Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix auth/aws so that config/rotate-root saves new key pair to vault #12715

Merged
merged 4 commits into from Oct 19, 2021
Merged

Fix auth/aws so that config/rotate-root saves new key pair to vault #12715

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
06edc29
test: add test to verify Vault storage is updated
ludewigh Oct 1, 2021
b4fbc84
bug: fix config/rotate-root to store new key
ludewigh Oct 1, 2021
1d7286e
Merge branch 'hashicorp:main' into main
ludewigh Oct 1, 2021
fcef44c
choir: fix changelog name to match PR
ludewigh Oct 4, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
8 changes: 4 additions & 4 deletions builtin/credential/aws/path_config_rotate_root.go
View file
Open in desktop
Expand Up @@ -145,6 +145,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
}
}()

oldAccessKey := clientConf.AccessKey
clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey

// Now get ready to update storage, doing everything beforehand so we can minimize how long
// we need to hold onto the lock.
newEntry, err := b.configClientToEntry(clientConf)
Expand All @@ -153,10 +157,6 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
return nil, errs
}

oldAccessKey := clientConf.AccessKey
clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey

// Someday we may want to allow the user to send a number of seconds to wait here
// before deleting the previous access key to allow work to complete. That would allow
// AWS, which is eventually consistent, to finish populating the new key in all places.
Expand Down
20 changes: 10 additions & 10 deletions builtin/credential/aws/path_config_rotate_root_test.go
View file
Open in desktop
Expand Up @@ -3,13 +3,11 @@ package awsauth
import (
"context"
"testing"
"time"

"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/aws/aws-sdk-go/service/iam/iamiface"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-secure-stdlib/awsutil"
"github.com/hashicorp/vault/sdk/logical"
)
Expand All @@ -33,15 +31,13 @@ func TestPathConfigRotateRoot(t *testing.T) {
}

ctx := context.Background()
config := logical.TestBackendConfig()
logical.TestBackendConfig()
storage := &logical.InmemStorage{}
b, err := Factory(ctx, &logical.BackendConfig{
StorageView: storage,
Logger: hclog.Default(),
System: &logical.StaticSystemView{
DefaultLeaseTTLVal: time.Hour,
MaxLeaseTTLVal: time.Hour,
},
})
config.StorageView = storage

b, err := Backend(config)

if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -76,4 +72,8 @@ func TestPathConfigRotateRoot(t *testing.T) {
if resp.Data["access_key"].(string) != "fizz2" {
t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
}
newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
if resp.Data["access_key"].(string) != newClientConf.AccessKey {
t.Fatalf("expected new access key buzz2 to be saved to storage but receieved %s", clientConf.AccessKey)
}
}
3 changes: 3 additions & 0 deletions changelog/12715.txt
View file
Open in desktop
@@ -0,0 +1,3 @@
```release-note:bug
auth/aws: fix config/rotate-root to store new key
```