From c2f95099f203b76f56b0ec56bc93e08a076827e8 Mon Sep 17 00:00:00 2001
From: Tom Davies
Date: Mon, 26 Jun 2023 21:00:07 +0000
Subject: [PATCH 1/3] backport of commit 4034bb2b3eba81ea13bf6d3a62d27094d96ffc24

---
 agent/connect/ca/provider_vault_auth_aws.go | 10 ++++++++++
 agent/connect/ca/provider_vault_auth_test.go | 17 ++++++++++++++---
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/agent/connect/ca/provider_vault_auth_aws.go b/agent/connect/ca/provider_vault_auth_aws.go
index 6188b2cf2e2..c9efec4ed48 100644
--- a/agent/connect/ca/provider_vault_auth_aws.go
+++ b/agent/connect/ca/provider_vault_auth_aws.go
@@ -69,6 +69,16 @@ func (g *AWSLoginDataGenerator) GenerateLoginData(authMethod *structs.VaultAuthM
 	if err != nil {
 		return nil, fmt.Errorf("aws auth failed to generate login data: %w", err)
 	}
+	if loginData == nil {
+		return nil, fmt.Errorf("got nil response from GenerateLoginData")
+	}
+
+	// If a Vault role name is specified, we need to manually add this
+	role, ok := authMethod.Params["role"]
+	if ok {
+		loginData["role"] = role
+	}
+
 	return loginData, nil
 }
 
diff --git a/agent/connect/ca/provider_vault_auth_test.go b/agent/connect/ca/provider_vault_auth_test.go
index e1398eeb3bb..d9971c6930b 100644
--- a/agent/connect/ca/provider_vault_auth_test.go
+++ b/agent/connect/ca/provider_vault_auth_test.go
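Review bot: The value read from `authMethod.Params["role"]` is forwarded into the login payload untyped, so a role that was configured as a non-string (or as an empty string) is still sent and only fails later at Vault with a less direct error; the new block could assert the type at the point of lookup, `role, ok := authMethod.Params["role"].(string)` followed by `if ok && role != "" {`, which keeps the behaviour the series tests (a plain string role) unchanged. The comment on the new lines says what the code does but not why the role has to be added "manually"; something like `// Forward the configured Vault role, if any; the AWS helper does not put it in the login payload on its own.` would carry the reason the changelog gives. GenerateLoginData starts before this hunk, so where loginData and err come from is not visible here.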
@@ -269,15 +269,22 @@ func TestVaultCAProvider_AWSCredentialsConfig(t *testing.T) {
 
 func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
 	cases := map[string]struct {
-		expErr error
+		expErr error
+		authMethod structs.VaultAuthMethod
 	}{
-		"valid login data": {},
+		"valid login data": {
+			authMethod: structs.VaultAuthMethod{},
+		},
+		"with role": {
+			expErr: nil,
+			authMethod: structs.VaultAuthMethod{Type: "aws", MountPath: "", Params: map[string]interface{}{"role": "test-role"}},
+		},
 	}
 
 	for name, c := range cases {
 		t.Run(name, func(t *testing.T) {
 			ldg := &AWSLoginDataGenerator{credentials: credentials.AnonymousCredentials}
-			loginData, err := ldg.GenerateLoginData(&structs.VaultAuthMethod{})
+			loginData, err := ldg.GenerateLoginData(&c.authMethod)
 			if c.expErr != nil {
 				require.Error(t, err)
 				require.Contains(t, err.Error(), c.expErr.Error())
@@ -298,6 +305,10 @@ func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
 				require.True(t, exists, "missing expected key: %s", key)
 				require.NotEmpty(t, val, "expected non-empty value for key: %s", key)
 			}
+
+			if c.authMethod.Params["role"] != nil {
+				require.Equal(t, c.authMethod.Params["role"], loginData["role"])
+			}
 		})
 	}
 }
From e7a76c9d1553ac580c3e40999b3dfad63d397ca0 Mon Sep 17 00:00:00 2001
From: Tom Davies
Date: Tue, 11 Jul 2023 14:56:18 +0000
Subject: [PATCH 2/3] backport of commit 9c4c3c50f07d4072bb981c16cf993118fd7f6f1d

---
 .changelog/17885.txt | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 .changelog/17885.txt

diff --git a/.changelog/17885.txt b/.changelog/17885.txt
new file mode 100644
index 00000000000..2cd690488d9
--- /dev/null
+++ b/.changelog/17885.txt
@@ -0,0 +1,2 @@
+```release-note:bug
+ca: Fixed a bug where the Vault provider was not passing the configured role param for AWS auth
From ce8b68a197acf0c654def49c0672fc145a4ea4ab Mon Sep 17 00:00:00 2001
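Review bot: The new table cases spell out zero values the struct literal already provides — `expErr: nil`, `MountPath: ""`, and the whole `authMethod: structs.VaultAuthMethod{}` body of the "valid login data" case — which makes it harder to see at a glance what each case actually varies. The original `"valid login data": {},` form can stay, and "with role" reads cleaner as `authMethod: structs.VaultAuthMethod{Type: "aws", Params: map[string]interface{}{"role": "test-role"}},`. Leaving Params nil in the no-role case is fine, since indexing a nil map in Go returns the zero value, and it is what exercises the path where no role is forwarded.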
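Review bot: The new assertion uses `!= nil` while the production code uses a comma-ok lookup on the same key, so a case that sets `"role": nil` would be treated as "no role" by the test but as a present role by the generator, and the no-role path is never checked at all — nothing confirms that an absent role does not leave a `"role"` entry in loginData. A presence-based check with an `else` branch covers both sides; the rewritten lines are below. The enclosing subtest closure and the expected-key loop begin before this hunk.
```go
			// … unchanged: expected-key loop …
			if role, ok := c.authMethod.Params["role"]; ok {
				require.Equal(t, role, loginData["role"])
			} else {
				require.NotContains(t, loginData, "role")
			}
```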
From: Tom Davies
Date: Tue, 11 Jul 2023 15:35:33 +0000
Subject: [PATCH 3/3] backport of commit 7282078993aa51915afa801bdabded0f78397cb5

---
 agent/connect/ca/provider_vault_auth_aws.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/agent/connect/ca/provider_vault_auth_aws.go b/agent/connect/ca/provider_vault_auth_aws.go
index c9efec4ed48..0bb3c7d55d2 100644
--- a/agent/connect/ca/provider_vault_auth_aws.go
+++ b/agent/connect/ca/provider_vault_auth_aws.go
@@ -69,9 +69,6 @@ func (g *AWSLoginDataGenerator) GenerateLoginData(authMethod *structs.VaultAuthM
 	if err != nil {
 		return nil, fmt.Errorf("aws auth failed to generate login data: %w", err)
 	}
-	if loginData == nil {
-		return nil, fmt.Errorf("got nil response from GenerateLoginData")
-	}
 
 	// If a Vault role name is specified, we need to manually add this
 	role, ok := authMethod.Params["role"]
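Review bot: Dropping the nil guard leaves the `loginData["role"] = role` assignment that follows this hunk (added by the first patch in this series) writing into whatever the helper returned, and assigning into a nil map panics in Go; unless that helper is known never to return a nil map together with a nil error, which is not visible from this diff, the write should stay guarded, e.g. `if ok && loginData != nil {`. The commit message gives no reason for removing the check, so whichever way it goes, a one-line why-comment at the deletion point would spare the next reader the same question. GenerateLoginData begins before this hunk and its tail, the role assignment and the return, lies after it.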