Backport 9825 1.5.x (#9835)

* Add X-Amz-Credential * Reorder imports * go fmt
hashicorp · Aug 26, 2020 · fc5336e · fc5336e
1 parent 268738a
commit fc5336e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/builtin/credential/aws/backend.go b/builtin/credential/aws/backend.go
@@ -18,8 +18,10 @@ import (
 )
 
 const amzHeaderPrefix = "X-Amz-"
+
 var defaultAllowedSTSRequestHeaders = []string{
 	"X-Amz-Date",
+	"X-Amz-Credential",
 	"X-Amz-Security-Token",
 	"X-Amz-Algorithm",
 	"X-Amz-Signature",

diff --git a/builtin/credential/aws/path_config_client.go b/builtin/credential/aws/path_config_client.go
@@ -3,13 +3,13 @@ package awsauth
 import (
 	"context"
 	"errors"
-	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"net/http"
 	"net/textproto"
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -336,7 +336,7 @@ type clientConfig struct {
 func (c *clientConfig) validateAllowedSTSHeaderValues(headers http.Header) error {
 	for k := range headers {
 		h := textproto.CanonicalMIMEHeaderKey(k)
-		if 	strings.HasPrefix(h, amzHeaderPrefix) &&
+		if strings.HasPrefix(h, amzHeaderPrefix) &&
 			!strutil.StrListContains(defaultAllowedSTSRequestHeaders, h) &&
 			!strutil.StrListContains(c.AllowedSTSHeaderValues, h) {
 			return errors.New("invalid request header: " + k)