-
Notifications
You must be signed in to change notification settings - Fork 53
/
Copy pathcredentials.go
172 lines (133 loc) · 4.64 KB
/
credentials.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
package credentials
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/newrelic/newrelic-lambda-extension/util"
"github.com/newrelic/newrelic-lambda-extension/config"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/secretsmanager"
"github.com/aws/aws-sdk-go/service/secretsmanager/secretsmanageriface"
"github.com/aws/aws-sdk-go/service/ssm"
"github.com/aws/aws-sdk-go/service/ssm/ssmiface"
)
type licenseKeySecret struct {
LicenseKey string
}
var (
sess = session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
secrets secretsmanageriface.SecretsManagerAPI
ssmClient ssmiface.SSMAPI
)
const defaultSecretId = "NEW_RELIC_LICENSE_KEY"
func init() {
secrets = secretsmanager.New(sess)
ssmClient = ssm.New(sess)
}
func getLicenseKeySecretId(conf *config.Configuration) string {
if conf.LicenseKeySecretId != "" {
return conf.LicenseKeySecretId
}
return defaultSecretId
}
func getLicenseKeySSMParameterName(conf *config.Configuration) string {
if conf.LicenseKeySSMParameterName != "" {
return conf.LicenseKeySSMParameterName
}
return defaultSecretId
}
func decodeLicenseKey(rawJson *string) (string, error) {
var secrets licenseKeySecret
err := json.Unmarshal([]byte(*rawJson), &secrets)
if err != nil {
return "", err
}
if secrets.LicenseKey == "" {
return "", fmt.Errorf("malformed license key secret; missing \"LicenseKey\" attribute")
}
return secrets.LicenseKey, nil
}
// IsSecretConfigured returns true if the Secrets Manager secret is configured, false
// otherwise
func IsSecretConfigured(ctx context.Context, conf *config.Configuration) bool {
secretId := getLicenseKeySecretId(conf)
secretValueInput := secretsmanager.GetSecretValueInput{SecretId: &secretId}
_, err := secrets.GetSecretValueWithContext(ctx, &secretValueInput)
if err != nil {
return false
}
return true
}
// IsSSMParameterConfigured returns true if the SSM parameter is configured, false
// otherwise.
func IsSSMParameterConfigured(ctx context.Context, conf *config.Configuration) bool {
parameterName := getLicenseKeySSMParameterName(conf)
_, err := tryLicenseKeyFromSSMParameter(ctx, parameterName)
if err != nil {
return false
}
return true
}
// GetNewRelicLicenseKey fetches the license key from AWS Secrets Manager or
// SSM Parameter Store, falling back to the NEW_RELIC_LICENSE_KEY environment
// variable if set.
func GetNewRelicLicenseKey(ctx context.Context, conf *config.Configuration) (string, error) {
if conf.LicenseKey != "" {
util.Logln("Using license key from environment variable")
return conf.LicenseKey, nil
}
secretId := conf.LicenseKeySecretId
if secretId != "" {
util.Logln("Fetching license key from secret id " + secretId)
return tryLicenseKeyFromSecret(ctx, secretId)
}
parameterName := conf.LicenseKeySSMParameterName
if parameterName != "" {
util.Logln("Fetching license key from parameter name " + conf.LicenseKeySSMParameterName)
return tryLicenseKeyFromSSMParameter(ctx, parameterName)
}
envLicenseKey, found := os.LookupEnv(defaultSecretId)
if found {
return envLicenseKey, nil
}
util.Debugln("No configured license key found, attempting fallbacks to default")
licenseKey, err := tryLicenseKeyFromSecret(ctx, defaultSecretId)
if err == nil {
return licenseKey, nil
}
licenseKey, err = tryLicenseKeyFromSSMParameter(ctx, defaultSecretId)
if err == nil {
return licenseKey, nil
}
return "", fmt.Errorf("No license key configured")
}
func tryLicenseKeyFromSecret(ctx context.Context, secretId string) (string, error) {
util.Debugf("fetching '%s' from Secrets Manager\n", secretId)
secretValueInput := secretsmanager.GetSecretValueInput{SecretId: &secretId}
secretValueOutput, err := secrets.GetSecretValueWithContext(ctx, &secretValueInput)
if err != nil {
return "", err
}
return decodeLicenseKey(secretValueOutput.SecretString)
}
func tryLicenseKeyFromSSMParameter(ctx context.Context, parameterName string) (string, error) {
util.Debugf("fetching '%s' from SSM Parameter Store\n", parameterName)
parameterValueInput := ssm.GetParameterInput{Name: ¶meterName, WithDecryption: aws.Bool(true)}
parameterValueOutput, err := ssmClient.GetParameterWithContext(ctx, ¶meterValueInput)
if err != nil {
return "", err
}
return *parameterValueOutput.Parameter.Value, nil
}
// OverrideSecretsManager overrides the default Secrets Manager implementation
func OverrideSecretsManager(override secretsmanageriface.SecretsManagerAPI) {
secrets = override
}
// OverrideSSM overrides the default SSM implementation
func OverrideSSM(override ssmiface.SSMAPI) {
ssmClient = override
}