Renamed sts duration to ttl and added STS permissions note.

Dmitriy Gromov 2016-01-21 14:28:34 -05:00
parent e13f58713e
commit ea1e29fa33
2 changed files with 19 additions and 4 deletions


@ -15,8 +15,8 @@ func pathSTS(b *backend) *framework.Path {
Type: framework.TypeString, Type: framework.TypeString,
Description: "Name of the role", Description: "Name of the role",
}, },
"duration": &framework.FieldSchema{ "ttl": &framework.FieldSchema{
Type: framework.TypeInt, Type: framework.TypeDurationSecond,
Description: "Lifetime of the token in seconds", Description: "Lifetime of the token in seconds",
Default: 3600, Default: 3600,
}, },
@ -34,7 +34,7 @@ func pathSTS(b *backend) *framework.Path {
func (b *backend) pathSTSRead( func (b *backend) pathSTSRead(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) { req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
policyName := d.Get("name").(string) policyName := d.Get("name").(string)
duration := int64(d.Get("duration").(int)) ttl := int64(d.Get("ttl").(int))
// Read the policy // Read the policy
policy, err := req.Storage.Get("policy/" + policyName) policy, err := req.Storage.Get("policy/" + policyName)
@ -50,7 +50,7 @@ func (b *backend) pathSTSRead(
return b.secretAccessKeysAndTokenCreate( return b.secretAccessKeysAndTokenCreate(
req.Storage, req.Storage,
req.DisplayName, policyName, string(policy.Value), req.DisplayName, policyName, string(policy.Value),
&duration, &ttl,
) )
} }
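Review bot: The caller-supplied `ttl` read at `ttl := int64(d.Get("ttl").(int))` is handed straight to `secretAccessKeysAndTokenCreate` as `&ttl` in the last hunk with no bound applied, so anyone who can read `aws/sts/<role>` chooses how long the federated credentials live; unless that helper caps it (its body is outside this hunk), a client can ask for the STS maximum rather than what the mount's lease settings permit. I would reject non-positive values before the storage read, `if ttl <= 0 { return logical.ErrorResponse("ttl must be a positive duration"), nil }`, and clamp to the mount's maximum lease TTL if this backend exposes a system view (`b.System().MaxLeaseTTL()` is the pattern elsewhere — confirm it is available here). The docs change in this same commit says the endpoint "will always fetch STS credentials with a 1hr ttl", which no longer describes a field that merely defaults to 3600 and accepts other values. pathSTSRead's body continues outside the second hunk.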


@ -100,6 +100,7 @@ security_token <nil>
``` ```
If you want keys with an STS token use the 'sts' endpoint instead of 'creds.' If you want keys with an STS token use the 'sts' endpoint instead of 'creds.'
The aws/sts endpoint will always fetch STS credentials with a 1hr ttl.
```text ```text
$vault read aws/sts/deploy $vault read aws/sts/deploy
@ -161,6 +162,20 @@ Note that this policy example is unrelated to the policy you wrote to `aws/roles
If you get stuck at any time, simply run `vault path-help aws` or with a subpath for If you get stuck at any time, simply run `vault path-help aws` or with a subpath for
interactive help output. interactive help output.
## A Note on STS Permissions
Vault generates STS tokens using the IAM credentials passed to aws/config.
Those credentials must have two properties:
- They must have permissions to call sts:GetFederatedToken.
- The capabilities of those credentials have to be at least as permissive as those requested
by policies attached to the STS creds.
If either of those conditions are not met, a "403 not-authorized" error will be returned.
See http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html for more details.
## A Note on Consistency ## A Note on Consistency
Unfortunately, IAM credentials are eventually consistent with respect to other Unfortunately, IAM credentials are eventually consistent with respect to other