Introduce role_arns, max_sts_ttl and default_sts_ttl #329
Conversation
I did not touch
Description: "ARN for an existing IAM policy the role should use.", | ||
Deprecated: `Use "policy_arns".`, | ||
}, | ||
"policy_document": { | ||
Type: schema.TypeString, | ||
Optional: true, | ||
ConflictsWith: []string{"policy_arns", "policy_arn", "policy"}, | ||
ConflictsWith: []string{"policy_arns", "policy_arn", "policy", "role_arns"}, |
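Review bot: adding "role_arns" to the ConflictsWith list of policy_document rejects a combination Vault itself accepts; for assumed_role credentials the Vault AWS secrets API documents policy_document as a filter on the permissions of the assumed role, not as a setting that conflicts with role_arns. Keep the list as `ConflictsWith: []string{"policy_arns", "policy_arn", "policy"}`, or enforce the conflict only for credential types where a policy document is attached rather than applied as a filter.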
Per the documentation, there is no conflict
https://www.vaultproject.io/api/secret/aws/index.html#policy_document
Says it will just act as a filter
} | ||
if policy == "" && len(policyARNs) == 0 && len(roleARNs) == 0 { | ||
return fmt.Errorf("either policy or policy_arn or role_arns must be set") |
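Review bot: the error text does not match the condition it reports on: the condition tests policy, policyARNs and roleARNs, but the message names policy, policy_arn and role_arns, so a user who set none of them hears nothing about policy_arns and is pointed at policy_arn, which the schema above marks Deprecated in favour of policy_arns. Suggest `return fmt.Errorf("at least one of policy, policy_arns or role_arns must be set")`, naming exactly the three fields the condition checks.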
The error is misleading: you are checking policy, policyARN and roleARN but mentioning only two of them in the error.
Thanks for the review, will address shortly.
Any update on this? Any way I can help?
@patoarvizu I've added new tests to confirm that the STS TTLs are working, and it is constantly failing on read, while with the real Vault it works fine; can't figure out what is wrong :(
Weird, checks passed here, but did not on my own environment :(
Catch up with Vault API for aws_secret_backend_role
b5f320e to e1e13db
@ShimiTaNaka It passed the second build in a row, and it is working for me, I believe it is ready.
Hi there! Just following up with the maintainers to see if it would be possible to push this through. Thanks!
@tyrannosaurus-becks hey, this is another fix for the issue fixed here: #259 Right now we're using a forked version of the provider due to the semantic versioning violation, is there a timeline for reviewing these PRs?
I think there's another PR that was closed as well.
@lattwood should be able to dig into these next week!
@onorua thanks for working on this! When I test against Vault's current master branch, I get:
What version of Vault are you testing with?
I also still find a test failure on version 11.6 of Vault, FWIW.
This is great @onorua! I can't wait to make use of this.
Anything I can do to help nudge this along? I need this merged in to support terraform provisioning AWS backend roles with credential type
A workaround that I've been able to use is:
Also would love to know if there's anything that could be done to help this get merged so roles with the
FWIW, I just bumped into this as well. I'm managing AWS and Vault with Terraform, and was wanting to read in an AWS role from a state file data source, and use that as a
Closing due to inactivity. Please feel free to open it again if you have time to circle back and get it into order! Thank you!
@bodhi thanks for sharing a workaround. At this point I'm willing to try it since it doesn't appear like official support will be added, however, it fails because
@cludden you might be using a newer version of the provider than me? This is the configuration that we use:

```hcl
# This enables Vault clients to generate credentials for the service's
# AWS IAM role.
resource "vault_aws_secret_backend_role" "service" {
  backend = "aws"
  name    = "${local.service_id}"

  # Terraform doesn't support `credential_type` yet.
  #credential_type = "assumed_role"

  # Terraform doesn't support `role_arns` yet, so use `policy_arn`
  # instead. This means this role needs to be used via `aws/sts/app`
  # instead of `aws/creds/app`.
  #role_arn = "${aws_iam_role.service.arn}"
  policy_arn = "${aws_iam_role.service.arn}"

  # Vault copies `policy_arn` to `policy_arns`, so this is always
  # blank when fetching current state from Vault.
  lifecycle {
    ignore_changes = ["policy_arn"]
  }
}
```

This worked with v1.5.0 of
Catch up with Vault API for aws_secret_backend_role
Fix test with assumed_role without role_arns, which is not possible in real life.
Extend tests to make sure assumed_role is validated
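The validation the commit message describes (an assumed_role role without role_arns "is not possible in real life") and the combined "policy or policy_arns or role_arns" check from the diff, written out as an added Go example. This is not code from terraform-provider-vault or from Vault; the `AWSRoleConfig` struct, `ValidateAWSRoleConfig` function, sample ARNs and account ID are constructed for illustration. The rules it encodes follow the Vault AWS secrets engine API documentation as I read it: role_arns is only valid for credential_type assumed_role, default_sts_ttl and max_sts_ttl only for assumed_role and federation_token, and policy_document may be combined with role_arns because it acts as a permission filter there (the point the reviewer made above). Check them against the Vault version you run.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AWSRoleConfig is an illustrative stand-in for the arguments of
// vault_aws_secret_backend_role discussed in this thread; it is not the
// provider's schema type. Field names follow the Vault AWS secrets engine
// API parameters (credential_type, policy_document, policy_arns, role_arns,
// default_sts_ttl, max_sts_ttl).
type AWSRoleConfig struct {
	CredentialType string   // "iam_user", "assumed_role" or "federation_token"
	PolicyDocument string   // inline IAM policy; attached for iam_user, a filter otherwise
	PolicyARNs     []string // managed policy ARNs
	RoleARNs       []string // IAM roles Vault may assume; assumed_role only
	DefaultSTSTTL  int      // seconds; STS credential types only
	MaxSTSTTL      int      // seconds; STS credential types only
}

// ValidateAWSRoleConfig applies the checks client-side, so a broken role is
// rejected at `terraform plan` instead of by Vault at apply time. It collects
// every problem rather than stopping at the first one.
func ValidateAWSRoleConfig(c AWSRoleConfig) error {
	var problems []string

	switch c.CredentialType {
	case "iam_user", "assumed_role", "federation_token":
	default:
		problems = append(problems, fmt.Sprintf(
			"credential_type %q must be one of iam_user, assumed_role, federation_token", c.CredentialType))
	}

	// Same condition as the hunk in this PR, with an error naming every field it tests.
	if c.PolicyDocument == "" && len(c.PolicyARNs) == 0 && len(c.RoleARNs) == 0 {
		problems = append(problems, "at least one of policy_document, policy_arns or role_arns must be set")
	}

	// role_arns is meaningful only for assumed_role, and assumed_role needs a role to assume.
	if len(c.RoleARNs) > 0 && c.CredentialType != "assumed_role" {
		problems = append(problems, "role_arns can only be set when credential_type is assumed_role")
	}
	if c.CredentialType == "assumed_role" && len(c.RoleARNs) == 0 {
		problems = append(problems, "credential_type assumed_role requires at least one entry in role_arns")
	}
	for _, arn := range c.RoleARNs {
		// Loose shape check: any partition, the IAM service, a role resource.
		if !strings.HasPrefix(arn, "arn:") || !strings.Contains(arn, ":iam::") || !strings.Contains(arn, ":role/") {
			problems = append(problems, fmt.Sprintf("role_arns entry %q is not an IAM role ARN", arn))
		}
	}

	// The STS TTLs bound the lifetime of assumed_role/federation_token credentials;
	// iam_user credentials are long-lived access keys, so the TTLs do not apply there.
	if (c.DefaultSTSTTL > 0 || c.MaxSTSTTL > 0) && c.CredentialType == "iam_user" {
		problems = append(problems, "default_sts_ttl and max_sts_ttl are only valid for assumed_role and federation_token")
	}
	if c.DefaultSTSTTL < 0 || c.MaxSTSTTL < 0 {
		problems = append(problems, "default_sts_ttl and max_sts_ttl must not be negative")
	}
	if c.MaxSTSTTL > 0 && c.DefaultSTSTTL > c.MaxSTSTTL {
		problems = append(problems, "default_sts_ttl must not exceed max_sts_ttl")
	}

	if len(problems) == 0 {
		return nil
	}
	return errors.New(strings.Join(problems, "; "))
}

func main() {
	// Constructed sample roles; the account ID and role name are made up.
	samples := map[string]AWSRoleConfig{
		"assumed_role with policy filter": {
			CredentialType: "assumed_role",
			RoleARNs:       []string{"arn:aws:iam::123456789012:role/app"},
			PolicyDocument: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"*"}]}`,
			DefaultSTSTTL:  900,
			MaxSTSTTL:      3600,
		},
		"assumed_role without role_arns": {CredentialType: "assumed_role", PolicyARNs: []string{"arn:aws:iam::aws:policy/ReadOnlyAccess"}},
		"iam_user with sts ttl":          {CredentialType: "iam_user", PolicyARNs: []string{"arn:aws:iam::aws:policy/ReadOnlyAccess"}, MaxSTSTTL: 3600},
	}
	for name, cfg := range samples {
		fmt.Printf("%-32s -> %v\n", name, ValidateAWSRoleConfig(cfg))
	}
}
```

Running `main` shows the first sample passing and the other two rejected with a message that names the offending field, which is the behaviour the extended tests in this PR are meant to pin down.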