-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add AWS Secret Engine Root Credential Rotation #5140
Add AWS Secret Engine Root Credential Rotation #5140
Conversation
This allows the AWS Secret Engine to rotate its credentials used to access AWS. This will only work when the AWS Secret Engine has been provided explicit IAM credentials via the config/root endpoint, and further, when the IAM credentials provided are the only access key on the IAM user associated wtih the access key (because AWS allows a maximum of 2 access keys per user). Fixes hashicorp#4385
Also fix a typo in the root credential rotation code
And wire the backend up in a bunch of places so the config can get the lock
Finished the TODOs, should be ready for review! :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! You might want to remove the WIP
from the PR description :-)
This isn't ready to merge yet. The addition of the client caching and locking significantly complicates things here, and I'm worried the simple solution is vulnerable to a deadlock, so need to think this through more thoroughly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I think this should be ready, except for the one question about an error vs. warning response.
_, err = client.DeleteAccessKey(&deleteAccessKeyInput) | ||
if err != nil { | ||
return nil, errwrap.Wrapf("error deleting old access key: {{err}}", err) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this just be a warning response instead of returning an err? In this event, the access key was successfully rotated, but it just failed to clean up.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be an error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated wtih the access key (because AWS allows a
maximum of 2 access keys per user).
TODO:
I'm a bit unclear about Seal Wrapping -- I think I don't need to do anything special here, and
SealWrapStorage
refers to paths in storage, but let me know if this assumption is wrong.Fixes #4385