Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS secrets engine generating session tokens #23690

Merged
merged 34 commits into from
Nov 8, 2023
Merged

AWS secrets engine generating session tokens #23690

merged 34 commits into from
Nov 8, 2023

Conversation

robmonte
Copy link
Member

@robmonte robmonte commented Oct 17, 2023
edited
Loading

This reintroduces the addition of a new credential type session_token to the AWS Secrets Engine, originally provided here.

MFA codes:
When writing a vault role, provide the serial number of the MFA device added to the IAM user like so:

vault write aws/roles/my-mfa-role \
credential_type="session_token" \
mfa_serial_number="arn:aws:iam::<account-id>:mfa/<device-name>"

Then when getting credentials, pass the code like so:

vault read aws/creds/my-mfa-role \
mfa_code="123456"

Closes #12734

grahamc and others added 14 commits October 11, 2023 19:31
@grahamc @robmonte
AWS Secret Engine: Support Session Tokens
20dd50f 
Sometimes people will give you an AWS access key and secret and not
be interested in setting up a better approach for key exchange.

In cases like this, options are limited for distributing access to
the key material. However, AWS's STS GetSessionToken can be used
to general ephemeral credentials "underneath" that token. This
at least limits the spread of that root key, and the duration of
its users' access.

It should almost definitely not be used for other use cases, since
it does not limit behavior on an otherwise probably administrative
key.

Closes #12734
@grahamc @robmonte
Add a test for SessionTokens, untested: I couldn't get any of the tes…
0426428 
…ts to pass locally.
@grahamc @robmonte
add a changelog entry
65a99ed
@grahamc @robmonte
Document session tokens
db4c53e
@grahamc @robmonte
Update the JS for session tokens
72e3769
@robmonte
Add suggestions
1a4afd5
@robmonte
Fix typo
57c4199
@robmonte
Fix broken link
3f6e24e
@robmonte
Fix backticks
4c8ef89
@robmonte
Disallow setting aws role or policy on a session token-based role
1bc9bf0
@robmonte
Rename security token to session token
c491b92
@robmonte
Update check
a8b24ec
@robmonte
Adjust docs
d8ba1a7
@robmonte
use time.Until
1051683
@robmonte robmonte requested review from a team as code owners October 17, 2023 01:03
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Oct 17, 2023
@robmonte robmonte added this to the 1.16.0-rc1 milestone Oct 17, 2023
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions
Copy link

CI Results:
All Go tests succeeded! ✅

@robmonte
Copy link
Member Author

Hey @grahamc

I wanted to let you know I've had the opportunity to pick this back up. I was unhappy with the poor experience you had with your prior PR and wanted to get the feature added with this opportunity. I'd love to hear if you have any comments on changes I've mad.

At the moment the main change is switching from the use of "security_token" to "session_token" to better align with modern AWS terminology. Do you foresee any problems with this?

@grahamc
Copy link
Contributor

grahamc commented Oct 17, 2023 via email

schavis
schavis requested changes Oct 19, 2023
View reviewed changes
website/content/api-docs/secret/aws.mdx Outdated Show resolved Hide resolved
robmonte and others added 2 commits October 19, 2023 11:19
@robmonte @schavis
Update wording
7ad5b85 
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
@robmonte
Update wording
ada5c08
schavis
schavis requested changes Oct 19, 2023
View reviewed changes
website/content/docs/secrets/aws.mdx Outdated Show resolved Hide resolved
@robmonte @schavis
Update website/content/docs/secrets/aws.mdx
eec27c9 
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
raymonstah
raymonstah reviewed Oct 23, 2023
View reviewed changes
Copy link
Contributor

@raymonstah raymonstah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the rename of security_token to session_token a breaking change?

builtin/logical/aws/secret_access_keys.go Outdated Show resolved Hide resolved
@robmonte
Copy link
Member Author

Is the rename of security_token to session_token a breaking change?

You're right. I think since the goal of this PR is to now support session token generation, it makes sense to adjust the terminology accordingly to match AWS. I've added back security_token in with this commit 7489461 so both it and session_token can exist, while adding a deprecation notice for the security_token field. Let me know your thoughts, and then we can also run this by the wider team.

@robmonte robmonte requested a review from schavis October 31, 2023 16:41
austingebauer
austingebauer approved these changes Nov 1, 2023
View reviewed changes
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

builtin/logical/aws/path_roles.go Outdated Show resolved Hide resolved
builtin/logical/aws/secret_access_keys.go Outdated Show resolved Hide resolved
builtin/logical/aws/secret_access_keys.go Show resolved Hide resolved
robmonte and others added 3 commits November 4, 2023 03:21
@robmonte @austingebauer
Update builtin/logical/aws/secret_access_keys.go
de36e92 
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
@robmonte @austingebauer
Update builtin/logical/aws/path_roles.go
cc21967 
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
@robmonte
Mention ARN in field description
653dc8f
@robmonte robmonte merged commit 54bf080 into main Nov 8, 2023
110 checks passed
@robmonte robmonte deleted the aws-session-token-fork branch November 8, 2023 23:06
mladlow
mladlow reviewed Mar 11, 2024
View reviewed changes
changelog/23690.txt
@@ -0,0 +1,3 @@
```release-note:feature
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@robmonte next time please use the correct new feature formatting for new features in the changelog.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To add some more clarification - this should use the "Feature Name" we'd use in the release notes, and should try to communicate to the user why they would want to learn more about this brand new feature we're introducing in Vault 1.16.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mladlow mladlow mladlow left review comments

@schavis schavis schavis approved these changes

@austingebauer austingebauer austingebauer approved these changes

@raymonstah raymonstah raymonstah approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.16.0-rc1
Development

Successfully merging this pull request may close these issues.

Support issuing AWS Session Tokens via GetSessionToken
6 participants
@robmonte @grahamc @raymonstah @mladlow @austingebauer @schavis