luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

document aws auth metadata (#8880)

This commit is contained in:
Becca Petrin 2020-04-29 07:36:38 -07:00 committed by GitHub
parent 38acc09a2f
commit 74c1bf6894
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
website/pages/api-docs/auth/aws/index.mdx
View File

@ -160,6 +160,16 @@ This configures the way that Vault interacts with the
Vault won't be aware and any identity aliases set up for the role name will
still be valid.
- `iam_metadata` `(string: "default")` - The metadata to include on the token
returned by the `login` endpoint. This metadata will be added to both audit logs,
and on the `iam_alias`. By default, it includes `account_id` and `auth_type`.
Additionally, `canonical_arn`, `client_arn`, `client_user_id`, `inferred_aws_region`,
`inferred_entity_id`, and `inferred_entity_type` are available. To include no metadata,
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
the explicit fields. To restore to defaults, send only a field of `default`.
**Only select fields that will have a low rate of change** for your `iam_alias` because
each change triggers a storage write and can have a performance impact at scale.
- `ec2_alias` `(string: "role_id")` - Configures how to generate the identity
alias when using the `ec2` auth method. Valid choices are `role_id`,
`instance_id`, and `image_id`. When `role_id` is selected, the randomly
@ -167,6 +177,15 @@ This configures the way that Vault interacts with the
instance identifier is used as the identity alias name. When `image_id` is
selected, AMI ID of the instance is used as the identity alias name.
- `ec2_metadata` `(string: "default")` - The metadata to include on the token
returned by the `login` endpoint. This metadata will be added to both audit logs,
and on the `ec2_alias`. By default, it includes `account_id` and `auth_type`.
Additionally, `ami_id`, `instance_id`, and `region`, are available. To include no metadata,
set to `""` via the CLI or `[]` via the API. To use only particular fields, select
the explicit fields. To restore to defaults, send only a field of `default`.
**Only select fields that will have a low rate of change** for your `ec2_alias` because
each change triggers a storage write and can have a performance impact at scale.
### Sample Payload
```json