vault/builtin/logical/aws
Joel Thompson 025825dfe0 Accept temp creds in AWS secret backend acceptance tests (#4076)
* Accept temp creds in AWS secret backend acceptance tests

The AWS secret backend acceptance tests implicitly accepted long-lived
AWS credentials (i.e., AWS IAM user and/or root credentials) in two
ways:

1. It expected credentials to be passed in via the AWS_ACCESS_KEY_ID and
   AWS_SECRET_ACCESS_KEY environment variables. By not accepting
   AWS_SESSION_TOKEN or AWS_SECURITY_TOKEN, temporary credentials could
   not be passed in. (This also forced all credentials to be passed in
   via environment variables, which is a bit ugly).
2. The AWS sts:GetFederationToken call is only allowed from long-term
   credentials. This is called by the Vault code which the acceptance
   tests exercise.

1 is solved by deleting explicit references to credentials, which allows
the SDK to do one of the things it does best -- find credentials via the
default chain.

2 is a little more complicated. Rather than pass in whatever creds the
acceptance test was run under to the backend, the acceptance test now
creates a new IAM user and gets an access key from it, then passes the
IAM user's creds back to the backend so that it can call
sts:GetFederationToken (and then tries to clean up afterwards).

* Fix Travis build failure

The Travis build was failing because the user creation was happening
regardless of whether it was running in acceptance test mode or not.
This moves the user creation into the acceptance test precheck, which
requires lazily evaluating the credentials when configuring the backend
in the STS acceptance test, and so moving that to a PreFlight closure.

* Reduce blind sleeps in AWS secret backend acceptance tests

This removes a blind "sleep 10 seconds and then attempt to reuse the
credential" codepath and instead just keeps attempting to reuse the
credential for 10 seconds and fails if there aren't any successful uses
after 10 seconds. This adds a few seconds speedup of acceptance test
runs from my experiments.
2018-03-13 10:35:10 -04:00
..
backend_test.go Accept temp creds in AWS secret backend acceptance tests (#4076) 2018-03-13 10:35:10 -04:00
backend.go Don't run rollback and upgrade functionality if we are a replication secondary (#3900) 2018-02-02 20:28:25 -05:00
client.go Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
path_config_lease.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
path_config_root.go Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
path_roles_test.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
path_roles.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
path_sts.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
path_user.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
rollback.go Don't run rollback and upgrade functionality if we are a replication secondary (#3900) 2018-02-02 20:28:25 -05:00
secret_access_keys_test.go Allow use of pre-existing policies for AWS users 2015-12-30 18:05:54 +00:00
secret_access_keys.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00