diff --git a/changelog/20368.txt b/changelog/20368.txt
new file mode 100644
index 000000000000..bca5957d1d29
--- /dev/null
+++ b/changelog/20368.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/identity: Allow updates of only the custom-metadata for entity alias.
+```
\ No newline at end of file
diff --git a/vault/identity_store_aliases.go b/vault/identity_store_aliases.go
index 1fe3c3126e39..4a83a836511b 100644
--- a/vault/identity_store_aliases.go
+++ b/vault/identity_store_aliases.go
@@ -172,8 +172,9 @@ func (i *IdentityStore) handleAliasCreateUpdate() framework.OperationFunc {
 }
 switch {
 case mountAccessor == "" && name == "":
-// Just a canonical ID update, maybe
-if canonicalID == "" {
+// Check if the canonicalID or the customMetadata are being
+// updated
+if canonicalID == "" && !customMetadataExists {
 // Nothing to do, so be idempotent
 return nil, nil
 }
diff --git a/vault/identity_store_aliases_test.go b/vault/identity_store_aliases_test.go
index 6c0f7a0f06cd..ba52d7358ef0 100644
--- a/vault/identity_store_aliases_test.go
+++ b/vault/identity_store_aliases_test.go
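Review bot: The relaxed guard `if canonicalID == "" && !customMetadataExists` now depends on how `customMetadataExists` is computed, which is set outside this hunk; for the "clear" case to work it must reflect that the `custom_metadata` key was supplied (presence) rather than that the supplied map is non-empty, otherwise an update with `custom_metadata: {}` would still be treated as a no-op here. Please confirm that, and that the code path after the guard applies the new map when `canonicalID` is empty, since only the no-op check is visible. The comment reads awkwardly; suggest `// Proceed if either the canonical ID or the custom metadata is being updated (an explicitly empty custom_metadata map is a clear, not an absence)`. handleAliasCreateUpdate begins and ends outside this hunk.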
@@ -458,6 +458,46 @@ func TestIdentityStore_AliasUpdate(t *testing.T) {
 "custom_metadata": map[string]string{},
 },
 },
+{
+name: "only-metadata",
+createData: map[string]interface{}{
+"name": "only",
+"mount_accessor": githubAccessor,
+"custom_metadata": map[string]string{
+"foo": "bar",
+},
+},
+updateData: map[string]interface{}{
+"custom_metadata": map[string]string{
+"bar": "baz",
+},
+},
+},
+{
+name: "only-metadata-clear",
+createData: map[string]interface{}{
+"name": "only-clear",
+"mount_accessor": githubAccessor,
+"custom_metadata": map[string]string{
+"foo": "bar",
+},
+},
+updateData: map[string]interface{}{
+"custom_metadata": map[string]string{},
+},
+},
+{
+name: "only-metadata-none-before",
+createData: map[string]interface{}{
+"name": "no-metadata",
+"mount_accessor": githubAccessor,
+},
+updateData: map[string]interface{}{
+"custom_metadata": map[string]string{
+"foo": "bar",
+},
+},
+},
 }
 
 handleRequest := func(t *testing.T, req *logical.Request) *logical.Response {
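Review bot: The three new cases carry no explicit expected value, so the "only-metadata" case (create with `foo: bar`, update with `bar: baz`) only proves replace-rather-than-merge semantics if the loop body, which lies outside this hunk, compares the read-back `custom_metadata` to `updateData` by exact map equality; if it only checks that the update succeeded, a merge that left `foo` in place would pass unnoticed. Worth confirming the assertion, or adding an expected field to the case so the intent is stated in the table itself. A one-line comment on the "only-metadata-clear" case, `// update with an empty map must clear existing metadata, not be a no-op`, would document why that case exists. TestIdentityStore_AliasUpdate continues outside this hunk.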