cerberus_client 1.5.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32da4fb6aa9706e174e9154fc9cb95277b7770cd
-  data.tar.gz: 14ff733b72332d7798f6af3d6ce25def20fcd930
+  metadata.gz: e2a7a6136f4da9d17b5b9d4622a9da222f194caf
+  data.tar.gz: 3711fd81590a62ae5cf734e29320344125a3f07a
 SHA512:
-  metadata.gz: 90c060df8f17ef79ebbb6e9bc694c4654af3fb3b6df0a49e26596381def2bb80621d334b87db21cde4d4320fc429646db9ec16b19a5fffbbb52c6ec75ab1106d
-  data.tar.gz: fe097090f4e863a0b1010fbc813fadbd847ce131445f51befadf23274df13cb866ecf5c9bc36afc653e3a382a2d7f9a0d0f4a2c5784294837422faee90a04cab
+  metadata.gz: 87b641d09dc280510f4f1cc739e306a615d91f4e4eeec221c2d4594e965331f5ef956ea3a4c8ce47118e242b671bbcb7ce6f845fd59bc07e993890fc985ff8f1
+  data.tar.gz: eafaa3f634a9adaeece7ef0a48e940a90901c53628da6384f2cec71799becfe877399088c0979617eb7e941f27f027fe5837eb8beae020157b6aa3d4092dca73

data/README.md

@@ -5,7 +5,7 @@
 [![Build](https://travis-ci.org/Nike-Inc/cerberus-ruby-client.svg?branch=master)](https://travis-ci.org/Nike-Inc/cerberus-ruby-client)
 
 
-This is a Ruby based client library for communicating with Vault via HTTP and enables authentication schemes specific
+This is a Ruby based client library for communicating with Ceberus via HTTP and enables authentication schemes specific
 to AWS and Cerberus.
 
 This client currently supports read-only operations (write operations are not yet implemented, feel free to open a
@@ -39,7 +39,11 @@ $ gem install cerberus_client
 Please start by reading the [Cerberus quick start guide](http://engineering.nike.com/cerberus/docs/user-guide/quick-start).
 
 ```ruby
-vaultClient = CerberusClient::getVaultClient()
+cerberus_client = CerberusClient::get_default_cerberus_client()
+```
+
+```ruby
+cerberus_client = CerberusClient::get_cerberus_client_for_assumed_role(Cerberus::DefaultUrlResolver.new, "arn:aws:iam::<account_id>:role/<role_name>", "us-west-2")
 ```
 
 There are two ways Cerberus clients are typically used:
@@ -49,7 +53,7 @@ There are two ways Cerberus clients are typically used:
 
 ### Local Development
 
-The example Ruby code above uses the DefaultUrlResolver to resolve the URL for Vault. For that to succeed, the
+The example Ruby code above uses the DefaultUrlResolver to resolve the URL for Cerberus. For that to succeed, the
 environment variable, CERBERUS_ADDR, must be set:
 ```bash
 export CERBERUS_ADDR=https://cerberus.example.com
@@ -60,12 +64,12 @@ export CERBERUS_ADDR=https://localhost:9001
 ```
 
 The example above also use the DefaultCredentialsProviderChain which is used to resolve the token needed to interact
-with Vault. This chain will first look to see if an environemnt variable has been set with a vault token, e.g.
+with Cerberus. This chain will first look to see if an environemnt variable has been set with a cerberus token, e.g.
 ```bash
 export CERBERUS_TOKEN=9cfced14-91ae-e3ad-5b9d-1cae6c82362d
 ```
 
-Increment the version and add `.rc.1` to the end in the `lib/cerberus_client/version.rb` file.
+Increment the version and add `.rc.1` to the end in the `lib/cerberus_utils/version.rb` file.
 
 Then build and install the gem locally:
 
@@ -86,7 +90,7 @@ Then open Interactive Ruby:
 % irb
 
 2.2.2 :001 > require 'cerberus_client'
-2.2.2 :001 > vaultClient = CerberusClient::getDefaultVaultClient()
+2.2.2 :001 > vaultClient = CerberusClient::get_default_vault_client()
 2.2.2 :001 > vaultClient.read("app/example/test")
 ```
 

data/cerberus_client.gemspec

@@ -1,16 +1,16 @@
 # coding: utf-8
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'cerberus_client/version'
+require 'cerberus_utils/version'
 
 Gem::Specification.new do |spec|
   spec.name          = "cerberus_client"
-  spec.version       = CerberusClient::VERSION
-  spec.authors       = ["Joe Teibel"]
-  spec.email         = ["joe.teibel@nike.com"]
+  spec.version       = CerberusUtils::VERSION
+  spec.authors       = ["Shaun Ford", "Joe Teibel"]
+  spec.email         = ["shaun.ford@nike.com"]
 
   spec.summary       = ["A Ruby Client for Cerberus, a secure property store for cloud applications"]
-  spec.description   = "This is a Ruby based client library for communicating with Vault via HTTP and enables authentication schemes specific to AWS and Cerberus. This client currently supports read-only operations (write operations are not yet implemented, feel free to open a pull request to implement write operations). To learn more about Cerberus, please visit the Cerberus website."
+  spec.description   = "This is a Ruby based client library for communicating with Cerberus via HTTP and enables authentication schemes specific to AWS and Cerberus. This client currently supports read-only operations (write operations are not yet implemented, feel free to open a pull request to implement write operations). To learn more about Cerberus, please visit the Cerberus website."
   spec.homepage      = "https://github.com/Nike-Inc/cerberus-ruby-client"
   spec.license       = "Apache License Version 2"
 

data/lib/cerberus/assumed_role_credentials_provider_chain.rb

@@ -1,8 +1,9 @@
 require_relative('../cerberus_client')
-require_relative('../cerberus_client/log')
+require_relative('../cerberus_utils/utils')
+require_relative('../cerberus_utils/log')
 require_relative('exception/no_value_error')
 require_relative('exception/no_valid_providers')
-require_relative('aws_role_credentials_provider')
+require_relative('aws_assumed_role_credentials_provider')
 require_relative('env_credentials_provider')
 
 module Cerberus
@@ -11,24 +12,23 @@ module Cerberus
   # Default credentials provider chain
   ##
   class AssumedRoleCredentialsProviderChain
-    def initialize(urlResolver, instanceMdSvcBaseUrl = nil, roleName, roleRegion, roleAccountId)
-      vaultBaseUrl = CerberusClient.getUrlFromResolver(urlResolver)
+    def initialize(url_resolver, iam_role_arn, region)
 
       # return default array of providers
       @providers = [Cerberus::EnvCredentialsProvider.new,
-                    Cerberus::AwsRoleCredentialsProvider.new(vaultBaseUrl, instanceMdSvcBaseUrl, roleName, roleRegion, roleAccountId)]
+                    Cerberus::AwsAssumeRoleCredentialsProvider.new(url_resolver, iam_role_arn, region)]
     end
 
 
     ##
     # Return the first provider in the default hierarchy that has a valid token
     ##
-    def getCredentialsProvider
+    def get_credentials_provider
       @providers.each { |p|
         begin
           # if token is assigned, that's the provider we want.
           # providers must throw NoValueError so that we can fall to the next provider if necessary
-          CerberusClient.getCredentialsFromProvider(p)
+          CerberusUtils::get_credentials_from_provider(p)
           return p
 
         rescue Cerberus::Exception::NoValueError
@@ -37,7 +37,7 @@ module Cerberus
       }
 
       # we should have found and returned a valid provider above, else there's a problem
-      CerberusClient::Log.instance.error("Could not find a valid provider")
+      CerberusUtils::Log.instance.error("Could not find a valid provider")
       raise Cerberus::Exception::NoValidProviders.new
     end
   end

data/lib/cerberus/aws_assumed_role_credentials_provider.rb

@@ -0,0 +1,144 @@
+module Cerberus
+
+  require_relative('../cerberus_utils/log')
+  require_relative('../cerberus_utils/http')
+  require_relative('../cerberus_utils/utils')
+  require_relative('../cerberus_client')
+  require_relative('exception/no_value_error')
+  require_relative('exception/http_error')
+  require_relative('cerberus_client_token')
+  require_relative('cerberus_auth_info')
+  require('aws-sdk')
+  require('net/http')
+  require('json')
+  require('base64')
+  require('securerandom')
+
+  ##
+  # The AWS IAM role credentials provider
+  # 
+  # Tries to authenticate with Cerberus using the given IAM role
+  ##
+  class AwsAssumeRoleCredentialsProvider
+
+    # relative URI to get encrypted auth data from Cerberus
+    ROLE_AUTH_REL_URI = "/v2/auth/iam-principal"
+    # reference into the decrypted auth data json we get from Cerberus
+    CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY = "client_token"
+    CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"
+    CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"
+
+    $stdout.sync = true 
+    LOGGER = CerberusUtils::Log.instance
+
+    ##
+    # Init AWS role provider - needs cerberus base url.  Instance metadata service url is optional to make unit tests
+    # easier and so we can provide a hook to set this via config as needed
+    ##
+    def initialize(cerberus_url_resolver, iam_role_arn, region)
+      @cerberus_base_url = CerberusUtils::get_url_from_resolver(cerberus_url_resolver)
+      @client_token = nil
+      @cerberus_auth_info = get_assumed_role_info(iam_role_arn, region)
+
+      LOGGER.debug("AwsAssumeRoleCredentialsProvider initialized with cerberus base url #{@cerberus_base_url}")
+    end
+
+    ##
+    # Get credentials using AWS IAM role
+    ##
+    def get_client_token
+
+      if (@cerberus_auth_info.nil?)
+        LOGGER.warn("Instance metadata URL is nil for role provider!")
+        raise Cerberus::Exception::NoValueError
+      end
+
+      if (@client_token.nil?)
+        @client_token = get_credentials_from_cerberus
+      end
+
+      # using two if statements here just to make the logging easier..
+      # the above we expect on startup, expiration is an interesting event worth a debug log all its own
+      if (@client_token.expired?)
+        LOGGER.debug("Existing ClientToken has expired - refreshing from Cerberus...")
+        @client_token = get_credentials_from_cerberus
+      end
+
+      return @client_token.authToken
+
+    end
+
+    private
+
+    ##
+    # Get an CerberusAuthInfo object from the provided data
+    ##
+    def get_assumed_role_info(iam_role_arn, region)
+
+      begin
+        num_chars = 10  # magic number - shouldn't be too long to avoide session name length limits
+        random_string = SecureRandom.hex(num_chars/2)  # hex method produces double the inputted num
+        assume_role_session_name = "cerb-assume-role-session-#{random_string}"
+
+        LOGGER.debug("role: #{iam_role_arn}")
+        LOGGER.debug("region: #{region}")
+        LOGGER.debug("session name: #{assume_role_session_name}")
+
+        role_creds = Aws::AssumeRoleCredentials.new(
+            client: Aws::STS::Client.new(region: region),
+            role_arn: iam_role_arn,
+            role_session_name: assume_role_session_name)
+
+        return CerberusAuthInfo.new(iam_role_arn, region, credentials: role_creds)
+      rescue
+        LOGGER.error("Failed to assume role: #{iam_role_arn}, region: #{region}")
+        return nil
+      end
+    end
+
+    ##
+    # Reach out to the Cerberus management service and get an auth token
+    ##
+    def get_credentials_from_cerberus
+      LOGGER.debug("Authenticating with assumed role...")
+      begin
+        authData = do_auth_with_cerberus(@cerberus_auth_info.iam_principal_arn, @cerberus_auth_info.region)
+
+        LOGGER.debug("Got auth data from Cerberus. Attempting to decrypt...")
+
+        # decrypt the data we got from cerberus to get the cerberus token
+        kms = Aws::KMS::Client.new(region: @cerberus_auth_info.region, credentials: @cerberus_auth_info.credentials[:credentials])
+
+        decryptedAuthDataJson = JSON.parse(kms.decrypt(ciphertext_blob: Base64.decode64(authData)).plaintext)
+
+        LOGGER.debug("Decrypt successful. Passing back Cerberus auth token.")
+        # pass back a credentials object that will allow us to reuse it until it expires
+        CerberusClientToken.new(decryptedAuthDataJson[CERBERUS_AUTH_DATA_CLIENT_TOKEN_KEY],
+                                decryptedAuthDataJson[CERBERUS_AUTH_DATA_LEASE_DURATION_KEY],
+                                decryptedAuthDataJson[CERBERUS_AUTH_DATA_POLICIES_KEY])
+
+      rescue Cerberus::Exception::HttpError
+        # catch http errors here and assert no value
+        # this may not actually be the case, there are legitimate reasons HTTP can fail when it "should" work
+        # but this is handled by logging - a warning is set in the log in during the HTTP call
+        LOGGER.error("Failed to authenticate with assumed role: #{@cerberus_auth_info.iam_principal_arn},
+           region: #{@cerberus_auth_info.region}.")
+        raise Cerberus::Exception::NoValueError
+      end
+    end
+
+    ##
+    #
+    ##
+    def do_auth_with_cerberus(iam_principal_arn, region)
+      post_json_data = JSON.generate({:iam_principal_arn => iam_principal_arn, :region => region})
+      auth_url = URI(@cerberus_base_url + ROLE_AUTH_REL_URI)
+      use_ssl = ! @cerberus_base_url.include?("localhost")
+      auth_response = CerberusUtils::Http.new.make_http_call(auth_url, 'POST', use_ssl, post_json_data)
+      # if we got this far, we should have a valid response with encrypted data
+      # send back the encrypted data
+      JSON.parse(auth_response.body)['auth_data']
+    end
+
+  end
+end

data/lib/cerberus/aws_principal_credentials_provider.rb

@@ -1,34 +1,37 @@
 module Cerberus
 
-  require_relative('../cerberus_client/log')
-  require_relative('../cerberus_client/http')
+  require_relative('../cerberus_utils/log')
+  require_relative('../cerberus_utils/http')
+  require_relative('../cerberus_utils/utils')
   require_relative('../cerberus_client')
   require_relative('exception/no_value_error')
   require_relative('exception/http_error')
   require_relative('cerberus_client_token')
-  require_relative('aws_role_info')
+  require_relative('cerberus_auth_info')
   require('aws-sdk')
   require('net/http')
   require('json')
   require('base64')
 
   ##
-  # The AWS IAM role credentials provider
+  # The AWS IAM principal credentials provider
+  #
+  # Tries to authenticate with Cerberus using the IAM role of the EC2 instance
   ##
   class AwsPrincipalCredentialsProvider
 
     # AWS metadata instance URL
-    INSTANCE_METADATA_SVC_BASE_URL = "http://169.254.169.254/latest/meta-data"
+    AWS_EC2_METADATA_URL = "http://169.254.169.254/latest/meta-data"
     # relative URI to look up AZ in AWS metadata svc
     REGION_REL_URI = "/placement/availability-zone"
     # relative URI to look up IAM role in AWS metadata svc
-    IAM_ROLE_INFO_REL_URI = "/iam/info"
+    EC2_INSTNACE_PROFILE_REL_URI = "/iam/info"
     # reference into the metadata data json we get to look up IAM role
-    IAM_ROLE_ARN_KEY = 'InstanceProfileArn'
+    EC2_INSTANCE_PROFILE_ARN_KEY = 'InstanceProfileArn'
     # relative URI to look up IAM role in AWS metadata svc
     IAM_ROLE_NAME_REL_URI = "/iam/security-credentials/"
     # magic number is the index into a split role ARN to grab the acccount ID
-    ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM = 4
+    ROLE_ARN_ARRAY_INDEX_OF_ACCOUNT_NUM = 4
     # magic number is the index into a split role ARN to grab the role name
     ROLE_ARN_ARRAY_INDEX_OF_ROLENAME = 1
     # relative URI to get encrypted auth data from Cerberus
@@ -38,86 +41,106 @@ module Cerberus
     CERBERUS_AUTH_DATA_LEASE_DURATION_KEY = "lease_duration"
     CERBERUS_AUTH_DATA_POLICIES_KEY = "policies"
 
-    LOGGER = CerberusClient::Log.instance
+    $stdout.sync = true
+    LOGGER = CerberusUtils::Log.instance
 
     ##
-    # Init AWS principal provider - needs vault base url
+    # Init AWS principal provider - needs cerberus base url
     ##
-    def initialize(vaultBaseUrl)
-      @vaultBaseUrl = vaultBaseUrl
-      @clientToken = nil
-      @role = get_role_info
+    def initialize(cerberus_url_resolver, region = nil, instance_metadata_url = AWS_EC2_METADATA_URL)
+      @cerberus_base_url = CerberusUtils::get_url_from_resolver(cerberus_url_resolver)
+      @client_token = nil
+      @instance_metadata_url = instance_metadata_url
+      @cerberus_auth_info = get_cerberus_auth_info(instance_metadata_url, region)
 
-      LOGGER.debug("AwsPrincipalCredentialsProvider initialized with vault base url #{@vaultBaseUrl}")
+      LOGGER.debug("AwsPrincipalCredentialsProvider initialized with cerberus base url #{@cerberus_base_url}")
     end
 
     ##
     # Get credentials using AWS IAM role
     ##
-    def getClientToken
+    def get_client_token
 
-      if (@role.nil?)
+      if (@cerberus_auth_info.nil?)
         raise Cerberus::Exception::NoValueError
       end
 
-      if (@clientToken.nil?)
-        @clientToken = getCredentialsFromCerberus
+      if (@client_token.nil?)
+        @client_token = get_credentials_from_cerberus
       end
 
-      # using two if statements here just to make the logging easier..
-      # the above we expect on startup, expiration is an interesting event worth a debug log all its own
-      if (@clientToken.expired?)
-        LOGGER.debug("Existing ClientToken has expired - refreshing from Cerberus...")
-        @clientToken = getCredentialsFromCerberus
+      # using two if statements for nil v. expired makes logging easier..
+      # the above we expect on startup, expiration is worth its own logging
+      if (@client_token.expired?)
+        LOGGER.debug("Existing client token has expired - refreshing from Cerberus...")
+        @client_token = get_credentials_from_cerberus
       end
 
-      return @clientToken.authToken
+      return @client_token.authToken
 
     end
 
     private
 
     ##
-    # Uses provided data to determine how to construct the AwsRoleInfo use by this provider
+    # Uses provided data to determine how to construct the CerberusAuthInfo for use by this provider
     ##
-    def get_role_info
-      begin
-        return get_role_from_instance_metadata
-      rescue Cerberus::Exception::HttpError
-        return nil
+    def get_cerberus_auth_info(instance_metadata_url, region)
+      LOGGER.debug("Getting IAM role info...")
+
+      # if we have no metedata about how to auth, we do nothing
+      # this is used in unit testing primarily
+      if (instance_metadata_url.nil?)
+        LOGGER.warn("Instance metadata URL is nil for role provider!")
+        return nil;     
+      else
+        # collect instance metadata we need to auth with Cerberus
+        return get_role_from_ec2_metadata(region)
       end
     end
 
     ##
     # Use the instance metadata to extract the role information
+    #
+    # Gets the IAM role name and account ID in a weird way due to how the
+    # EC2 Metadata service disjointly provides the data
+    #
     # This function should only be called from an EC2 instance otherwise the http
     # call will fail.
     ##
-    def get_role_from_instance_metadata
-      role_arn = getIAMRoleARN
-      region = getRegionFromAZ(getAvailabilityZone)
-      account_id = getAccountIdFromRoleARN(role_arn)
-      role_name = getIAMRoleName
-
-      LOGGER.debug("roleARN #{role_arn}")
-      LOGGER.debug("region #{region}")
-      LOGGER.debug("accountId #{account_id}")
-      LOGGER.debug("roleName #{role_name}")
-
-      return AwsRoleInfo.new(role_name, region, account_id, nil)
+    def get_role_from_ec2_metadata(region)
+      begin
+        # instance_profile_arn = get_instance_profile_arn
+        # account_id = get_account_id_from_principal_arn(instance_profile_arn)
+        sts_client = Aws::STS::Client.new
+        account_id = sts_client.get_caller_identity().account
+        role_name = get_iam_role_name
+        aws_region = region.nil? ? get_region_from_az(get_availability_zone): region
+        
+        iam_role_arn = "arn:aws:iam::#{account_id}:role/#{role_name}"
+
+        LOGGER.debug("IAM Principal ARN: #{iam_role_arn}")
+        LOGGER.debug("AWS Region: #{aws_region}")
+
+        return CerberusAuthInfo.new(iam_role_arn, aws_region, nil)
+      rescue Cerberus::Exception::HttpError
+        LOGGER.error("Failed to get instance IAM role infor from metadata service")
+        return nil
+      end
     end
 
     ##
     # Reach out to the Cerberus management service and get an auth token
     ##
-    def getCredentialsFromCerberus
+    def get_credentials_from_cerberus
+      LOGGER.debug("Authenticating with instance IAM role...")
       begin
-        authData = doAuthWithCerberus(@role.account_id, @role.name, @role.region)
+        authData = authenticate_with_cerberus(@cerberus_auth_info.iam_principal_arn, @cerberus_auth_info.region)
 
         LOGGER.debug("Got auth data from Cerberus. Attempting to decrypt...")
 
-        # decrypt the data we got from cerberus to get the vault token
-        kms = Aws::KMS::Client.new(region: @role.region)
+        # decrypt the data we got from cerberus to get the cerberus token
+        kms = Aws::KMS::Client.new(region: @cerberus_auth_info.region)
 
         decryptedAuthDataJson = JSON.parse(kms.decrypt(ciphertext_blob: Base64.decode64(authData)).plaintext)
 
@@ -135,19 +158,11 @@ module Cerberus
       end
     end
 
-    ##
-    # Get the AWS account ID from the role ARN
-    # Expects formatting [some value]:[some value]:[some value]::[account id]
-    ##
-    def getAccountIdFromRoleARN(roleARN)
-      roleARN.split(':')[ROLE_ARN_ARRAY_INDEX_OF_ACCOUNTNUM]
-    end
-
     ##
     # Get the role name from EC@ Metadata
     ##
-    def getIAMRoleName
-      response = doHttpToMDService(IAM_ROLE_NAME_REL_URI)
+    def get_iam_role_name
+      response = call_ec2_metadata_service(IAM_ROLE_NAME_REL_URI)
       response.body
     end
 
@@ -155,23 +170,31 @@ module Cerberus
     # Read the IAM role ARN from the instance metadata
     # Will throw an HTTP exception if there is no IAM role associated with the instance
     ##
-    def getIAMRoleARN
-      response = doHttpToMDService(IAM_ROLE_INFO_REL_URI)
-      jsonResponseBody = JSON.parse(response.body)
-      jsonResponseBody[IAM_ROLE_ARN_KEY]
+    def get_instance_profile_arn
+      response = call_ec2_metadata_service(EC2_INSTNACE_PROFILE_REL_URI)
+      json_response_body = JSON.parse(response.body)
+      json_response_body[EC2_INSTANCE_PROFILE_ARN_KEY]
+    end
+
+    ##
+    # Get the AWS account ID from the role ARN
+    # Expects formatting [some value]:[some value]:[some value]::[account id]
+    ##
+    def get_account_id_from_principal_arn(principal_arn)
+      principal_arn.split(':')[ROLE_ARN_ARRAY_INDEX_OF_ACCOUNT_NUM]
     end
 
     ##
     # Get the region from AWS instance metadata
     ##
-    def getAvailabilityZone
-      doHttpToMDService(REGION_REL_URI).body
+    def get_availability_zone
+      call_ec2_metadata_service(REGION_REL_URI).body
     end
 
     ##
     # Get region from AZ
     ##
-    def getRegionFromAZ(az)
+    def get_region_from_az(az)
       az[0, az.length-1]
     end
 
@@ -179,22 +202,22 @@ module Cerberus
     # Call the instance metadata service with a relative URI and return the response if the call succeeds
     # else throw an IOError for non-2xx responses and RuntimeError for any exceptions down the stack
     ##
-    def doHttpToMDService(relUri)
-      url = URI(INSTANCE_METADATA_SVC_BASE_URL + relUri)
-      CerberusClient::Http.new.doHttp(url, 'GET', false)
+    def call_ec2_metadata_service(relative_uri)
+      url = URI(@instance_metadata_url + relative_uri)
+      CerberusUtils::Http.new.make_http_call(url, 'GET', false)
     end
 
     ##
     #
     ##
-    def doAuthWithCerberus(accountId, roleName, region)
-      postJsonData = JSON.generate({:iam_principal_arn => "arn:aws:iam::#{accountId}:role/#{roleName}", :region => region})
-      authUrl = URI(@vaultBaseUrl + ROLE_AUTH_REL_URI)
-      useSSL = ! ("#{@vaultBaseUrl}".include? "localhost")
-      authResponse = CerberusClient::Http.new.doHttp(authUrl, 'POST', useSSL, postJsonData)
+    def authenticate_with_cerberus(iam_principal_arn, region)
+      post_json_data = JSON.generate({:iam_principal_arn => iam_principal_arn, :region => region})
+      auth_url = URI(@cerberus_base_url + ROLE_AUTH_REL_URI)
+      use_ssl = ! @cerberus_base_url.include?("localhost")
+      auth_response = CerberusUtils::Http.new.make_http_call(auth_url, 'POST', use_ssl, post_json_data)
       # if we got this far, we should have a valid response with encrypted data
       # send back the encrypted data
-      JSON.parse(authResponse.body)['auth_data']
+      JSON.parse(auth_response.body)['auth_data']
     end
 
   end