From c4cd3ed6fb75384a3750d512eeabd4a78161bada Mon Sep 17 00:00:00 2001 From: "tin.vo" Date: Mon, 27 Jan 2025 10:30:13 -0800 Subject: [PATCH 1/3] adding aws engines test --- .../test-run-enos-scenario-matrix.yml | 2 + enos/enos-scenario-smoke.hcl | 14 ++-- enos/enos-variables.hcl | 12 ++++ .../modules/create/aws.tf | 67 +++++++++++++++++++ .../modules/create/main.tf | 19 ++++++ .../modules/read/aws.tf | 27 ++++++++ .../scripts/aws-generate-roles.sh | 38 +++++++++++ .../scripts/aws-verify-roles.sh | 46 +++++++++++++ 8 files changed, 220 insertions(+), 5 deletions(-) create mode 100644 enos/modules/verify_secrets_engines/modules/create/aws.tf create mode 100644 enos/modules/verify_secrets_engines/modules/read/aws.tf create mode 100755 enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh create mode 100755 enos/modules/verify_secrets_engines/scripts/aws-verify-roles.sh diff --git a/.github/workflows/test-run-enos-scenario-matrix.yml b/.github/workflows/test-run-enos-scenario-matrix.yml index ca5f71e0e71b..f8d6f9dcca33 100644 --- a/.github/workflows/test-run-enos-scenario-matrix.yml +++ b/.github/workflows/test-run-enos-scenario-matrix.yml @@ -185,6 +185,8 @@ jobs: echo "ENOS_DEBUG_DATA_ROOT_DIR=/tmp/enos-debug-data" echo "ENOS_VAR_artifactory_username=${{ steps.secrets.outputs.artifactory-user }}" echo "ENOS_VAR_artifactory_token=${{ steps.secrets.outputs.artifactory-token }}" + echo "ENOS_VAR_aws_access_key_id=${{ steps.secrets.outputs.aws-access-key-id }}" + echo "ENOS_VAR_aws_access_secret_key=${{ steps.secrets.outputs.aws-secret-access-key }}" echo "ENOS_VAR_aws_region=${{ matrix.attributes.aws_region }}" echo "ENOS_VAR_aws_ssh_keypair_name=${{ inputs.ssh-key-name }}" echo "ENOS_VAR_aws_ssh_private_key_path=./support/private_key.pem" diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl index 90507d7a9849..7f7a20161fc8 100644 --- a/enos/enos-scenario-smoke.hcl +++ b/enos/enos-scenario-smoke.hcl 
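Review bot: The new variable name `ENOS_VAR_aws_access_secret_key` inverts the AWS term that its source output `aws-secret-access-key` uses, and the inverted form is then carried into enos-variables.hcl and the module variables, so anyone grepping for the SDK spelling `AWS_SECRET_ACCESS_KEY` will miss it; `echo "ENOS_VAR_aws_secret_access_key=${{ steps.secrets.outputs.aws-secret-access-key }}"` (with the same rename downstream) keeps the two aligned. The `run` block these echo lines belong to starts and ends outside the hunk, so where they are redirected is not visible here; if it is `$GITHUB_ENV`, confirm that the step producing `aws-secret-access-key` registers the value for log masking (e.g. via `::add-mask::`), because an echo of an unmasked secret is otherwise printed verbatim in the job log.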
@@ -524,11 +524,14 @@ scenario "smoke" { ] variables { - hosts = step.create_vault_cluster_targets.hosts - leader_host = step.get_vault_cluster_ips.leader_host - vault_addr = step.create_vault_cluster.api_addr_localhost - vault_install_dir = global.vault_install_dir[matrix.artifact_type] - vault_root_token = step.create_vault_cluster.root_token + hosts = step.create_vault_cluster_targets.hosts + aws_test_region = var.aws_region + aws_test_access_key_id = var.aws_access_key_id + aws_test_access_secret_key = var.aws_access_secret_key + leader_host = step.get_vault_cluster_ips.leader_host + vault_addr = step.create_vault_cluster.api_addr_localhost + vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } @@ -601,6 +604,7 @@ scenario "smoke" { hosts = step.get_vault_cluster_ips.follower_hosts vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] + vault_root_token = step.create_vault_cluster.root_token } } diff --git a/enos/enos-variables.hcl b/enos/enos-variables.hcl index 91402071a979..e68a01110852 100644 --- a/enos/enos-variables.hcl +++ b/enos/enos-variables.hcl @@ -27,6 +27,18 @@ variable "artifactory_repo" { default = "hashicorp-crt-stable-local*" } +variable "aws_access_key_id" { + description = "The AWS access key id that will be used for testing" + type = string + default = null +} + +variable "aws_access_secret_key" { + description = "The AWS secret access key that will be used for testing" + type = string + default = null +} + variable "aws_region" { description = "The AWS region where we'll create infrastructure" type = string diff --git a/enos/modules/verify_secrets_engines/modules/create/aws.tf b/enos/modules/verify_secrets_engines/modules/create/aws.tf new file mode 100644 index 000000000000..7c0314802143 --- /dev/null +++ b/enos/modules/verify_secrets_engines/modules/create/aws.tf 
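Review bot: `variable "aws_access_secret_key"` is added without `sensitive = true`, and the same omission repeats in the Terraform copy in `enos/modules/verify_secrets_engines/modules/create/main.tf` and in `aws_output` in `create/aws.tf`, which re-exports the key via `output "aws_engine"` and then `output "state"`. Without the flag the secret is printed in plain text in plan/apply diffs and lands in state and in the Enos debug bundle (`ENOS_DEBUG_DATA_ROOT_DIR` is set by the workflow). Add `sensitive = true` to the Terraform module variables (Terraform then also requires `sensitive = true` on the outputs that carry the value), and, if the Enos variable block accepts the same attribute as Terraform's — I believe it does but have not confirmed it here — set it on this declaration too.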
@@ -0,0 +1,67 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+locals {
+ // Variables
+ aws_mount = "aws" # aws engine
+ aws_role = "test-role"
+ aws_region = var.aws_test_region
+ aws_access_key_id = var.aws_test_access_key_id
+ aws_access_secret_key = var.aws_test_access_secret_key
+
+ // Output
+ aws_output = {
+ mount = local.aws_mount
+ role = local.aws_role
+ region = local.aws_region
+ test_access_key_id = local.aws_access_key_id
+ test_access_secret_key = local.aws_access_secret_key
+ }
+}
+
+output "aws_engine" {
+ value = local.aws_output
+}
+
+# Enable aws secrets engine
+resource "enos_remote_exec" "secrets_enable_aws_secret" {
+ environment = {
+ ENGINE = local.aws_mount
+ MOUNT = local.aws_mount
+ VAULT_ADDR = var.vault_addr
+ VAULT_TOKEN = var.vault_root_token
+ VAULT_INSTALL_DIR = var.vault_install_dir
+ }
+
+ scripts = [abspath("${path.module}/../../scripts/secrets-enable.sh")]
+
+ transport = {
+ ssh = {
+ host = var.leader_host.public_ip
+ }
+ }
+}
+
+# Enable kv secrets engine
+resource "enos_remote_exec" "aws_generate_creds" {
+ depends_on = [enos_remote_exec.secrets_enable_aws_secret]
+ for_each = var.hosts
+ environment = {
+ AWS_REGION = var.aws_test_region
+ AWS_ACCESS_KEY_ID = var.aws_test_access_key_id
+ AWS_SECRET_ACCESS_KEY = var.aws_test_access_secret_key
+ AWS_ROLE = local.aws_role
+ MOUNT = local.aws_mount
+ VAULT_ADDR = var.vault_addr
+ VAULT_TOKEN = var.vault_root_token
+ VAULT_INSTALL_DIR = var.vault_install_dir
+ }
+
+ scripts = [abspath("${path.module}/../../scripts/aws-generate-roles.sh")]
+
+ transport = {
+ ssh = {
+ host = var.leader_host.public_ip
+ }
+ }
+}
diff --git a/enos/modules/verify_secrets_engines/modules/create/main.tf b/enos/modules/verify_secrets_engines/modules/create/main.tf
index 89ca1c80b406..c247f9264aa4 100644
--- a/enos/modules/verify_secrets_engines/modules/create/main.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/main.tf
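Review bot: `resource "enos_remote_exec" "aws_generate_creds"` iterates `for_each = var.hosts` but its transport is pinned to `var.leader_host.public_ip`, so the same root-config and role writes are issued once per cluster host against the leader, concurrently; the writes are idempotent so it works, but the loop buys nothing and makes any failure surface N times — drop the `for_each` the way `secrets_enable_aws_secret` does, or, if every node is meant to be exercised, address `each.value.public_ip`. The header `# Enable kv secrets engine` above that resource is left over from the kv module; `# Configure the aws engine root credentials and create the test role` describes what aws-generate-roles.sh does. `aws_output` also carries `test_access_secret_key` out of the module, yet the only consumer in this patch (read/aws.tf) merely checks that the variable is non-empty; exporting just `mount`, `role`, `region` and the access key id keeps the long-lived secret out of the module state altogether.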
@@ -9,6 +9,24 @@ terraform { } } +variable "aws_test_region" { + type = string + description = "AWS region for aws secrets engine" + default = "us-east-1" +} + +variable "aws_test_access_key_id" { + type = string + description = "AWS access key for aws secrets engine" + default = null +} + +variable "aws_test_access_secret_key" { + type = string + description = "AWS secret access key for aws secrets engine" + default = null +} + variable "hosts" { type = map(object({ ipv6 = string @@ -49,5 +67,6 @@ output "state" { auth = local.auth_output identity = local.identity_output kv = local.kv_output + aws = local.aws_output } } diff --git a/enos/modules/verify_secrets_engines/modules/read/aws.tf b/enos/modules/verify_secrets_engines/modules/read/aws.tf new file mode 100644 index 000000000000..f4c94ebed520 --- /dev/null +++ b/enos/modules/verify_secrets_engines/modules/read/aws.tf @@ -0,0 +1,27 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +# Verify PKI Certificate +resource "enos_remote_exec" "aws_verify_roles" { + for_each = var.hosts + + environment = { + AWS_REGION = var.create_state.aws.region + AWS_ACCESS_KEY_ID = var.create_state.aws.test_access_key_id + AWS_SECRET_ACCESS_KEY = var.create_state.aws.test_access_secret_key + AWS_ROLE = var.create_state.aws.role + MOUNT = var.create_state.aws.mount + VAULT_ADDR = var.vault_addr + VAULT_TOKEN = var.vault_root_token + VAULT_INSTALL_DIR = var.vault_install_dir + } + + scripts = [abspath("${path.module}/../../scripts/aws-verify-roles.sh")] + + transport = { + ssh = { + host = each.value.public_ip + } + } +} + diff --git a/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh new file mode 100755 index 000000000000..65f3c98f1691 --- /dev/null +++ b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh 
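Review bot: In `read/aws.tf`, `aws_verify_roles` hands `AWS_SECRET_ACCESS_KEY` to every host in `var.hosts`, but the script it runs (aws-verify-roles.sh, added in this patch) only tests that the variable is non-empty and never uses it, so the long-lived secret is copied into the environment of one ssh session per node for no purpose; drop the `AWS_SECRET_ACCESS_KEY` line here and the matching guard in the script so the secret only ever reaches the leader. The header comment `# Verify PKI Certificate` is copied from the PKI module; `# Verify the aws engine root config and role on every host` matches what the resource does.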
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+ echo "$1" 1>&2
+ exit 1
+}
+
+## # -------PKI TESTING
+# MOUNT=aws
+# AWS_ROLE=test-role
+# VAULT_ADDR=http://127.0.0.1:8200
+# VAULT_INSTALL_DIR=/opt/homebrew/bin
+# VAULT_TOKEN=root
+# vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!"
+echo "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|--------"
+[[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set"
+[[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set"
+[[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set"
+[[ -z "$AWS_ROLE" ]] && fail "AWS_ROLE env variable has not been set"
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+export VAULT_FORMAT=json
+
+echo "Configuring Vault AWS"
+"$binpath" write "${MOUNT}/config/root" access_key="${AWS_ACCESS_KEY_ID}" secret_key="${AWS_SECRET_ACCESS_KEY}" region=${AWS_REGION} || fail "Cannot set vault AWS credentials"
+
+echo "Creating AWS Role"
+"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" credential_type=iam_user policy_arns="arn:aws:iam::aws:policy/AdministratorAccess" ttl="1h" max_ttl="24h" || fail "Cannot create AWS role"
diff --git a/enos/modules/verify_secrets_engines/scripts/aws-verify-roles.sh b/enos/modules/verify_secrets_engines/scripts/aws-verify-roles.sh
new file mode 100755
index 000000000000..61faeb4ae6ee
--- /dev/null
+++ b/enos/modules/verify_secrets_engines/scripts/aws-verify-roles.sh
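Review bot: The banner `echo "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|--------"` prints the access key id to stdout before any of the guards run, and `enos_remote_exec` stdout is captured into the Enos/CI log; it reads as a debugging leftover and should go, together with the commented `# -------PKI TESTING` block (`VAULT_TOKEN=root`, `VAULT_INSTALL_DIR=/opt/homebrew/bin`) that has nothing to do with this script. `secret_key="${AWS_SECRET_ACCESS_KEY}"` is passed to `vault write` on the command line, where it is readable by other local users through the process list for the duration of the call; the CLI accepts `-` to take one value from stdin, e.g. `"$binpath" write "${MOUNT}/config/root" access_key="${AWS_ACCESS_KEY_ID}" secret_key=- region="${AWS_REGION}" <<<"$AWS_SECRET_ACCESS_KEY" || fail "Cannot set vault AWS credentials"`, which also quotes `region`, left unquoted on the current line.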
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+ echo "$1" 1>&2
+ exit 1
+}
+
+## # -------PKI TESTING
+# MOUNT=aws
+# AWS_ROLE=test-role
+# VAULT_ADDR=http://127.0.0.1:8200
+# VAULT_INSTALL_DIR=/opt/homebrew/bin
+# VAULT_TOKEN=root
+# vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!"
+echo "------------${AWS_REGION}-----------${AWS_ACCESS_KEY_ID}"
+
+[[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set"
+[[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set"
+[[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set"
+[[ -z "$AWS_ROLE" ]] && fail "AWS_ROLE env variable has not been set"
+[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+export VAULT_FORMAT=json
+
+echo "Verifying roles list"
+ROLE=$("$binpath" list "${MOUNT}/roles" | jq -r '.[]')
+[[ -z "$ROLE" ]] && fail "No AWS roles created!"
+
+echo "Verifying Root Access Key"
+"$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key'
+ROOT_ACCESS_KEY=$("$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key')
+echo "----------------${ROOT_ACCESS_KEY}---------${AWS_ACCESS_KEY_ID}"
+[[ "$ROOT_ACCESS_KEY" == "$AWS_ACCESS_KEY_ID" ]] && fail "AWS Access Key does not match: $ROOT_ACCESS_KEY, $AWS_ACCESS_KEY_ID"
+
+# Read role
+"$binpath" read "${MOUNT}/sts/creds/${AWS_ROLE}"
From bf1cbcb347742cc7f82812047773bfbced1ce916 Mon Sep 17 00:00:00 2001
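Review bot: The comparison `[[ "$ROOT_ACCESS_KEY" == "$AWS_ACCESS_KEY_ID" ]] && fail "AWS Access Key does not match ..."` is inverted: it aborts exactly when the configured root key matches and passes silently when it does not, so the check can never catch a mis-configured root; it should read `[[ "$ROOT_ACCESS_KEY" != "$AWS_ACCESS_KEY_ID" ]] && fail "AWS Access Key does not match: $ROOT_ACCESS_KEY, $AWS_ACCESS_KEY_ID"`. The standalone `"$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key'` and the two `----` echo lines only print the access key id into the captured log and can go, since the value is captured by the assignment on the following line anyway. The final `"$binpath" read "${MOUNT}/sts/creds/${AWS_ROLE}"` dumps a freshly issued credential, secret included, to stdout; the engine's documented read paths are `<mount>/creds/<role>` (the one for `credential_type=iam_user`, which is what the generate script configures) and `<mount>/sts/<role>`, so `sts/creds/` looks like a typo, and the call should assert instead of print — `"$binpath" read "${MOUNT}/creds/${AWS_ROLE}" | jq -e '.data.access_key | length > 0' >/dev/null || fail "Cannot generate credentials for role ${AWS_ROLE}"`.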
From: "tin.vo" Date: Mon, 10 Feb 2025 15:28:02 -0800 Subject: [PATCH 2/3] updating aws engine enos test --- enos/enos-scenario-smoke.hcl | 6 ++-- .../modules/create/aws.tf | 28 ++++++++-------- .../modules/create/main.tf | 6 ++-- .../modules/read/aws.tf | 6 ++-- .../scripts/aws-generate-roles.sh | 32 +++++++++++++++++-- .../scripts/aws-verify-roles.sh | 4 +-- 6 files changed, 55 insertions(+), 27 deletions(-) diff --git a/enos/enos-scenario-smoke.hcl b/enos/enos-scenario-smoke.hcl index 7f7a20161fc8..96845e7a4737 100644 --- a/enos/enos-scenario-smoke.hcl +++ b/enos/enos-scenario-smoke.hcl @@ -525,9 +525,9 @@ scenario "smoke" { variables { hosts = step.create_vault_cluster_targets.hosts - aws_test_region = var.aws_region - aws_test_access_key_id = var.aws_access_key_id - aws_test_access_secret_key = var.aws_access_secret_key + aws_region = var.aws_region + aws_access_key_id = var.aws_access_key_id + aws_access_secret_key = var.aws_access_secret_key leader_host = step.get_vault_cluster_ips.leader_host vault_addr = step.create_vault_cluster.api_addr_localhost vault_install_dir = global.vault_install_dir[matrix.artifact_type] diff --git a/enos/modules/verify_secrets_engines/modules/create/aws.tf b/enos/modules/verify_secrets_engines/modules/create/aws.tf index 7c0314802143..a24150fcf13a 100644 --- a/enos/modules/verify_secrets_engines/modules/create/aws.tf +++ b/enos/modules/verify_secrets_engines/modules/create/aws.tf 
@@ -3,23 +3,23 @@ locals { // Variables - aws_mount = "aws" # aws engine - aws_role = "test-role" - aws_region = var.aws_test_region - aws_access_key_id = var.aws_test_access_key_id - aws_access_secret_key = var.aws_test_access_secret_key + aws_mount = "aws" # aws engine + aws_role = "test-role" + aws_region = var.aws_region + aws_access_key_id = var.aws_access_key_id + aws_access_secret_key = var.aws_access_secret_key // Output aws_output = { - mount = local.aws_mount - role = local.aws_role - region = local.aws_region - test_access_key_id = local.aws_access_key_id - test_access_secret_key = local.aws_access_secret_key + mount = local.aws_mount + role = local.aws_role + region = local.aws_region + access_key_id = local.aws_access_key_id + access_secret_key = local.aws_access_secret_key } } -output "aws_engine" { +output "aws" { value = local.aws_output } @@ -47,9 +47,9 @@ resource "enos_remote_exec" "aws_generate_creds" { depends_on = [enos_remote_exec.secrets_enable_aws_secret] for_each = var.hosts environment = { - AWS_REGION = var.aws_test_region - AWS_ACCESS_KEY_ID = var.aws_test_access_key_id - AWS_SECRET_ACCESS_KEY = var.aws_test_access_secret_key + AWS_REGION = local.aws_region + AWS_ACCESS_KEY_ID = local.aws_access_key_id + AWS_SECRET_ACCESS_KEY = local.aws_access_secret_key AWS_ROLE = local.aws_role MOUNT = local.aws_mount VAULT_ADDR = var.vault_addr diff --git a/enos/modules/verify_secrets_engines/modules/create/main.tf b/enos/modules/verify_secrets_engines/modules/create/main.tf index c247f9264aa4..5f33915dc109 100644 --- a/enos/modules/verify_secrets_engines/modules/create/main.tf +++ b/enos/modules/verify_secrets_engines/modules/create/main.tf 
@@ -9,19 +9,19 @@ terraform { } } -variable "aws_test_region" { +variable "aws_region" { type = string description = "AWS region for aws secrets engine" default = "us-east-1" } -variable "aws_test_access_key_id" { +variable "aws_access_key_id" { type = string description = "AWS access key for aws secrets engine" default = null } -variable "aws_test_access_secret_key" { +variable "aws_access_secret_key" { type = string description = "AWS secret access key for aws secrets engine" default = null diff --git a/enos/modules/verify_secrets_engines/modules/read/aws.tf b/enos/modules/verify_secrets_engines/modules/read/aws.tf index f4c94ebed520..3e92de67efd4 100644 --- a/enos/modules/verify_secrets_engines/modules/read/aws.tf +++ b/enos/modules/verify_secrets_engines/modules/read/aws.tf @@ -6,9 +6,9 @@ resource "enos_remote_exec" "aws_verify_roles" { for_each = var.hosts environment = { - AWS_REGION = var.create_state.aws.region - AWS_ACCESS_KEY_ID = var.create_state.aws.test_access_key_id - AWS_SECRET_ACCESS_KEY = var.create_state.aws.test_access_secret_key + AWS_REGION = var.create_state.aws.region + AWS_ACCESS_KEY_ID = var.create_state.aws.access_key_id + AWS_SECRET_ACCESS_KEY = var.create_state.aws.access_secret_key AWS_ROLE = var.create_state.aws.role MOUNT = var.create_state.aws.mount VAULT_ADDR = var.vault_addr diff --git a/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh index 65f3c98f1691..e8c265f608b7 100755 --- a/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh +++ b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh 
@@ -11,12 +11,13 @@ fail() { ## # -------PKI TESTING # MOUNT=aws +# AWS_REGION=us-east-1 # AWS_ROLE=test-role # VAULT_ADDR=http://127.0.0.1:8200 # VAULT_INSTALL_DIR=/opt/homebrew/bin # VAULT_TOKEN=root # vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!" -echo "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|--------" +echo -e "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|--------\n" [[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set" [[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set" [[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set" @@ -35,4 +36,31 @@ echo "Configuring Vault AWS" "$binpath" write "${MOUNT}/config/root" access_key="${AWS_ACCESS_KEY_ID}" secret_key="${AWS_SECRET_ACCESS_KEY}" region=${AWS_REGION} || fail "Cannot set vault AWS credentials" echo "Creating AWS Role" -"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" credential_type=iam_user policy_arns="arn:aws:iam::aws:policy/AdministratorAccess" ttl="1h" max_ttl="24h" || fail "Cannot create AWS role" +#"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" credential_type=iam_user policy_arns="arn:aws:iam::aws:policy/AdministratorAccess" ttl="1h" max_ttl="24h" || fail "Cannot create AWS role" +"$binpath" write "aws/roles/${AWS_ROLE}" \ + credential_type=iam_user \ + ttl="1h" max_ttl="24h" \ + policy_document=-< Date: Thu, 13 Feb 2025 13:49:15 -0800 Subject: [PATCH 3/3] updating script --- .../scripts/aws-generate-roles.sh | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh index e8c265f608b7..472f68923e46 100755 --- a/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh +++ b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh 
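Review bot: `echo -e "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|--------\n"` still prints the access key id into the log that `enos_remote_exec` captures, and the `-e` only buys a trailing blank line; if a separator is wanted at all, `printf '%s\n\n' "------------|${AWS_REGION}|------------"` does it portably and without the key. The second hunk of this file is cut off at the end of the chunk, but its visible first lines replace `"${MOUNT}/roles/${AWS_ROLE}"` with the hard-coded `"aws/roles/${AWS_ROLE}"`, which ignores the `MOUNT` value the Terraform side passes in and makes the `MOUNT` guard in this hunk pointless; `"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" \` keeps it in step with the `config/root` write, which still uses `${MOUNT}`.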
@@ -9,15 +9,15 @@ fail() { exit 1 } -## # -------PKI TESTING -# MOUNT=aws -# AWS_REGION=us-east-1 -# AWS_ROLE=test-role -# VAULT_ADDR=http://127.0.0.1:8200 -# VAULT_INSTALL_DIR=/opt/homebrew/bin -# VAULT_TOKEN=root -# vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!" -echo -e "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|--------\n" +# # -------PKI TESTING + MOUNT=aws + AWS_REGION=us-east-1 + AWS_ROLE=test-role + VAULT_ADDR=http://127.0.0.1:8200 + VAULT_INSTALL_DIR=/opt/homebrew/bin + VAULT_TOKEN=root + vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!" +echo -e "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|-------|${AWS_SECRET_ACCESS_KEY}|-----\n" [[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set" [[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set" [[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set" @@ -35,11 +35,10 @@ export VAULT_FORMAT=json echo "Configuring Vault AWS" "$binpath" write "${MOUNT}/config/root" access_key="${AWS_ACCESS_KEY_ID}" secret_key="${AWS_SECRET_ACCESS_KEY}" region=${AWS_REGION} || fail "Cannot set vault AWS credentials" -echo "Creating AWS Role" +echo "Setup Vault/AWS role.." #"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" credential_type=iam_user policy_arns="arn:aws:iam::aws:policy/AdministratorAccess" ttl="1h" max_ttl="24h" || fail "Cannot create AWS role" "$binpath" write "aws/roles/${AWS_ROLE}" \ credential_type=iam_user \ - ttl="1h" max_ttl="24h" \ policy_document=-<
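Review bot: Removing the `# ` prefix turns the local-testing block into live code: `MOUNT=aws`, `AWS_REGION=us-east-1`, `AWS_ROLE=test-role`, `VAULT_ADDR=http://127.0.0.1:8200`, `VAULT_INSTALL_DIR=/opt/homebrew/bin` and `VAULT_TOKEN=root` now overwrite every value the Terraform environment passed in, so on the target the script looks for the binary at a macOS Homebrew path and authenticates with the literal token `root`, and the now-unconditional `vault secrets enable ...` runs whatever `vault` is on `PATH` rather than `$binpath`; this looks like a working copy committed by accident and the block should be restored to comments, or simply deleted since the guards below already document the required variables. The widened banner additionally prints `${AWS_SECRET_ACCESS_KEY}` to stdout, which `enos_remote_exec` captures into the Enos/CI log; that line has to go before merge, and the access key id should not be printed either. The second hunk of this file is cut off at the end of the chunk, so its `ttl`/`max_ttl` change is not reviewed here.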