mirror of https://github.com/hashicorp/consul
Backport of Passes configured role name to Vault for AWS auth in Connect CA into release/1.16.x (#18099)
* backport of commit 4034bb2b3e (pull/18118/head)
* backport of commit 9c4c3c50f0
* backport of commit 7282078993
--------- Co-authored-by: Tom Davies <thomas.23.davies@bt.com>
parent
9d6dff8b8d
commit
b26f7955b2
|
@ -0,0 +1,2 @@
|
||||||
|
```release-note:bug
|
||||||
|
ca: Fixed a bug where the Vault provider was not passing the configured role param for AWS auth
|
|
@ -72,6 +72,13 @@ func (g *AWSLoginDataGenerator) GenerateLoginData(authMethod *structs.VaultAuthM
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("aws auth failed to generate login data: %w", err)
|
return nil, fmt.Errorf("aws auth failed to generate login data: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If a Vault role name is specified, we need to manually add this
|
||||||
|
role, ok := authMethod.Params["role"]
|
||||||
|
if ok {
|
||||||
|
loginData["role"] = role
|
||||||
|
}
|
||||||
|
|
||||||
return loginData, nil
|
return loginData, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
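Review bot: The role value is forwarded to Vault untyped and without an emptiness check — `role, ok := authMethod.Params["role"]` only tests presence, so a key configured as an empty string or a non-string value (Params is a `map[string]interface{}`, as the test hunk shows) is still copied into `loginData["role"]`. Narrowing to a non-empty string keeps malformed config out of the login request: `if role, ok := authMethod.Params["role"].(string); ok && role != "" {` / `loginData["role"] = role` / `}`. The comment `// If a Vault role name is specified, we need to manually add this` would be more useful if it said why the manual step exists, e.g. `// The generated AWS login payload does not carry the Vault role; forward the configured one so Vault can select the matching auth role.` (the payload generation is outside this hunk, so confirm that wording against it). GenerateLoginData's signature and the construction of loginData lie outside the hunk, so whether loginData can be nil on the success path is not visible here.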
@ -279,14 +279,21 @@ func TestVaultCAProvider_AWSCredentialsConfig(t *testing.T) {
|
||||||
func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
|
func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
|
||||||
cases := map[string]struct {
|
cases := map[string]struct {
|
||||||
expErr error
|
expErr error
|
||||||
|
authMethod structs.VaultAuthMethod
|
||||||
}{
|
}{
|
||||||
"valid login data": {},
|
"valid login data": {
|
||||||
|
authMethod: structs.VaultAuthMethod{},
|
||||||
|
},
|
||||||
|
"with role": {
|
||||||
|
expErr: nil,
|
||||||
|
authMethod: structs.VaultAuthMethod{Type: "aws", MountPath: "", Params: map[string]interface{}{"role": "test-role"}},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for name, c := range cases {
|
for name, c := range cases {
|
||||||
t.Run(name, func(t *testing.T) {
|
t.Run(name, func(t *testing.T) {
|
||||||
ldg := &AWSLoginDataGenerator{credentials: credentials.AnonymousCredentials}
|
ldg := &AWSLoginDataGenerator{credentials: credentials.AnonymousCredentials}
|
||||||
loginData, err := ldg.GenerateLoginData(&structs.VaultAuthMethod{})
|
loginData, err := ldg.GenerateLoginData(&c.authMethod)
|
||||||
if c.expErr != nil {
|
if c.expErr != nil {
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.Contains(t, err.Error(), c.expErr.Error())
|
require.Contains(t, err.Error(), c.expErr.Error())
|
||||||
|
@ -307,6 +314,10 @@ func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
|
||||||
require.True(t, exists, "missing expected key: %s", key)
|
require.True(t, exists, "missing expected key: %s", key)
|
||||||
require.NotEmpty(t, val, "expected non-empty value for key: %s", key)
|
require.NotEmpty(t, val, "expected non-empty value for key: %s", key)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if c.authMethod.Params["role"] != nil {
|
||||||
|
require.Equal(t, c.authMethod.Params["role"], loginData["role"])
|
||||||
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
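Review bot: The new check at the end of the subtest only asserts the positive case — `if c.authMethod.Params["role"] != nil { require.Equal(...) }` is skipped entirely for "valid login data", so a regression that always populates `loginData["role"]` (with nil or an empty string, say) would still pass. Pinning the absence closes that gap: `} else {` / `require.NotContains(t, loginData, "role")` / `}`. In the earlier hunk, `expErr: nil` in the "with role" case is the zero value and can be dropped to match the "valid login data" case. No case covers an empty-string or non-string role value, which is where the provider's handling of malformed config would be exercised. The t.Run closure and TestVaultCAProvider_AWSLoginDataGenerator itself span both hunks of this file.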