Add IAM EC2 auth #161
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -186,6 +186,66 @@ def aws_ec2(role, pkcs7, nonce = nil) | |
| return secret | ||
| end | ||
|
|
||
| # Authenticate via IAM EC2 method by providing a AWS CredentialProvider (either ECS, AssumeRole, etc.) | ||
| # If authentication is successful, the resulting token will be stored on the client and used | ||
| # for future requests. | ||
| # | ||
| # @example | ||
| # Vault.auth.aws_ecs_iam("dev-role-iam", Aws::AssumeRoleCredentials.new, "vault.example.com", "https://sts.us-east-2.amazonaws.com") #=> #<Vault::Secret lease_id=""> | ||
| # | ||
| # @param [String] role | ||
| # @param [CredentialProvider] credentials_provider | ||
| # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CredentialProvider.html | ||
| # @param [String] iam_auth_header_value optional | ||
| # As of Jan 2018, Vault will accept ANY or NO header, but this is subject to change and should not be relied upon | ||
|
There was a problem hiding this comment. Would be better to read: "Vault will accept ANY or NO header if none is configured by the Vault server admin" |
||
| # @param [String] sts_endpoint optional | ||
| # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html | ||
| # @return [Secret] | ||
| def aws_iam(role, credentials_provider, iam_auth_header_value = nil, sts_endpoint = 'https://sts.amazonaws.com') | ||
| require "aws-sigv4" | ||
| require "base64" | ||
|
|
||
| # STS in the China (Beijing) region (cn-north-1) is sts.cn-north-1.amazonaws.com.cn | ||
| # Take care changing below regex with that edge case in mind | ||
| valid_sts_endpoint = %r{https:\/\/sts.?(.*).amazonaws.com}.match(sts_endpoint) | ||
|
There was a problem hiding this comment. FWIW, the STS endpoint for STS in the China (Beijing) region (cn-north-1) is The endpoint for GovCloud is There was a problem hiding this comment. I think you need to escape the . to be correct: |
||
| raise "Unable to parse STS endpoint #{sts_endpoint}" unless valid_sts_endpoint | ||
| region = valid_sts_endpoint[1].empty? ? 'us-east-1' : valid_sts_endpoint[1] | ||
|
|
||
| request_body = 'Action=GetCallerIdentity&Version=2011-06-15' | ||
| request_method = 'POST' | ||
|
|
||
| vault_headers = { | ||
| 'User-Agent' => Vault::Client::USER_AGENT, | ||
| 'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8' | ||
| } | ||
|
|
||
| vault_headers['X-Vault-AWS-IAM-Server-ID'] = iam_auth_header_value if iam_auth_header_value | ||
|
|
||
| sig4_headers = Aws::Sigv4::Signer.new( | ||
| service: 'sts', | ||
| region: region, | ||
| credentials_provider: credentials_provider | ||
| ).sign_request( | ||
| http_method: request_method, | ||
| url: sts_endpoint, | ||
| headers: vault_headers, | ||
| body: request_body | ||
| ).headers | ||
|
|
||
| payload = { | ||
| role: role, | ||
| iam_http_request_method: request_method, | ||
| iam_request_url: Base64.strict_encode64(sts_endpoint), | ||
| iam_request_headers: Base64.strict_encode64(vault_headers.merge(sig4_headers).to_json), | ||
|
There was a problem hiding this comment. This is probably OK, but just want to call out that this format for encoding the headers is only compatible with Vault starting with v0.8.0. |
||
| iam_request_body: Base64.strict_encode64(request_body) | ||
| } | ||
|
|
||
| json = client.post('/v1/auth/aws/login', JSON.fast_generate(payload)) | ||
| secret = Secret.decode(json) | ||
| client.token = secret.auth.client_token | ||
| return secret | ||
| end | ||
|
|
||
| # Authenticate via a TLS authentication method. If authentication is | ||
| # successful, the resulting token will be stored on the client and used | ||
| # for future requests. | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,5 @@ | ||
| require "spec_helper" | ||
| require "aws-sigv4" | ||
|
|
||
| module Vault | ||
| describe Auth do | ||
|
|
@@ -211,5 +212,39 @@ module Vault | |
| }.to_not change { subject.token } | ||
| end | ||
| end | ||
|
|
||
| describe "#aws_iam" do | ||
| before(:context) do | ||
| vault_test_client.sys.enable_auth("aws", "aws", nil) | ||
|
There was a problem hiding this comment. I think it would be good to also configure the header value here and then insert it, just to ensure it gets processed properly. |
||
| end | ||
|
|
||
| after(:context) do | ||
| vault_test_client.sys.disable_auth("aws") | ||
| end | ||
|
|
||
| let!(:old_token) { subject.token } | ||
| let(:credentials_provider) do | ||
| double( | ||
| credentials: | ||
| double(access_key_id: 'very', secret_access_key: 'secure', session_token: 'thing') | ||
| ) | ||
| end | ||
| let(:secret) { double(auth: double(client_token: 'a great token')) } | ||
|
|
||
| after do | ||
| subject.token = old_token | ||
| end | ||
|
|
||
| it "authenticates and saves the token on the client", vault: "> 0.7.3" do | ||
| expect(subject).to receive(:post).and_return 'huzzah!' | ||
| expect(Secret).to receive(:decode).and_return secret | ||
| expect(::Aws::Sigv4::Signer).to( | ||
| receive(:new).with( | ||
| service: 'sts', region: 'cn-north-1', credentials_provider: credentials_provider | ||
|
There was a problem hiding this comment. I think this expectation could obviate the need for the comment in e598ffc |
||
| ).and_call_original | ||
| ) | ||
| subject.auth.aws_iam('yabba', credentials_provider, 'canary_header', 'https://sts.cn-north-1.amazonaws.com.cn') | ||
| end | ||
| end | ||
| end | ||
| end | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be better to say something like "Authenticate via AWS IAM auth method" as this doesn't use the ec2 auth method at all.