Add AWS auth metadata changes to upgrade guide (#8887)

* add aws auth metadata changes to upgrade guide
Becca Petrin 2020-04-29 21:52:03 -07:00 committed by GitHub
parent 5d1b7e38e6
commit 62d266e9b7
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 51 additions and 0 deletions


@ -385,6 +385,7 @@ export default [
'upgrade-to-1.3.2',
'upgrade-to-1.3.3',
'upgrade-to-1.3.4',
'upgrade-to-1.3.5',
'upgrade-to-1.4.0'
]
},
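Review bot: the sidebar now lists `'upgrade-to-1.3.5'`, but the new AWS auth metadata partial is only wired into that one page; the existing `'upgrade-to-1.4.0'` entry is untouched. If the same regression fix also ships in a 1.4.x release, the corresponding 1.4.x upgrade page should `@include 'partials/aws-auth-metadata-fix.mdx'` as well, otherwise an operator going straight from 1.3.4 to 1.4.x never sees the audit-log behavior change.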


@ -0,0 +1,15 @@
---
layout: docs
page_title: Upgrading to Vault 1.3.5 - Guides
sidebar_title: Upgrade to 1.3.5
description: |-
This page contains the list of deprecations and important or breaking changes
for Vault 1.3.5. Please read it carefully.
---
# Overview
This page contains the list of deprecations and important or breaking changes
for Vault 1.3.4 compared to 1.3.5. Please read it carefully.
@include 'partials/aws-auth-metadata-fix.mdx'


@ -0,0 +1,35 @@
## The AWS Auth Engine
Users of the AWS Auth Engine may notice less metadata in their audit logs
and associated with the aliases generated by logging in. This is because
we corrected a regression where more metadata had been added by default,
causing a performance impact for some users at scale.
Now, in the `/auth/aws/config/identity` endpoint, we have added the following fields:
- `iam_metadata` `(string: "default")` - The metadata to include on the token
returned by the `login` endpoint. This metadata will be added to both audit logs,
and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
`inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
the explicit fields. To restore to defaults, send only a field of `default`.
**Only select fields that will have a low rate of change** for your `iam_alias` because
each change triggers a storage write and can have a performance impact at scale.
- `ec2_metadata` `(string: "default")` - The metadata to include on the token
returned by the `login` endpoint. This metadata will be added to both audit logs,
and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
the explicit fields. To restore to defaults, send only a field of `default`.
**Only select fields that will have a low rate of change** for your `ec2_alias` because
each change triggers a storage write and can have a performance impact at scale.
At the `/auth/aws/config/identity` endpoint, if the `iam_alias` and `ec2_alias` are unset,
the `role_id` used for login is the default alias used for auth metadata. Thus, the defaults
selected for the `iam_metadata` and `ec2_metadata` are fields that would have a low rate of
change for _those_ aliases.
This was selected because it will cover _most_ use cases. However, the AWS Auth Engine
has many use cases, so please do configure the aliases and metadata that makes sense for
your organization.
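Review bot: the type annotations on `iam_metadata` and `ec2_metadata` read `(string: "default")`, yet the same bullets tell the reader to send `[]` via the API, which only makes sense if the API field is a list of strings that the CLI accepts comma-separated; the annotation should state the real type, and one worked `vault write auth/aws/config/identity ...` line showing the CLI form next to the JSON list form would remove the ambiguity. The opening paragraph should also say plainly that this changes audit-log content, not just alias metadata: any SIEM rule or attribution query that keys on `canonical_arn`, `client_arn` or `client_user_id` in login entries (or `instance_id` for EC2 logins) will go silent after the upgrade until those fields are explicitly re-added via `iam_metadata` or `ec2_metadata`, and the "low rate of change" warning should be read against that need for attribution when choosing which fields to restore.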