
Add AWS IAM auth method #166

Merged: 2 commits merged into jenkinsci:master from the aws-iam-auth branch, Sep 6, 2021
Conversation

dbnicholson

Authenticate to Vault using the AWS IAM auth method using credentials on
the master. This works by constructing an encoded GetCallerIdentity
request that's sent to Vault via bettercloud's loginByAwsIam method. Both a Credential and CASC SecretSource
are supported using a common helper.

Note that this explicitly uses the IAM flow and not the EC2 metadata flow. The latter could be added, but I've never used it and it would require persisting the nonce per instance ID somewhere. I started investigating but I think the IAM workflow is better since it encompasses both techniques by using the EC2 session credentials just like the EC2 flow does. That said, the Vault AWS auth method only supports one or the other, so if someone has configured theirs to use the EC2 flow then this wouldn't help them.

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your master branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
    There weren't any that I could find, but I'm happy to open one if needed.
  • Link to relevant pull requests, esp. upstream and downstream changes
    None that I know of.
  • Ensure you have provided tests that demonstrate the feature works or fix the issue

@dbnicholson
Author

The test error is due to testcontainers/testcontainers-java#3574. I just now noticed #126, which is for the EC2 metadata workflow.

Authenticate to Vault using the AWS IAM auth method using credentials on
the master. This works by constructing an encoded GetCallerIdentity
request that's sent to Vault. Both a Credential and CASC SecretSource
are supported using a common helper.
@dbnicholson
Author

I rebased now that #168 is in and (should) fix the test issues. Other changes:

  • Bumped the aws-java-sdk dependency to the latest version now that it doesn't cause conflicts with jackson2
  • Switched from javax.annotations to edu.umd.cs.findbugs.annotations after learning about the licensing issues of using the latter.

The rest is the same and I won't rebase anymore if there are review comments to address.

Fix checkstyle issues
Member

@jetersen jetersen left a comment


I have no way of testing this, but the code looks good to me :)

Do you think this is ready?

@dbnicholson
Author

I did test the VaultAwsIamCredential side, but I didn't actually test the CASC side yet (which is actually the whole reason I wanted this in the first place). Let me wire that up to our development instance first to make sure it does what I think it does.

@dbnicholson
Author

I've tested this now both from VaultAwsIamCredential and VaultSecretSource in CASC. I think it's ready to go.

3 caveats I'd like to note, though:

  • I did not test the server ID configuration that maps to the X-Vault-AWS-IAM-Server-ID HTTP header since our setup doesn't currently have that. I believe it's implemented correctly, though.
  • AwsHelper always uses the global https://sts.amazonaws.com STS endpoint in the encoded request. I've read in a couple other clients that you may need to use the region specific endpoint in some cases. I've only tried this in a couple US regions, so that might need a fix if someone tries to use this in a different AWS region.
  • The AWS credentials are currently always gathered from the host in one of the many ways AWS supports. However, it could be nice to support an explicit set of credentials. I don't plan to support that, though, as the use case I really want is to use the credentials attached to a master host EC2 instance to seed secrets in CASC.

@jaekunchoi

@jetersen is it possible to merge this? I need it :) Another question I have is, @dbnicholson, will this work with ECS and EKS as well?

@dbnicholson
Author

I've never tried it from ECS or EKS, but it should work. I have used vault from a role attached to an ECS service and it works. This should work the same by using the session credentials, so if you find it doesn't I think that would be a bug.

@dbnicholson
Author

@jetersen any chance to get this merged? It's not critical path for me, but it would be nice to get it out in the world.

@dbnicholson
Author

@jetersen ping?

@jetersen jetersen merged commit dca7160 into jenkinsci:master Sep 6, 2021
@ryanm-sq

Hi, I see that this PR is merged but is not yet part of an official release. Is there a target date for the next version release that would include this change?

@dbnicholson dbnicholson deleted the aws-iam-auth branch October 25, 2021 19:33
@agill17

agill17 commented Dec 8, 2022

Any idea when this will be available in a release?

@jetersen
Member

jetersen commented Dec 9, 2022

@agill17 it's been available for quite a while since: https://github.com/jenkinsci/hashicorp-vault-plugin/releases/tag/336.v182c0fbaaeb7

@agill17

agill17 commented Dec 13, 2022

Any chance to get this merged? It's not critical path for me, but it would be nice to get it out in the world.

Thanks!
One more question: does this plugin run on the master node only? Therefore the master node IAM role would be used. What if I wanted the plugin to use an IAM role that's attached to an agent?

@dbnicholson
Author

Thanks! One more question: does this plugin run on the master node only? Therefore the master node IAM role would be used. What if I wanted the plugin to use an IAM role that's attached to an agent?

It uses the controller's IAM credentials and role. It would defeat the purpose of having a Jenkins credential if the agent could authenticate to Vault and retrieve the secret. If you want to do that, just run the Vault CLI in your job with vault login -method=aws and read the secret.
