diff --git a/builtin/credential/aws/path_config_rotate_root.go b/builtin/credential/aws/path_config_rotate_root.go
index d5553632d..125056234 100644
--- a/builtin/credential/aws/path_config_rotate_root.go
+++ b/builtin/credential/aws/path_config_rotate_root.go
@@ -145,6 +145,10 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 }
 }()
+ oldAccessKey := clientConf.AccessKey
+ clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
+ clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
+
 // Now get ready to update storage, doing everything beforehand so we can minimize how long
 // we need to hold onto the lock.
 newEntry, err := b.configClientToEntry(clientConf)
@@ -153,10 +157,6 @@ func (b *backend) pathConfigRotateRootUpdate(ctx context.Context, req *logical.R
 return nil, errs
 }
- oldAccessKey := clientConf.AccessKey
- clientConf.AccessKey = *createAccessKeyRes.AccessKey.AccessKeyId
- clientConf.SecretKey = *createAccessKeyRes.AccessKey.SecretAccessKey
-
 // Someday we may want to allow the user to send a number of seconds to wait here
 // before deleting the previous access key to allow work to complete. That would allow
 // AWS, which is eventually consistent, to finish populating the new key in all places.
diff --git a/builtin/credential/aws/path_config_rotate_root_test.go b/builtin/credential/aws/path_config_rotate_root_test.go
index 7f585e47e..59361090f 100644
--- a/builtin/credential/aws/path_config_rotate_root_test.go
+++ b/builtin/credential/aws/path_config_rotate_root_test.go
@@ -3,13 +3,11 @@ package awsauth
 import (
 "context"
 "testing"
- "time"
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/iam"
 "github.com/aws/aws-sdk-go/service/iam/iamiface"
- "github.com/hashicorp/go-hclog"
 "github.com/hashicorp/go-secure-stdlib/awsutil"
 "github.com/hashicorp/vault/sdk/logical"
 )
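Review bot: Nothing in the first hunk records why the three assignments into clientConf must now precede `b.configClientToEntry(clientConf)`, even though that ordering is the entire fix: the entry is built from clientConf, so the previous placement persisted the old access key while the code further down (outside the hunk) deletes that key from IAM, leaving storage pointing at revoked credentials. A why-comment above `oldAccessKey := clientConf.AccessKey` would guard against the regression, e.g. `// Swap the new key pair into clientConf before the storage entry is built from it; assigning afterwards would persist the old access key that is deleted below.` The second hunk of this file only removes the old placement and needs no separate note. pathConfigRotateRootUpdate starts and ends outside the hunk, so whether the deferred cleanup closing at `}()` also restores clientConf if a later step fails cannot be confirmed from here.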
@@ -33,15 +31,13 @@ func TestPathConfigRotateRoot(t *testing.T) {
 }
 ctx := context.Background()
+ config := logical.TestBackendConfig()
+ logical.TestBackendConfig()
 storage := &logical.InmemStorage{}
- b, err := Factory(ctx, &logical.BackendConfig{
- StorageView: storage,
- Logger: hclog.Default(),
- System: &logical.StaticSystemView{
- DefaultLeaseTTLVal: time.Hour,
- MaxLeaseTTLVal: time.Hour,
- },
- })
+ config.StorageView = storage
+
+ b, err := Backend(config)
+
 if err != nil {
 t.Fatal(err)
 }
@@ -76,4 +72,8 @@ func TestPathConfigRotateRoot(t *testing.T) {
 if resp.Data["access_key"].(string) != "fizz2" {
 t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
 }
+ newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
+ if resp.Data["access_key"].(string) != newClientConf.AccessKey {
+ t.Fatalf("expected new access key buzz2 to be saved to storage but receieved %s", clientConf.AccessKey)
+ }
 }
diff --git a/changelog/12715.txt b/changelog/12715.txt
new file mode 100644
index 000000000..b4a61a7de
--- /dev/null
+++ b/changelog/12715.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: fix config/rotate-root to store new key
+```
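Review bot: The added line `logical.TestBackendConfig()` directly after `config := logical.TestBackendConfig()` discards its result and does nothing; it should be deleted, keeping only the assignment. Replacing `Factory` with `Backend(config)` also drops whatever `Factory` did after constructing the backend (presumably a setup step), so it is worth confirming that the request handling later in TestPathConfigRotateRoot does not depend on it. The function body continues outside the hunk.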
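Review bot: The `err` returned by `b.nonLockedClientConfigEntry(ctx, req.Storage)` is never checked, so a storage read failure or a missing entry would surface as a nil dereference on `newClientConf.AccessKey` instead of a clear test failure, which undercuts the assertion this commit exists to add. The Fatalf message also prints `clientConf.AccessKey` (the pre-rotation config) rather than the value read back from storage, keeps the pre-existing `buzz2` wording while the check above expects `fizz2`, and misspells "received". The rest of TestPathConfigRotateRoot is outside the hunk.
```go
	newClientConf, err := b.nonLockedClientConfigEntry(ctx, req.Storage)
	if err != nil {
		t.Fatalf("reading rotated client config from storage: %v", err)
	}
	if newClientConf == nil {
		t.Fatal("expected rotated client config to be saved to storage, got no entry")
	}
	if got := newClientConf.AccessKey; got != resp.Data["access_key"].(string) {
		t.Fatalf("expected new access key fizz2 to be saved to storage but received %q", got)
	}
```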