Pass configured role name to Vault for AWS auth in Connect CA (#17885)

This commit is contained in:
Tom Davies 2023-07-12 16:24:12 +01:00 committed by GitHub
parent 51d8eb8e07
commit f472164f05
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 3 deletions

2
.changelog/17885.txt Normal file
View File

@ -0,0 +1,2 @@
```release-note:bug
ca: Fixed a bug where the Vault provider was not passing the configured role param for AWS auth

View File

@ -72,6 +72,13 @@ func (g *AWSLoginDataGenerator) GenerateLoginData(authMethod *structs.VaultAuthM
if err != nil {
return nil, fmt.Errorf("aws auth failed to generate login data: %w", err)
}
// If a Vault role name is specified, we need to manually add this
role, ok := authMethod.Params["role"]
if ok {
loginData["role"] = role
}
return loginData, nil
}

View File

@ -279,14 +279,21 @@ func TestVaultCAProvider_AWSCredentialsConfig(t *testing.T) {
func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
cases := map[string]struct {
expErr error
authMethod structs.VaultAuthMethod
}{
"valid login data": {},
"valid login data": {
authMethod: structs.VaultAuthMethod{},
},
"with role": {
expErr: nil,
authMethod: structs.VaultAuthMethod{Type: "aws", MountPath: "", Params: map[string]interface{}{"role": "test-role"}},
},
}
for name, c := range cases {
t.Run(name, func(t *testing.T) {
ldg := &AWSLoginDataGenerator{credentials: credentials.AnonymousCredentials}
loginData, err := ldg.GenerateLoginData(&structs.VaultAuthMethod{})
loginData, err := ldg.GenerateLoginData(&c.authMethod)
if c.expErr != nil {
require.Error(t, err)
require.Contains(t, err.Error(), c.expErr.Error())
@ -307,6 +314,10 @@ func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
require.True(t, exists, "missing expected key: %s", key)
require.NotEmpty(t, val, "expected non-empty value for key: %s", key)
}
if c.authMethod.Params["role"] != nil {
require.Equal(t, c.authMethod.Params["role"], loginData["role"])
}
})
}
}