Add aws metadata to identity alias (#7985)
* Add aws metadata to identity alias This allows for writing identity token templates that include these attributes (And including these attributes in path templates) * Add alias metadata asserstion to IAM login check
This commit is contained in:
parent
a94f2d3e6f
commit
ac974a814e
|
@ -839,6 +839,12 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
|
|||
},
|
||||
Alias: &logical.Alias{
|
||||
Name: identityAlias,
|
||||
Metadata: map[string]string{
|
||||
"instance_id": identityDocParsed.InstanceID,
|
||||
"region": identityDocParsed.Region,
|
||||
"account_id": identityDocParsed.AccountID,
|
||||
"ami_id": identityDocParsed.AmiID,
|
||||
},
|
||||
},
|
||||
}
|
||||
roleEntry.PopulateTokenAuth(auth)
|
||||
|
@ -1359,6 +1365,16 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
|
|||
DisplayName: entity.FriendlyName,
|
||||
Alias: &logical.Alias{
|
||||
Name: identityAlias,
|
||||
Metadata: map[string]string{
|
||||
"client_arn": callerID.Arn,
|
||||
"canonical_arn": entity.canonicalArn(),
|
||||
"client_user_id": callerUniqueId,
|
||||
"auth_type": iamAuthType,
|
||||
"inferred_entity_type": inferredEntityType,
|
||||
"inferred_entity_id": inferredEntityID,
|
||||
"inferred_aws_region": roleEntry.InferredAWSRegion,
|
||||
"account_id": entity.AccountNumber,
|
||||
},
|
||||
},
|
||||
}
|
||||
roleEntry.PopulateTokenAuth(auth)
|
||||
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"reflect"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
|
@ -231,6 +232,18 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
|
||||
expectedAliasMetadata := map[string]string{
|
||||
"account_id": "123456789012",
|
||||
"auth_type": "iam",
|
||||
"canonical_arn": "arn:aws:iam::123456789012:user/valid-role",
|
||||
"client_arn": "arn:aws:iam::123456789012:user/valid-role",
|
||||
"client_user_id": "ASOMETHINGSOMETHINGSOMETHING",
|
||||
// Note there is no inferred entity, so these fields should be empty
|
||||
"inferred_aws_region": "",
|
||||
"inferred_entity_id": "",
|
||||
"inferred_entity_type": "",
|
||||
}
|
||||
|
||||
// expected errors for certain tests
|
||||
missingHeaderErr := errors.New("error validating X-Vault-AWS-IAM-Server-ID header: missing header \"X-Vault-AWS-IAM-Server-ID\"")
|
||||
parsingErr := errors.New("error making upstream request: error parsing STS response")
|
||||
|
@ -325,6 +338,10 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
|
|||
}
|
||||
t.Errorf("un expected failed login:\nresp: %#v\n\nerr: %v", resp, err)
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(expectedAliasMetadata, resp.Auth.Alias.Metadata) {
|
||||
t.Errorf("expected metadata (%#v) to match (%#v)", expectedAliasMetadata, resp.Auth.Alias.Metadata)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue