
VAULT-12226: Add Static Roles to the AWS plugin #20536

Merged
merged 51 commits into main from VAULT-12226/aws-static-roles
May 24, 2023

Conversation


@kpcraig kpcraig commented May 5, 2023

This PR adds the ability for the aws engine to manage static roles, analogous to the way we do it in the various database plugins.

In this PR we provide two new endpoints at <aws>/static-roles and <aws>/static-creds.

At static-roles/<name>, we provide a read/write/delete set for specifying a new static role that points at an existing IAM User, which the aws engine will then adopt and manage. (I apologize for the slightly mismatched terminology here).

At static-creds/<name> we provide a read route that will return the current aws credential for the managed user.

Under the hood, we place newly created roles into a priority queue ordered by time left until rotation, and assign a backend PeriodicFunc to handle all roles past rotation time and requeue for the next rotation.
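The rotation scheduling described in the PR description, written out as an added, self-contained example (this is not the PR's own code and does not use Vault's packages): a min-heap of static roles keyed on next rotation time, and one pass of the periodic job that rotates every role past its rotation time and requeues it. The role and queue types, the injected `rotate` callback and the retry-on-failure behaviour are all assumptions made for the example.

```go
package main

import (
	"container/heap"
	"fmt"
	"time"
)

// staticRole is a managed IAM user with its rotation schedule (constructed for this example).
type staticRole struct {
	Name           string
	RotationPeriod time.Duration
	NextRotation   time.Time
}

// rotationQueue is a min-heap keyed on NextRotation, so the role due soonest sits at index 0.
type rotationQueue []*staticRole

func (q rotationQueue) Len() int           { return len(q) }
func (q rotationQueue) Less(i, j int) bool { return q[i].NextRotation.Before(q[j].NextRotation) }
func (q rotationQueue) Swap(i, j int)      { q[i], q[j] = q[j], q[i] }
func (q *rotationQueue) Push(x interface{}) { *q = append(*q, x.(*staticRole)) }
func (q *rotationQueue) Pop() interface{} {
	old := *q
	r := old[len(old)-1]
	*q = old[:len(old)-1]
	return r
}

// rotateDue is one pass of the periodic job: pop every role whose rotation time has passed,
// rotate it, and requeue it for its next rotation. A role whose rotation fails is requeued
// after a short retry delay rather than dropped, so a transient AWS error cannot orphan it.
// It returns the names of the roles that were rotated successfully.
func rotateDue(q *rotationQueue, now time.Time, retry time.Duration, rotate func(*staticRole) error) []string {
	var rotated []string
	for q.Len() > 0 && !(*q)[0].NextRotation.After(now) {
		r := heap.Pop(q).(*staticRole)
		if err := rotate(r); err != nil {
			r.NextRotation = now.Add(retry)
		} else {
			r.NextRotation = now.Add(r.RotationPeriod)
			rotated = append(rotated, r.Name)
		}
		heap.Push(q, r) // requeue for the next rotation (or the retry)
	}
	return rotated
}

func main() {
	now := time.Now()
	q := &rotationQueue{{Name: "app", RotationPeriod: time.Hour, NextRotation: now.Add(-time.Minute)}}
	heap.Init(q)
	fmt.Println(rotateDue(q, now, time.Minute, func(*staticRole) error { return nil }))
}
```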

@kpcraig kpcraig added this to the 1.14 milestone May 9, 2023
@kpcraig kpcraig changed the title Add Static Roles to the AWS plugin VAULT-12226: Add Static Roles to the AWS plugin May 9, 2023
@kpcraig kpcraig marked this pull request as ready for review May 9, 2023 17:56
@kpcraig kpcraig requested a review from a team May 9, 2023 17:56
@calvn calvn requested a review from a team May 16, 2023 00:00
Review comments (resolved) on:
builtin/logical/aws/path_static_roles.go
builtin/logical/aws/rotation.go
builtin/logical/aws/rotation_test.go
@austingebauer austingebauer left a comment

LGTM otherwise 🎉

@yhyakuna yhyakuna left a comment


I reviewed and approve the docs changes.

@fairclothjm fairclothjm left a comment


LGTM! Great work @kpcraig !

@kpcraig kpcraig merged commit cc8b856 into main May 24, 2023
@kpcraig kpcraig deleted the VAULT-12226/aws-static-roles branch May 24, 2023 18:55