Don't read AWS env vars (#5974)
* Don't read AWS env vars

Let AWS SDK env cred chain provider do it for us

Fixes #5965
jefferai authored Jan 4, 2019
1 parent 2dcd0ae commit 9af595e
Showing 3 changed files with 22 additions and 37 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,12 @@ CHANGES:
* secret/aws: Role now returns `credential_type` instead of `credential_types`
to match role input. If a legacy role that can supply more than one
credential type, they will be concatenated with a `,`.
* physical/dynamodb, autoseal/aws: Instead of Vault performing environment
variable handling, and overriding static (config file) values if found, we
use the default AWS SDK env handling behavior, which also looks for
deprecated values. If you were previously providing both config values and
environment values, please ensure the config values are unset if you want to
use environment values.

## 1.0.1 (December 14th, 2018)

23 changes: 5 additions & 18 deletions physical/dynamodb/dynamodb.go
Expand Up @@ -15,15 +15,15 @@ import (

log "github.com/hashicorp/go-hclog"

"github.com/armon/go-metrics"
metrics "github.com/armon/go-metrics"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/dynamodb"
"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
"github.com/hashicorp/errwrap"
cleanhttp "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-uuid"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/awsutil"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/physical"
Expand Down Expand Up @@ -155,19 +155,6 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
writeCapacity = DefaultDynamoDBWriteCapacity
}

accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
if accessKey == "" {
accessKey = conf["access_key"]
}
secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
if secretKey == "" {
secretKey = conf["secret_key"]
}
sessionToken := os.Getenv("AWS_SESSION_TOKEN")
if sessionToken == "" {
sessionToken = conf["session_token"]
}

endpoint := os.Getenv("AWS_DYNAMODB_ENDPOINT")
if endpoint == "" {
endpoint = conf["endpoint"]
Expand Down Expand Up @@ -197,9 +184,9 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
}

credsConfig := &awsutil.CredentialsConfig{
AccessKey: accessKey,
SecretKey: secretKey,
SessionToken: sessionToken,
AccessKey: conf["access_key"],
SecretKey: conf["secret_key"],
SessionToken: conf["session_token"],
}
creds, err := credsConfig.GenerateCredentialChain()
if err != nil {
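Review bot: Credential precedence is now config-over-env (the `AccessKey`/`SecretKey`/`SessionToken` fields of the `credsConfig` literal are filled straight from `conf`, with env left to the SDK chain), but `AWS_DYNAMODB_ENDPOINT` a few lines above still wins over `conf["endpoint"]`, so two settings in the same function resolve in opposite directions; the `AWS_KMS_ENDPOINT` line in vault/seal/awskms/awskms.go has the same asymmetry. Either align the endpoint lookup or document the difference next to it. I would also add a comment on the literal, `// Static keys from the config file take precedence; when empty, the SDK default chain (env vars, shared config, instance role) presumably applies — confirm against GenerateCredentialChain.`, since the fallback is no longer visible in this function. NewDynamoDBBackend starts and ends outside the hunk.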
30 changes: 11 additions & 19 deletions vault/seal/awskms/awskms.go
Expand Up @@ -38,11 +38,12 @@ const (
// AWSKMSSeal represents credentials and Key information for the KMS Key used to
// encryption and decryption
type AWSKMSSeal struct {
accessKey string
secretKey string
region string
keyID string
endpoint string
accessKey string
secretKey string
sessionToken string
region string
keyID string
endpoint string

currentKeyID *atomic.Value

Expand Down Expand Up @@ -99,20 +100,10 @@ func (k *AWSKMSSeal) SetConfig(config map[string]string) (map[string]string, err
k.region = "us-east-1"
}

// Check and set AWS access key and secret key
k.accessKey = os.Getenv("AWS_ACCESS_KEY_ID")
if k.accessKey == "" {
if accessKey, ok := config["access_key"]; ok {
k.accessKey = accessKey
}
}

k.secretKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
if k.secretKey == "" {
if secretKey, ok := config["secret_key"]; ok {
k.secretKey = secretKey
}
}
// Check and set AWS access key, secret key, and session token
k.accessKey = config["access_key"]
k.secretKey = config["secret_key"]
k.sessionToken = config["session_token"]

k.endpoint = os.Getenv("AWS_KMS_ENDPOINT")
if k.endpoint == "" {
Expand Down Expand Up @@ -281,6 +272,7 @@ func (k *AWSKMSSeal) getAWSKMSClient() (*kms.KMS, error) {

credsConfig.AccessKey = k.accessKey
credsConfig.SecretKey = k.secretKey
credsConfig.SessionToken = k.sessionToken
credsConfig.Region = k.region

credsConfig.HTTPClient = cleanhttp.DefaultClient()
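Review bot: The comment `// Check and set AWS access key, secret key, and session token` is now stale — nothing is checked, the three values are copied unconditionally from `config`, and a `session_token` given without `access_key`/`secret_key` is stored on the seal and later handed to `credsConfig` in getAWSKMSClient even though it cannot be used on its own. Suggest `// Static credentials from the seal config, if any; empty values leave it to the SDK default chain.` and, if the awsutil chain does not reject a lone session token (not visible here), an explicit validation error for that combination in SetConfig. `AWS_KMS_ENDPOINT` just below still overrides `config["endpoint"]`, the opposite precedence from the credentials, which is worth a note beside it. SetConfig continues outside the hunk on both sides.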
