More PR feedback

hashicorp · Mar 29, 2017 · 5c82f59 · 5c82f59
1 parent 4a98723
commit 5c82f59
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 49 deletions.
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
@@ -1362,7 +1362,7 @@ func parseGetCallerIdentityResponse(response string) (GetCallerIdentityResponse,
 func roleAllowsAuthMethod(authMethod string, roleEntry *awsRoleEntry) bool {
 	allowedAuthMethod := false
 	for _, allowedAuthType := range roleEntry.AllowedAuthTypes {
-		if allowedAuthType == "iam" {
+		if allowedAuthType == authMethod {
 			allowedAuthMethod = true
 			break
 		}

diff --git a/builtin/credential/aws/path_role.go b/builtin/credential/aws/path_role.go
@@ -282,6 +282,16 @@ func (b *backend) nonLockedAWSRole(s logical.Storage, roleName string) (*awsRole
 		}
 	}
 
+	// Check if there was no pre-existing AllowedAuthTypes set (from older versions)
+	if len(result.AllowedAuthTypes) == 0 {
+		// then default to the original behavior of ec2
+		result.AllowedAuthTypes = []string{"ec2"}
+		// and save the result
+		if err = b.nonLockedSetAWSRole(s, roleName, &result); err != nil {
+			return nil, fmt.Errorf("failed to save default allowed_auth_types")
+		}
+	}
+
 	return &result, nil
 }
 

diff --git a/website/source/docs/auth/aws-ec2.html.md b/website/source/docs/auth/aws-ec2.html.md
@@ -556,54 +556,11 @@ $ vault auth -method=aws header_value=vault.example.com role=dev-role-iam \
         aws_security_token=<security_token>
 ```
 
-For reference, the following Go program also demonstrates how to generate the
-required parameters (assuming you are using a default AWS credential provider),
-filling in the value for the header value as appropriate:
-
-```
-package main
-
-import (
-        "encoding/base64"
-        "encoding/json"
-        "fmt"
-        "io/ioutil"
-
-        "github.com/aws/aws-sdk-go/aws/session"
-        "github.com/aws/aws-sdk-go/service/sts"
-)
-
-func main() {
-        sess, err := session.NewSession()
-        if err != nil {
-                fmt.Println("failed to create session,", err)
-                return
-        }
-
-        svc := sts.New(sess)
-        var params *sts.GetCallerIdentityInput
-        stsRequest, _ := svc.GetCallerIdentityRequest(params)
-        stsRequest.HTTPRequest.Header.Add("X-Vault-AWSIAM-Server-ID", "vault.example.com")
-        stsRequest.Sign()
-
-        headersJson, err := json.Marshal(stsRequest.HTTPRequest.Header)
-        if err != nil {
-                fmt.Println(fmt.Errorf("Error:", err))
-                return
-        }
-        requestBody, err := ioutil.ReadAll(stsRequest.HTTPRequest.Body)
-        if err != nil {
-                fmt.Println(fmt.Errorf("Error:", err))
-                return
-        }
-        fmt.Println("request_method=" + stsRequest.HTTPRequest.Method)
-        fmt.Println("request_url=" + stsRequest.HTTPRequest.URL.String())
-        fmt.Println("request_headers=" + base64.StdEncoding.EncodeToString(headersJson))
-        fmt.Println("request_body=" + base64.StdEncoding.EncodeToString(requestBody))
-}
-
-```
-Using this, we can get the values to pass in to the `vault write` operation:
+An example of how to generate the required request values for the `login` method
+can be found found in the [vault cli
+source code](https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go).
+Using an approach such as this, the request parameters can be generated and
+passed to the `login` method:
 
 ```
 $ vault write auth/aws/login role=dev-role-iam \