open-vault/website/content/partials/aws-auth-metadata-fix.mdx

## The AWS Auth Engine

Users of the AWS Auth Engine may notice less metadata in their audit logs
and associated with the aliases generated by logging in. This is because
we corrected a regression where more metadata had been added by default,
causing a performance impact for some users at scale.

Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields:

- `iam_metadata` `(string: "default")` - The metadata to include on the token
  returned by the `login` endpoint. This metadata will be added to both audit logs,
  and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
  Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
  `inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
  set to `""` via the CLI or `[]` via the API. To use only particular fields, select
  the explicit fields. To restore to defaults, send only a field of `default`.
  **Only select fields that will have a low rate of change** for your `iam_alias` because
  each change triggers a storage write and can have a performance impact at scale.
- `ec2_metadata` `(string: "default")` - The metadata to include on the token
  returned by the `login` endpoint. This metadata will be added to both audit logs,
  and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
  Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
  set to `""` via the CLI or `[]` via the API. To use only particular fields, select
  the explicit fields. To restore to defaults, send only a field of `default`.
  **Only select fields that will have a low rate of change** for your `ec2_alias` because
  each change triggers a storage write and can have a performance impact at scale.

At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset,
the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults
selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of
change for _those_ aliases.

This was selected because it will cover _most_ use cases. However, the AWS Auth Engine
has many use cases, so please do configure the aliases and metadata that makes sense for
your organization.
Add AWS auth metadata changes to upgrade guide (#8887) * add aws auth metadata changes to upgrade guide 2020-04-30 04:52:03 +00:00			`## The AWS Auth Engine`

			`Users of the AWS Auth Engine may notice less metadata in their audit logs`
			`and associated with the aliases generated by logging in. This is because`
			`we corrected a regression where more metadata had been added by default,`
			`causing a performance impact for some users at scale.`

			Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields:

			- `iam_metadata` `(string: "default")` - The metadata to include on the token
			returned by the `login` endpoint. This metadata will be added to both audit logs,
			and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
			Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
			`inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
			set to `""` via the CLI or `[]` via the API. To use only particular fields, select
			the explicit fields. To restore to defaults, send only a field of `default`.
			Only select fields that will have a low rate of change for your `iam_alias` because
			`each change triggers a storage write and can have a performance impact at scale.`
			- `ec2_metadata` `(string: "default")` - The metadata to include on the token
			returned by the `login` endpoint. This metadata will be added to both audit logs,
			and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
			Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
			set to `""` via the CLI or `[]` via the API. To use only particular fields, select
			the explicit fields. To restore to defaults, send only a field of `default`.
			Only select fields that will have a low rate of change for your `ec2_alias` because
			`each change triggers a storage write and can have a performance impact at scale.`

			At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset,
			the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults
			selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of
			`change for _those_ aliases.`

			`This was selected because it will cover _most_ use cases. However, the AWS Auth Engine`
			`has many use cases, so please do configure the aliases and metadata that makes sense for`
			`your organization.`