Allow auto-detection of AWS region when using the vault CLI (#14051)

2022-02-14 12:01:27 -08:00 · 2022-02-14 12:01:27 -08:00 · 0712ef13fc
parent 687469552c
commit 0712ef13fc
3 changed files with 27 additions and 12 deletions
--- a/builtin/credential/aws/cli.go
+++ b/builtin/credential/aws/cli.go
@ -44,8 +44,14 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
 	}

 	region := m["region"]
-	if region == "" {
+	switch region {
+	case "":
+		// The CLI has always defaulted to "us-east-1" if a region is not provided.
 		region = awsutil.DefaultRegion
+	case "auto":
+		// Beginning in 1.10 we also accept the "auto" value, which uses the region detection logic in
+		// awsutil.GetRegion() to determine the region. That behavior is triggered when region = "".
+		region = ""
 	}

 	loginData, err := awsutil.GenerateLoginData(creds, headerValue, region, hlogger)
@ -73,8 +79,8 @@ func (h *CLIHandler) Help() string {
 Usage: vault login -method=aws [CONFIG K=V...]

  The AWS auth method allows users to authenticate with AWS IAM
-  credentials. The AWS IAM credentials may be specified in a number of ways,
-  listed in order of precedence below:
+  credentials. The AWS IAM credentials, and optionally the AWS region, may be 
+  specified in a number of ways, listed in order of precedence below:

    1. Explicitly via the command line (not recommended)

@ -112,6 +118,11 @@ Configuration:
      here as well. If specified here, it takes precedence over the value for
      -path. The default value is "aws".

+  region=<string>
+      Explicit AWS region to reach out to for authentication request signing. A value
+      of "auto" enables auto-detection of region based on the precedence described above.
+      Defaults to "us-east-1" if not specified.
+
  role=<string>
      Name of the role to request a token against

--- a/changelog/14051.txt
+++ b/changelog/14051.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+auth/aws: Enable region detection in the CLI by specifying the region as `auto`
+```
--- a/website/content/docs/auth/aws.mdx
+++ b/website/content/docs/auth/aws.mdx
@ -658,8 +658,9 @@ The region used defaults to `us-east-1`, but you can specify a custom region lik
 $ vault login -method=aws region=us-west-2 role=dev-role-iam
 ```

-When using a custom region, be sure the designated region corresponds to that of the
-STS endpoint you're using.
+If the region is specified as `auto`, the Vault CLI will determine the region based
+on standard AWS credentials precedence as described earlier. Whichever method is used,
+be sure the designated region corresponds to that of the STS endpoint you're using.

 An example of how to generate the required request values for the `login` method
 can be found found in the [vault cli
@ -833,9 +834,9 @@ using VaultSharp.V1.SecretsEngines.AWS;

 namespace Examples
 {
-    public class AwsAuthExample 
+    public class AwsAuthExample
    {
-        /// <summary> 
+        /// <summary>
        /// Fetches a key-value secret (kv-v2) after authenticating to Vault via AWS IAM,
        /// one of two auth methods used to authenticate with AWS (the other is EC2 auth).
        /// </summary>
@ -856,12 +857,12 @@ namespace Examples
            var amazonSecurityTokenServiceConfig = new AmazonSecurityTokenServiceConfig();

            // Initialize BasicAWS Credentials w/ an accessKey and secretKey
-            Amazon.Runtime.AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey: Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"), 
+            Amazon.Runtime.AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey: Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID"),
                                                                secretKey: Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY"));
-            
+
            // Construct the IAM Request and add necessary headers
            var iamRequest = GetCallerIdentityRequestMarshaller.Instance.Marshall(new GetCallerIdentityRequest());
-            
+
            iamRequest.Endpoint = new Uri(amazonSecurityTokenServiceConfig.DetermineServiceURL());
            iamRequest.ResourcePath = "/";

@ -883,9 +884,9 @@ namespace Examples
            // We can retrieve the secret from the VaultClient object
            Secret<SecretData> kv2Secret = null;
            kv2Secret = vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(path: "/creds").Result;
-            
+
            var password = kv2Secret.Data.Data["password"];
-            
+
            return password.ToString();
        }
    }