provider/aws: add ses_smtp_password to iam_access_key
AWS gives instructions for converting AWS credentials into SES SMTP
credentials here:

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert

This implements their algorithm and yields the result as an attribute on
`iam_access_key`.
phinze committed Sep 3, 2015
1 parent 7d14213 commit eb150ae
Showing 3 changed files with 47 additions and 0 deletions.
27 changes: 27 additions & 0 deletions builtin/providers/aws/resource_aws_iam_access_key.go
@@ -1,6 +1,9 @@
package aws

import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"fmt"

"github.com/aws/aws-sdk-go/aws"
@@ -32,6 +35,10 @@ func resourceAwsIamAccessKey() *schema.Resource {
Type: schema.TypeString,
Computed: true,
},
"ses_smtp_password": &schema.Schema{
Type: schema.TypeString,
Computed: true,
},
},
}
}
@@ -55,6 +62,10 @@ func resourceAwsIamAccessKeyCreate(d *schema.ResourceData, meta interface{}) err
if err := d.Set("secret", createResp.AccessKey.SecretAccessKey); err != nil {
return err
}

d.Set("ses_smtp_password",
sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey))

return resourceAwsIamAccessKeyReadResult(d, &iam.AccessKeyMetadata{
AccessKeyId: createResp.AccessKey.AccessKeyId,
CreateDate: createResp.AccessKey.CreateDate,
@@ -115,3 +126,19 @@ func resourceAwsIamAccessKeyDelete(d *schema.ResourceData, meta interface{}) err
}
return nil
}

func sesSmtpPasswordFromSecretKey(key *string) string {
if key == nil {
return ""
}
version := byte(0x02)
message := []byte("SendRawEmail")
hmacKey := []byte(*key)
h := hmac.New(sha256.New, hmacKey)
h.Write(message)
rawSig := h.Sum(nil)
versionedSig := make([]byte, 0, len(rawSig)+1)
versionedSig = append(versionedSig, version)
versionedSig = append(versionedSig, rawSig...)
return base64.StdEncoding.EncodeToString(versionedSig)
}
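Review bot: The new `d.Set("ses_smtp_password", ...)` call in resourceAwsIamAccessKeyCreate discards its error, unlike the `secret` write directly above it, so a failed write would leave the state without the derived credential and without any diagnostic. Handle it the same way: `if err := d.Set("ses_smtp_password", sesSmtpPasswordFromSecretKey(createResp.AccessKey.SecretAccessKey)); err != nil { return err }`. The derived value is credential material computed directly from the secret access key and is stored as a plain computed string, so it presumably lands in the state file just as `secret` does; the attribute's documentation entry should carry the same warning that `secret` has. sesSmtpPasswordFromSecretKey would also benefit from a doc comment naming the AWS conversion document as the source of the 0x02 version byte and the "SendRawEmail" message, and stating that a nil key yields an empty string. The body of resourceAwsIamAccessKeyCreate starts and ends outside the visible hunk.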
17 changes: 17 additions & 0 deletions builtin/providers/aws/resource_aws_iam_access_key_test.go
@@ -116,3 +116,20 @@ resource "aws_iam_access_key" "a_key" {
user = "${aws_iam_user.a_user.name}"
}
`

func TestSesSmtpPasswordFromSecretKey(t *testing.T) {
cases := []struct {
Input string
Expected string
}{
{"some+secret+key", "AnkqhOiWEcszZZzTMCQbOY1sPGoLFgMH9zhp4eNgSjo4"},
{"another+secret+key", "Akwqr0Giwi8FsQFgW3DXWCC2DiiQ/jZjqLDWK8TeTBgL"},
}

for _, tc := range cases {
actual := sesSmtpPasswordFromSecretKey(&tc.Input)
if actual != tc.Expected {
t.Fatalf("%q: expected %q, got %q", tc.Input, tc.Expected, actual)
}
}
}
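Review bot: The table in TestSesSmtpPasswordFromSecretKey covers only non-nil inputs, so the `key == nil` branch that returns an empty string is never exercised; add `if got := sesSmtpPasswordFromSecretKey(nil); got != "" { t.Fatalf("nil key: expected empty string, got %q", got) }` after the loop. The two expected strings carry no provenance, so it is not visible whether they came from an independent implementation of the AWS algorithm or from this function's own output. A short comment above the table stating how the vectors were produced would show whether the test can catch a mistake in the conversion itself.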
@@ -55,5 +55,8 @@ The following attributes are exported:
* `id` - The access key ID.
* `user` - The IAM user associated with this access key.
* `secret` - The secret access key. Note that this will be written to the state file.
* `ses_smtp_password` - The secret access key converted into an SES SMTP
password by applying [AWS's documented conversion
algorithm](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html#smtp-credentials-convert).
* `status` - "Active" or "Inactive". Keys are initially active, but can be made
inactive by other means.
