From 394d08d1eb3464ca35216489bddc5c7fc3fa132c Mon Sep 17 00:00:00 2001 From: Joel Thompson Date: Sun, 19 Aug 2018 18:16:22 -0400 Subject: [PATCH 1/6] Allow specifying role-default TTLs in AWS secret engine --- builtin/logical/aws/backend_test.go | 3 +++ builtin/logical/aws/path_roles.go | 32 ++++++++++++++++++++------ builtin/logical/aws/path_roles_test.go | 1 + builtin/logical/aws/path_user.go | 12 +++++++++- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/builtin/logical/aws/backend_test.go b/builtin/logical/aws/backend_test.go index 85bc70af35f4..fd0dced2b507 100644 --- a/builtin/logical/aws/backend_test.go +++ b/builtin/logical/aws/backend_test.go @@ -527,6 +527,7 @@ func testAccStepReadPolicy(t *testing.T, name string, value string) logicaltest. "role_arns": []string(nil), "policy_document": value, "credential_types": []string{iamUserCred, federationTokenCred}, + "default_ttl": time.Duration(0), } if !reflect.DeepEqual(resp.Data, expected) { return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected) @@ -621,6 +622,7 @@ func TestBackend_iamUserManagedInlinePolicies(t *testing.T) { "policy_arns": []string{ec2PolicyArn, iamPolicyArn}, "credential_types": []string{iamUserCred}, "role_arns": []string(nil), + "default_ttl": time.Duration(0), } logicaltest.Test(t, logicaltest.TestCase{ AcceptanceTest: true, @@ -710,6 +712,7 @@ func testAccStepReadArnPolicy(t *testing.T, name string, value string) logicalte "role_arns": []string(nil), "policy_document": "", "credential_types": []string{iamUserCred}, + "default_ttl": time.Duration(0), } if !reflect.DeepEqual(resp.Data, expected) { return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected) diff --git a/builtin/logical/aws/path_roles.go b/builtin/logical/aws/path_roles.go index d8d128e1f188..bc25ae980601 100644 --- a/builtin/logical/aws/path_roles.go +++ b/builtin/logical/aws/path_roles.go @@ -7,6 +7,7 @@ import ( "errors" "fmt" "strings" + "time" "github.com/aws/aws-sdk-go/aws/arn" "github.com/hashicorp/vault/helper/consts" @@ -61,6 +62,11 @@ will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.`, }, + "default_ttl": &framework.FieldSchema{ + Type: framework.TypeDurationSecond, + Description: fmt.Sprintf("Default TTL for %s and %s credential types when no TTL is explicitly requested with the credentials", assumedRoleCred, federationTokenCred), + }, + "arn": &framework.FieldSchema{ Type: framework.TypeString, Description: `Deprecated; use role_arns or policy_arns instead. ARN Reference to a managed policy @@ -206,6 +212,16 @@ func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *f roleEntry.PolicyDocument = compacted } + if defaultTTLRaw, ok := d.GetOk("default_ttl"); ok { + if legacyRole != "" { + return logical.ErrorResponse("cannot supply deprecated role or policy parameters with ttl"), nil + } + if !strutil.StrListContains(roleEntry.CredentialTypes, assumedRoleCred) && !strutil.StrListContains(roleEntry.CredentialTypes, federationTokenCred) { + return logical.ErrorResponse(fmt.Sprintf("default_ttl parameter only valid for %s and %s credential types", assumedRoleCred, federationTokenCred)), nil + } + roleEntry.DefaultTTL = time.Duration(defaultTTLRaw.(int)) * time.Second + } + if legacyRole != "" { roleEntry = upgradeLegacyPolicyEntry(legacyRole) if roleEntry.InvalidData != "" { @@ -374,13 +390,14 @@ func setAwsRole(ctx context.Context, s logical.Storage, roleName string, roleEnt } type awsRoleEntry struct { - CredentialTypes []string `json:"credential_types"` // Entries must all be in the set of ("iam_user", "assumed_role", "federation_token") - PolicyArns []string `json:"policy_arns"` // ARNs of managed policies to attach to an IAM user - RoleArns []string `json:"role_arns"` // ARNs of roles to assume for AssumedRole credentials - PolicyDocument string `json:"policy_document"` // JSON-serialized inline policy to attach to IAM users and/or to specify as the Policy parameter in AssumeRole calls - InvalidData string `json:"invalid_data,omitempty"` // Invalid role data. Exists to support converting the legacy role data into the new format - ProhibitFlexibleCredPath bool `json:"prohibit_flexible_cred_path,omitempty"` // Disallow accessing STS credentials via the creds path and vice verse - Version int `json:"version"` // Version number of the role format + CredentialTypes []string `json:"credential_types"` // Entries must all be in the set of ("iam_user", "assumed_role", "federation_token") + PolicyArns []string `json:"policy_arns"` // ARNs of managed policies to attach to an IAM user + RoleArns []string `json:"role_arns"` // ARNs of roles to assume for AssumedRole credentials + PolicyDocument string `json:"policy_document"` // JSON-serialized inline policy to attach to IAM users and/or to specify as the Policy parameter in AssumeRole calls + InvalidData string `json:"invalid_data,omitempty"` // Invalid role data. Exists to support converting the legacy role data into the new format + ProhibitFlexibleCredPath bool `json:"prohibit_flexible_cred_path,omitempty"` // Disallow accessing STS credentials via the creds path and vice verse + Version int `json:"version"` // Version number of the role format + DefaultTTL time.Duration `json:"default_ttl"` // Default TTL for STS credentials } func (r *awsRoleEntry) toResponseData() map[string]interface{} { @@ -389,6 +406,7 @@ func (r *awsRoleEntry) toResponseData() map[string]interface{} { "policy_arns": r.PolicyArns, "role_arns": r.RoleArns, "policy_document": r.PolicyDocument, + "default_ttl": r.DefaultTTL / time.Second, } if r.InvalidData != "" { respData["invalid_data"] = r.InvalidData diff --git a/builtin/logical/aws/path_roles_test.go b/builtin/logical/aws/path_roles_test.go index d3705c0bd97d..e6d86ad02ba2 100644 --- a/builtin/logical/aws/path_roles_test.go +++ b/builtin/logical/aws/path_roles_test.go @@ -23,6 +23,7 @@ func TestBackend_PathListRoles(t *testing.T) { roleData := map[string]interface{}{ "role_arns": []string{"arn:aws:iam::123456789012:role/path/RoleName"}, "credential_type": assumedRoleCred, + "default_ttl": 3600, } roleReq := &logical.Request{ diff --git a/builtin/logical/aws/path_user.go b/builtin/logical/aws/path_user.go index 0d541546f70f..544ad7dcdd7b 100644 --- a/builtin/logical/aws/path_user.go +++ b/builtin/logical/aws/path_user.go @@ -4,6 +4,7 @@ import ( "context" "fmt" "strings" + "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/iam" @@ -56,7 +57,16 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr "Role '%s' not found", roleName)), nil } - ttl := int64(d.Get("ttl").(int)) + var ttl int64 + ttlRaw, ok := d.GetOk("ttl") + switch { + case ok: + ttl = int64(ttlRaw.(int)) + case role.DefaultTTL > 0: + ttl = int64(role.DefaultTTL / time.Second) + default: + ttl = int64(d.Get("ttl").(int)) + } roleArn := d.Get("role_arn").(string) var credentialType string From f6d6dd608a38f56de3318bd7bdcf8d098a234973 Mon Sep 17 00:00:00 2001 From: Joel Thompson Date: Sun, 19 Aug 2018 20:43:16 -0400 Subject: [PATCH 2/6] Add an acceptance test --- builtin/logical/aws/backend_test.go | 42 +++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/builtin/logical/aws/backend_test.go b/builtin/logical/aws/backend_test.go index fd0dced2b507..ffcceb5de1bf 100644 --- a/builtin/logical/aws/backend_test.go +++ b/builtin/logical/aws/backend_test.go @@ -393,6 +393,23 @@ func testAccStepRead(t *testing.T, path, name string, credentialTests []credenti } } +func testAccStepReadTTL(name string, maximumTTL time.Duration) logicaltest.TestStep { + return logicaltest.TestStep{ + Operation: logical.ReadOperation, + Path: "creds/" + name, + Check: func(resp *logical.Response) error { + if resp.Secret == nil { + return fmt.Errorf("bad: nil Secret returned") + } + ttl := resp.Secret.TTL + if ttl > maximumTTL { + return fmt.Errorf("bad: ttl of %d greater than maximum of %d", ttl/time.Second, maximumTTL/time.Second) + } + return nil + }, + } +} + func describeInstancesTest(accessKey, secretKey, token string) error { creds := credentials.NewStaticCredentials(accessKey, secretKey, token) awsConfig := &aws.Config{ @@ -680,6 +697,31 @@ func TestBackend_AssumedRoleWithPolicyDoc(t *testing.T) { }) } +func TestBackend_RoleDefaultTTL(t *testing.T) { + minAwsAssumeRoleDuration := 900 + roleData := map[string]interface{}{ + "role_arns": []string{fmt.Sprintf("arn:aws:iam::%s:role/%s", os.Getenv("AWS_ACCOUNT_ID"), testRoleName)}, + "credential_type": assumedRoleCred, + "default_ttl": minAwsAssumeRoleDuration, + } + logicaltest.Test(t, logicaltest.TestCase{ + AcceptanceTest: true, + PreCheck: func() { + testAccPreCheck(t) + createRole(t) + log.Println("[WARN] Sleeping for 10 seconds waiting for AWS...") + time.Sleep(10 * time.Second) + }, + Backend: getBackend(t), + Steps: []logicaltest.TestStep{ + testAccStepConfig(t), + testAccStepWriteRole(t, "test", roleData), + testAccStepReadTTL("test", time.Duration(minAwsAssumeRoleDuration)*time.Second), // allow a little slack + }, + Teardown: deleteTestRole, + }) +} + func TestBackend_policyArnCrud(t *testing.T) { logicaltest.Test(t, logicaltest.TestCase{ AcceptanceTest: true, From 615c6507aa40794b90393a9f89540593ee8ebe87 Mon Sep 17 00:00:00 2001 From: Joel Thompson Date: Sun, 19 Aug 2018 21:00:27 -0400 Subject: [PATCH 3/6] Add docs for AWS secret role-default TTLs --- website/source/api/secret/aws/index.html.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/website/source/api/secret/aws/index.html.md b/website/source/api/secret/aws/index.html.md index 8b4f97845396..e29d8ae95196 100644 --- a/website/source/api/secret/aws/index.html.md +++ b/website/source/api/secret/aws/index.html.md @@ -179,6 +179,11 @@ updated with the new attributes. user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do. +- `default_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not + specified when STS credentials are requested, and a default TTL is specified + on the role, then this default TTL will be used. Valid only when + `credential_type` is one of `assumed_role` or `federation_token`. + Legacy parameters: These parameters are supported for backwards compatibility only. They cannot be @@ -351,7 +356,9 @@ credentials retrieved through `/aws/creds` must be of the `iam_user` type. required otherwise. - `ttl` `(string: "3600s")` – Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when - `credential_type` is `assumed_role` or `federation_token`. AWS places limits + `credential_type` is `assumed_role` or `federation_token`. When not specified, + the `default_ttl` set for the role will be used. If that is also not set, then + the default value of `3600s` will be used. AWS places limits on the maximum TTL allowed. See the AWS documentation on the `DurationSeconds` parameter for [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) From 525a59a7897273beb2132ea51ef5ac0174fbc488 Mon Sep 17 00:00:00 2001 From: Joel Thompson Date: Mon, 20 Aug 2018 21:23:26 -0400 Subject: [PATCH 4/6] Rename default_ttl to default_sts_ttl --- builtin/logical/aws/backend_test.go | 10 +++++----- builtin/logical/aws/path_roles.go | 14 +++++++------- builtin/logical/aws/path_roles_test.go | 2 +- builtin/logical/aws/path_user.go | 4 ++-- website/source/api/secret/aws/index.html.md | 4 ++-- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/builtin/logical/aws/backend_test.go b/builtin/logical/aws/backend_test.go index ffcceb5de1bf..da7749161990 100644 --- a/builtin/logical/aws/backend_test.go +++ b/builtin/logical/aws/backend_test.go @@ -544,7 +544,7 @@ func testAccStepReadPolicy(t *testing.T, name string, value string) logicaltest. "role_arns": []string(nil), "policy_document": value, "credential_types": []string{iamUserCred, federationTokenCred}, - "default_ttl": time.Duration(0), + "default_sts_ttl": time.Duration(0), } if !reflect.DeepEqual(resp.Data, expected) { return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected) @@ -639,7 +639,7 @@ func TestBackend_iamUserManagedInlinePolicies(t *testing.T) { "policy_arns": []string{ec2PolicyArn, iamPolicyArn}, "credential_types": []string{iamUserCred}, "role_arns": []string(nil), - "default_ttl": time.Duration(0), + "default_sts_ttl": time.Duration(0), } logicaltest.Test(t, logicaltest.TestCase{ AcceptanceTest: true, @@ -697,12 +697,12 @@ func TestBackend_AssumedRoleWithPolicyDoc(t *testing.T) { }) } -func TestBackend_RoleDefaultTTL(t *testing.T) { +func TestBackend_RoleDefaultSTSTTL(t *testing.T) { minAwsAssumeRoleDuration := 900 roleData := map[string]interface{}{ "role_arns": []string{fmt.Sprintf("arn:aws:iam::%s:role/%s", os.Getenv("AWS_ACCOUNT_ID"), testRoleName)}, "credential_type": assumedRoleCred, - "default_ttl": minAwsAssumeRoleDuration, + "default_sts_ttl": minAwsAssumeRoleDuration, } logicaltest.Test(t, logicaltest.TestCase{ AcceptanceTest: true, @@ -754,7 +754,7 @@ func testAccStepReadArnPolicy(t *testing.T, name string, value string) logicalte "role_arns": []string(nil), "policy_document": "", "credential_types": []string{iamUserCred}, - "default_ttl": time.Duration(0), + "default_sts_ttl": time.Duration(0), } if !reflect.DeepEqual(resp.Data, expected) { return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected) diff --git a/builtin/logical/aws/path_roles.go b/builtin/logical/aws/path_roles.go index bc25ae980601..adeedac6d302 100644 --- a/builtin/logical/aws/path_roles.go +++ b/builtin/logical/aws/path_roles.go @@ -62,7 +62,7 @@ will be passed in as the Policy parameter to the AssumeRole or GetFederationToken API call, acting as a filter on permissions available.`, }, - "default_ttl": &framework.FieldSchema{ + "default_sts_ttl": &framework.FieldSchema{ Type: framework.TypeDurationSecond, Description: fmt.Sprintf("Default TTL for %s and %s credential types when no TTL is explicitly requested with the credentials", assumedRoleCred, federationTokenCred), }, @@ -212,14 +212,14 @@ func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *f roleEntry.PolicyDocument = compacted } - if defaultTTLRaw, ok := d.GetOk("default_ttl"); ok { + if defaultSTSTTLRaw, ok := d.GetOk("default_sts_ttl"); ok { if legacyRole != "" { - return logical.ErrorResponse("cannot supply deprecated role or policy parameters with ttl"), nil + return logical.ErrorResponse("cannot supply deprecated role or policy parameters with default_sts_ttl"), nil } if !strutil.StrListContains(roleEntry.CredentialTypes, assumedRoleCred) && !strutil.StrListContains(roleEntry.CredentialTypes, federationTokenCred) { - return logical.ErrorResponse(fmt.Sprintf("default_ttl parameter only valid for %s and %s credential types", assumedRoleCred, federationTokenCred)), nil + return logical.ErrorResponse(fmt.Sprintf("default_sts_ttl parameter only valid for %s and %s credential types", assumedRoleCred, federationTokenCred)), nil } - roleEntry.DefaultTTL = time.Duration(defaultTTLRaw.(int)) * time.Second + roleEntry.DefaultSTSTTL = time.Duration(defaultSTSTTLRaw.(int)) * time.Second } if legacyRole != "" { @@ -397,7 +397,7 @@ type awsRoleEntry struct { InvalidData string `json:"invalid_data,omitempty"` // Invalid role data. Exists to support converting the legacy role data into the new format ProhibitFlexibleCredPath bool `json:"prohibit_flexible_cred_path,omitempty"` // Disallow accessing STS credentials via the creds path and vice verse Version int `json:"version"` // Version number of the role format - DefaultTTL time.Duration `json:"default_ttl"` // Default TTL for STS credentials + DefaultSTSTTL time.Duration `json:"default_sts_ttl"` // Default TTL for STS credentials } func (r *awsRoleEntry) toResponseData() map[string]interface{} { @@ -406,7 +406,7 @@ func (r *awsRoleEntry) toResponseData() map[string]interface{} { "policy_arns": r.PolicyArns, "role_arns": r.RoleArns, "policy_document": r.PolicyDocument, - "default_ttl": r.DefaultTTL / time.Second, + "default_sts_ttl": r.DefaultSTSTTL / time.Second, } if r.InvalidData != "" { respData["invalid_data"] = r.InvalidData diff --git a/builtin/logical/aws/path_roles_test.go b/builtin/logical/aws/path_roles_test.go index e6d86ad02ba2..b0d4bff38d7a 100644 --- a/builtin/logical/aws/path_roles_test.go +++ b/builtin/logical/aws/path_roles_test.go @@ -23,7 +23,7 @@ func TestBackend_PathListRoles(t *testing.T) { roleData := map[string]interface{}{ "role_arns": []string{"arn:aws:iam::123456789012:role/path/RoleName"}, "credential_type": assumedRoleCred, - "default_ttl": 3600, + "default_sts_ttl": 3600, } roleReq := &logical.Request{ diff --git a/builtin/logical/aws/path_user.go b/builtin/logical/aws/path_user.go index 544ad7dcdd7b..86b9c71ef6b8 100644 --- a/builtin/logical/aws/path_user.go +++ b/builtin/logical/aws/path_user.go @@ -62,8 +62,8 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr switch { case ok: ttl = int64(ttlRaw.(int)) - case role.DefaultTTL > 0: - ttl = int64(role.DefaultTTL / time.Second) + case role.DefaultSTSTTL > 0: + ttl = int64(role.DefaultSTSTTL / time.Second) default: ttl = int64(d.Get("ttl").(int)) } diff --git a/website/source/api/secret/aws/index.html.md b/website/source/api/secret/aws/index.html.md index e29d8ae95196..62a3f806e2e3 100644 --- a/website/source/api/secret/aws/index.html.md +++ b/website/source/api/secret/aws/index.html.md @@ -179,7 +179,7 @@ updated with the new attributes. user has. With `assumed_role` and `federation_token`, the policy document will act as a filter on what the credentials can do. -- `default_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not +- `default_sts_ttl` `(string)` - The default TTL for STS credentials. When a TTL is not specified when STS credentials are requested, and a default TTL is specified on the role, then this default TTL will be used. Valid only when `credential_type` is one of `assumed_role` or `federation_token`. @@ -357,7 +357,7 @@ credentials retrieved through `/aws/creds` must be of the `iam_user` type. - `ttl` `(string: "3600s")` – Specifies the TTL for the use of the STS token. This is specified as a string with a duration suffix. Valid only when `credential_type` is `assumed_role` or `federation_token`. When not specified, - the `default_ttl` set for the role will be used. If that is also not set, then + the `default_sts_ttl` set for the role will be used. If that is also not set, then the default value of `3600s` will be used. AWS places limits on the maximum TTL allowed. See the AWS documentation on the `DurationSeconds` parameter for From 419495b5dbd34aa9e604b24391be29cb0949fe9f Mon Sep 17 00:00:00 2001 From: Joel Thompson Date: Tue, 21 Aug 2018 20:02:55 -0400 Subject: [PATCH 5/6] Return default_ttl as int64 instead of time.Duration --- builtin/logical/aws/backend_test.go | 6 +++--- builtin/logical/aws/path_roles.go | 2 +- builtin/logical/aws/path_user.go | 3 +-- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/builtin/logical/aws/backend_test.go b/builtin/logical/aws/backend_test.go index da7749161990..bbc82d50da60 100644 --- a/builtin/logical/aws/backend_test.go +++ b/builtin/logical/aws/backend_test.go @@ -544,7 +544,7 @@ func testAccStepReadPolicy(t *testing.T, name string, value string) logicaltest. "role_arns": []string(nil), "policy_document": value, "credential_types": []string{iamUserCred, federationTokenCred}, - "default_sts_ttl": time.Duration(0), + "default_sts_ttl": int64(0), } if !reflect.DeepEqual(resp.Data, expected) { return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected) @@ -639,7 +639,7 @@ func TestBackend_iamUserManagedInlinePolicies(t *testing.T) { "policy_arns": []string{ec2PolicyArn, iamPolicyArn}, "credential_types": []string{iamUserCred}, "role_arns": []string(nil), - "default_sts_ttl": time.Duration(0), + "default_sts_ttl": int64(0), } logicaltest.Test(t, logicaltest.TestCase{ AcceptanceTest: true, @@ -754,7 +754,7 @@ func testAccStepReadArnPolicy(t *testing.T, name string, value string) logicalte "role_arns": []string(nil), "policy_document": "", "credential_types": []string{iamUserCred}, - "default_sts_ttl": time.Duration(0), + "default_sts_ttl": int64(0), } if !reflect.DeepEqual(resp.Data, expected) { return fmt.Errorf("bad: got: %#v\nexpected: %#v", resp.Data, expected) diff --git a/builtin/logical/aws/path_roles.go b/builtin/logical/aws/path_roles.go index adeedac6d302..3df316ad6902 100644 --- a/builtin/logical/aws/path_roles.go +++ b/builtin/logical/aws/path_roles.go @@ -406,7 +406,7 @@ func (r *awsRoleEntry) toResponseData() map[string]interface{} { "policy_arns": r.PolicyArns, "role_arns": r.RoleArns, "policy_document": r.PolicyDocument, - "default_sts_ttl": r.DefaultSTSTTL / time.Second, + "default_sts_ttl": int64(r.DefaultSTSTTL.Seconds()), } if r.InvalidData != "" { respData["invalid_data"] = r.InvalidData diff --git a/builtin/logical/aws/path_user.go b/builtin/logical/aws/path_user.go index 86b9c71ef6b8..b12289e3ae57 100644 --- a/builtin/logical/aws/path_user.go +++ b/builtin/logical/aws/path_user.go @@ -4,7 +4,6 @@ import ( "context" "fmt" "strings" - "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/iam" @@ -63,7 +62,7 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr case ok: ttl = int64(ttlRaw.(int)) case role.DefaultSTSTTL > 0: - ttl = int64(role.DefaultSTSTTL / time.Second) + ttl = int64(role.DefaultSTSTTL.Seconds()) default: ttl = int64(d.Get("ttl").(int)) } From fb55e16b6c4cafbd0e2c9ef5518da9cf1ec71841 Mon Sep 17 00:00:00 2001 From: Joel Thompson Date: Tue, 25 Sep 2018 20:37:27 -0400 Subject: [PATCH 6/6] Fix broken tests The merge of #5383 broke the tests due to some changes in the test style that didn't actually cause a git merge conflict. This updates the tests to the new style. --- builtin/logical/aws/backend_test.go | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/builtin/logical/aws/backend_test.go b/builtin/logical/aws/backend_test.go index 485373d18caf..f9c86d49c3f1 100644 --- a/builtin/logical/aws/backend_test.go +++ b/builtin/logical/aws/backend_test.go @@ -777,9 +777,16 @@ func TestBackend_AssumedRoleWithPolicyDoc(t *testing.T) { } func TestBackend_RoleDefaultSTSTTL(t *testing.T) { + t.Parallel() + roleName := generateUniqueName(t.Name()) minAwsAssumeRoleDuration := 900 + awsAccountID, err := getAccountID() + if err != nil { + t.Logf("Unable to retrive user via sts:GetCallerIdentity: %#v", err) + t.Skip("Could not determine AWS account ID from sts:GetCallerIdentity for acceptance tests, skipping") + } roleData := map[string]interface{}{ - "role_arns": []string{fmt.Sprintf("arn:aws:iam::%s:role/%s", os.Getenv("AWS_ACCOUNT_ID"), testRoleName)}, + "role_arns": []string{fmt.Sprintf("arn:aws:iam::%s:role/%s", awsAccountID, roleName)}, "credential_type": assumedRoleCred, "default_sts_ttl": minAwsAssumeRoleDuration, } @@ -787,7 +794,7 @@ func TestBackend_RoleDefaultSTSTTL(t *testing.T) { AcceptanceTest: true, PreCheck: func() { testAccPreCheck(t) - createRole(t) + createRole(t, roleName, awsAccountID) log.Println("[WARN] Sleeping for 10 seconds waiting for AWS...") time.Sleep(10 * time.Second) }, @@ -797,7 +804,9 @@ func TestBackend_RoleDefaultSTSTTL(t *testing.T) { testAccStepWriteRole(t, "test", roleData), testAccStepReadTTL("test", time.Duration(minAwsAssumeRoleDuration)*time.Second), // allow a little slack }, - Teardown: deleteTestRole, + Teardown: func() error { + return deleteTestRole(roleName) + }, }) }