const AWS = require('aws-sdk')
const aws4 = require('aws4')
const axios = require('axios')
const { GoogleAuth } = require('google-auth-library');
/**
 * Builds the "cloud id" credential blob for the given Akeyless access type by
 * dispatching to the matching provider helper in this file.
 *
 * @param {string} acc_type - one of "aws_iam", "azure_ad", "gcp", "access_key".
 * @param {string} [param] - provider-specific argument: the Azure managed
 *   identity object id for "azure_ad", the ID-token audience for "gcp";
 *   ignored for the other types.
 * @returns {Promise<string>} the provider blob (base64), or "" for
 *   "access_key", which needs no cloud identity.
 * @throws {Error} "Invalid access type" for any other acc_type.
 */
async function getCloudId(acc_type, param) {
  switch (acc_type) {
    case "aws_iam":
      return getAWsCloudId()
    case "azure_ad":
      return getAzureCloudID(param)
    case "gcp":
      return getGcpCloudID(param)
    case "access_key":
      // Static access-key auth carries no cloud identity at all.
      return ""
    default:
      throw new Error("Invalid access type")
  }
}
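/**
 * Fetches a managed-identity access token from the Azure Instance Metadata
 * Service (IMDS) and returns it base64-encoded for the Akeyless cloud-id field.
 *
 * Only works on an Azure host where 169.254.169.254 is reachable. The
 * `Metadata: true` header is what IMDS requires before it will answer; the
 * `resource` is the token audience (Azure Resource Manager here).
 *
 * Security: the result is a bearer token that is merely base64-encoded, not
 * protected. Send it only over TLS and keep it out of logs.
 *
 * @param {string} [object_id] - presumably the object id of a user-assigned
 *   managed identity to pick when the host has several; when undefined the
 *   query parameter is not sent (axios drops undefined params) — confirm
 *   against the caller.
 * @returns {Promise<string>} base64 of the IMDS `access_token`.
 * @throws {Error} when IMDS is unreachable or does not answer within the
 *   timeout, or when the response carries no `access_token` (instead of the
 *   opaque TypeError that Buffer.from(undefined) would otherwise raise).
 */
async function getAzureCloudID(object_id) {
  const headers = { 'user-agent': 'AKEYLESS', 'Metadata': 'true' }
  const params = { 'api-version': '2018-02-01', 'resource': 'https://management.azure.com/', 'object_id': object_id }
  const res = await axios.get('http://169.254.169.254/metadata/identity/oauth2/token', {
    params,
    headers,
    // Bound the wait: off Azure (or with IMDS blocked) the link-local address
    // may never answer, and without a timeout this call would hang forever.
    timeout: 10000,
  })
  const token = res && res.data ? res.data.access_token : undefined
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('Azure IMDS response did not contain an access_token')
  }
  return Buffer.from(token).toString('base64')
}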
/**
 * Obtains a Google OIDC identity token for `audience` via google-auth-library
 * and returns it base64-encoded for the Akeyless cloud-id field.
 *
 * `new GoogleAuth()` with no options resolves credentials from the environment
 * (Application Default Credentials, presumably) and the resolved client mints
 * the ID token via fetchIdToken.
 *
 * Security: the result is a bearer token that is only base64-encoded, not
 * protected. Transmit it over TLS only and never log it.
 *
 * @param {string} [audience] - the `aud` claim to request; any falsy value
 *   (undefined, null, "") falls back to "akeyless.io".
 * @returns {Promise<string>} base64 of the ID token.
 */
async function getGcpCloudID(audience) {
  const targetAudience = audience || "akeyless.io"
  const auth = new GoogleAuth();
  const client = await auth.getClient();
  const idToken = await client.fetchIdToken(targetAudience);
  return Buffer.from(idToken).toString('base64')
}
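/**
 * Resolves AWS credentials through AWS.config.getCredentials (the SDK's
 * default provider chain, presumably: env vars, shared config, instance
 * profile, ...) and returns the signed-GetCallerIdentity blob built by
 * stsGetCallerIdentity() for the Akeyless cloud-id field.
 *
 * @returns {Promise<string>} base64 JSON describing the signed STS request.
 *   The blob embeds the SigV4 Authorization header and, for temporary
 *   credentials, the session token: treat it as a secret.
 * @rejects with the credential-resolution error from getCredentials, or with
 *   any error thrown while building/signing the request.
 */
function getAWsCloudId() {
  return new Promise((resolve, reject) => {
    AWS.config.getCredentials((err) => {
      if (err) {
        reject(err)
        return
      }
      // getCredentials runs this callback outside the Promise executor, so an
      // exception thrown here (e.g. from signing) would surface as an uncaught
      // exception instead of a rejection; route it to reject() explicitly.
      try {
        resolve(stsGetCallerIdentity(AWS.config.credentials))
      } catch (signErr) {
        reject(signErr)
      }
    })
  })
}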
/**
 * Builds a SigV4-signed `sts:GetCallerIdentity` request with `creds` and
 * packages method, URL, body and headers as base64 JSON — the blob Akeyless
 * replays against STS to verify the caller's AWS identity.
 *
 * Security: the blob carries the Authorization signature and, for temporary
 * credentials, the session token. While the signature is still valid it lets
 * the holder perform that GetCallerIdentity call, so treat it as a secret:
 * send it only over TLS and never log it.
 *
 * @param {object} creds - AWS credentials as consumed by aws4.sign
 *   (accessKeyId, secretAccessKey, optional sessionToken).
 * @returns {string} base64 of the JSON blob; every header value is wrapped in
 *   a one-element array.
 */
function stsGetCallerIdentity(creds) {
  const body = 'Action=GetCallerIdentity&Version=2011-06-15'
  const request = {
    method: 'POST',
    service: 'sts',
    // Credential scope for the signature; the URL below is the global STS endpoint.
    region: 'us-east-1',
    body,
    headers: {
      "Content-Length": body.length,
      "Content-Type": 'application/x-www-form-urlencoded; charset=utf-8',
    },
  }
  // aws4 adds Host, X-Amz-Date and Authorization to request.headers in place.
  aws4.sign(request, creds)
  const signed = request.headers
  // Insertion order matters: it determines the serialized header JSON.
  const headerMap = {
    'Authorization': [signed['Authorization']],
    'Content-Length': [String(body.length)],
    'Host': [signed['Host']],
    'Content-Type': [signed['Content-Type']],
    'X-Amz-Date': [signed['X-Amz-Date']],
  }
  if (creds.sessionToken) {
    headerMap['X-Amz-Security-Token'] = [creds.sessionToken];
  }
  const payload = {
    'sts_request_method': 'POST',
    'sts_request_url': Buffer.from('https://sts.amazonaws.com/').toString('base64'),
    'sts_request_body': Buffer.from(body).toString('base64'),
    'sts_request_headers': Buffer.from(JSON.stringify(headerMap)).toString('base64'),
  }
  return Buffer.from(JSON.stringify(payload)).toString('base64')
}
// Public surface of this module: the per-provider helpers plus the dispatcher.
module.exports = {
  getAWsCloudId,
  getAzureCloudID,
  getGcpCloudID,
  getCloudId,
}