
@GromNaN
Last active March 18, 2021 00:34
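<?php

declare(strict_types=1);

/**
 * Authentication on a Vault server using AWS IAM.
 *
 * The script signs an STS GetCallerIdentity request with the local AWS
 * credentials but never sends it to AWS itself. The signed method, URL,
 * headers and body are posted to Vault's AWS login endpoint, and the Vault
 * token is read from the login response.
 *
 * https://www.vaultproject.io/api-docs/auth/aws#login
 *
 * Security notes:
 * - The signed request is a short-lived bearer credential: whoever holds it
 *   can present it as this IAM principal until the signature expires. Send it
 *   only over verified TLS and never write it to logs.
 * - If the Vault auth mount sets `iam_server_id_header_value`, add the
 *   `X-Vault-AWS-IAM-Server-ID` header to the request headers before signing,
 *   so a signature captured for one Vault server is not accepted by another.
 */

namespace Testing;

use AsyncAws\Core\AwsClientFactory;
use AsyncAws\Core\Credentials\ChainProvider;
use AsyncAws\Core\Request;
use AsyncAws\Core\RequestContext;
use AsyncAws\Core\Signer\SignerV4;
use AsyncAws\Core\Stream\StreamFactory;
use Symfony\Component\HttpClient\HttpClient;

$awsClient = new AwsClientFactory();

// Copied from AsyncAws\Core\Sts\Input\GetCallerIdentityRequest because request() method is internal.
$request = new Request(
    'POST',
    '/',
    [],
    ['content-type' => 'application/x-www-form-urlencoded'],
    StreamFactory::create('Action=GetCallerIdentity&Version=2011-06-15')
);

// STS Endpoint and region are configured inside the Vault server, so the
// values signed here have to match that configuration.
$request->setEndpoint('https://sts.amazonaws.com/');

// Resolve credentials up front: the provider chain can come back empty, and an
// explicit error is easier to diagnose than a failure inside the signer.
$credentials = ChainProvider::createDefaultChain()->getCredentials($awsClient->sts()->getConfiguration());
if (null === $credentials) {
    throw new \RuntimeException('No AWS credentials available to sign the Vault login request.');
}

$signer = new SignerV4('sts', 'us-east-1');
$signer->sign($request, $credentials, new RequestContext());

// Leave the HTTP client's TLS peer/host verification at its defaults: the
// payload below carries the signed request and the response carries the token.
$client = HttpClient::createForBaseUri('https://vault.example.com/', []);
$response = $client->request('POST', '/v1/auth/aws/login', [
    'json' => [
        'role' => 'dev',
        'iam_http_request_method' => $request->getMethod(),
        'iam_request_url' => base64_encode($request->getEndpoint()),
        // JSON_THROW_ON_ERROR keeps an encoding failure from turning into an
        // empty header set that Vault would reject with a less obvious error.
        'iam_request_headers' => base64_encode(json_encode($request->getHeaders(), JSON_THROW_ON_ERROR)),
        'iam_request_body' => base64_encode($request->getBody()->stringify()),
    ],
]);

// Check the response shape instead of indexing blindly. The message stays
// generic on purpose so no part of the response body ends up in logs.
$token = $response->toArray()['auth']['client_token'] ?? null;
if (!\is_string($token) || '' === $token) {
    throw new \RuntimeException('Vault login response did not contain a client token.');
}

// $token is a secret: keep it in memory, pass it only to Vault (X-Vault-Token),
// and do not print or log it.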