From fc5336e29b0e4ce833b0ab75477ab3d80a08a4ac Mon Sep 17 00:00:00 2001 From: Scott Miller Date: Wed, 26 Aug 2020 12:51:21 -0500 Subject: [PATCH] Backport 9825 1.5.x (#9835) * Add X-Amz-Credential * Reorder imports * go fmt --- builtin/credential/aws/backend.go | 2 ++ builtin/credential/aws/path_config_client.go | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/builtin/credential/aws/backend.go b/builtin/credential/aws/backend.go index 8bcd62d2cbf6..d0fca69f8590 100644 --- a/builtin/credential/aws/backend.go +++ b/builtin/credential/aws/backend.go @@ -18,8 +18,10 @@ import ( ) const amzHeaderPrefix = "X-Amz-" + var defaultAllowedSTSRequestHeaders = []string{ "X-Amz-Date", + "X-Amz-Credential", "X-Amz-Security-Token", "X-Amz-Algorithm", "X-Amz-Signature", diff --git a/builtin/credential/aws/path_config_client.go b/builtin/credential/aws/path_config_client.go index dc380a74fdf2..4719f20055ce 100644 --- a/builtin/credential/aws/path_config_client.go +++ b/builtin/credential/aws/path_config_client.go @@ -3,13 +3,13 @@ package awsauth import ( "context" "errors" - "github.com/hashicorp/vault/sdk/helper/strutil" "net/http" "net/textproto" "strings" "github.com/aws/aws-sdk-go/aws" "github.com/hashicorp/vault/sdk/framework" + "github.com/hashicorp/vault/sdk/helper/strutil" "github.com/hashicorp/vault/sdk/logical" ) @@ -336,7 +336,7 @@ type clientConfig struct { func (c *clientConfig) validateAllowedSTSHeaderValues(headers http.Header) error { for k := range headers { h := textproto.CanonicalMIMEHeaderKey(k) - if strings.HasPrefix(h, amzHeaderPrefix) && + if strings.HasPrefix(h, amzHeaderPrefix) && !strutil.StrListContains(defaultAllowedSTSRequestHeaders, h) && !strutil.StrListContains(c.AllowedSTSHeaderValues, h) { return errors.New("invalid request header: " + k)