From 99bd2afbb397f2dacb7c68fae8dd5264d6194c3e Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Wed, 20 Feb 2019 16:43:21 -0800 Subject: [PATCH 01/10] allow aws region in cli login --- builtin/credential/aws/cli.go | 10 +++++++--- command/agent/auth/aws/aws.go | 2 +- website/source/docs/auth/aws.html.md | 5 +++++ 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go index d26b0210a1..3cf764858b 100644 --- a/builtin/credential/aws/cli.go +++ b/builtin/credential/aws/cli.go @@ -20,12 +20,16 @@ type CLIHandler struct{} // Generates the necessary data to send to the Vault server for generating a token // This is useful for other API clients to use -func GenerateLoginData(creds *credentials.Credentials, headerValue string) (map[string]interface{}, error) { +func GenerateLoginData(creds *credentials.Credentials, headerValue, region string) (map[string]interface{}, error) { loginData := make(map[string]interface{}) // Use the credentials we've found to construct an STS session + cfg := aws.Config{Credentials: creds} + if region != "" { + cfg.Region = ®ion + } stsSession, err := session.NewSessionWithOptions(session.Options{ - Config: aws.Config{Credentials: creds}, + Config: cfg, }) if err != nil { return nil, err @@ -79,7 +83,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro return nil, err } - loginData, err := GenerateLoginData(creds, headerValue) + loginData, err := GenerateLoginData(creds, headerValue, m["region"]) if err != nil { return nil, err } diff --git a/command/agent/auth/aws/aws.go b/command/agent/auth/aws/aws.go index c92f744183..fdac099e99 100644 --- a/command/agent/auth/aws/aws.go +++ b/command/agent/auth/aws/aws.go @@ -238,7 +238,7 @@ func (a *awsMethod) Authenticate(ctx context.Context, client *api.Client) (retTo defer a.credLock.Unlock() var err error - data, err = awsauth.GenerateLoginData(a.lastCreds, a.headerValue) + data, err = awsauth.GenerateLoginData(a.lastCreds, a.headerValue, "") if err != nil { retErr = errwrap.Wrapf("error creating login value: {{err}}", err) return diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md index f38f10646a..2afc6cd284 100644 --- a/website/source/docs/auth/aws.html.md +++ b/website/source/docs/auth/aws.html.md @@ -645,6 +645,11 @@ $ vault login -method=aws header_value=vault.example.com role=dev-role-iam \ aws_security_token= ``` +The region used defaults to `us-east-1`, but you can specify a custom region like so: +``` +$ vault login -method=aws region=us-west-2 role=dev-role-iam +``` + An example of how to generate the required request values for the `login` method can be found found in the [vault cli source code](https://github.com/hashicorp/vault/blob/master/builtin/credential/aws/cli.go). From 63e55b8520fd2f9f42071521462a9f6715f31b9d Mon Sep 17 00:00:00 2001 From: Joel Thompson Date: Wed, 20 Feb 2019 22:57:39 -0500 Subject: [PATCH 02/10] Coax AWS SDK to use right region for STS --- builtin/credential/aws/cli.go | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go index 3cf764858b..1d7779280f 100644 --- a/builtin/credential/aws/cli.go +++ b/builtin/credential/aws/cli.go @@ -9,6 +9,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/sts" "github.com/hashicorp/errwrap" @@ -18,6 +19,19 @@ import ( type CLIHandler struct{} +// STS is a really weird service that used to only have global endpoints but now has regional endpoints as well. +// For backwards compatibility, even if you request a region other than us-east-1, it'll still sign for us-east-1. +// See, e.g., https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#id_credentials_temp_enable-regions_writing_code +// So we have to shim in this EndpointResolver to force it to sign for the right region +func stsSigningResolver(service, region string, optFns ...func(*endpoints.Options)) (endpoints.ResolvedEndpoint, error) { + defaultEndpoint, err := endpoints.DefaultResolver().EndpointFor(service, region, optFns...) + if err != nil { + return defaultEndpoint, err + } + defaultEndpoint.SigningRegion = region + return defaultEndpoint, nil +} + // Generates the necessary data to send to the Vault server for generating a token // This is useful for other API clients to use func GenerateLoginData(creds *credentials.Credentials, headerValue, region string) (map[string]interface{}, error) { @@ -27,6 +41,7 @@ func GenerateLoginData(creds *credentials.Credentials, headerValue, region strin cfg := aws.Config{Credentials: creds} if region != "" { cfg.Region = ®ion + cfg.EndpointResolver = endpoints.ResolverFunc(stsSigningResolver) } stsSession, err := session.NewSessionWithOptions(session.Options{ Config: cfg, From 10551cb1d251e249b22b74d1aad848bbbce675ab Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Thu, 21 Feb 2019 16:57:52 -0800 Subject: [PATCH 03/10] add note about sts region to doc --- website/source/docs/auth/aws.html.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md index 2afc6cd284..ff82c2b79a 100644 --- a/website/source/docs/auth/aws.html.md +++ b/website/source/docs/auth/aws.html.md @@ -649,6 +649,8 @@ The region used defaults to `us-east-1`, but you can specify a custom region lik ``` $ vault login -method=aws region=us-west-2 role=dev-role-iam ``` +When using a custom region, be sure the designated region corresponds to that of the +STS endpoint you're using. An example of how to generate the required request values for the `login` method can be found found in the [vault cli From 73a2280626e90fdf7466613c0631bf8a713ba254 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Thu, 28 Feb 2019 09:31:06 -0800 Subject: [PATCH 04/10] Support env vars for STS region (#6284) --- CHANGELOG.md | 2 + builtin/credential/aws/cli.go | 15 +- helper/awsutil/region.go | 75 ++++++ helper/awsutil/region_test.go | 225 ++++++++++++++++++ vault/seal/awskms/awskms.go | 29 +-- .../docs/configuration/seal/awskms.html.md | 6 +- 6 files changed, 314 insertions(+), 38 deletions(-) create mode 100644 helper/awsutil/region.go create mode 100644 helper/awsutil/region_test.go diff --git a/CHANGELOG.md b/CHANGELOG.md index e73a8d2567..970e4ab85f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ CHANGES: [JSONPointer](https://tools.ietf.org/html/rfc6901). * auth/jwt: Roles now have a "role type" parameter with a default type of "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly specified. + * vault aws kms seal **breaking change**: user-configured regions will now be + preferred over regions set in the enclosing environment. IMPROVEMENTS: diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go index 1d7779280f..456811f32f 100644 --- a/builtin/credential/aws/cli.go +++ b/builtin/credential/aws/cli.go @@ -13,6 +13,7 @@ import ( "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/sts" "github.com/hashicorp/errwrap" + hclog "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/helper/awsutil" ) @@ -34,17 +35,17 @@ func stsSigningResolver(service, region string, optFns ...func(*endpoints.Option // Generates the necessary data to send to the Vault server for generating a token // This is useful for other API clients to use -func GenerateLoginData(creds *credentials.Credentials, headerValue, region string) (map[string]interface{}, error) { +func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string) (map[string]interface{}, error) { loginData := make(map[string]interface{}) // Use the credentials we've found to construct an STS session - cfg := aws.Config{Credentials: creds} - if region != "" { - cfg.Region = ®ion - cfg.EndpointResolver = endpoints.ResolverFunc(stsSigningResolver) - } + region := awsutil.GetOrDefaultRegion(hclog.Default(), configuredRegion) stsSession, err := session.NewSessionWithOptions(session.Options{ - Config: cfg, + Config: aws.Config{ + Credentials: creds, + Region: ®ion, + EndpointResolver: endpoints.ResolverFunc(stsSigningResolver), + }, }) if err != nil { return nil, err diff --git a/helper/awsutil/region.go b/helper/awsutil/region.go new file mode 100644 index 0000000000..d6c61591de --- /dev/null +++ b/helper/awsutil/region.go @@ -0,0 +1,75 @@ +package awsutil + +import ( + "fmt" + "net/http" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/ec2metadata" + "github.com/aws/aws-sdk-go/aws/session" + hclog "github.com/hashicorp/go-hclog" +) + +// "us-east-1 is used because it's where AWS first provides support for new features, +// is a widely used region, and is the most common one for some services like STS. +const DefaultRegion = "us-east-1" + +var ec2MetadataBaseURL = "http://169.254.169.254" + +/* +It's impossible to mimic "normal" AWS behavior here because it's not consistent +or well-defined. For example, boto3, the Python SDK (which the aws cli uses), +loads `~/.aws/config` by default and only reads the `AWS_DEFAULT_REGION` environment +variable (and not `AWS_REGION`, while the golang SDK does _mostly_ the opposite -- it +reads the region **only** from `AWS_REGION` and not at all `~/.aws/config`, **unless** +the `AWS_SDK_LOAD_CONFIG` environment variable is set. So, we must define our own +approach to walking AWS config and deciding what to use. + +Our chosen approach is: + + "More specific takes precedence over less specific." + +1. User-provided configuration is the most explicit. +2. Environment variables are potentially shared across many invocations and so they have less precedence. +3. Configuration in `~/.aws/config` is shared across all invocations of a given user and so this has even less precedence. +4. Configuration retrieved from the EC2 instance metadata service is shared by all invocations on a given machine, and so it has the lowest precedence. + +This approach should be used in future updates to this logic. +*/ +func GetOrDefaultRegion(logger hclog.Logger, configuredRegion string) string { + if configuredRegion != "" { + return configuredRegion + } + + sess, err := session.NewSessionWithOptions(session.Options{ + SharedConfigState: session.SharedConfigEnable, + }) + if err != nil { + logger.Warn(fmt.Sprintf("unable to start session, defaulting region to %s", DefaultRegion)) + return DefaultRegion + } + + region := aws.StringValue(sess.Config.Region) + if region != "" { + return region + } + + metadata := ec2metadata.New(sess, &aws.Config{ + Endpoint: aws.String(ec2MetadataBaseURL + "/latest"), + EC2MetadataDisableTimeoutOverride: aws.Bool(true), + HTTPClient: &http.Client{ + Timeout: time.Second, + }, + }) + if !metadata.Available() { + return DefaultRegion + } + + region, err = metadata.Region() + if err != nil { + logger.Warn("unable to retrieve region from instance metadata, defaulting region to %s", DefaultRegion) + return DefaultRegion + } + return region +} diff --git a/helper/awsutil/region_test.go b/helper/awsutil/region_test.go new file mode 100644 index 0000000000..f46ec7ebec --- /dev/null +++ b/helper/awsutil/region_test.go @@ -0,0 +1,225 @@ +package awsutil + +import ( + "fmt" + "io/ioutil" + "net/http" + "net/http/httptest" + "os" + "os/user" + "testing" + + hclog "github.com/hashicorp/go-hclog" +) + +const testConfigFile = `[default] +region=%s +output=json` + +var ( + logger = hclog.NewNullLogger() + expectedTestRegion = "us-west-2" + unexpectedTestRegion = "us-east-2" + regionEnvKeys = []string{"AWS_REGION", "AWS_DEFAULT_REGION"} +) + +func TestGetOrDefaultRegion_UserConfigPreferredFirst(t *testing.T) { + configuredRegion := expectedTestRegion + + cleanupEnv := setEnvRegion(t, unexpectedTestRegion) + defer cleanupEnv() + + cleanupFile := setConfigFileRegion(t, unexpectedTestRegion) + defer cleanupFile() + + cleanupMetadata := setInstanceMetadata(t, unexpectedTestRegion) + defer cleanupMetadata() + + result := GetOrDefaultRegion(logger, configuredRegion) + if result != expectedTestRegion { + t.Fatalf("expected: %s; actual: %s", expectedTestRegion, result) + } +} + +func TestGetOrDefaultRegion_EnvVarsPreferredSecond(t *testing.T) { + configuredRegion := "" + + cleanupEnv := setEnvRegion(t, expectedTestRegion) + defer cleanupEnv() + + cleanupFile := setConfigFileRegion(t, unexpectedTestRegion) + defer cleanupFile() + + cleanupMetadata := setInstanceMetadata(t, unexpectedTestRegion) + defer cleanupMetadata() + + result := GetOrDefaultRegion(logger, configuredRegion) + if result != expectedTestRegion { + t.Fatalf("expected: %s; actual: %s", expectedTestRegion, result) + } +} + +func TestGetOrDefaultRegion_ConfigFilesPreferredThird(t *testing.T) { + configuredRegion := "" + + cleanupEnv := setEnvRegion(t, "") + defer cleanupEnv() + + cleanupFile := setConfigFileRegion(t, expectedTestRegion) + defer cleanupFile() + + cleanupMetadata := setInstanceMetadata(t, unexpectedTestRegion) + defer cleanupMetadata() + + result := GetOrDefaultRegion(logger, configuredRegion) + if result != expectedTestRegion { + t.Fatalf("expected: %s; actual: %s", expectedTestRegion, result) + } +} + +func TestGetOrDefaultRegion_ConfigFileUnfound(t *testing.T) { + configuredRegion := "" + + cleanupEnv := setEnvRegion(t, "") + defer cleanupEnv() + + if err := os.Setenv("AWS_SHARED_CREDENTIALS_FILE", "foo"); err != nil { + t.Fatal(err) + } + defer func() { + if err := os.Unsetenv("AWS_SHARED_CREDENTIALS_FILE"); err != nil { + t.Fatal(err) + } + }() + + result := GetOrDefaultRegion(logger, configuredRegion) + if result != DefaultRegion { + t.Fatalf("expected: %s; actual: %s", DefaultRegion, result) + } +} + +func TestGetOrDefaultRegion_EC2InstanceMetadataPreferredFourth(t *testing.T) { + configuredRegion := "" + + cleanupEnv := setEnvRegion(t, "") + defer cleanupEnv() + + cleanupFile := setConfigFileRegion(t, "") + defer cleanupFile() + + cleanupMetadata := setInstanceMetadata(t, expectedTestRegion) + defer cleanupMetadata() + + result := GetOrDefaultRegion(logger, configuredRegion) + if result != expectedTestRegion { + t.Fatalf("expected: %s; actual: %s", expectedTestRegion, result) + } +} + +func TestGetOrDefaultRegion_DefaultsToDefaultRegionWhenRegionUnavailable(t *testing.T) { + configuredRegion := "" + + cleanupEnv := setEnvRegion(t, "") + defer cleanupEnv() + + cleanupFile := setConfigFileRegion(t, "") + defer cleanupFile() + + result := GetOrDefaultRegion(logger, configuredRegion) + if result != DefaultRegion { + t.Fatalf("expected: %s; actual: %s", DefaultRegion, result) + } +} + +func setEnvRegion(t *testing.T, region string) (cleanup func()) { + for _, envKey := range regionEnvKeys { + if err := os.Setenv(envKey, region); err != nil { + t.Fatal(err) + } + } + cleanup = func() { + for _, envKey := range regionEnvKeys { + if err := os.Unsetenv(envKey); err != nil { + t.Fatal(err) + } + } + } + return +} + +func setConfigFileRegion(t *testing.T, region string) (cleanup func()) { + + var cleanupFuncs []func() + + cleanup = func() { + for _, f := range cleanupFuncs { + f() + } + } + + usr, err := user.Current() + if err != nil { + t.Fatal(err) + } + + pathToAWSDir := usr.HomeDir + "/.aws" + pathToConfig := pathToAWSDir + "/config" + + preExistingConfig, err := ioutil.ReadFile(pathToConfig) + if err != nil { + // File simply doesn't exist. + if err := os.Mkdir(pathToAWSDir, os.ModeDir); err != nil { + t.Fatal(err) + } + cleanupFuncs = append(cleanupFuncs, func() { + if err := os.RemoveAll(pathToAWSDir); err != nil { + t.Fatal(err) + } + }) + } else { + cleanupFuncs = append(cleanupFuncs, func() { + if err := ioutil.WriteFile(pathToConfig, preExistingConfig, 0644); err != nil { + t.Fatal(err) + } + }) + } + fileBody := fmt.Sprintf(testConfigFile, region) + if err := ioutil.WriteFile(pathToConfig, []byte(fileBody), 0644); err != nil { + t.Fatal(err) + } + + if err := os.Setenv("AWS_SHARED_CREDENTIALS_FILE", pathToConfig); err != nil { + t.Fatal(err) + } + cleanupFuncs = append(cleanupFuncs, func() { + if err := os.Unsetenv("AWS_SHARED_CREDENTIALS_FILE"); err != nil { + t.Fatal(err) + } + }) + + return +} + +func setInstanceMetadata(t *testing.T, region string) (cleanup func()) { + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + reqPath := r.URL.String() + switch reqPath { + case "/latest/meta-data/instance-id": + w.Write([]byte("i-1234567890abcdef0")) + return + case "/latest/meta-data/placement/availability-zone": + // add a letter suffix, as a normal response is formatted like "us-east-1a" + w.Write([]byte(region + "a")) + return + default: + t.Fatalf("received unexpected request path: %s", reqPath) + } + })) + originalMetadataBaseURL := ec2MetadataBaseURL + ec2MetadataBaseURL = ts.URL + cleanup = func() { + ts.Close() + ec2MetadataBaseURL = originalMetadataBaseURL + } + return +} diff --git a/vault/seal/awskms/awskms.go b/vault/seal/awskms/awskms.go index 6fa4c1d682..cb46b455da 100644 --- a/vault/seal/awskms/awskms.go +++ b/vault/seal/awskms/awskms.go @@ -8,7 +8,6 @@ import ( "sync/atomic" "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/ec2metadata" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" "github.com/aws/aws-sdk-go/service/kms/kmsiface" @@ -88,33 +87,7 @@ func (k *AWSKMSSeal) SetConfig(config map[string]string) (map[string]string, err return nil, fmt.Errorf("'kms_key_id' not found for AWS KMS seal configuration") } - // Check and set region - region, regionOk := config["region"] - switch { - case os.Getenv("AWS_REGION") != "": - k.region = os.Getenv("AWS_REGION") - case os.Getenv("AWS_DEFAULT_REGION") != "": - k.region = os.Getenv("AWS_DEFAULT_REGION") - case regionOk && region != "": - k.region = region - default: - k.region = "us-east-1" - - // If available, get the region from EC2 instance metadata - sess, err := session.NewSession(nil) - if err != nil { - k.logger.Warn(fmt.Sprintf("unable to begin session: %s, defaulting region to %s", err, k.region)) - break - } - - // This will hang for ~10 seconds if the agent isn't running on an EC2 instance - region, err := ec2metadata.New(sess).Region() - if err != nil { - k.logger.Warn(fmt.Sprintf("unable to retrieve region from ec2 instance metadata: %s, defaulting region to %s", err, k.region)) - break - } - k.region = region - } + k.region = awsutil.GetOrDefaultRegion(k.logger, config["region"]) // Check and set AWS access key, secret key, and session token k.accessKey = config["access_key"] diff --git a/website/source/docs/configuration/seal/awskms.html.md b/website/source/docs/configuration/seal/awskms.html.md index 0a4f09f16b..22d44a5dda 100644 --- a/website/source/docs/configuration/seal/awskms.html.md +++ b/website/source/docs/configuration/seal/awskms.html.md @@ -40,9 +40,9 @@ seal "awskms" { These parameters apply to the `seal` stanza in the Vault configuration file: - `region` `(string: "us-east-1")`: The AWS region where the encryption key - lives. May also be specified by the `AWS_REGION` or `AWS_DEFAULT_REGION` - environment variable or as part of the AWS profile from the AWS CLI or - instance profile. + lives. If not provided, may be populated from the `AWS_REGION` or + `AWS_DEFAULT_REGION` environment variables, from your `~/.aws/config` file, + or from instance metadata. - `access_key` `(string: )`: The AWS access key ID to use. May also be specified by the `AWS_ACCESS_KEY_ID` environment variable or as part of the From 94909033261906fd0c4a88d2420ce335752c7e4c Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Tue, 5 Mar 2019 15:14:33 -0800 Subject: [PATCH 05/10] strip merge markdown from changelog --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7f9919be8..30c7459cc6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -60,7 +60,6 @@ FEATURES: login may be initiatated from the Vault UI or through the `vault login` command. * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable wild card matching for a single directory in the path definition. ->>>>>>> opensource-master IMPROVEMENTS: From 548f02803ab057034ff75bd64e500866fb5510d5 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Mon, 1 Apr 2019 15:37:02 -0700 Subject: [PATCH 06/10] Update builtin/credential/aws/cli.go Co-Authored-By: tyrannosaurus-becks --- builtin/credential/aws/cli.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go index 456811f32f..6d9436184a 100644 --- a/builtin/credential/aws/cli.go +++ b/builtin/credential/aws/cli.go @@ -33,7 +33,7 @@ func stsSigningResolver(service, region string, optFns ...func(*endpoints.Option return defaultEndpoint, nil } -// Generates the necessary data to send to the Vault server for generating a token +// GenerateLoginData populates the necessary data to send to the Vault server for generating a token // This is useful for other API clients to use func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRegion string) (map[string]interface{}, error) { loginData := make(map[string]interface{}) From a87559d2e196d145acb1ffdab6baa18e6dd1b9b4 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Wed, 3 Apr 2019 11:58:20 -0700 Subject: [PATCH 07/10] add comment on region parsing --- vault/seal/awskms/awskms.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vault/seal/awskms/awskms.go b/vault/seal/awskms/awskms.go index 1b4b566bc6..6ffb8f1afc 100644 --- a/vault/seal/awskms/awskms.go +++ b/vault/seal/awskms/awskms.go @@ -8,7 +8,7 @@ import ( "sync/atomic" "time" - "github.com/armon/go-metrics" + metrics "github.com/armon/go-metrics" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" @@ -90,6 +90,7 @@ func (k *AWSKMSSeal) SetConfig(config map[string]string) (map[string]string, err return nil, fmt.Errorf("'kms_key_id' not found for AWS KMS seal configuration") } + // Please see GetOrDefaultRegion for an explanation of the order in which region is parsed. k.region = awsutil.GetOrDefaultRegion(k.logger, config["region"]) // Check and set AWS access key, secret key, and session token From 0278f4d0d752ba0bee3f1db037422761d24c4fb2 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Wed, 3 Apr 2019 13:43:54 -0700 Subject: [PATCH 08/10] strip import whitespace --- vault/seal/awskms/awskms.go | 1 - 1 file changed, 1 deletion(-) diff --git a/vault/seal/awskms/awskms.go b/vault/seal/awskms/awskms.go index 6ffb8f1afc..d3b2f865e1 100644 --- a/vault/seal/awskms/awskms.go +++ b/vault/seal/awskms/awskms.go @@ -9,7 +9,6 @@ import ( "time" metrics "github.com/armon/go-metrics" - "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" From 80838bea2f48b002984879961e4312c0db5cc545 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Fri, 12 Apr 2019 11:24:26 -0700 Subject: [PATCH 09/10] update CHANGELOG --- CHANGELOG.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cce4648f7a..774ceb0b58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +## Next + +CHANGES: + + * autoseal/aws: The user-configured regions on the AWSKMS seal stanza + will now be preferred over regions set in the enclosing environment. + This is a _breaking_ change. + ## 1.1.1 (April 11th, 2019) SECURITY: @@ -30,12 +38,6 @@ CHANGES: previously possible from a performance secondary. These have been resolved, and these operations may now be run from a performance secondary. -CHANGES: - - * vault aws kms seal **breaking change**: user-configured regions will now be - preferred over regions set in the enclosing environment. - - IMPROVEMENTS: * agent: Allow AppRole auto-auth without a secret-id [GH-6324] From 797edb77545c5adfec0976a7d0c9ccb06bf48f02 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Fri, 12 Apr 2019 15:40:45 -0700 Subject: [PATCH 10/10] dont test files in CI --- helper/awsutil/region_test.go | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/helper/awsutil/region_test.go b/helper/awsutil/region_test.go index f46ec7ebec..fbfb2006f2 100644 --- a/helper/awsutil/region_test.go +++ b/helper/awsutil/region_test.go @@ -17,6 +17,8 @@ region=%s output=json` var ( + shouldTestFiles = os.Getenv("VAULT_ACC_AWS_FILES") == "1" + logger = hclog.NewNullLogger() expectedTestRegion = "us-west-2" unexpectedTestRegion = "us-east-2" @@ -60,6 +62,12 @@ func TestGetOrDefaultRegion_EnvVarsPreferredSecond(t *testing.T) { } func TestGetOrDefaultRegion_ConfigFilesPreferredThird(t *testing.T) { + if !shouldTestFiles { + // In some test environments, like a CI environment, we may not have the + // permissions to write to the ~/.aws/config file. Thus, this test is off + // by default but can be set to on for local development. + t.SkipNow() + } configuredRegion := "" cleanupEnv := setEnvRegion(t, "") @@ -157,6 +165,10 @@ func setConfigFileRegion(t *testing.T, region string) (cleanup func()) { } } + if !shouldTestFiles { + return + } + usr, err := user.Current() if err != nil { t.Fatal(err)