Make AWS auth roles "roundtrippable" so we can manage them with terraform. #3837
Comments
Hey @tomwilkie -- can you run an experiment? For a new cluster or role, try setting If this works for you, then it should be a simple fix and I'll try to get a PR in soon.
In cases where there doesn't need to be a bound_iam_principal_arn, i.e., either auth_type is ec2 or there are other bindings with the iam auth_type, but it is specified explicitly anyway, Vault tried to parse it to resolve to internal unique IDs. This now checks to ensure that bound_iam_principal_arn is non-empty before attempting to resolve it. Fixes hashicorp#3837
* auth/aws: Fix error with empty bound_iam_principal_arn

  In cases where there doesn't need to be a bound_iam_principal_arn, i.e., either auth_type is ec2 or there are other bindings with the iam auth_type, but it is specified explicitly anyway, Vault tried to parse it to resolve to internal unique IDs. This now checks to ensure that bound_iam_principal_arn is non-empty before attempting to resolve it. Fixes #3837

* Fix extraneous newline
Hi @joelthompson, sorry for the delay. Can confirm the predicted behaviour is correct. Thanks for the quick fix!
Awesome, glad I could help :-)
If I underspecify my AWS auth role in terraform as a vault_generic_secret like this:
I get the following plan-time diff when nothing has changed:
If I instead fully specify the role like this:
I indeed get no plan diff on existing clusters, but I get the following error when I apply to a new cluster:
It seems to me we should support setting the various fields to empty to indicate they are not in use. WDYT?
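As an added illustration of the failure and the fix commit's check (this is constructed example code, not Vault's own source and not from this thread), the role validation is modelled in Go with a minimal syntactic ARN parser standing in for Vault's principal resolver; the struct, function names and sample ARN are assumptions:

```go
package main

import (
	"fmt"
	"strings"
)

// AWSAuthRole holds the two role fields this issue is about; the struct is a
// constructed illustration, not Vault's own type.
type AWSAuthRole struct {
	AuthType             string // "ec2" or "iam"
	BoundIAMPrincipalARN string // may be explicitly set to "" by Terraform
}

// parseIAMPrincipalARN is a minimal syntactic stand-in for Vault's resolver:
// it accepts arn:<partition>:iam::<account>:<type>/<name> and returns account
// and principal. An empty string is rejected, which is what made the apply fail.
func parseIAMPrincipalARN(arn string) (account, principal string, err error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" || parts[3] != "" {
		return "", "", fmt.Errorf("unrecognized IAM principal ARN %q", arn)
	}
	if parts[4] == "" || !strings.Contains(parts[5], "/") {
		return "", "", fmt.Errorf("missing account or principal in %q", arn)
	}
	return parts[4], parts[5], nil
}

// validateRoleBuggy reproduces the pre-fix behaviour: the ARN is resolved
// unconditionally, so an ec2 role with bound_iam_principal_arn = "" errors.
func validateRoleBuggy(r AWSAuthRole) error {
	_, _, err := parseIAMPrincipalARN(r.BoundIAMPrincipalARN)
	return err
}

// validateRoleFixed applies the check from the fix commit: resolve only when
// the field is non-empty. (Vault still requires at least one binding on the
// role; that check is outside this snippet.)
func validateRoleFixed(r AWSAuthRole) error {
	if r.BoundIAMPrincipalARN == "" {
		return nil
	}
	_, _, err := parseIAMPrincipalARN(r.BoundIAMPrincipalARN)
	return err
}

func main() {
	ec2 := AWSAuthRole{AuthType: "ec2", BoundIAMPrincipalARN: ""} // fully specified, empty binding
	fmt.Println("before fix:", validateRoleBuggy(ec2), "| after fix:", validateRoleFixed(ec2))
}
```

The fully specified ec2 role that Terraform writes (with the binding set to an empty string) fails the pre-fix check and passes the fixed one, while a malformed non-empty ARN is still rejected by both.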