Merge pull request #138 from rgooch/release

Release
Cloud-Foundations · Oct 25, 2021 · b05c5b9 · b05c5b9
2 parents 2bf24f8 + 05ce7c6
commit b05c5b9
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@ endif
 BINARY=keymaster
 
 # These are the values we want to pass for Version and BuildTime
-VERSION=1.9.1
+VERSION=1.9.2
 #BUILD_TIME=`date +%FT%T%z`
 
 # Setup the -ldflags option for go build here, interpolate the variable values

diff --git a/README.md b/README.md
@@ -98,7 +98,7 @@ patents and contracts.
 ## LICENSE
 Copyright 2016-2019 Symantec Corporation.
 
-Copyright 2019-2020 Cloud-Foundations.org
+Copyright 2019-2021 Cloud-Foundations.org
 
 Licensed under the Apache License, Version 2.0 (the “License”); you
 may not use this file except in compliance with the License.
@@ -110,3 +110,7 @@ License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR
 CONDITIONS OF ANY KIND, either express or implied. See the License for
 the specific language governing permissions and limitations under the
 License.
+
+## Versioning
+Keymaster versions follow the [Sementic Versioning](https://semver.org/)
+guidelines.
diff --git a/keymaster.spec b/keymaster.spec
@@ -1,5 +1,5 @@
 Name:           keymaster
-Version:        1.9.1
+Version:        1.9.2
 Release:        1%{?dist}
 Summary:        Short term access certificate generator and client
 

diff --git a/lib/client/aws_role/api.go b/lib/client/aws_role/api.go
@@ -1,3 +1,19 @@
+/*
+Package aws_role may be used by service code to obtain Keymaster-issued identity
+certificates. The identity certificate will contain the AWS IAM role that the
+service code is able to assume (i.e. EC2 instance profile, EKS IRSA, Lambda
+role). The full AWS Role ARN is stored in a certificate URI SAN extension and a
+simplified form of the ARN is stored in the certificate CN.
+
+The service code does not require any extra permissions. It uses the
+sts:GetCallerIdentity permission that is available to all AWS identities. Thus,
+no policy configuration is required.
+
+This code uses the AWS IAM credentials to request a pre-signed URL from the AWS
+Security Token Service (STS). This pre-signed URL is passed to Keymaster which
+can make a request using the URL to verify the identity of the caller. No
+credentials are sent.
+*/
 package aws_role
 
 import (