From 0b22c0534afae2758a010943ef9bc527694ad61f Mon Sep 17 00:00:00 2001
From: Jacob Burroughs
Date: Sat, 7 Dec 2019 17:54:42 -0600
Subject: [PATCH 1/2] Add aws metadata to identity alias

This allows for writing identity token templates that include these attributes (And including these attributes in path templates)
---
 builtin/credential/aws/path_login.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 94e34d631f0c..6725617a8e03 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -839,6 +839,12 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 },
 Alias: &logical.Alias{
 Name: identityAlias,
+ Metadata: map[string]string{
+ "instance_id": identityDocParsed.InstanceID,
+ "region": identityDocParsed.Region,
+ "account_id": identityDocParsed.AccountID,
+ "ami_id": identityDocParsed.AmiID,
+ },
 },
 }
 roleEntry.PopulateTokenAuth(auth)
@@ -1359,6 +1365,16 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 DisplayName: entity.FriendlyName,
 Alias: &logical.Alias{
 Name: identityAlias,
+ Metadata: map[string]string{
+ "client_arn": callerID.Arn,
+ "canonical_arn": entity.canonicalArn(),
+ "client_user_id": callerUniqueId,
+ "auth_type": iamAuthType,
+ "inferred_entity_type": inferredEntityType,
+ "inferred_entity_id": inferredEntityID,
+ "inferred_aws_region": roleEntry.InferredAWSRegion,
+ "account_id": entity.AccountNumber,
+ },
 },
 }
 roleEntry.PopulateTokenAuth(auth)

From c23a8dadbf76dd8670299dfb378b043bd08cf9ef Mon Sep 17 00:00:00 2001
From: Jacob Burroughs
Date: Wed, 8 Jan 2020 20:08:29 -0600
Subject: [PATCH 2/2] Add alias metadata asserstion to IAM login check

---
 builtin/credential/aws/path_login_test.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
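Review bot: The metadata added under `Alias:` is per-login data (`instance_id` and `ami_id` here; `client_arn` and `client_user_id` in the pathLoginUpdateIam hunk below) attached to an alias whose name is `identityAlias`, and the alias naming mode is configured outside this hunk; if that mode can make `identityAlias` a per-role value, every instance or principal logging in through the role shares one alias and each login overwrites the previous login's values, so a path template keyed on `instance_id` or `client_arn` would follow the most recent login rather than the current caller. Worth stating that contract above the map, e.g. `// Alias metadata is replaced on every login; instance- or principal-specific keys are only reliable when the alias is per-instance/per-principal.`, so template authors know which keys are stable for their alias mode. Both enclosing functions start and end outside their hunks.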
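Review bot: `"client_arn": callerID.Arn` exposes the raw caller ARN, which for an assumed-role session is the STS ARN carrying the caller-chosen session name, while `"canonical_arn": entity.canonicalArn()` presumably yields the underlying IAM role ARN; the test added in the second patch only covers an IAM user, where the two strings are identical, so the case where they differ is not exercised. Policy path templates that should bind to a stable principal should use `canonical_arn` or `client_user_id` rather than `client_arn`, and a one-line comment on the entry would steer users there, e.g. `// client_arn may contain a caller-supplied session name; prefer canonical_arn in policy paths.` How `callerID` and `entity` were validated is not visible in this hunk, and pathLoginUpdateIam continues on both sides of it.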
diff --git a/builtin/credential/aws/path_login_test.go b/builtin/credential/aws/path_login_test.go
index effca6efdbc4..59d120d53d41 100644
--- a/builtin/credential/aws/path_login_test.go
+++ b/builtin/credential/aws/path_login_test.go
@@ -7,6 +7,7 @@ import (
 "net/http"
 "net/http/httptest"
 "net/url"
+ "reflect"
 "strings"
 "testing"
 
@@ -231,6 +232,18 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
 t.Fatal(err)
 }
 
+ expectedAliasMetadata := map[string]string{
+ "account_id": "123456789012",
+ "auth_type": "iam",
+ "canonical_arn": "arn:aws:iam::123456789012:user/valid-role",
+ "client_arn": "arn:aws:iam::123456789012:user/valid-role",
+ "client_user_id": "ASOMETHINGSOMETHINGSOMETHING",
+ // Note there is no inferred entity, so these fields should be empty
+ "inferred_aws_region": "",
+ "inferred_entity_id": "",
+ "inferred_entity_type": "",
+ }
+
 // expected errors for certain tests
 missingHeaderErr := errors.New("error validating X-Vault-AWS-IAM-Server-ID header: missing header \"X-Vault-AWS-IAM-Server-ID\"")
 parsingErr := errors.New("error making upstream request: error parsing STS response")
@@ -325,6 +338,10 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
 }
 t.Errorf("un expected failed login:\nresp: %#v\n\nerr: %v", resp, err)
 }
+
+ if !reflect.DeepEqual(expectedAliasMetadata, resp.Auth.Alias.Metadata) {
+ t.Errorf("expected metadata (%#v) to match (%#v)", expectedAliasMetadata, resp.Auth.Alias.Metadata)
+ }
 })
 }
 }
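Review bot: The new `reflect.DeepEqual` check in the third hunk dereferences `resp.Auth.Alias.Metadata` immediately after the `t.Errorf("un expected failed login ...")` branch, and `t.Errorf` does not stop the subtest; if a login unexpectedly fails with `resp == nil` or `resp.Auth == nil` and that block falls through rather than returning, the comparison panics on a nil pointer and the recorded failure message is buried under the panic. Guarding the comparison, `if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil { t.Fatalf("login response has no alias: %#v", resp) }`, or turning the preceding `t.Errorf` into `t.Fatalf`, keeps the failure readable. The enclosing `t.Run` closure begins before this hunk, and `expectedAliasMetadata` is declared in the earlier hunk in the outer test function, so every table case is compared against the same single expectation.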