From 021f4e472a035d0bfd65ff00e3131f2a527ba95e Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core <github-team-consul-core@hashicorp.com>
Date: Wed, 12 Jul 2023 10:43:36 -0500
Subject: [PATCH] Backport of Passes configured role name to Vault for AWS auth
 in Connect CA into release/1.16.x (#18099)

* backport of commit 4034bb2b3eba81ea13bf6d3a62d27094d96ffc24

* backport of commit 9c4c3c50f07d4072bb981c16cf993118fd7f6f1d

* backport of commit 7282078993aa51915afa801bdabded0f78397cb5

---------

Co-authored-by: Tom Davies <thomas.23.davies@bt.com>
---
 .changelog/17885.txt                         |  2 ++
 agent/connect/ca/provider_vault_auth_aws.go  |  7 +++++++
 agent/connect/ca/provider_vault_auth_test.go | 17 ++++++++++++++---
 3 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 .changelog/17885.txt

diff --git a/.changelog/17885.txt b/.changelog/17885.txt
new file mode 100644
index 000000000..2cd690488
--- /dev/null
+++ b/.changelog/17885.txt
@@ -0,0 +1,2 @@
+```release-note:bug
+ca: Fixed a bug where the Vault provider was not passing the configured role param for AWS auth
diff --git a/agent/connect/ca/provider_vault_auth_aws.go b/agent/connect/ca/provider_vault_auth_aws.go
index 59f1c9803..02abf3982 100644
--- a/agent/connect/ca/provider_vault_auth_aws.go
+++ b/agent/connect/ca/provider_vault_auth_aws.go
@@ -72,6 +72,13 @@ func (g *AWSLoginDataGenerator) GenerateLoginData(authMethod *structs.VaultAuthM
 	if err != nil {
 		return nil, fmt.Errorf("aws auth failed to generate login data: %w", err)
 	}
+
+	// If a Vault role name is specified, we need to manually add this
+	role, ok := authMethod.Params["role"]
+	if ok {
+		loginData["role"] = role
+	}
+
 	return loginData, nil
 }
 
diff --git a/agent/connect/ca/provider_vault_auth_test.go b/agent/connect/ca/provider_vault_auth_test.go
index c6979dbbe..74507acb3 100644
--- a/agent/connect/ca/provider_vault_auth_test.go
+++ b/agent/connect/ca/provider_vault_auth_test.go
@@ -278,15 +278,22 @@ func TestVaultCAProvider_AWSCredentialsConfig(t *testing.T) {
 
 func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
 	cases := map[string]struct {
-		expErr error
+		expErr     error
+		authMethod structs.VaultAuthMethod
 	}{
-		"valid login data": {},
+		"valid login data": {
+			authMethod: structs.VaultAuthMethod{},
+		},
+		"with role": {
+			expErr:     nil,
+			authMethod: structs.VaultAuthMethod{Type: "aws", MountPath: "", Params: map[string]interface{}{"role": "test-role"}},
+		},
 	}
 
 	for name, c := range cases {
 		t.Run(name, func(t *testing.T) {
 			ldg := &AWSLoginDataGenerator{credentials: credentials.AnonymousCredentials}
-			loginData, err := ldg.GenerateLoginData(&structs.VaultAuthMethod{})
+			loginData, err := ldg.GenerateLoginData(&c.authMethod)
 			if c.expErr != nil {
 				require.Error(t, err)
 				require.Contains(t, err.Error(), c.expErr.Error())
@@ -307,6 +314,10 @@ func TestVaultCAProvider_AWSLoginDataGenerator(t *testing.T) {
 				require.True(t, exists, "missing expected key: %s", key)
 				require.NotEmpty(t, val, "expected non-empty value for key: %s", key)
 			}
+
+			if c.authMethod.Params["role"] != nil {
+				require.Equal(t, c.authMethod.Params["role"], loginData["role"])
+			}
 		})
 	}
 }