Verify the ARN's partition

John Gardiner Myers 2020-08-09 11:39:18 -07:00
parent 9e99f76a6e
commit 5dcc95178f
1 changed files with 7 additions and 1 deletions


@ -46,6 +46,7 @@ type AWSVerifierOptions struct {
type awsVerifier struct {
accountId string
partition string
opt AWSVerifierOptions
ec2 *ec2.EC2
@ -68,6 +69,8 @@ func NewAWSVerifier(opt *AWSVerifierOptions) (fi.Verifier, error) {
return nil, err
}
partition := strings.Split(aws.StringValue(identity.Arn), ":")[1]
metadata := ec2metadata.New(sess, config)
region, err := metadata.Region()
if err != nil {
@ -78,6 +81,7 @@ func NewAWSVerifier(opt *AWSVerifierOptions) (fi.Verifier, error) {
return &awsVerifier{
accountId: aws.StringValue(identity.Account),
partition: partition,
opt: *opt,
ec2: ec2Client,
sts: stsClient,
@ -185,7 +189,9 @@ func (a awsVerifier) VerifyToken(token string, body []byte) (*fi.VerifyResult, e
if parts[0] != "arn" {
return nil, fmt.Errorf("arn %q doesn't start with \"arn:\"", arn)
}
// parts[1] is partition
if parts[1] != a.partition {
return nil, fmt.Errorf("arn %q not in partion %q", arn, a.partition)
}
if parts[2] != "iam" && parts[2] != "sts" {
return nil, fmt.Errorf("arn %q has unrecognized service", arn)
}
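Review bot: The partition is derived at `partition := strings.Split(aws.StringValue(identity.Arn), ":")[1]` without checking how many pieces the split produced, so an empty or malformed Arn returned by GetCallerIdentity would panic with an index-out-of-range instead of surfacing an error from NewAWSVerifier. The SDK already ships a parser for this: `parsed, err := arn.Parse(aws.StringValue(identity.Arn))` from `github.com/aws/aws-sdk-go/aws/arn` yields `parsed.Partition` with a proper error path, or at minimum guard `len(parts) < 2` before indexing. The new `if parts[1] != a.partition` check in VerifyToken is the right place to reject cross-partition ARNs, but its message misspells the word: `return nil, fmt.Errorf("arn %q not in partition %q", arn, a.partition)`. Both NewAWSVerifier and VerifyToken start and end outside the hunks shown.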