
Fix AWS IRSA #21930

Closed
wants to merge 2 commits into from

Conversation

@bdwyertech bdwyertech commented Jul 18, 2023

Resolves: #21465 #21478

Related: hashicorp/go-secure-stdlib#80

The issue is because of how awsutil is used to derive credentials. The NewCredentialsConfig constructor method needs to be called instead of starting with an empty struct. The logic to determine which method to use to derive credentials has been moved from GenerateCredentialChain to NewCredentialsConfig. hashicorp/go-secure-stdlib@1a4b955

  1. The go-kms-wrapping library needs to be updated also to fix the KMS auto unseal.
    AWS - Use NewCredentialsConfig go-kms-wrapping#178

  2. Vault itself needs to be updated to call NewCredentialsConfig instead of sucking in an empty struct.

I have a test image up at ghcr.io/bdwyertech/vault:dev-ui-560d81d
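Added illustration, not code from this PR, from Vault, or from go-secure-stdlib: a self-contained Go model of the failure mode the description reports. The struct, constructor, lookup function and source names below are hypothetical stand-ins rather than awsutil's real API, and the IRSA environment values are constructed. It shows why a zero-value config never reaches the web-identity path once source selection lives in the constructor, and contrasts that with a caller that goes through the constructor.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// CredentialSource names which method the chain ends up using (hypothetical).
type CredentialSource string

const (
	SourceNone        CredentialSource = "none"
	SourceStatic      CredentialSource = "static"
	SourceWebIdentity CredentialSource = "web-identity"
)

// CredentialsConfig is a constructed stand-in for a config struct whose zero
// value is not usable: nothing in it says where credentials should come from.
type CredentialsConfig struct {
	AccessKey            string
	SecretKey            string
	RoleARN              string
	WebIdentityTokenFile string
	Region               string
}

// NewCredentialsConfig is the hypothetical constructor. In this model the
// environment is read here and only here, so the IRSA variables an EKS pod
// carries (AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE) are captured at
// construction time. lookup is injected so the example runs offline.
func NewCredentialsConfig(lookup func(string) string) *CredentialsConfig {
	return &CredentialsConfig{
		AccessKey:            lookup("AWS_ACCESS_KEY_ID"),
		SecretKey:            lookup("AWS_SECRET_ACCESS_KEY"),
		RoleARN:              lookup("AWS_ROLE_ARN"),
		WebIdentityTokenFile: lookup("AWS_WEB_IDENTITY_TOKEN_FILE"),
		Region:               lookup("AWS_REGION"),
	}
}

// GenerateCredentialChain decides purely from the struct's fields; it no longer
// consults the environment itself. That is the pattern the PR describes.
func (c *CredentialsConfig) GenerateCredentialChain() (CredentialSource, error) {
	switch {
	case c.AccessKey != "" && c.SecretKey != "":
		return SourceStatic, nil
	case c.RoleARN != "" && c.WebIdentityTokenFile != "":
		return SourceWebIdentity, nil
	default:
		return SourceNone, errors.New("no credential source configured")
	}
}

// envFromMap turns a constructed environment into a lookup function.
func envFromMap(m map[string]string) func(string) string {
	return func(k string) string { return m[k] }
}

// constructedIRSAEnv mimics what an EKS pod with IRSA would see (values constructed).
var constructedIRSAEnv = map[string]string{
	"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/example-role",
	"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
	"AWS_REGION":                  "us-east-1",
}

// brokenCaller reproduces the broken pattern: start from an empty struct.
// The IRSA environment is present but never read, so the chain finds nothing.
func brokenCaller() (CredentialSource, error) {
	cfg := &CredentialsConfig{}
	return cfg.GenerateCredentialChain()
}

// fixedCaller goes through the constructor, so web identity is selected.
func fixedCaller(lookup func(string) string) (CredentialSource, error) {
	return NewCredentialsConfig(lookup).GenerateCredentialChain()
}

func main() {
	src, err := brokenCaller()
	fmt.Println("empty struct:", src, err)

	src, err = fixedCaller(envFromMap(constructedIRSAEnv))
	fmt.Println("constructor, constructed IRSA env:", src, err)

	// Against the real process environment, pass os.Getenv as the lookup.
	src, err = fixedCaller(os.Getenv)
	fmt.Println("constructor, real env:", src, err)
}
```

The two callers are the whole point: the environment is identical in both, and only the path that goes through the constructor ever sees the role ARN and token file. A quick way to catch the regression in a codebase is to grep for literal `CredentialsConfig{` composite literals and make sure each one is either the constructor itself or deliberately sets the fields it needs.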

@bdwyertech bdwyertech requested a review from a team July 18, 2023 23:27
@bdwyertech bdwyertech requested a review from a team as a code owner July 18, 2023 23:27
@bdwyertech bdwyertech requested a review from a team July 18, 2023 23:27
@bdwyertech bdwyertech requested review from a team as code owners July 18, 2023 23:27
@bdwyertech bdwyertech requested review from a team, modrake and randyhdev and removed request for a team July 18, 2023 23:27
@bdwyertech bdwyertech changed the base branch from main to release/1.14.x July 18, 2023 23:28
@bdwyertech bdwyertech changed the title Fix AWS IRSA WIP: Fix AWS IRSA Jul 19, 2023
@bdwyertech bdwyertech changed the title WIP: Fix AWS IRSA Fix AWS IRSA Jul 19, 2023
@fairclothjm (Contributor)

@bdwyertech Hello, thanks for the contribution. I think a better resolution might be to revert the behavior of go-secure-stdlib's GenerateCredentialChain as per my PR. That way we shouldn't have to make any changes anywhere else.

@fairclothjm (Contributor)

@bdwyertech You should be able to build a Vault image to test my changes to go-secure-stdlib by running

go get github.com/hashicorp/go-secure-stdlib/awsutil@d18ccdf3e9fb
go mod tidy

@fairclothjm (Contributor)

Closing in favor of #21951

Successfully merging this pull request may close these issues.

v1.14.0 breaks AWS EKS IRSA credentials for DynamoDB backend