diff --git a/builtin/credential/aws-ec2/backend_test.go b/builtin/credential/aws-ec2/backend_test.go index 3be53d988e0e..5b0a6d61a74f 100644 --- a/builtin/credential/aws-ec2/backend_test.go +++ b/builtin/credential/aws-ec2/backend_test.go @@ -1125,15 +1125,17 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) { data := map[string]interface{}{ "policies": "root", "max_ttl": "120s", - "bound_ami_id": amiID, + "bound_ami_id": "wrong_ami_id", } - resp, err := b.HandleRequest(&logical.Request{ + roleReq := &logical.Request{ Operation: logical.UpdateOperation, Path: "role/" + roleName, Storage: storage, Data: data, - }) + } + + resp, err := b.HandleRequest(roleReq) if resp != nil && resp.IsError() { t.Fatalf("failed to create role") } @@ -1146,7 +1148,8 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) { "nonce": "vault-client-nonce", } - // perform the login operation. + // Perform the login operation with a AMI ID that is not matching + // the bound on the role. loginRequest := &logical.Request{ Operation: logical.UpdateOperation, Path: "login", @@ -1154,6 +1157,19 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) { Data: loginInput, } resp, err = b.HandleRequest(loginRequest) + if err != nil || resp == nil || (resp != nil && !resp.IsError()) { + t.Fatalf("bad: expected error response: resp:%#v\nerr:%v", resp, err) + } + + // Place the correct AMI ID on the role + data["bound_ami_id"] = amiID + resp, err = b.HandleRequest(roleReq) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: failed to create role: resp:%#v\nerr:%v", resp, err) + } + + // Try to login after the role has a matching AMI ID + resp, err = b.HandleRequest(loginRequest) if err != nil { t.Fatal(err) } diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go index 268e02f36935..ef14bf7062b9 100644 --- a/builtin/credential/aws-ec2/path_login.go +++ b/builtin/credential/aws-ec2/path_login.go @@ -244,6 +244,13 @@ func (b *backend) pathLoginUpdate( return logical.ErrorResponse("role entry not found"), nil } + // Only 'bound_ami_id' constraint is supported on the role currently. + // Check if the AMI ID of the instance trying to login matches the + // AMI ID specified as a constraint on the role. + if identityDoc.AmiID != roleEntry.BoundAmiID { + return logical.ErrorResponse(fmt.Sprintf("AMI ID %s does not belong to role %s", identityDoc.AmiID, roleName)), nil + } + // Get the entry from the identity whitelist, if there is one. storedIdentity, err := whitelistIdentityEntry(req.Storage, identityDoc.InstanceID) if err != nil {