Add reading AWS root/config endpoint (#7245)

builtin/logical/aws/path_config_root.go

@@ -42,6 +42,7 @@ func pathConfigRoot(b *backend) *framework.Path {
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.ReadOperation:   b.pathConfigRootRead,
 			logical.UpdateOperation: b.pathConfigRootWrite,
 		},
 
@@ -50,6 +51,36 @@ func pathConfigRoot(b *backend) *framework.Path {
 	}
 }
 
+func (b *backend) pathConfigRootRead(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	b.clientMutex.RLock()
+	defer b.clientMutex.RUnlock()
+
+	entry, err := req.Storage.Get(ctx, "config/root")
+	if err != nil {
+		return nil, err
+	}
+	if entry == nil {
+		return nil, nil
+	}
+
+	var config rootConfig
+
+	if err := entry.DecodeJSON(&config); err != nil {
+		return nil, err
+	}
+
+	configData := map[string]interface{}{
+		"access_key":   config.AccessKey,
+		"region":       config.Region,
+		"iam_endpoint": config.IAMEndpoint,
+		"sts_endpoint": config.STSEndpoint,
+		"max_retries":  config.MaxRetries,
+	}
+	return &logical.Response{
+		Data: configData,
+	}, nil
+}
+
 func (b *backend) pathConfigRootWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	region := data.Get("region").(string)
 	iamendpoint := data.Get("iam_endpoint").(string)

builtin/logical/aws/path_config_root_test.go

@@ -0,0 +1,54 @@
+package aws
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+func TestBackend_PathConfigRoot(t *testing.T) {
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+
+	b := Backend()
+	if err := b.Setup(context.Background(), config); err != nil {
+		t.Fatal(err)
+	}
+
+	configData := map[string]interface{}{
+		"access_key":   "AKIAEXAMPLE",
+		"secret_key":   "RandomData",
+		"region":       "us-west-2",
+		"iam_endpoint": "https://iam.amazonaws.com",
+		"sts_endpoint": "https://sts.us-west-2.amazonaws.com",
+		"max_retries":  10,
+	}
+
+	configReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Storage:   config.StorageView,
+		Path:      "config/root",
+		Data:      configData,
+	}
+
+	resp, err := b.HandleRequest(context.Background(), configReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: config writing failed: resp:%#v\n err: %v", resp, err)
+	}
+
+	resp, err = b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.ReadOperation,
+		Storage:   config.StorageView,
+		Path:      "config/root",
+	})
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: config reading failed: resp:%#v\n err: %v", resp, err)
+	}
+
+	delete(configData, "secret_key")
+	if !reflect.DeepEqual(resp.Data, configData) {
+		t.Errorf("bad: expected to read config root as %#v, got %#v instead", configData, resp.Data)
+	}
+}

website/source/api/secret/aws/index.html.md

@@ -81,6 +81,36 @@ $ curl \
     http://127.0.0.1:8200/v1/aws/config/root
 ```
 
+## Read Root Configuration
+
+This endpoint allows you to read non-secure values that have been configured in the
+`config/root` endpoint. In particular, the `secret_key` parameter is never returned.
+
+| Method   | Path                         |
+| :--------------------------- | :--------------------- |
+| `GET`   | `/aws/config/root`           |
+
+### Sample Request
+```
+$ curl
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/aws/config/root
+
+```
+
+### Sample Response
+```json
+{
+  "data": {
+    "access_key": "AKIAEXAMPLE",
+    "region": "us-west-2",
+    "iam_endpoint": "https://iam.amazonaws.com",
+    "sts_endpoint": "https://sts.us-west-2.amazonaws.com",
+    "max_retries": -1
+  }
+}
+```
+
 ## Rotate Root IAM Credentials
 
 When you have configured Vault with static credentials, you can use this