Let AWS auth CLI helper only generate login data (#3015)

* Let AWS auth CLI helper only generate login data

This will be useful to other golang clients so they can manage the login
process themselves.

Also helps for #2855

* Respond to PR feedback

builtin/credential/aws/cli.go

@@ -16,43 +16,30 @@ import (
 
 type CLIHandler struct{}
 
-func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
-	mount, ok := m["mount"]
-	if !ok {
-		mount = "aws"
-	}
+// Generates the necessary data to send to the Vault server for generating a token
+// This is useful for other API clients to use
+func GenerateLoginData(accessKey, secretKey, sessionToken, headerValue string) (map[string]interface{}, error) {
+	loginData := make(map[string]interface{})
 
-	role, ok := m["role"]
-	if !ok {
-		role = ""
-	}
-
-	headerValue, ok := m["header_value"]
-	if !ok {
-		headerValue = ""
-	}
-
-	// Grab any supplied credentials off the command line
-	// Ensure we're able to fall back to the SDK default credential providers
 	credConfig := &awsutil.CredentialsConfig{
-		AccessKey:    m["aws_access_key_id"],
-		SecretKey:    m["aws_secret_access_key"],
-		SessionToken: m["aws_security_token"],
+		AccessKey:    accessKey,
+		SecretKey:    secretKey,
+		SessionToken: sessionToken,
 	}
 	creds, err := credConfig.GenerateCredentialChain()
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	if creds == nil {
-		return "", fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata")
+		return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata")
 	}
 
 	// Use the credentials we've found to construct an STS session
 	stsSession, err := session.NewSessionWithOptions(session.Options{
 		Config: aws.Config{Credentials: creds},
 	})
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
 	var params *sts.GetCallerIdentityInput
@@ -68,26 +55,46 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 	// Now extract out the relevant parts of the request
 	headersJson, err := json.Marshal(stsRequest.HTTPRequest.Header)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	requestBody, err := ioutil.ReadAll(stsRequest.HTTPRequest.Body)
 	if err != nil {
-		return "", err
+		return nil, err
+	}
+	loginData["iam_http_request_method"] = stsRequest.HTTPRequest.Method
+	loginData["iam_request_url"] = base64.StdEncoding.EncodeToString([]byte(stsRequest.HTTPRequest.URL.String()))
+	loginData["iam_request_headers"] = base64.StdEncoding.EncodeToString(headersJson)
+	loginData["iam_request_body"] = base64.StdEncoding.EncodeToString(requestBody)
+
+	return loginData, nil
+}
+
+func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
+	mount, ok := m["mount"]
+	if !ok {
+		mount = "aws"
+	}
+
+	role, ok := m["role"]
+	if !ok {
+		role = ""
 	}
-	method := stsRequest.HTTPRequest.Method
-	targetUrl := base64.StdEncoding.EncodeToString([]byte(stsRequest.HTTPRequest.URL.String()))
-	headers := base64.StdEncoding.EncodeToString(headersJson)
-	body := base64.StdEncoding.EncodeToString(requestBody)
 
-	// And pass them on to the Vault server
+	headerValue, ok := m["header_value"]
+	if !ok {
+		headerValue = ""
+	}
+
+	loginData, err := GenerateLoginData(m["aws_access_key_id"], m["aws_secret_access_key"], m["aws_security_token"], headerValue)
+	if err != nil {
+		return "", err
+	}
+	if loginData == nil {
+		return "", fmt.Errorf("got nil response from GenerateLoginData")
+	}
+	loginData["role"] = role
 	path := fmt.Sprintf("auth/%s/login", mount)
-	secret, err := c.Logical().Write(path, map[string]interface{}{
-		"iam_http_request_method": method,
-		"iam_request_url":         targetUrl,
-		"iam_request_headers":     headers,
-		"iam_request_body":        body,
-		"role":                    role,
-	})
+	secret, err := c.Logical().Write(path, loginData)
 
 	if err != nil {
 		return "", err