Fix auth/aws so that config/rotate-root saves new key pair to vault (#12715)

* test:  add test to verify Vault storage is updated

* bug: fix config/rotate-root to store new key

* choir: fix changelog name to match PR

builtin/credential/aws/path_config_rotate_root.go

@@ -145,6 +145,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		}
 	}()
 
+	oldAccessKey := clientConf.AccessKey
+	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
+	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
+
 	// Now get ready to update storage, doing everything beforehand so we can minimize how long
 	// we need to hold onto the lock.
 	newEntry, err := b.configClientToEntry(clientConf)
@@ -153,10 +157,6 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 		return nil, errs
 	}
 
-	oldAccessKey := clientConf.AccessKey
-	clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
-	clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
-
 	// Someday we may want to allow the user to send a number of seconds to wait here
 	// before deleting the previous access key to allow work to complete. That would allow
 	// AWS, which is eventually consistent, to finish populating the new key in all places.

builtin/credential/aws/path_config_rotate_root_test.go

@@ -3,13 +3,11 @@ package awsauth
 import (
 	"context"
 	"testing"
-	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/iam/iamiface"
-	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -33,15 +31,13 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	}
 
 	ctx := context.Background()
+	config := logical.TestBackendConfig()
+	logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
-	b, err := Factory(ctx, &logical.BackendConfig{
+	config.StorageView = storage
-		StorageView: storage,
+
-		Logger:      hclog.Default(),
+	b, err := Backend(config)
-		System: &logical.StaticSystemView{
+
-			DefaultLeaseTTLVal: time.Hour,
-			MaxLeaseTTLVal:     time.Hour,
-		},
-	})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -76,4 +72,8 @@ func TestPathConfigRotateRoot(t *testing.T) {
 	if resp.Data["access_key"].(string) != "fizz2" {
 		t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
 	}
+	newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
+	if resp.Data["access_key"].(string) != newClientConf.AccessKey {
+		t.Fatalf("expected new access key buzz2 to be saved to storage but receieved %s", clientConf.AccessKey)
+	}
 }

changelog/12715.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: fix config/rotate-root to store new key
+```