open-vault/website/content/partials/aws-auth-metadata-fix.mdx

36 lines
2.3 KiB
Plaintext
Raw Normal View History

## The AWS auth engine
Users of the AWS Auth Engine may notice less metadata in their audit logs
and associated with the aliases generated by logging in. This is because
we corrected a regression where more metadata had been added by default,
causing a performance impact for some users at scale.
Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields:
- `iam_metadata` `(string: "default")` - The metadata to include on the token
returned by the `login` endpoint. This metadata will be added to both audit logs,
and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
`inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
the explicit fields. To restore to defaults, send only a field of `default`.
**Only select fields that will have a low rate of change** for your `iam_alias` because
each change triggers a storage write and can have a performance impact at scale.
- `ec2_metadata` `(string: "default")` - The metadata to include on the token
returned by the `login` endpoint. This metadata will be added to both audit logs,
and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
the explicit fields. To restore to defaults, send only a field of `default`.
**Only select fields that will have a low rate of change** for your `ec2_alias` because
each change triggers a storage write and can have a performance impact at scale.
At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset,
the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults
selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of
change for _those_ aliases.
This was selected because it will cover _most_ use cases. However, the AWS Auth Engine
has many use cases, so please do configure the aliases and metadata that makes sense for
your organization.