2023-07-18 21:07:55 +00:00
|
|
|
## The AWS auth engine
|
2020-04-30 04:52:03 +00:00
|
|
|
|
|
|
|
Users of the AWS Auth Engine may notice less metadata in their audit logs
|
|
|
|
and associated with the aliases generated by logging in. This is because
|
|
|
|
we corrected a regression where more metadata had been added by default,
|
|
|
|
causing a performance impact for some users at scale.
|
|
|
|
|
|
|
|
Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields:
|
|
|
|
|
|
|
|
- `iam_metadata` `(string: "default")` - The metadata to include on the token
|
|
|
|
returned by the `login` endpoint. This metadata will be added to both audit logs,
|
|
|
|
and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
|
|
|
|
Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
|
|
|
|
`inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
|
|
|
|
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
|
|
|
|
the explicit fields. To restore to defaults, send only a field of `default`.
|
|
|
|
**Only select fields that will have a low rate of change** for your `iam_alias` because
|
|
|
|
each change triggers a storage write and can have a performance impact at scale.
|
|
|
|
- `ec2_metadata` `(string: "default")` - The metadata to include on the token
|
|
|
|
returned by the `login` endpoint. This metadata will be added to both audit logs,
|
|
|
|
and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
|
|
|
|
Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
|
|
|
|
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
|
|
|
|
the explicit fields. To restore to defaults, send only a field of `default`.
|
|
|
|
**Only select fields that will have a low rate of change** for your `ec2_alias` because
|
|
|
|
each change triggers a storage write and can have a performance impact at scale.
|
|
|
|
|
|
|
|
At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset,
|
|
|
|
the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults
|
|
|
|
selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of
|
|
|
|
change for _those_ aliases.
|
|
|
|
|
|
|
|
This was selected because it will cover _most_ use cases. However, the AWS Auth Engine
|
|
|
|
has many use cases, so please do configure the aliases and metadata that makes sense for
|
|
|
|
your organization.
|