Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added AWS enpoint handling #3416

Merged
merged 4 commits into from
Nov 6, 2017
Merged

added AWS enpoint handling #3416

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
57cf97d
added AWS enpoint handling
Oct 4, 2017
c8c9de2
added separate STS/IAM endpoints
Oct 4, 2017
7762720
added clientType to getRootConfig
Oct 6, 2017
db38462
added docs
Oct 24, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions builtin/logical/aws/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ func getRootConfig(s logical.Storage) (*aws.Config, error) {
credsConfig.AccessKey = config.AccessKey
credsConfig.SecretKey = config.SecretKey
credsConfig.Region = config.Region
credsConfig.IAMEndpoint = config.IAMEndpoint
credsConfig.STSEndpoint = config.STSEndpoint
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the only place credsConfig.IAMEndpoint and credsConfig.STSEndpoint are referenced. I don't think you need them in the CredentialsConfig struct at all because, below, you're putting the endpoint directly in the aws.Config object.

}

if credsConfig.Region == "" {
Expand All @@ -51,6 +53,8 @@ func getRootConfig(s logical.Storage) (*aws.Config, error) {
return &aws.Config{
Credentials: creds,
Region: aws.String(credsConfig.Region),
IAMEndpoint: aws.String(credsConfig.IAMEndpoint),
STSEndpoint: aws.String(credsConfig.STSEndpoint),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pretty sure the issue is because you're using the upstream aws.Config object and it only has an Endpoint member. Consider passing a clientType parameter to getRootConfig and if clientType is iam then you set Endpoint to credsConfig.IAMEndpoint and if it's sts then you set Endpoint to credsConfig.STSEndpoint. Largely the same code lives in the auth backend:

vault/builtin/credential/aws/client.go

Lines 24 to 68 in 1c4baa5

func (b *backend) getRawClientConfig(s logical.Storage, region, clientType string) (*aws.Config, error) {
credsConfig := &awsutil.CredentialsConfig{
Region: region,
}
// Read the configured secret key and access key
config, err := b.nonLockedClientConfigEntry(s)
if err != nil {
return nil, err
}
endpoint := aws.String("")
if config != nil {
// Override the default endpoint with the configured endpoint.
switch {
case clientType == "ec2" && config.Endpoint != "":
endpoint = aws.String(config.Endpoint)
case clientType == "iam" && config.IAMEndpoint != "":
endpoint = aws.String(config.IAMEndpoint)
case clientType == "sts" && config.STSEndpoint != "":
endpoint = aws.String(config.STSEndpoint)
}
credsConfig.AccessKey = config.AccessKey
credsConfig.SecretKey = config.SecretKey
}
credsConfig.HTTPClient = cleanhttp.DefaultClient()
creds, err := credsConfig.GenerateCredentialChain()
if err != nil {
return nil, err
}
if creds == nil {
return nil, fmt.Errorf("could not compile valid credential providers from static config, environment, shared, or instance metadata")
}
// Create a config that can be used to make the API calls.
return &aws.Config{
Credentials: creds,
Region: aws.String(region),
HTTPClient: cleanhttp.DefaultClient(),
Endpoint: endpoint,
}, nil
}

HTTPClient: cleanhttp.DefaultClient(),
}, nil
}
Expand All @@ -60,7 +64,13 @@ func clientIAM(s logical.Storage) (*iam.IAM, error) {
if err != nil {
return nil, err
}

client := iam.New(session.New(awsConfig))

if *awsConfig.IAMEndpoint != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then this becomes *awsConfig.Endpoint

client = iam.New(session.New(awsConfig.WithEndpoint(*awsConfig.IAMEndpoint)))
}

if client == nil {
return nil, fmt.Errorf("could not obtain iam client")
}
Expand All @@ -73,6 +83,9 @@ func clientSTS(s logical.Storage) (*sts.STS, error) {
return nil, err
}
client := sts.New(session.New(awsConfig))
if *awsConfig.STSEndpoint != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same

client = sts.New(session.New(awsConfig.WithEndpoint(*awsConfig.STSEndpoint)))
}
if client == nil {
return nil, fmt.Errorf("could not obtain sts client")
}
Expand Down
26 changes: 20 additions & 6 deletions builtin/logical/aws/path_config_root.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,14 @@ func pathConfigRoot() *framework.Path {
Type: framework.TypeString,
Description: "Region for API calls.",
},
"iamendpoint": &framework.FieldSchema{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The auth backend already has iam_endpoint and sts_endpoint; it'd be good to underscore-separate this here.

Type: framework.TypeString,
Description: "Endpoint to custom IAM server URL",
},
"stsendpoint": &framework.FieldSchema{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ditto

Type: framework.TypeString,
Description: "Endpoint to custom STS server URL",
},
},

Callbacks: map[logical.Operation]framework.OperationFunc{
Expand All @@ -37,11 +45,15 @@ func pathConfigRoot() *framework.Path {
func pathConfigRootWrite(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
region := data.Get("region").(string)
iamendpoint := data.Get("iamendpoint").(string)
stsendpoint := data.Get("stsendpoint").(string)

entry, err := logical.StorageEntryJSON("config/root", rootConfig{
AccessKey: data.Get("access_key").(string),
SecretKey: data.Get("secret_key").(string),
Region: region,
AccessKey: data.Get("access_key").(string),
SecretKey: data.Get("secret_key").(string),
IAMEndpoint: iamendpoint,
STSEndpoint: stsendpoint,
Region: region,
})
if err != nil {
return nil, err
Expand All @@ -55,9 +67,11 @@ func pathConfigRootWrite(
}

type rootConfig struct {
AccessKey string `json:"access_key"`
SecretKey string `json:"secret_key"`
Region string `json:"region"`
AccessKey string `json:"access_key"`
SecretKey string `json:"secret_key"`
IAMEndpoint string `json:"iamendpoint"`
STSEndpoint string `json:"stsendpoint"`
Region string `json:"region"`
}

const pathConfigRootHelpSyn = `
Expand Down
6 changes: 6 additions & 0 deletions helper/awsutil/generate_credentials.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,12 @@ type CredentialsConfig struct {
// the client elsewhere.
Region string

//Endpoint to custom IAM server URL
IAMEndpoint string

//Endpoint to custom STS server URL
STSEndpoint string

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And then you can just remove these.

// The filename for the shared credentials provider, if being used
Filename string

Expand Down