diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 94e34d631..6725617a8 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -839,6 +839,12 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 },
 Alias: &logical.Alias{
 Name: identityAlias,
+ Metadata: map[string]string{
+ "instance_id": identityDocParsed.InstanceID,
+ "region": identityDocParsed.Region,
+ "account_id": identityDocParsed.AccountID,
+ "ami_id": identityDocParsed.AmiID,
+ },
 },
 }
 roleEntry.PopulateTokenAuth(auth)
@@ -1359,6 +1365,16 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 DisplayName: entity.FriendlyName,
 Alias: &logical.Alias{
 Name: identityAlias,
+ Metadata: map[string]string{
+ "client_arn": callerID.Arn,
+ "canonical_arn": entity.canonicalArn(),
+ "client_user_id": callerUniqueId,
+ "auth_type": iamAuthType,
+ "inferred_entity_type": inferredEntityType,
+ "inferred_entity_id": inferredEntityID,
+ "inferred_aws_region": roleEntry.InferredAWSRegion,
+ "account_id": entity.AccountNumber,
+ },
 },
 }
 roleEntry.PopulateTokenAuth(auth)
diff --git a/builtin/credential/aws/path_login_test.go b/builtin/credential/aws/path_login_test.go
index effca6efd..59d120d53 100644
--- a/builtin/credential/aws/path_login_test.go
+++ b/builtin/credential/aws/path_login_test.go
@@ -7,6 +7,7 @@ import (
 "net/http"
 "net/http/httptest"
 "net/url"
+ "reflect"
 "strings"
 "testing"
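Review bot: The EC2 alias metadata carries no `auth_type` entry while the IAM block in the next hunk sets `"auth_type": iamAuthType`, so a policy template or external-group rule keyed on alias metadata cannot tell which login path produced the alias; adding `"auth_type": ec2AuthType,` (the ec2 counterpart of iamAuthType, if that is the constant's name) keeps the two maps parallel. These keys are readable by identity templating and group mappings once stored on the alias, so renaming one later is a silent breaking change; a comment above the map such as `// Alias metadata keys are consumed by identity templating and group mappings; treat them as a stable interface.` would make that explicit. pathLoginUpdateEc2 begins and continues outside the hunk.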
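Review bot: `client_arn` is filled from `callerID.Arn`, and if callerID is the parsed GetCallerIdentity result (as the surrounding code suggests) that ARN for an assumed-role caller is the STS session ARN, whose session name is chosen by the caller; `canonical_arn` from `entity.canonicalArn()` does not carry that caller-chosen part. Since alias metadata is readable by policy templates, the map should document which of the two is safe to authorize on, e.g. `// client_arn may embed a caller-chosen session name; use canonical_arn for authorization decisions.`. Presumably the identity store also replaces alias metadata on each login, so successive logins by different sessions of the same role will overwrite these values on one alias; a one-line comment stating that is intended would keep it from being read as a bug. pathLoginUpdateIam begins and continues outside the hunk.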
@@ -231,6 +232,18 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
 t.Fatal(err)
 }
+ expectedAliasMetadata := map[string]string{
+ "account_id": "123456789012",
+ "auth_type": "iam",
+ "canonical_arn": "arn:aws:iam::123456789012:user/valid-role",
+ "client_arn": "arn:aws:iam::123456789012:user/valid-role",
+ "client_user_id": "ASOMETHINGSOMETHINGSOMETHING",
+ // Note there is no inferred entity, so these fields should be empty
+ "inferred_aws_region": "",
+ "inferred_entity_id": "",
+ "inferred_entity_type": "",
+ }
+
 // expected errors for certain tests
 missingHeaderErr := errors.New("error validating X-Vault-AWS-IAM-Server-ID header: missing header \"X-Vault-AWS-IAM-Server-ID\"")
 parsingErr := errors.New("error making upstream request: error parsing STS response")
@@ -325,6 +338,10 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
 }
 t.Errorf("un expected failed login:\nresp: %#v\n\nerr: %v", resp, err)
 }
+
+ if !reflect.DeepEqual(expectedAliasMetadata, resp.Auth.Alias.Metadata) {
+ t.Errorf("expected metadata (%#v) to match (%#v)", expectedAliasMetadata, resp.Auth.Alias.Metadata)
+ }
 })
 }
 }
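Review bot: The new `reflect.DeepEqual` check dereferences `resp.Auth.Alias.Metadata` unconditionally, but it sits right after a `t.Errorf` (not `t.Fatalf`) that fires on an unexpected login failure, and the same table includes cases that expect errors (missingHeaderErr, parsingErr); unless the `if` block closing just above the inserted lines returns or continues for those cases, `resp` or `resp.Auth` is nil there and the subtest panics instead of reporting a failure. Guard before comparing: `if resp == nil || resp.Auth == nil || resp.Auth.Alias == nil { t.Fatalf("expected alias in login response, got %#v", resp) }`, or turn the preceding `t.Errorf` into `t.Fatalf`. That enclosing `if` and the subtest closure begin outside the hunk.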