Add nonce support

docs/content/functions/data.md

@@ -194,6 +194,11 @@ to wait for AWS to respond before skipping the attempt.
 If set, the `VAULT_AUTH_AWS_ROLE` environment variable will be used to specify the role to authenticate
 using. If not set the AMI ID of the EC2 instance will be used by Vault.
 
+If you want to allow multiple authentications using AWS EC2 auth (i.e. run gomplate multiple times) you
+will need to pass the same nonce each time. This can be sent using `VAULT_AUTH_AWS_NONCE`. If not set once
+will automatically be generated by AWS. The nonce used can be stored by setting `VAULT_AUTH_AWS_NONCE_OUTPUT`
+to a filename. If the file doesn't exist it is created with 0600 permission.
+
 ## `datasourceExists`
 
 Tests whether or not a given datasource was defined on the commandline (with the

vault/auth.go

@@ -159,13 +159,19 @@ func (v *Vault) UserPassLogin() string {
 func (v *Vault) EC2Login() string {
 	role := env.Getenv("VAULT_AUTH_AWS_ROLE")
 	mount := env.Getenv("VAULT_AUTH_AWS_MOUNT", "aws")
+	nonce := env.Getenv("VAULT_AUTH_AWS_NONCE")
+	output := env.Getenv("VAULT_AUTH_AWS_NONCE_OUTPUT")
 
 	vars := map[string]interface{}{}
 
 	if role != "" {
 		vars["role"] = role
 	}
 
+	if nonce != "" {
+		vars["nonce"] = nonce
+	}
+
 	opts := aws.ClientOptions{
 		Timeout: time.Duration(conv.MustAtoi(os.Getenv("AWS_TIMEOUT"))) * time.Millisecond,
 	}
@@ -187,6 +193,24 @@ func (v *Vault) EC2Login() string {
 		logFatal("Empty response from AWS EC2 logon")
 	}
 
+	if output != "" {
+		if val, ok := secret.Auth.Metadata["nonce"]; ok {
+			nonce = val
+		}
+		fs := vfs.OS()
+		f, err := fs.OpenFile(output, os.O_WRONLY, os.FileMode(0600))
+		if err != nil {
+			logFatal("Error opening nonce output file")
+		}
+		n, err := f.Write([]byte(nonce + "\n"))
+		if err != nil {
+			logFatal("Error writing nonce output file")
+		}
+		if n == 0 {
+			logFatal("No bytes written to nonce output file")
+		}
+	}
+
 	return secret.Auth.ClientToken
 }