Add aws metadata to identity alias (#7985)

* Add aws metadata to identity alias This allows for writing identity token templates that include these attributes (And including these attributes in path templates) * Add alias metadata asserstion to IAM login check
2020-01-09 17:12:30 -06:00 · 2020-01-09 17:12:30 -06:00 · ac974a814e
parent a94f2d3e6f
commit ac974a814e
2 changed files with 33 additions and 0 deletions
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@ -839,6 +839,12 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 		},
 		Alias: &logical.Alias{
 			Name: identityAlias,
+			Metadata: map[string]string{
+				"instance_id": identityDocParsed.InstanceID,
+				"region":      identityDocParsed.Region,
+				"account_id":  identityDocParsed.AccountID,
+				"ami_id":      identityDocParsed.AmiID,
+			},
 		},
 	}
 	roleEntry.PopulateTokenAuth(auth)
@ -1359,6 +1365,16 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 		DisplayName: entity.FriendlyName,
 		Alias: &logical.Alias{
 			Name: identityAlias,
+			Metadata: map[string]string{
+				"client_arn":           callerID.Arn,
+				"canonical_arn":        entity.canonicalArn(),
+				"client_user_id":       callerUniqueId,
+				"auth_type":            iamAuthType,
+				"inferred_entity_type": inferredEntityType,
+				"inferred_entity_id":   inferredEntityID,
+				"inferred_aws_region":  roleEntry.InferredAWSRegion,
+				"account_id":           entity.AccountNumber,
+			},
 		},
 	}
 	roleEntry.PopulateTokenAuth(auth)
--- a/builtin/credential/aws/path_login_test.go
+++ b/builtin/credential/aws/path_login_test.go
@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"reflect"
 	"strings"
 	"testing"

@ -231,6 +232,18 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
 		t.Fatal(err)
 	}

+	expectedAliasMetadata := map[string]string{
+		"account_id":     "123456789012",
+		"auth_type":      "iam",
+		"canonical_arn":  "arn:aws:iam::123456789012:user/valid-role",
+		"client_arn":     "arn:aws:iam::123456789012:user/valid-role",
+		"client_user_id": "ASOMETHINGSOMETHINGSOMETHING",
+		// Note there is no inferred entity, so these fields should be empty
+		"inferred_aws_region":  "",
+		"inferred_entity_id":   "",
+		"inferred_entity_type": "",
+	}
+
 	// expected errors for certain tests
 	missingHeaderErr := errors.New("error validating X-Vault-AWS-IAM-Server-ID header: missing header \"X-Vault-AWS-IAM-Server-ID\"")
 	parsingErr := errors.New("error making upstream request: error parsing STS response")
@ -325,6 +338,10 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
 				}
 				t.Errorf("un expected failed login:\nresp: %#v\n\nerr: %v", resp, err)
 			}
+
+			if !reflect.DeepEqual(expectedAliasMetadata, resp.Auth.Alias.Metadata) {
+				t.Errorf("expected metadata (%#v) to match (%#v)", expectedAliasMetadata, resp.Auth.Alias.Metadata)
+			}
 		})
 	}
 }