Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of Passes configured role name to Vault for AWS auth in Connect CA into release/1.16.x #18099

Merged
merged 3 commits into from
Jul 12, 2023
Merged

Backport of Passes configured role name to Vault for AWS auth in Connect CA into release/1.16.x #18099

merged 3 commits into from
Jul 12, 2023

Conversation

hc-github-team-consul-core
Copy link
Contributor

Backport

This PR is auto-generated from #17885 to be assessed for backporting due to the inclusion of the label backport/1.16.

The below text is copied from the body of the original PR.

Fixes #17887.

Description

When using Connect, with Vault CA, with AWS auth - this change ensures that the role name (if configured) is passed as part of the login request. Prior to this change, Consul did not respect this parameter and therefore always falls back to the default Vault behaviour of using the instance AWS IAM role name, even if role was specified in params.

Testing & Reproduction steps

  • Added additional coverage to the existing TestVaultCAProvider_AWSLoginDataGenerator tests.

To reproduce original bug

  1. Create a file with CA configuration, e.g.
{
  "Provider": "vault",
  "Config": {
    "Address": "https://my.vault.server:8200",
    "IntermediatePKIPath": "pki_int",
    "RootPKIPath": "pki",
    "AuthMethod": {
      "Type": "aws",
      "MountPath": "aws",
      "Params": {
        "role": "configured-role-name"
      }
    }
  }
}
  1. Set CA configuration
consul connect ca set-config -config-file ca.conf
  1. Observe that role is not sent to Vault, Vault will attempt to use the IAM instance role name and fail if this does not exist as a Vault role.

Links

PR Checklist

  • updated test coverage
  • external facing docs updated (Not applicable)
  • appropriate backport labels added
  • not a security concern
Overview of commits

@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/fix/vault-ca-aws-role/scarcely-full-python branch 2 times, most recently from 4d13aa0 to e976a9d Compare July 12, 2023 15:24
@hc-github-team-consul-core hc-github-team-consul-core force-pushed the backport/fix/vault-ca-aws-role/scarcely-full-python branch from 9679496 to 8ed33a3 Compare July 12, 2023 15:24
@github-actions github-actions bot added the theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies label Jul 12, 2023
github-team-consul-core-pr-approver
github-team-consul-core-pr-approver approved these changes Jul 12, 2023
View reviewed changes
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto approved Consul Bot automated PR

@vercel vercel bot temporarily deployed to Preview – consul July 12, 2023 15:36 Inactive
@hc-github-team-consul-core hc-github-team-consul-core merged commit b26f795 into release/1.16.x Jul 12, 2023
104 checks passed
@hc-github-team-consul-core hc-github-team-consul-core deleted the backport/fix/vault-ca-aws-role/scarcely-full-python branch July 12, 2023 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-team-consul-core-pr-approver github-team-consul-core-pr-approver github-team-consul-core-pr-approver approved these changes

@cthain cthain Awaiting requested review from cthain

Assignees

@cthain cthain

Labels
theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hc-github-team-consul-core @github-team-consul-core-pr-approver @cthain @t-davies