in cmd/saml2alibabacloud/commands/exec.go [74:120]
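// assumeRoleWithProfile calls STS AssumeRole with the already-obtained
// alibabacloudCreds to assume the role recorded in the shared credentials
// entry for targetProfile, and returns a fresh credential set for that role.
//
// The target profile must already exist in the shared credentials file; it is
// read for its PrincipalARN (the role to assume) and its session token field.
// sessionDuration is passed to STS as DurationSeconds unchanged; no range
// check is done here.
//
// Credential-file errors are wrapped so the caller can tell "could not check
// the file" from "could not read the profile"; STS client and call errors are
// wrapped with the step that failed and keep the SDK error as their cause.
func assumeRoleWithProfile(alibabacloudCreds *alibabacloudconfig.AliCloudCredentials, targetProfile string, sessionDuration int) (*alibabacloudconfig.AliCloudCredentials, error) {
	const (
		// stsRegion is the region the STS client is created against.
		stsRegion = "cn-hangzhou"
		// userAgentName and userAgentVersion identify this tool to the API.
		userAgentName    = "saml2alibabacloud"
		userAgentVersion = "0.0.6"
	)

	// get target profile
	sharedCreds := alibabacloudconfig.NewSharedCredentials(targetProfile)

	// this checks if the credentials file has been created yet
	// can only really be triggered if saml2alibabacloud exec is run on a new
	// system prior to creating $HOME/.aliyun
	exist, err := sharedCreds.CredsExists()
	if err != nil {
		return nil, errors.Wrap(err, "error checking target credentials")
	}
	if !exist {
		log.Println("unable to load target credentials")
		return nil, errors.New("unable to load target credentials")
	}

	targetCreds, err := sharedCreds.Load()
	if err != nil {
		return nil, errors.Wrap(err, "error loading target credentials")
	}

	// The STS client authenticates with the source credentials (the ones
	// obtained from the SAML login), including their security token.
	client, err := sts.NewClientWithStsToken(stsRegion, alibabacloudCreds.AliCloudAccessKey, alibabacloudCreds.AliCloudSecretKey, alibabacloudCreds.AliCloudSecurityToken)
	if err != nil {
		return nil, errors.Wrap(err, "error creating sts client")
	}
	client.AppendUserAgent(userAgentName, userAgentVersion)

	request := sts.CreateAssumeRoleRequest()
	// NOTE(review): the target profile's session token field is reused as the
	// RoleSessionName. A role session name is not secret material: it is
	// returned in the assumed-role ARN and shows up in audit records, so this
	// field should hold an identifier rather than a credential — confirm
	// against the code that writes the profile.
	request.RoleSessionName = targetCreds.AliCloudSessionToken
	request.RoleArn = targetCreds.PrincipalARN
	request.DurationSeconds = requests.NewInteger(sessionDuration)

	// use an STS client to perform the multiple role assumptions
	response, err := client.AssumeRole(request)
	if err != nil {
		return nil, errors.Wrap(err, "error assuming role")
	}

	// The session token is carried over from the target profile; everything
	// else comes from the AssumeRole response.
	return &alibabacloudconfig.AliCloudCredentials{
		AliCloudAccessKey:     response.Credentials.AccessKeyId,
		AliCloudSecretKey:     response.Credentials.AccessKeySecret,
		AliCloudSessionToken:  targetCreds.AliCloudSessionToken,
		AliCloudSecurityToken: response.Credentials.SecurityToken,
		PrincipalARN:          response.AssumedRoleUser.Arn,
	}, nil
}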