From 99bd2afbb397f2dacb7c68fae8dd5264d6194c3e Mon Sep 17 00:00:00 2001
From: Becca Petrin
Date: Wed, 20 Feb 2019 16:43:21 -0800
Subject: [PATCH] allow aws region in cli login
---
 builtin/credential/aws/cli.go | 10 +++++++---
 command/agent/auth/aws/aws.go | 2 +-
 website/source/docs/auth/aws.html.md | 5 +++++
 3 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go
index d26b0210a18d..3cf764858b52 100644
--- a/builtin/credential/aws/cli.go
+++ b/builtin/credential/aws/cli.go
@@ -20,12 +20,16 @@ type CLIHandler struct{}

 // Generates the necessary data to send to the Vault server for generating a token
 // This is useful for other API clients to use
-func GenerateLoginData(creds *credentials.Credentials, headerValue string) (map[string]interface{}, error) {
+func GenerateLoginData(creds *credentials.Credentials, headerValue, region string) (map[string]interface{}, error) {
 loginData := make(map[string]interface{})

 // Use the credentials we've found to construct an STS session
+ cfg := aws.Config{Credentials: creds}
+ if region != "" {
+ cfg.Region = &region
+ }
 stsSession, err := session.NewSessionWithOptions(session.Options{
- Config: aws.Config{Credentials: creds},
+ Config: cfg,
 })
 if err != nil {
 return nil, err
@@ -79,7 +83,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 return nil, err
 }

- loginData, err := GenerateLoginData(creds, headerValue)
+ loginData, err := GenerateLoginData(creds, headerValue, m["region"])
 if err != nil {
 return nil, err
 }
diff --git a/command/agent/auth/aws/aws.go b/command/agent/auth/aws/aws.go
index c92f7441838f..fdac099e99eb 100644
--- a/command/agent/auth/aws/aws.go
+++ b/command/agent/auth/aws/aws.go
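Review bot: The doc comment above `GenerateLoginData` still describes the old two-argument form; now that `region` is part of the exported signature it should say what the parameter does and that an empty string is accepted. A comment such as `// GenerateLoginData builds the login payload sent to the Vault server. region selects the STS regional endpoint used for the signed request; leave it empty to let the SDK pick its default region.` would also follow the Go convention of starting with the function name. Taking `&region` of the parameter is fine since the pointer only escapes into the session config, but the function performs no validation of the value, and it presumably ends up in the STS request URL that the Vault server checks, so callers should be aware that a bad region fails remotely rather than here. GenerateLoginData's body continues past the end of the hunk.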
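Review bot: `m["region"]` is forwarded to GenerateLoginData exactly as the user typed it, so a misspelled region (a constructed example: `us-west2`) yields a signed request against a host that does not exist and the failure only surfaces as a server-side error far from the input; a local check that the value is a known region, or at least a clearer error message, would help operators. The new `region` key should also be listed in the handler's Help() text next to `header_value` and `role` (that text is outside the hunk, so this is inferred). Auth's body starts and ends outside the hunk.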
@@ -238,7 +238,7 @@ func (a *awsMethod) Authenticate(ctx context.Context, client *api.Client) (retTo
 defer a.credLock.Unlock()

 var err error
- data, err = awsauth.GenerateLoginData(a.lastCreds, a.headerValue)
+ data, err = awsauth.GenerateLoginData(a.lastCreds, a.headerValue, "")
 if err != nil {
 retErr = errwrap.Wrapf("error creating login value: {{err}}", err)
 return
diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md
index f38f10646a8b..2afc6cd2849b 100644
--- a/website/source/docs/auth/aws.html.md
+++ b/website/source/docs/auth/aws.html.md
@@ -645,6 +645,11 @@ $ vault login -method=aws header_value=vault.example.com role=dev-role-iam \
 aws_security_token=
 ```

+The region used defaults to `us-east-1`, but you can specify a custom region like so:
+```
+$ vault login -method=aws region=us-west-2 role=dev-role-iam
+```
+
 An example of how to generate the required request values for the `login` method can be found found in the [vault cli source code](https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go).
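Review bot: The bare `""` passed as the new third argument tells a reader nothing about what it is; a trailing comment such as `// region: empty lets the SDK choose its default` or a named `const defaultRegion = ""` would make the intent explicit at the call site. As written the agent has no way to set a region at all, so if the CLI's `region` option is meant to be mirrored in the agent's auth-method config this is where it would be plumbed through; that is a follow-up rather than a defect in this change. Authenticate's body starts and ends outside the hunk.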