.com/sirupsen/logrus" 8 | "github.com/syndtr/gocapability/capability" 9 | cli "github.com/urfave/cli/v2" 10 | ) 11 | 12 | // ExecWrapper mlocks the process memory (if supported) before our `run` functions, 13 | // and gracefully logs and exits afterwards. 14 | func ExecWrapper(f func(ctx *cli.Context) (int, error)) cli.ActionFunc { 15 | return func(ctx *cli.Context) error { 16 | caps, err := capability.NewPid2(0) 17 | if err != nil { 18 | return exit(1, fmt.Errorf("error getting capabilities: %w", err)) 19 | } 20 | 21 | if err = caps.Load(); err != nil { 22 | return exit(1, fmt.Errorf("error loading capabilities: %w", err)) 23 | } 24 | 25 | if caps.Get(capability.EFFECTIVE, capability.CAP_IPC_LOCK) { // mlock.Supported() is assumed 26 | if err = mlock.LockMemory(); err != nil { 27 | return exit(1, fmt.Errorf("error locking vac memory: %w", err)) 28 | } 29 | } else { 30 | log.Warn("unable to lock memory, missing CAP_IPC_LOCK capability") 31 | } 32 | 33 | return exit(f(ctx)) 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /internal/cmd/utils_other.go: -------------------------------------------------------------------------------- 1 | //go:build !linux 2 | // +build !linux 3 | 4 | package cmd 5 | 6 | import ( 7 | "fmt" 8 | 9 | "github.com/hashicorp/go-secure-stdlib/mlock" 10 | cli "github.com/urfave/cli/v2" 11 | ) 12 | 13 | // ExecWrapper mlocks the process memory (if supported) before our `run` functions, 14 | // and gracefully logs and exits afterwards. 15 | func ExecWrapper(f func(ctx *cli.Context) (int, error)) cli.ActionFunc { 16 | return func(ctx *cli.Context) error { 17 | if mlock.Supported() { 18 | if err := mlock.LockMemory(); err != nil { 19 | return exit(1, fmt.Errorf("error locking vac memory: %w", err)) 20 | } 21 | } 22 | 23 | return exit(f(ctx)) 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /internal/cmd/utils_test.go: -------------------------------------------------------------------------------- 1 | package cmd 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "math/rand" 7 | "os" 8 | "path/filepath" 9 | "testing" 10 | "time" 11 | 12 | "github.com/stretchr/testify/assert" 13 | cli "github.com/urfave/cli/v2" 14 | ) 15 | 16 | func NewTestContext() (ctx *cli.Context, flags, globalFlags *flag.FlagSet) { 17 | app := cli.NewApp() 18 | app.Name = "vac" 19 | 20 | app.Metadata = map[string]interface{}{ 21 | "startTime": time.Now(), 22 | } 23 | 24 | globalFlags = flag.NewFlagSet("test", flag.ContinueOnError) 25 | globalCtx := cli.NewContext(app, globalFlags, nil) 26 | 27 | flags = flag.NewFlagSet("test", flag.ContinueOnError) 28 | ctx = cli.NewContext(app, flags, globalCtx) 29 | 30 | globalFlags.String("log-level", "fatal", "") 31 | globalFlags.String("log-format", "text", "") 32 | 33 | return 34 | } 35 | 36 | func TestExit(t *testing.T) { 37 | err := exit(20, fmt.Errorf("test")) 38 | assert.Equal(t, "", err.Error()) 39 | assert.Equal(t, 20, err.ExitCode()) 40 | } 41 | 42 | const charSet = "abcdefghijklmnopqrstuvwxyz" 43 | 44 | func randString(strlen int) string { 45 | result := make([]byte, strlen) 46 | for i := 0; i < strlen; i++ { 47 | result[i] = charSet[rand.Intn(len(charSet))] //nolint:gosec 48 | } 49 | return string(result) 50 | } 51 | 52 | func TestFileLock(t *testing.T) { 53 | fp := filepath.Join(os.TempDir(), randString(8)) 54 | ok, unlock, err := fileLock(fp) 55 | assert.Nil(t, err) 56 | assert.True(t, ok) 57 | assert.FileExists(t, fp) 58 | defer os.Remove(fp) 59 | defer unlock() 60 | } 61 | -------------------------------------------------------------------------------- /pkg/client/client.go: -------------------------------------------------------------------------------- 1 | package client 2 | 3 | import ( 4 | vault "github.com/hashicorp/vault/api" 5 | "github.com/pkg/errors" 6 | ) 7 | 8 | // Client .. 9 | type Client struct { 10 | *vault.Client 11 | } 12 | 13 | // New .. 14 | func New() (*Client, error) { 15 | vault, err := getVaultClient() 16 | if err != nil { 17 | return nil, errors.Wrap(err, "initializing vault client") 18 | } 19 | return &Client{vault}, nil 20 | } 21 | -------------------------------------------------------------------------------- /pkg/client/client_test.go: -------------------------------------------------------------------------------- 1 | package client 2 | 3 | import ( 4 | "os" 5 | "testing" 6 | 7 | "github.com/stretchr/testify/assert" 8 | ) 9 | 10 | func TestNew(t *testing.T) { 11 | // Without initialization error 12 | os.Setenv("VAULT_ADDR", "http://localhost:8200") 13 | os.Setenv("VAULT_TOKEN", "s.xxxxxx") 14 | c, err := New() 15 | assert.Nil(t, err) 16 | assert.IsType(t, &Client{}, c) 17 | assert.NotNil(t, c) 18 | 19 | // With an initialization error 20 | os.Unsetenv("VAULT_ADDR") 21 | c, err = New() 22 | assert.Error(t, err, "initializing vault client: VAULT_ADDR env is not defined") 23 | assert.IsType(t, &Client{}, c) 24 | assert.Nil(t, c) 25 | } 26 | -------------------------------------------------------------------------------- /pkg/client/vault.go: -------------------------------------------------------------------------------- 1 | package client 2 | 3 | import ( 4 | "fmt" 5 | "io/ioutil" 6 | "os" 7 | "path/filepath" 8 | "strings" 9 | "time" 10 | 11 | vault "github.com/hashicorp/vault/api" 12 | "github.com/mitchellh/go-homedir" 13 | ) 14 | 15 | // AWSCredentials .. 16 | type AWSCredentials struct { 17 | Metadata struct { 18 | CreatedAt time.Time `json:"created_at"` 19 | ExpireAt time.Time `json:"expire_at"` 20 | } `json:"metadata"` 21 | AccessKeyID string `json:"access_key_id"` 22 | SecretAccessKey string `json:"secret_access_key"` 23 | SecurityToken string `json:"security_token"` 24 | } 25 | 26 | // getVaultClient : Get a Vault client using Vault official params 27 | func getVaultClient() (*vault.Client, error) { 28 | c, err := vault.NewClient(nil) 29 | if err != nil { 30 | return nil, fmt.Errorf("Error creating Vault client: %s", err.Error()) 31 | } 32 | 33 | if len(os.Getenv("VAULT_ADDR")) == 0 { 34 | return nil, fmt.Errorf("VAULT_ADDR env is not defined") 35 | } 36 | 37 | if err := c.SetAddress(os.Getenv("VAULT_ADDR")); err != nil { 38 | return nil, fmt.Errorf("error settings vault client addr: %w", err) 39 | } 40 | 41 | token := os.Getenv("VAULT_TOKEN") 42 | if len(token) == 0 { 43 | home, _ := homedir.Dir() 44 | f, err := ioutil.ReadFile(filepath.Clean(home + "/.vault-token")) 45 | if err != nil { 46 | return nil, fmt.Errorf("Vault token is not defined (VAULT_TOKEN or ~/.vault-token)") 47 | } 48 | 49 | // The vault client does not handle a trailing newline, so we ensure it 50 | // has been removed 51 | token = strings.TrimSuffix(string(f), "\n") 52 | } 53 | 54 | c.SetToken(token) 55 | 56 | return c, nil 57 | } 58 | 59 | // ListAWSSecretEngines .. 60 | func (c *Client) ListAWSSecretEngines() (engines []string, err error) { 61 | mounts, err := c.Sys().ListMounts() 62 | if err != nil { 63 | return 64 | } 65 | 66 | for mountName, mountSpec := range mounts { 67 | if mountSpec.Type == "aws" { 68 | engines = append(engines, strings.TrimSuffix(mountName, "/")) 69 | } 70 | } 71 | return 72 | } 73 | 74 | // ListAWSSecretEngineRoles .. 75 | func (c *Client) ListAWSSecretEngineRoles(awsSecretEngine string) (roles []string, err error) { 76 | var foundRoles *vault.Secret 77 | foundRoles, err = c.Logical().List(fmt.Sprintf("/%s/roles", awsSecretEngine)) 78 | if err != nil { 79 | return 80 | } 81 | 82 | if foundRoles != nil && foundRoles.Data != nil { 83 | if _, ok := foundRoles.Data["keys"]; ok { 84 | for _, role := range foundRoles.Data["keys"].([]interface{}) { 85 | roles = append(roles, role.(string)) 86 | } 87 | } 88 | } 89 | 90 | return 91 | } 92 | 93 | // GenerateAWSCredentials .. 94 | func (c *Client) GenerateAWSCredentials(secretEngineName, secretEngineRole string, ttl time.Duration) (creds *AWSCredentials, err error) { 95 | var output *vault.Secret 96 | payload := make(map[string]interface{}) 97 | if ttl > 0 { 98 | payload["ttl"] = ttl.Seconds() 99 | } 100 | output, err = c.Logical().Write(fmt.Sprintf("/%s/sts/%s", secretEngineName, secretEngineRole), payload) 101 | if err != nil { 102 | return 103 | } 104 | 105 | creds = &AWSCredentials{} 106 | creds.Metadata.CreatedAt = time.Now() 107 | 108 | if leaseDuration, err := time.ParseDuration(fmt.Sprintf("%ds", output.LeaseDuration)); err == nil { 109 | creds.Metadata.ExpireAt = creds.Metadata.CreatedAt.Add(leaseDuration) 110 | } else { 111 | return creds, err 112 | } 113 | 114 | if output != nil && output.Data != nil { 115 | if _, ok := output.Data["access_key"]; ok { 116 | creds.AccessKeyID = output.Data["access_key"].(string) 117 | } 118 | 119 | if _, ok := output.Data["secret_key"]; ok { 120 | creds.SecretAccessKey = output.Data["secret_key"].(string) 121 | } 122 | 123 | if _, ok := output.Data["security_token"]; ok { 124 | creds.SecurityToken = output.Data["security_token"].(string) 125 | } 126 | } 127 | 128 | return 129 | } 130 | -------------------------------------------------------------------------------- /pkg/client/vault_test.go: -------------------------------------------------------------------------------- 1 | package client 2 | 3 | import ( 4 | "os" 5 | "testing" 6 | 7 | vault "github.com/hashicorp/vault/api" 8 | "github.com/stretchr/testify/assert" 9 | ) 10 | 11 | func TestGetVaultClient(t *testing.T) { 12 | // With sufficient configuration 13 | os.Setenv("VAULT_ADDR", "http://localhost:8200") 14 | os.Setenv("VAULT_TOKEN", "s.xxxxxx") 15 | c, err := getVaultClient() 16 | assert.Nil(t, err) 17 | assert.IsType(t, &vault.Client{}, c) 18 | assert.NotNil(t, c) 19 | 20 | // Without VAULT_ADDR defined 21 | os.Unsetenv("VAULT_ADDR") 22 | c, err = getVaultClient() 23 | assert.Error(t, err, "initializing vault client: VAULT_ADDR env is not defined") 24 | assert.IsType(t, &vault.Client{}, c) 25 | assert.Nil(t, c) 26 | } 27 | -------------------------------------------------------------------------------- /pkg/state/state.go: -------------------------------------------------------------------------------- 1 | package state 2 | 3 | import ( 4 | "encoding/json" 5 | "fmt" 6 | "io/ioutil" 7 | "os" 8 | "path/filepath" 9 | "sort" 10 | 11 | "github.com/pkg/errors" 12 | 13 | "github.com/mvisonneau/vac/pkg/client" 14 | ) 15 | 16 | // State .. 17 | type State struct { 18 | Current struct { 19 | Engine string `json:"engine,omitempty"` 20 | Role string `json:"role,omitempty"` 21 | } `json:"current,omitempty"` 22 | AWSCredentials map[string]map[string]*client.AWSCredentials `json:"creds,omitempty"` 23 | } 24 | 25 | // Read .. 26 | func Read(filePath string) (*State, error) { 27 | _, err := os.Stat(filePath) 28 | if os.IsNotExist(err) { 29 | return &State{}, nil 30 | } 31 | 32 | s := &State{} 33 | byteValue, err := ioutil.ReadFile(filepath.Clean(filePath)) 34 | if err != nil { 35 | return &State{}, errors.Wrapf(err, "opening state file '%s'", filePath) 36 | } 37 | if err := json.Unmarshal(byteValue, s); err != nil { 38 | return nil, fmt.Errorf("error parsing vac state file: %w", err) 39 | } 40 | return s, nil 41 | } 42 | 43 | // Write .. 44 | func Write(c *State, filePath string) error { 45 | marshalledContent, err := json.MarshalIndent(*c, "", " ") 46 | if err != nil { 47 | return errors.Wrap(err, "marshalling state into json") 48 | } 49 | return ioutil.WriteFile(filePath, marshalledContent, 0o600) 50 | } 51 | 52 | // SetCurrentEngine .. 53 | func (s *State) SetCurrentEngine(engine string) { 54 | s.Current.Engine = engine 55 | } 56 | 57 | // SetCurrentRole .. 58 | func (s *State) SetCurrentRole(role string) { 59 | s.Current.Role = role 60 | } 61 | 62 | // SetCurrentAWSCredentials .. 63 | func (s *State) SetCurrentAWSCredentials(creds *client.AWSCredentials) { 64 | s.SetAWSCredentials(s.Current.Engine, s.Current.Role, creds) 65 | } 66 | 67 | // SetAWSCredentials .. 68 | func (s *State) SetAWSCredentials(engine, role string, creds *client.AWSCredentials) { 69 | if s.AWSCredentials == nil { 70 | s.AWSCredentials = make(map[string]map[string]*client.AWSCredentials) 71 | } 72 | if _, ok := s.AWSCredentials[engine]; !ok { 73 | s.AWSCredentials[engine] = make(map[string]*client.AWSCredentials) 74 | } 75 | s.AWSCredentials[engine][role] = creds 76 | } 77 | 78 | // GetCurrentAWSCredentials .. 79 | func (s *State) GetCurrentAWSCredentials() *client.AWSCredentials { 80 | return s.GetAWSCredentials(s.Current.Engine, s.Current.Role) 81 | } 82 | 83 | // GetAWSCredentials .. 84 | func (s *State) GetAWSCredentials(engine, role string) *client.AWSCredentials { 85 | if s.AWSCredentials != nil { 86 | if _, ok := s.AWSCredentials[engine]; ok { 87 | if creds, ok := s.AWSCredentials[engine][role]; ok { 88 | return creds 89 | } 90 | } 91 | } 92 | return nil 93 | } 94 | 95 | // GetCachedEngines .. 96 | func (s *State) GetCachedEngines() []string { 97 | keys := make([]string, 0, len(s.AWSCredentials)) 98 | for k := range s.AWSCredentials { 99 | keys = append(keys, k) 100 | } 101 | sort.Strings(keys) 102 | return keys 103 | } 104 | 105 | // GetCachedEngineRoles .. 106 | func (s *State) GetCachedEngineRoles(engine string) []string { 107 | keys := make([]string, 0, len(s.AWSCredentials[engine])) 108 | for k := range s.AWSCredentials[engine] { 109 | keys = append(keys, k) 110 | } 111 | sort.Strings(keys) 112 | return keys 113 | } 114 | -------------------------------------------------------------------------------- /pkg/state/state_test.go: -------------------------------------------------------------------------------- 1 | package state 2 | 3 | // TODO: Implement.. 4 | -------------------------------------------------------------------------------- /renovate.json5: -------------------------------------------------------------------------------- 1 | { 2 | $schema: "https://docs.renovatebot.com/renovate-schema.json", 3 | extends: ["config:best-practices"], 4 | 5 | postUpdateOptions: [ 6 | "gomodTidy", // Run go mod tidy after Go module updates. 7 | ], 8 | 9 | packageRules: [ 10 | // Group all patch updates into a single PR, potentially set automerging on at some point 11 | { 12 | groupName: "all patch and minor", 13 | matchPackageNames: ["*"], 14 | matchUpdateTypes: ["minor", "patch", "digest"], 15 | automerge: true, 16 | }, 17 | 18 | // Disable forked packages 19 | { 20 | matchPackageNames: ["github.com/mvisonneau/go-fuzzyfinder"], 21 | enabled: false 22 | } 23 | ], 24 | } 25 | --------------------------------------------------------------------------------