add temporary credentials

api/data/data.go

@@ -0,0 +1,60 @@
+package data
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/atoz-technology/mantil-backend/internal/mantil"
+	"github.com/atoz-technology/mantil-backend/internal/stream"
+)
+
+type Data struct {
+}
+
+type DataRequest struct {
+	ProjectName string
+	Token       string
+}
+
+type DataResponse struct {
+	Project *mantil.Project
+}
+
+func (f *Data) Invoke(ctx context.Context, req *DataRequest) (*DataResponse, error) {
+	return f.Project(ctx, req)
+}
+
+func (f *Data) Project(ctx context.Context, req *DataRequest) (*DataResponse, error) {
+	if req.ProjectName == "" || req.Token == "" {
+		return nil, fmt.Errorf("bad request")
+	}
+
+	var p *mantil.Project
+	err := stream.LambdaLogStream(ctx, func() error {
+		var err error
+		p, err = mantil.LoadProject(req.ProjectName)
+		if err != nil {
+			log.Printf("%v", err)
+			return err
+		}
+
+		if p.Token != req.Token {
+			log.Printf("access denied - %s", p.Token)
+			return fmt.Errorf("access denied")
+		}
+		return nil
+	})
+	if err != nil {
+		log.Printf("%v", err)
+		return nil, err
+	}
+
+	return &DataResponse{
+		Project: p,
+	}, nil
+}
+
+func New() *Data {
+	return &Data{}
+}

api/security/security.go

@@ -3,9 +3,12 @@ package security
 import (
 	"context"
 	"fmt"
+	"log"
 
 	"github.com/atoz-technology/mantil-backend/internal/mantil"
 	"github.com/atoz-technology/mantil-backend/internal/security"
+	"github.com/atoz-technology/mantil-backend/internal/stream"
+	stsTypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
 )
 
 type Security struct{}
@@ -22,24 +25,32 @@ type SecurityResponse struct {
 }
 
 func (f *Security) Invoke(ctx context.Context, req *SecurityRequest) (*SecurityResponse, error) {
-	return f.FederationToken(ctx, req)
+	return f.Credentials(ctx, req)
 }
 
-func (f *Security) FederationToken(ctx context.Context, req *SecurityRequest) (*SecurityResponse, error) {
+func (f *Security) Credentials(ctx context.Context, req *SecurityRequest) (*SecurityResponse, error) {
 	if req.ProjectName == "" || req.Token == "" {
 		return nil, fmt.Errorf("bad request")
 	}
 
 	p, err := mantil.LoadProject(req.ProjectName)
 	if err != nil {
+		log.Printf("%v", err)
 		return nil, err
 	}
 	if p.Token != req.Token {
+		log.Printf("access denied - %s - %s", p.Token, req.Token)
 		return nil, fmt.Errorf("access denied")
 	}
 
-	creds, err := security.FederationToken(p)
+	var creds *stsTypes.Credentials
+	err = stream.LambdaLogStream(ctx, func() error {
+		var err error
+		creds, err = security.Credentials(p)
+		return err
+	})
 	if err != nil {
+		log.Printf("%v", err)
 		return nil, err
 	}
 

config/mantil.local.json

@@ -1 +1 @@
-{"Bucket":"mantil-project-try-mantil-backend","GithubOrg":"atoz-technology"}
+{"Bucket": "mantil-project-try-mantil-backend", "Name":"mantil-backend","GithubOrg":"atoz-technology"}

functions/data/.gitignore

@@ -0,0 +1 @@
+data

functions/data/main.go

@@ -0,0 +1,11 @@
+package main
+
+import (
+	"github.com/atoz-technology/mantil-backend/api/data"
+	"github.com/atoz-technology/mantil.go"
+)
+
+func main() {
+	var api = data.New()
+	mantil.LambdaHandler(api)
+}

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/aws/aws-lambda-go v1.25.0 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.7.1
 	github.com/aws/aws-sdk-go-v2/config v1.5.0
+	github.com/aws/aws-sdk-go-v2/service/iam v1.7.0
 	github.com/aws/aws-sdk-go-v2/service/lambda v1.5.0
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.11.1
 	github.com/aws/aws-sdk-go-v2/service/sts v1.6.0

go.sum

@@ -20,6 +20,8 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDu
 github.com/aws/aws-sdk-go-v2/internal/ini v1.1.0/go.mod h1:qGQ/9IfkZonRNSNLE99/yBJ7EPA/h8jlWEqtJCcaj+Q=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1 h1:SDLwr1NKyowP7uqxuLNdvFZhjnoVWxNv456zAp+ZFjU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg=
+github.com/aws/aws-sdk-go-v2/service/iam v1.7.0 h1:DgL3Rifvc2EhkSbrq7dDdMNXPA4IXbXH6VR/pBLzACI=
+github.com/aws/aws-sdk-go-v2/service/iam v1.7.0/go.mod h1:SR0ZnnmMCxLVZpWlODnStM3b+mOZXiviPtX6aCJpukM=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.2.1 h1:s/uV8UyMB4UcO0ERHxG9BJhYJAD9MiY0QeYvJmlC7PE=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.2.1/go.mod h1:v33JQ57i2nekYTA70Mb+O18KeH4KqhdqxTJZNK1zdRE=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.0/go.mod h1:a7XLWNKuVgOxjssEF019IiHPv35k8KHBaWv/wJAfi2A=

internal/aws/aws.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
 	"github.com/aws/aws-sdk-go-v2/service/lambda"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	s3Types "github.com/aws/aws-sdk-go-v2/service/s3/types"
@@ -184,18 +185,19 @@ func (a *AWS) UpdateLambdaFunctionCodeFromS3(function, bucket, key string) error
 	return nil
 }
 
-func (a *AWS) GetProjectToken(name, policy string) (*stsTypes.Credentials, error) {
-	gfti := &sts.GetFederationTokenInput{
+func (a *AWS) RoleCredentials(name, role, policy string) (*stsTypes.Credentials, error) {
+	ari := &sts.AssumeRoleInput{
+		RoleArn:         aws.String(role),
+		RoleSessionName: aws.String(name),
 		DurationSeconds: aws.Int32(900),
-		Name:            aws.String(name),
 		Policy:          aws.String(policy),
 	}
 
-	gfto, err := a.stsClient.GetFederationToken(context.TODO(), gfti)
+	creds, err := a.stsClient.AssumeRole(context.TODO(), ari)
 	if err != nil {
-		return nil, fmt.Errorf("could not get project token - %v", err)
+		return nil, err
 	}
-	return gfto.Credentials, nil
+	return creds.Credentials, nil
 }
 
 func (a *AWS) UpdateLambdaFunctionCodeImage(function, image string) error {
@@ -218,3 +220,59 @@ func (a *AWS) AccountID() (string, error) {
 	}
 	return aws.ToString(gcio.Account), nil
 }
+
+const (
+	CliUserRoleAssumePolicy = `{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+                 "AWS": "arn:aws:iam::477361877445:role/try-mantil-team-mantil-backend-lambda"
+  	        },
+            "Effect": "Allow"
+        }
+    ]
+}
+`
+	CliUserPolicy = `{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Resource": "*",
+            "Action": "*"
+        }
+    ]
+}
+`
+)
+
+func (a *AWS) CreateCLIUserRole(name string) error {
+	iamClient := iam.NewFromConfig(a.config)
+
+	cri := &iam.CreateRoleInput{
+		RoleName:                 aws.String(name),
+		AssumeRolePolicyDocument: aws.String(CliUserRoleAssumePolicy),
+	}
+	r, err := iamClient.CreateRole(context.TODO(), cri)
+	if err != nil {
+		return err
+	}
+
+	cpi := &iam.CreatePolicyInput{
+		PolicyName:     aws.String(name),
+		PolicyDocument: aws.String(CliUserPolicy),
+	}
+	p, err := iamClient.CreatePolicy(context.TODO(), cpi)
+	if err != nil {
+		return err
+	}
+
+	arpi := &iam.AttachRolePolicyInput{
+		PolicyArn: p.Policy.Arn,
+		RoleName:  r.Role.RoleName,
+	}
+	_, err = iamClient.AttachRolePolicy(context.TODO(), arpi)
+	return err
+}

internal/initialize/initialize.go

@@ -2,6 +2,7 @@ package initialize
 
 import (
 	"fmt"
+	"log"
 
 	"github.com/atoz-technology/mantil-backend/internal/aws"
 	"github.com/atoz-technology/mantil-backend/internal/mantil"
@@ -29,6 +30,11 @@ func InitProject(projectName string) (string, error) {
 		return "", fmt.Errorf("project %s already exists", projectId)
 	}
 
+	if err := aws.CreateCLIUserRole(mantil.ProjectCliUserRoleName(projectName)); err != nil {
+		log.Printf("%v", err)
+		return "", err
+	}
+
 	err = aws.CreateS3Bucket(projectId, DefaultAWSRegion)
 	if err != nil {
 		return "", err

internal/mantil/project.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"github.com/atoz-technology/mantil-backend/internal/aws"
 )
@@ -60,6 +61,15 @@ func TryOrganization() Organization {
 	}
 }
 
+func ProjectCliUserRoleName(projectName string) string {
+	return fmt.Sprintf("%s-cli-user", ProjectResourceId(projectName))
+}
+
+func ProjectResourceId(projectName string) string {
+	org := TryOrganization()
+	return fmt.Sprintf("%s-%s", strings.Replace(org.DNSZone, ".", "-", -1), projectName)
+}
+
 func ProjectIdentifier(projectName string) string {
 	org := TryOrganization()
 	return fmt.Sprintf("mantil-project-%s-%s", org.Name, projectName)

internal/security/policy.go

@@ -1,33 +1,31 @@
 package security
 
-const FederationTokenPolicyTemplate = `
-{
+const CredentialsTemplate = `{
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Effect": "Allow",
             "Action": [
-        		"s3:GetObject",
-        		"s3:PutObject"
-      		],
+                "s3:PutObject"
+            ],
+            "Effect": "Allow",
             "Resource": "arn:aws:s3:::{{.Bucket}}/*"
         },
         {
-            "Effect": "Allow",
             "Action": [
                 "ecr:BatchCheckLayerAvailability",
                 "ecr:CompleteLayerUpload",
                 "ecr:InitiateLayerUpload",
                 "ecr:PutImage",
                 "ecr:UploadLayerPart"
             ],
+            "Effect": "Allow",
             "Resource": "arn:aws:ecr:{{.Region}}:{{.AccountID}}:repository/mantil-project-{{.OrganizationName}}-{{.Name}}"
         },
-		{
-	    	"Effect": "Allow",
+        {
             "Action": "ecr:GetAuthorizationToken",
+            "Effect": "Allow",
             "Resource": "*"
-		}
+        }
     ]
 }
 `

internal/security/security.go

@@ -2,14 +2,15 @@ package security
 
 import (
 	"bytes"
+	"fmt"
 	"html/template"
 
 	"github.com/atoz-technology/mantil-backend/internal/aws"
 	"github.com/atoz-technology/mantil-backend/internal/mantil"
 	stsTypes "github.com/aws/aws-sdk-go-v2/service/sts/types"
 )
 
-func FederationToken(project *mantil.Project) (*stsTypes.Credentials, error) {
+func Credentials(project *mantil.Project) (*stsTypes.Credentials, error) {
 	aws, err := aws.New()
 	if err != nil {
 		return nil, err
@@ -27,13 +28,14 @@ func FederationToken(project *mantil.Project) (*stsTypes.Credentials, error) {
 		AccountID:        accountID,
 	}
 
-	tpl := template.Must(template.New("").Parse(FederationTokenPolicyTemplate))
+	tpl := template.Must(template.New("").Parse(CredentialsTemplate))
 	buf := bytes.NewBuffer(nil)
 	if err := tpl.Execute(buf, ppt); err != nil {
 		return nil, err
 	}
 
-	creds, err := aws.GetProjectToken(project.Name, buf.String())
+	role := fmt.Sprintf("arn:aws:iam::%s:role/%s", accountID, mantil.ProjectCliUserRoleName(project.Name))
+	creds, err := aws.RoleCredentials(project.Name, role, buf.String())
 	if err != nil {
 		return nil, err
 	}