VAULT-12226: Add Static Roles to the AWS plugin #20536

Merged
merged 51 commits into from
May 24, 2023
d0641a9
* AWS static roles POC
maxcoulombe Feb 6, 2023
6b0c9fb
Merge branch 'main' into VAULT-12226-StaticAccountPOC
kpcraig Apr 7, 2023
bfd94c4
Merge branch 'main' into VAULT-12226-StaticAccountPOC
kpcraig Apr 19, 2023
cb9fb25
Fix re-queuing mechanism for clearing out stale static role credentia…
vinay-gopalan Apr 28, 2023
924da54
validate static role values, add a test, some placeholder description…
kpcraig Apr 28, 2023
1a71e9b
Test coverage for static roles (#20487)
kpcraig May 5, 2023
51223d3
add changelog
kpcraig May 9, 2023
6fb865a
add comments to tests
kpcraig May 9, 2023
ed5ffff
gomod update
kpcraig May 9, 2023
33f1646
tidy gomod
kpcraig May 9, 2023
e62eafd
Merge branch 'main' into VAULT-12226/aws-static-roles
kpcraig May 10, 2023
4927e77
add descriptions for the routes
kpcraig May 10, 2023
aa30783
website docs
kpcraig May 16, 2023
9b74c9e
remove now unnecessary placeholder init
kpcraig May 16, 2023
d3073f6
named returns and some comments on the rotation functions
kpcraig May 16, 2023
e47846f
separate queue empty vs other errors
kpcraig May 16, 2023
4fb9769
validate no cred rotation case
kpcraig May 16, 2023
72f4ed2
description editing
kpcraig May 16, 2023
251bf7a
more double quotes %q fixes
kpcraig May 16, 2023
4008ef9
missed an extra quote
kpcraig May 17, 2023
1e00c7c
change struct name to be analogous
kpcraig May 17, 2023
25f75fa
iterate over access keys instead of assuming 2
kpcraig May 17, 2023
fd9be36
very basic locking on storage access
kpcraig May 19, 2023
b9b43dd
Apply Doc suggestions
kpcraig May 19, 2023
2e339cd
fix mistake in key age loop
kpcraig May 19, 2023
f7d77f9
somewhat existent test for credential creation
kpcraig May 19, 2023
75158a4
fix formatting
kpcraig May 19, 2023
8aab96e
add tests to ensure we're deleting the oldest key
kpcraig May 22, 2023
b6a88b8
fix format
kpcraig May 22, 2023
6a3ff89
lock on both role and cred deletion
kpcraig May 22, 2023
da84326
Merge branch 'main' into VAULT-12226/aws-static-roles
kpcraig May 22, 2023
b7a646b
test polish
kpcraig May 22, 2023
b36c837
add queue verification to deletion test
kpcraig May 22, 2023
0df02de
update deletion logic and tests
kpcraig May 22, 2023
8fbf3ad
remove extraneous quotes
kpcraig May 23, 2023
1d1af14
add update user test case
kpcraig May 23, 2023
083e2a3
add separate update validation logic
kpcraig May 23, 2023
bfd0854
remove extra print
kpcraig May 23, 2023
c20a7ef
replace quote-percent-s with percent-q
kpcraig May 23, 2023
64ebc69
track ID since username can change
kpcraig May 23, 2023
198fa74
doc updates
kpcraig May 23, 2023
2c52b94
update backend to accept config; update periodic func to only run on …
kpcraig May 24, 2023
995188b
elevate mockIAM out of loop in rotation test
kpcraig May 24, 2023
c3703c1
fix local/leader check
kpcraig May 24, 2023
43f51b3
add static role information to the non-api docs
kpcraig May 24, 2023
e77d7f3
add commentary for why we're storing the user id
kpcraig May 24, 2023
64e699d
link directly to static role section of api
kpcraig May 24, 2023
e612ece
return client error instead of actual error for validation problems
kpcraig May 24, 2023
2b2938d
syntactic sugar for error list
kpcraig May 24, 2023
dd849d1
fix last minute bug with json decoding
kpcraig May 24, 2023
50ecb27
add iam unique user id verification to credential creation
kpcraig May 24, 2023
Apply Doc suggestions
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
kpcraig and yhyakuna authored May 19, 2023
commit b9b43dd28edaf74cf8f4ceec2352eb35d7d516c0
11 changes: 7 additions & 4 deletions website/content/api-docs/secret/aws.mdx
@@ -588,13 +588,16 @@ $ curl \

## Create Static Role
This endpoint creates or updates static role definitions. A static role is a 1-to-1 mapping
with an AWS IAM User, which will be adopted and managed by vault, including rotating it according
with an AWS IAM User, which will be adopted and managed by Vault, including rotating it according
to the configured `rotation_period`.

-> Vault will create a new credential upon configuration, and if the maximum number of access keys are already
in existence, Vault will rotate the oldest one. Vault must do this in order to know the credential.
<Note>

-> Each rotation, Vault will rotate the oldest existing credential.
Vault will create a new credential upon configuration, and if the maximum number of access keys already exist, Vault will rotate the oldest one. Vault must do this to know the credential.

At each rotation, Vault will rotate the oldest existing credential.

</Note>

| Method | Path |
| :----- | :------------------------ |
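
Review bot: In the `<Note>` block, "Vault will rotate the oldest one" does not tell the operator that an access key already in use on the adopted IAM user may stop working as soon as the static role is configured. The commit list on this PR mentions "deleting the oldest key", so if that is what rotation means here, say it directly, for example "Vault deletes the oldest access key and creates a new one in its place", so anyone still relying on that key knows to move off it before creating the role. Separately, in the opening paragraph "including rotating it" reads as rotating the IAM user itself; "rotating its access keys according to the configured `rotation_period`" would match what the note describes.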