In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
* Fix spelling error in AppRole docs
* Add force flag to sample command to generate a secret ID in AppRole docs
* Update sample output for AppRole login in docs
We've disabled this in the token store, but it makes no sense to have
that disabled but have it enabled elsewhere. It's the same issue across
all, so simply remove the ability altogether.
--------------------------
Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.
Simplified group membership lookup significantly to support multiple use-cases:
* Enumerating groups via memberOf attribute on user object
* Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
* Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule
There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.
Additional changes:
* Clarify documentation for LDAP auth backend.
* Reworked how default values are set, added tests
* Removed Dial from LDAP config read. Network should not affect configuration.
per #1582, updating the docs to include notes about pkcs#7 handling, specifically that aws returns the pkcs#7 cert with newlines and that they need to be stripped before sending them to the login endpoint
