Skip to content

Commit

Permalink
backport of commit 5b845c8
Browse files Browse the repository at this point in the history
  • Loading branch information
@thegatsbylofiexperience
thegatsbylofiexperience authored Apr 29, 2024
1 parent 70cd973 commit 2be73f5
Show file tree
Hide file tree
Showing 5 changed files with 38 additions and 34 deletions.
15 changes: 8 additions & 7 deletions builtin/credential/aws/path_config_identity.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ func (b *backend) pathConfigIdentity() *framework.Path {
"iam_alias": {
Type: framework.TypeString,
Default: identityAliasIAMUniqueID,
Description: fmt.Sprintf("Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are %q, %q, and %q. Defaults to %q.", identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasRoleID),
Description: fmt.Sprintf("Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are %q, %q, %q and %q. Defaults to %q.", identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasIAMCanonicalArn, identityAliasRoleID),
},
iamAuthMetadataFields.FieldName: authmetadata.FieldSchema(iamAuthMetadataFields),
"ec2_alias": {
Expand Down Expand Up @@ -150,7 +150,7 @@ func pathConfigIdentityUpdate(ctx context.Context, req *logical.Request, data *f
iamAliasRaw, ok := data.GetOk("iam_alias")
if ok {
iamAlias := iamAliasRaw.(string)
allowedIAMAliasValues := []string{identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn}
allowedIAMAliasValues := []string{identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasIAMCanonicalArn}
if !strutil.StrListContains(allowedIAMAliasValues, iamAlias) {
return logical.ErrorResponse(fmt.Sprintf("iam_alias of %q not in set of allowed values: %v", iamAlias, allowedIAMAliasValues)), nil
}
Expand Down Expand Up @@ -194,11 +194,12 @@ type identityConfig struct {
}

const (
identityAliasIAMUniqueID = "unique_id"
identityAliasIAMFullArn = "full_arn"
identityAliasEC2InstanceID = "instance_id"
identityAliasEC2ImageID = "image_id"
identityAliasRoleID = "role_id"
identityAliasIAMUniqueID = "unique_id"
identityAliasIAMFullArn = "full_arn"
identityAliasIAMCanonicalArn = "canonical_arn"
identityAliasEC2InstanceID = "instance_id"
identityAliasEC2ImageID = "image_id"
identityAliasRoleID = "role_id"
)

const pathConfigIdentityHelpSyn = `
Expand Down
2 changes: 2 additions & 0 deletions builtin/credential/aws/path_login.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1397,6 +1397,8 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
identityAlias = callerUniqueId
case identityAliasIAMFullArn:
identityAlias = callerID.Arn
case identityAliasIAMCanonicalArn:
identityAlias = entity.canonicalArn()
}

// If we're just looking up for MFA, return the Alias info
Expand Down
11 changes: 6 additions & 5 deletions website/content/api-docs/auth/aws.mdx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -203,16 +203,17 @@ This configures the way that Vault interacts with the
### Parameters

- `iam_alias` `(string: "role_id")` - How to generate the identity alias when
using the `iam` auth method. Valid choices are `role_id`, `unique_id`, and
`full_arn` When `role_id` is selected, the randomly generated ID of the Vault role
using the `iam` auth method. Valid choices are `role_id`, `unique_id`, `canonical_arn` and
`full_arn`. When `role_id` is selected, the randomly generated ID of the Vault role
is used. When `unique_id` is selected, the [IAM Unique
ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers#identifiers-unique-ids)
of the IAM principal (either the user or role) is used as the identity alias
name. When `full_arn` is selected, the ARN returned by the
`sts:GetCallerIdentity` call is used as the alias name. This is either
name. When `canonical_arn` is selected, the role ARN returned by the `sts:GetCallerIdentity`call
will be used. This will be `arn:aws:iam::<account_id>:role/<role name>`. When `full_arn` is selected,
the ARN returned by the `sts:GetCallerIdentity` call is used as the alias name. This is either
`arn:aws:iam::<account_id>:user/<optional_path/><user_name>` or
`arn:aws:sts::<account_id>:assumed-role/<role_name_without_path>/<role_session_name>`.
**Note**: if you select `full_arn` and then delete and recreate the IAM role,
**Note**: if you select `canonical_arn` or `full_arn` and then delete and recreate the IAM role,
Vault won't be aware and any identity aliases set up for the role name will
still be valid.

Expand Down
2 changes: 1 addition & 1 deletion website/content/docs/concepts/identity.mdx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ a particular auth mount point.
| ------------------- | --------------------------------------------------------------------------------------------------- |
| AliCloud | Principal ID |
| AppRole | Role ID |
| AWS IAM | Configurable via `iam_alias` to one of: Role ID (default), IAM unique ID, Full ARN |
| AWS IAM | Configurable via `iam_alias` to one of: Role ID (default), IAM unique ID, Canonical ARN, Full ARN |
| AWS EC2 | Configurable via `ec2_alias` to one of: Role ID (default), EC2 instance ID, AMI ID |
| Azure | Subject (from JWT claim) |
| Cloud Foundry | App ID |
Expand Down
42 changes: 21 additions & 21 deletions website/content/partials/authn-names.mdx
View file
Original file line number Diff line number Diff line change
@@ -1,24 +1,24 @@
In addition to custom authentication methods configured with secure plugins,
Vault supports many standardized authentication methods by default.

| AuthN method | Unique ID | Configured with |
|-------------------------------------------------------------------------|-----------------------------------------------------|---------------------|
| [AliCloud](/vault/docs/auth/alicloud) | Principal ID | Not configurable |
| [AppRole](/vault/api-docs/auth/approle#create-update-approle) | Role ID | Not configurable |
| [AWS IAM](/vault/docs/auth/aws#iam-auth-method) | Vault Role ID (default), IAM unique ID, Full ARN | `iam_alias` |
| [AWS EC2](/vault/docs/auth/aws#ec2-auth-method) | Vault Role ID (default), EC2 instance ID, AMI ID | `ec2_alias` |
| [Azure](/vault/api-docs/auth/azure#create-role) | Subject (from JWT claim) | Not configurable |
| [Cloud Foundry](/vault/docs/auth/cf) | App ID | Not configurable |
| [GitHub](/vault/docs/auth/github) | User login name associated with token | Not configurable |
| [Google Cloud](/vault/api-docs/auth/gcp#create-role) | Vault Role ID (default), Service account unique ID | `iam_alias` |
| [JWT/OIDC](/vault/api-docs/auth/jwt#create-role) | The presented claims (no default value) | `user_claim` |
| [Kerberos](/vault/docs/auth/kerberos) | Username | Not configurable |
| [Kubernetes](/vault/api-docs/auth/kubernetes#create-role) | Service account UID (default), Service account Name | `alias_name_source` |
| [LDAP](/vault/docs/auth/ldap) | Username | Not configurable |
| [OCI](/vault/api-docs/auth/oci#create-role) | Rolename | Not configurable |
| [Okta](/vault/api-docs/auth/okta#register-user) | Username | Not configurable |
| [RADIUS](/vault/docs/auth/radius) | Username | Not configurable |
| [SAML](/vault/docs/auth/saml) | Assertion Subject | Not configurable |
| [TLS Certificate](/vault/api-docs/auth/cert#create-ca-certificate-role) | Subject CommonName | Not configurable |
| [Token](/vault/docs/auth/token) | `entity_alias` | Not configurable |
| [Username/Password](/vault/api-docs/auth/userpass#create-update-user) | Username | Not configurable |
| AuthN method | Unique ID | Configured with |
|-------------------------------------------------------------------------|---------------------------------------------------------------------|---------------------|
| [AliCloud](/vault/docs/auth/alicloud) | Principal ID | Not configurable |
| [AppRole](/vault/api-docs/auth/approle#create-update-approle) | Role ID | Not configurable |
| [AWS IAM](/vault/docs/auth/aws#iam-auth-method) | Vault Role ID (default), IAM unique ID, Canonical ARN, Full ARN | `iam_alias` |
| [AWS EC2](/vault/docs/auth/aws#ec2-auth-method) | Vault Role ID (default), EC2 instance ID, AMI ID | `ec2_alias` |
| [Azure](/vault/api-docs/auth/azure#create-role) | Subject (from JWT claim) | Not configurable |
| [Cloud Foundry](/vault/docs/auth/cf) | App ID | Not configurable |
| [GitHub](/vault/docs/auth/github) | User login name associated with token | Not configurable |
| [Google Cloud](/vault/api-docs/auth/gcp#create-role) | Vault Role ID (default), Service account unique ID | `iam_alias` |
| [JWT/OIDC](/vault/api-docs/auth/jwt#create-role) | The presented claims (no default value) | `user_claim` |
| [Kerberos](/vault/docs/auth/kerberos) | Username | Not configurable |
| [Kubernetes](/vault/api-docs/auth/kubernetes#create-role) | Service account UID (default), Service account Name | `alias_name_source` |
| [LDAP](/vault/docs/auth/ldap) | Username | Not configurable |
| [OCI](/vault/api-docs/auth/oci#create-role) | Rolename | Not configurable |
| [Okta](/vault/api-docs/auth/okta#register-user) | Username | Not configurable |
| [RADIUS](/vault/docs/auth/radius) | Username | Not configurable |
| [SAML](/vault/docs/auth/saml) | Assertion Subject | Not configurable |
| [TLS Certificate](/vault/api-docs/auth/cert#create-ca-certificate-role) | Subject CommonName | Not configurable |
| [Token](/vault/docs/auth/token) | `entity_alias` | Not configurable |
| [Username/Password](/vault/api-docs/auth/userpass#create-update-user) | Username | Not configurable |

0 comments on commit 2be73f5

Please sign in to comment.