Add Canonical Arn to iam_alias documentation
thegatsbylofiexperience committed Apr 26, 2024
1 parent 4e07472 commit d81f6bf
Showing 3 changed files with 28 additions and 27 deletions.
11 changes: 6 additions & 5 deletions website/content/api-docs/auth/aws.mdx
Expand Up @@ -203,16 +203,17 @@ This configures the way that Vault interacts with the
### Parameters

- `iam_alias` `(string: "role_id")` - How to generate the identity alias when
using the `iam` auth method. Valid choices are `role_id`, `unique_id`, and
`full_arn` When `role_id` is selected, the randomly generated ID of the Vault role
using the `iam` auth method. Valid choices are `role_id`, `unique_id`, `canonical_arn` and
`full_arn`. When `role_id` is selected, the randomly generated ID of the Vault role
is used. When `unique_id` is selected, the [IAM Unique
ID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers#identifiers-unique-ids)
of the IAM principal (either the user or role) is used as the identity alias
name. When `full_arn` is selected, the ARN returned by the
`sts:GetCallerIdentity` call is used as the alias name. This is either
name. When `canonical_arn` is selected, the role ARN returned by the `sts:GetCallerIdentity`call
will be used. This will be `arn:aws:iam::<account_id>:role/<role name>`. When `full_arn` is selected,
the ARN returned by the `sts:GetCallerIdentity` call is used as the alias name. This is either
`arn:aws:iam::<account_id>:user/<optional_path/><user_name>` or
`arn:aws:sts::<account_id>:assumed-role/<role_name_without_path>/<role_session_name>`.
**Note**: if you select `full_arn` and then delete and recreate the IAM role,
**Note**: if you select `canonical_arn` or `full_arn` and then delete and recreate the IAM role,
Vault won't be aware and any identity aliases set up for the role name will
still be valid.

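Review bot: the new `canonical_arn` sentence says the alias is "the role ARN returned by the `sts:GetCallerIdentity` call", but the next sentence shows that call returns an assumed-role ARN of the form `arn:aws:sts::<account_id>:assumed-role/<role_name_without_path>/<role_session_name>`, not `arn:aws:iam::<account_id>:role/<role name>`; say that the canonical role ARN is derived from that assumed-role ARN, and state what alias is produced when the caller is an IAM user rather than a role, since `full_arn` documents both cases. Two smaller points on the same line: `` `sts:GetCallerIdentity`call `` is missing a space before "call", and the placeholder `<role name>` should match the `<role_name>` / `<role_name_without_path>` style used two lines below (and make explicit whether a role path is included, given `full_arn` calls out `<optional_path/>` for users).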
2 changes: 1 addition & 1 deletion website/content/docs/concepts/identity.mdx
Expand Up @@ -105,7 +105,7 @@ a particular auth mount point.
| ------------------- | --------------------------------------------------------------------------------------------------- |
| AliCloud | Principal ID |
| AppRole | Role ID |
| AWS IAM | Configurable via `iam_alias` to one of: Role ID (default), IAM unique ID, Full ARN |
| AWS IAM | Configurable via `iam_alias` to one of: Role ID (default), IAM unique ID, Canonical ARN, Full ARN |
| AWS EC2 | Configurable via `ec2_alias` to one of: Role ID (default), EC2 instance ID, AMI ID |
| Azure | Subject (from JWT claim) |
| Cloud Foundry | App ID |
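Review bot: the widened AWS IAM cell now runs past the column separator defined on the `| ------------------- | ------...` line, so the source table is no longer aligned with its header; either pad the separator and the other rows to the new width (as the `authn-names.mdx` change in this same commit does) or leave the padding alone everywhere, but keep the two tables consistent.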
42 changes: 21 additions & 21 deletions website/content/partials/authn-names.mdx
@@ -1,24 +1,24 @@
In addition to custom authentication methods configured with secure plugins,
Vault supports many standardized authentication methods by default.

| AuthN method | Unique ID | Configured with |
|-------------------------------------------------------------------------|-----------------------------------------------------|---------------------|
| [AliCloud](/vault/docs/auth/alicloud) | Principal ID | Not configurable |
| [AppRole](/vault/api-docs/auth/approle#create-update-approle) | Role ID | Not configurable |
| [AWS IAM](/vault/docs/auth/aws#iam-auth-method) | Vault Role ID (default), IAM unique ID, Full ARN | `iam_alias` |
| [AWS EC2](/vault/docs/auth/aws#ec2-auth-method) | Vault Role ID (default), EC2 instance ID, AMI ID | `ec2_alias` |
| [Azure](/vault/api-docs/auth/azure#create-role) | Subject (from JWT claim) | Not configurable |
| [Cloud Foundry](/vault/docs/auth/cf) | App ID | Not configurable |
| [GitHub](/vault/docs/auth/github) | User login name associated with token | Not configurable |
| [Google Cloud](/vault/api-docs/auth/gcp#create-role) | Vault Role ID (default), Service account unique ID | `iam_alias` |
| [JWT/OIDC](/vault/api-docs/auth/jwt#create-role) | The presented claims (no default value) | `user_claim` |
| [Kerberos](/vault/docs/auth/kerberos) | Username | Not configurable |
| [Kubernetes](/vault/api-docs/auth/kubernetes#create-role) | Service account UID (default), Service account Name | `alias_name_source` |
| [LDAP](/vault/docs/auth/ldap) | Username | Not configurable |
| [OCI](/vault/api-docs/auth/oci#create-role) | Rolename | Not configurable |
| [Okta](/vault/api-docs/auth/okta#register-user) | Username | Not configurable |
| [RADIUS](/vault/docs/auth/radius) | Username | Not configurable |
| [SAML](/vault/docs/auth/saml) | Assertion Subject | Not configurable |
| [TLS Certificate](/vault/api-docs/auth/cert#create-ca-certificate-role) | Subject CommonName | Not configurable |
| [Token](/vault/docs/auth/token) | `entity_alias` | Not configurable |
| [Username/Password](/vault/api-docs/auth/userpass#create-update-user) | Username | Not configurable |
| AuthN method | Unique ID | Configured with |
|-------------------------------------------------------------------------|---------------------------------------------------------------------|---------------------|
| [AliCloud](/vault/docs/auth/alicloud) | Principal ID | Not configurable |
| [AppRole](/vault/api-docs/auth/approle#create-update-approle) | Role ID | Not configurable |
| [AWS IAM](/vault/docs/auth/aws#iam-auth-method) | Vault Role ID (default), IAM unique ID, Canonical ARN, Full ARN | `iam_alias` |
| [AWS EC2](/vault/docs/auth/aws#ec2-auth-method) | Vault Role ID (default), EC2 instance ID, AMI ID | `ec2_alias` |
| [Azure](/vault/api-docs/auth/azure#create-role) | Subject (from JWT claim) | Not configurable |
| [Cloud Foundry](/vault/docs/auth/cf) | App ID | Not configurable |
| [GitHub](/vault/docs/auth/github) | User login name associated with token | Not configurable |
| [Google Cloud](/vault/api-docs/auth/gcp#create-role) | Vault Role ID (default), Service account unique ID | `iam_alias` |
| [JWT/OIDC](/vault/api-docs/auth/jwt#create-role) | The presented claims (no default value) | `user_claim` |
| [Kerberos](/vault/docs/auth/kerberos) | Username | Not configurable |
| [Kubernetes](/vault/api-docs/auth/kubernetes#create-role) | Service account UID (default), Service account Name | `alias_name_source` |
| [LDAP](/vault/docs/auth/ldap) | Username | Not configurable |
| [OCI](/vault/api-docs/auth/oci#create-role) | Rolename | Not configurable |
| [Okta](/vault/api-docs/auth/okta#register-user) | Username | Not configurable |
| [RADIUS](/vault/docs/auth/radius) | Username | Not configurable |
| [SAML](/vault/docs/auth/saml) | Assertion Subject | Not configurable |
| [TLS Certificate](/vault/api-docs/auth/cert#create-ca-certificate-role) | Subject CommonName | Not configurable |
| [Token](/vault/docs/auth/token) | `entity_alias` | Not configurable |
| [Username/Password](/vault/api-docs/auth/userpass#create-update-user) | Username | Not configurable |
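Review bot: the only content change in this hunk is the AWS IAM row gaining "Canonical ARN"; the other 20 table lines are deleted and re-added solely to widen the `Unique ID` column, which hides the one-line change behind a 21-line rewrite in blame. Markdown does not require aligned columns, so consider widening only the AWS IAM row (as the `identity.mdx` hunk does), or at least mention the re-padding in the commit message so reviewers know the remaining rows are unchanged.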
