@fieldju
Last active December 4, 2015 17:10
A POC Groovy script showing a possible flow for an AWS IAM role-based auth backend
import com.amazonaws.Request
import com.amazonaws.auth.AWS4Signer
import com.amazonaws.auth.BasicSessionCredentials
import com.amazonaws.http.HttpMethodName
import com.amazonaws.internal.EC2MetadataClient
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest
import com.amazonaws.services.securitytoken.model.transform.AssumeRoleRequestMarshaller
import com.amazonaws.util.json.Jackson
import groovyx.net.http.*
import static groovyx.net.http.ContentType.*
import static groovyx.net.http.Method.*
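// NOTE(review): the resolvers were originally declared over plain HTTP, so the jars pulled
// at startup could be swapped in transit. Fetching them over HTTPS authenticates the
// download. Both hosts may no longer be served — confirm before running.
@GrabResolver(name="jcenter", root="https://jcenter.bintray.com/", m2Compatible=true)
@GrabResolver(name="codehaus", root="https://repository.codehaus.org/", m2Compatible=true)
/**
 * The dependencies
 */
@Grapes([
    @Grab(group='org.codehaus.groovy.modules.http-builder', module='http-builder', version='0.7.1'),
    @Grab(group='com.amazonaws', module='aws-java-sdk', version='1.10.38')
])
// Step 1: fetch the instance role's temporary credentials from the EC2 metadata service.
String credentialsResponse = new EC2MetadataClient().getDefaultCredentials()

// Field names of the instance-metadata credentials document.
String ACCESS_KEY_ID = "AccessKeyId"
String SECRET_ACCESS_KEY = "SecretAccessKey"
String TOKEN = "Token"

def node = Jackson.jsonNodeOf(credentialsResponse)

// Fail with a clear message when a field is absent instead of an NPE from asText().
// The message deliberately does not echo the document: it holds live credentials.
def requiredField = { String name ->
    def value = node.get(name)
    if (value == null || value.isNull()) {
        throw new IllegalStateException("instance metadata credentials are missing '${name}'")
    }
    return value.asText()
}

def credentials = new BasicSessionCredentials(
        requiredField(ACCESS_KEY_ID), requiredField(SECRET_ACCESS_KEY), requiredField(TOKEN))

// Placeholder ARN of the role Vault would map to a policy; substitute a real one to run.
def myRole = 'arn:aws:iam::000000000:role/vaultRoleThatMatchesAPolicy'

// Step 2: build the AssumeRole call. 900s is the shortest session STS allows — the POC
// only needs the call to succeed, not a usable session.
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
        .withDurationSeconds(900)
        .withRoleArn(myRole)
        .withRoleSessionName('vault-role-check')

// Marshal to a plain Request, then pin endpoint, path and method BEFORE signing so the
// SigV4 signature covers exactly the request Vault will later replay.
Request<AssumeRoleRequest> request = new AssumeRoleRequestMarshaller().marshall(assumeRoleRequest)
request.setEndpoint(new URI('https://sts.amazonaws.com'))
request.setResourcePath('/')
request.setHttpMethod(HttpMethodName.GET)
new AWS4Signer().sign(request, credentials)

// Snapshot the signed parameters and headers outside the HTTPBuilder closure below, so
// the names cannot collide with properties of the closure's request delegate.
def query = [:]
query.putAll(request.parameters)
def signedHeaders = request.headers

// Step 3: this is what the client would hand to the Vault AWS IAM backend. The headers
// carry the Authorization signature and X-Amz-Security-Token, so query + headers form a
// replayable credential for as long as STS accepts the signature's timestamp (on the
// order of minutes). Transmit them to Vault over TLS only and keep them out of logs;
// they are printed here purely because this is a POC.
println query
println signedHeaders

// Step 4: essentially what the Vault AWS IAM backend would do — replay the signed request
// against STS. Vault never receives the instance's secret access key; a successful
// response proves the caller holds credentials allowed to assume myRole.
new HTTPBuilder('https://sts.amazonaws.com').request(GET, XML) {
    uri.path = "/"
    uri.query = query
    headers = signedHeaders
    response.success = { resp, reader ->
        // The body holds a fresh set of assumed-role credentials; only the status is
        // printed so they do not land on stdout.
        println "Status: ${resp.status}"
        // Vault would return the token here for the role in the response if it exists
    }
    response.failure = { resp, reader ->
        // Error bodies carry no credentials and are useful for diagnosing the denial.
        println "Status: ${resp.status} | Resp: ${reader}"
        // Vault would say no here
    }
}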