allow aws region in cli login

hashicorp · Feb 21, 2019 · 99bd2af · 99bd2af
1 parent 9ff93b6
commit 99bd2af
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go
@@ -20,12 +20,16 @@ type CLIHandler struct{}
 
 // Generates the necessary data to send to the Vault server for generating a token
 // This is useful for other API clients to use
-func GenerateLoginData(creds *credentials.Credentials, headerValue string) (map[string]interface{}, error) {
+func GenerateLoginData(creds *credentials.Credentials, headerValue, region string) (map[string]interface{}, error) {
 	loginData := make(map[string]interface{})
 
 	// Use the credentials we've found to construct an STS session
+	cfg := aws.Config{Credentials: creds}
+	if region != "" {
+		cfg.Region = &region
+	}
 	stsSession, err := session.NewSessionWithOptions(session.Options{
-		Config: aws.Config{Credentials: creds},
+		Config: cfg,
 	})
 	if err != nil {
 		return nil, err
@@ -79,7 +83,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 		return nil, err
 	}
 
-	loginData, err := GenerateLoginData(creds, headerValue)
+	loginData, err := GenerateLoginData(creds, headerValue, m["region"])
 	if err != nil {
 		return nil, err
 	}

diff --git a/command/agent/auth/aws/aws.go b/command/agent/auth/aws/aws.go
@@ -238,7 +238,7 @@ func (a *awsMethod) Authenticate(ctx context.Context, client *api.Client) (retTo
 		defer a.credLock.Unlock()
 
 		var err error
-		data, err = awsauth.GenerateLoginData(a.lastCreds, a.headerValue)
+		data, err = awsauth.GenerateLoginData(a.lastCreds, a.headerValue, "")
 		if err != nil {
 			retErr = errwrap.Wrapf("error creating login value: {{err}}", err)
 			return

diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md
@@ -645,6 +645,11 @@ $ vault login -method=aws header_value=vault.example.com role=dev-role-iam \
         aws_security_token=<security_token>
 ```
 
+The region used defaults to `us-east-1`, but you can specify a custom region like so:
+```
+$ vault login -method=aws region=us-west-2 role=dev-role-iam
+```
+
 An example of how to generate the required request values for the `login` method
 can be found found in the [vault cli
 source code](https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go).