diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go
index 881ca85dc9..e15d6daeb6 100644
--- a/builtin/credential/aws/backend_test.go
+++ b/builtin/credential/aws/backend_test.go
@@ -1125,6 +1125,11 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 t.Fatalf("instance ID not present in the response object")
 }
+ _, ok := resp.Auth.Metadata["nonce"]
+ if ok {
+ t.Fatalf("client nonce should not have been returned")
+ }
+
 loginInput["nonce"] = "changed-vault-client-nonce"
 // try to login again with changed nonce
 resp, err = b.HandleRequest(loginRequest)
@@ -1159,7 +1164,9 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 t.Fatalf("failed to delete whitelist identity")
 }
- // Allow a fresh login.
+ // Allow a fresh login without supplying the nonce
+ delete(loginInput, "nonce")
+
 resp, err = b.HandleRequest(loginRequest)
 if err != nil {
 t.Fatal(err)
@@ -1167,6 +1174,11 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
 if resp == nil || resp.Auth == nil || resp.IsError() {
 t.Fatalf("login attempt failed")
 }
+
+ _, ok = resp.Auth.Metadata["nonce"]
+ if !ok {
+ t.Fatalf("expected nonce to be returned")
+ }
 }
 func TestBackend_pathStsConfig(t *testing.T) {
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index d382701cfc..30c69047ed 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -643,7 +643,7 @@ func (b *backend) pathLoginUpdateEc2(
 return logical.ErrorResponse(err.Error()), nil
 }
- // Don't let subsequent login attempts to bypass in initial
+ // Don't let subsequent login attempts to bypass the initial
 // intent of disabling reauthentication, despite the properties
 // of role getting updated. For example: Role has the value set
 // to 'false', a role-tag login sets the value to 'true', then
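Review bot: The assertion added in the third hunk only checks that the `nonce` key exists in `resp.Auth.Metadata`; a present-but-empty value would still pass, even though the comment in path_login.go treats an empty nonce as a distinct case from "not supplied". Tightening it to `if nonce, ok := resp.Auth.Metadata["nonce"]; !ok || nonce == "" { t.Fatalf("expected a non-empty backend-generated nonce to be returned") }` pins the behaviour the change is meant to introduce, assuming Metadata is a map[string]string as it appears to be. The same if-initializer form suits the first hunk, `if _, ok := resp.Auth.Metadata["nonce"]; ok {`, which keeps `ok` out of function scope instead of declaring it in one hunk and reassigning it in another. TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity starts before the first hunk and runs through all three; only the third hunk contains its closing brace.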
@@ -693,7 +693,6 @@ func (b *backend) pathLoginUpdateEc2(
 if roleTagResp != nil {
 // Role tag is enabled on the role.
- //
 // Overwrite the policies with the ones returned from processing the role tag
 // If there are no policies on the role tag, policies on the role are inherited.
@@ -777,8 +776,9 @@ func (b *backend) pathLoginUpdateEc2(
 },
 }
- // Return the nonce only if reauthentication is allowed
- if !disallowReauthentication {
+ // Return the nonce only if reauthentication is allowed and if the nonce
+ // was not supplied by the user.
+ if !disallowReauthentication && !clientNonceSupplied {
 // Echo the client nonce back. If nonce param was not supplied
 // to the endpoint at all (setting it to empty string does not
 // qualify here), callers should extract out the nonce from
diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md
index cce67fddb6..2a0df244b3 100644
--- a/website/source/docs/auth/aws.html.md
+++ b/website/source/docs/auth/aws.html.md
@@ -384,6 +384,11 @@ instance, it is not a bad idea to firewall access to the signed PKCS#7 metadata
 to ensure that it is accessible only to the matching user(s) that require
 access.
+The client nonce which is generated by the backend and which gets returned
+along with the authentication response, will be audit logged in plaintext. If
+this is undesired, clients can supply a custom nonce to the login endpoint
+which will not be returned and hence will not be audit logged.
+
 ## Advanced Options and Caveats
 ### Dynamic Management of Policies Via Role Tags
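Review bot: The comment just inside the new condition in the `@@ -777` hunk still opens with `// Echo the client nonce back`, but once `!clientNonceSupplied` is part of the guard the block is entered only when the client did not supply a nonce, so a client nonce is never echoed from here and that line is now stale. I would reword it to `// Return the backend-generated nonce. If the nonce param was not supplied` and state the reason, since this is a security decision rather than a convenience: `// A client-supplied nonce is deliberately not returned, because Auth.Metadata is written to the audit log in plaintext.` `clientNonceSupplied` is set outside this hunk; presumably it tracks presence of the param rather than a non-empty value, matching the "empty string does not qualify" wording below, but that is worth confirming. pathLoginUpdateEc2 starts and ends outside the hunk.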