From 9af595ec61e5f7f435722ff19c811307f23ccc80 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Fri, 4 Jan 2019 15:03:57 -0500
Subject: [PATCH] Don't read AWS env vars (#5974)

* Don't read AWS env vars

Let AWS SDK env cred chain provider do it for us

Fixes #5965
---
 CHANGELOG.md | 6 ++++++
 physical/dynamodb/dynamodb.go | 23 +++++------------------
 vault/seal/awskms/awskms.go | 30 +++++++++++------------------
 3 files changed, 22 insertions(+), 37 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 89c47ed542..e08033c8fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,12 @@ CHANGES:
 * secret/aws: Role now returns `credential_type` instead of `credential_types` to match role input. If a legacy role that can supply more than one credential type, they will be concatenated with a `,`.
+ * physical/dynamodb, autoseal/aws: Instead of Vault performing environment
+ variable handling, and overriding static (config file) values if found, we
+ use the default AWS SDK env handling behavior, which also looks for
+ deprecated values. If you were previously providing both config values and
+ environment values, please ensure the config values are unset if you want to
+ use environment values.
 ## 1.0.1 (December 14th, 2018)

diff --git a/physical/dynamodb/dynamodb.go b/physical/dynamodb/dynamodb.go
index 3a08cca173..55f9a9ed70 100644
--- a/physical/dynamodb/dynamodb.go
+++ b/physical/dynamodb/dynamodb.go
@@ -15,7 +15,7 @@ import (
 log "github.com/hashicorp/go-hclog"
- "github.com/armon/go-metrics"
+ metrics "github.com/armon/go-metrics"
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/awserr"
 "github.com/aws/aws-sdk-go/aws/session"
@@ -23,7 +23,7 @@ import (
 "github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
 "github.com/hashicorp/errwrap"
 cleanhttp "github.com/hashicorp/go-cleanhttp"
- "github.com/hashicorp/go-uuid"
+ uuid "github.com/hashicorp/go-uuid"
 "github.com/hashicorp/vault/helper/awsutil"
 "github.com/hashicorp/vault/helper/consts"
 "github.com/hashicorp/vault/physical"
@@ -155,19 +155,6 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
 writeCapacity = DefaultDynamoDBWriteCapacity
 }
- accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
- if accessKey == "" {
- accessKey = conf["access_key"]
- }
- secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
- if secretKey == "" {
- secretKey = conf["secret_key"]
- }
- sessionToken := os.Getenv("AWS_SESSION_TOKEN")
- if sessionToken == "" {
- sessionToken = conf["session_token"]
- }
-
 endpoint := os.Getenv("AWS_DYNAMODB_ENDPOINT")
 if endpoint == "" {
 endpoint = conf["endpoint"]
@@ -197,9 +184,9 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
 }
 credsConfig := &awsutil.CredentialsConfig{
- AccessKey: accessKey,
- SecretKey: secretKey,
- SessionToken: sessionToken,
+ AccessKey: conf["access_key"],
+ SecretKey: conf["secret_key"],
+ SessionToken: conf["session_token"],
 }
 creds, err := credsConfig.GenerateCredentialChain()
 if err != nil {
diff --git a/vault/seal/awskms/awskms.go b/vault/seal/awskms/awskms.go
index c0781f96ce..cb57e95f7d 100644
--- a/vault/seal/awskms/awskms.go
+++ b/vault/seal/awskms/awskms.go
@@ -38,11 +38,12 @@ const (
 // AWSKMSSeal represents credentials and Key information for the KMS Key used to
 // encryption and decryption
 type AWSKMSSeal struct {
- accessKey string
- secretKey string
- region string
- keyID string
- endpoint string
+ accessKey string
+ secretKey string
+ sessionToken string
+ region string
+ keyID string
+ endpoint string
 currentKeyID *atomic.Value
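Review bot: In the `@@ -155,19 +155,6 @@` hunk the `endpoint := os.Getenv("AWS_DYNAMODB_ENDPOINT")` lines kept right below the removed block still let the environment override `conf["endpoint"]`, while credentials now take the opposite precedence — per this commit's changelog entry, a configured `access_key`/`secret_key` wins and the environment is only consulted by the SDK chain when those are unset. An operator who sets both config and environment will get env for the endpoint but config for the credentials, which is worth stating at the `endpoint :=` line: `// Unlike the credentials below, which go through the SDK chain (config first, then env), the endpoint still honors AWS_DYNAMODB_ENDPOINT over the config value.` The same precedence remark belongs on the `credsConfig := &awsutil.CredentialsConfig{` literal in the `@@ -197,9 +184,9 @@` hunk, where the conf values are now passed through without any env lookup. NewDynamoDBBackend starts and ends outside these hunks.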
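Review bot: The new `sessionToken` field in the AWSKMSSeal struct, like the `accessKey` and `secretKey` fields beside it, holds a secret with no comment saying where it comes from or that it is optional. A short comment above the three fields would document the contract this commit introduces: `// Static credentials from the seal config (access_key, secret_key, session_token). All optional; when empty the SDK's default credential chain, including environment variables, supplies them (see the awskms changelog entry for this change).`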
@@ -99,20 +100,10 @@ func (k *AWSKMSSeal) SetConfig(config map[string]string) (map[string]string, err
 k.region = "us-east-1"
 }
- // Check and set AWS access key and secret key
- k.accessKey = os.Getenv("AWS_ACCESS_KEY_ID")
- if k.accessKey == "" {
- if accessKey, ok := config["access_key"]; ok {
- k.accessKey = accessKey
- }
- }
-
- k.secretKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
- if k.secretKey == "" {
- if secretKey, ok := config["secret_key"]; ok {
- k.secretKey = secretKey
- }
- }
+ // Check and set AWS access key, secret key, and session token
+ k.accessKey = config["access_key"]
+ k.secretKey = config["secret_key"]
+ k.sessionToken = config["session_token"]
 k.endpoint = os.Getenv("AWS_KMS_ENDPOINT")
 if k.endpoint == "" {
@@ -281,6 +272,7 @@ func (k *AWSKMSSeal) getAWSKMSClient() (*kms.KMS, error) {
 credsConfig.AccessKey = k.accessKey
 credsConfig.SecretKey = k.secretKey
+ credsConfig.SessionToken = k.sessionToken
 credsConfig.Region = k.region
 credsConfig.HTTPClient = cleanhttp.DefaultClient()
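Review bot: The three plain map reads added in SetConfig accept any combination of `access_key`, `secret_key` and `session_token`, so a config that sets only one of the key pair, or a session token without a key pair, is stored silently and would only surface later inside getAWSKMSClient; unless GenerateCredentialChain already rejects that (not visible in this diff), SetConfig should fail fast with something like `if (k.accessKey == "") != (k.secretKey == "") { return nil, fmt.Errorf("access_key and secret_key must be set together") }` (use whichever of fmt or errors the file already imports). The added comment `// Check and set AWS access key, secret key, and session token` no longer describes a check now that the os.Getenv lookups are gone; `// Static AWS credentials from config; environment credentials are left to the SDK chain` is closer to what the lines do. SetConfig starts and ends outside the hunk.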