Commit graph

26 commits

Author SHA1 Message Date
Brian Kassouf fc2e32df7c
Fix identity link (#5449) 2018-10-02 17:45:17 -07:00
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is uses as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
Richard Lane 43837ecdf1 Documentation correction - update list identity whitelist sample request (#5369)
Path was incorrectly referencing the roletag-blacklist

Updated the sample to match the correct path
2018-09-19 21:21:57 -07:00
Clint 5f5af90dfe
Update AWS auth backend iam_request_headers to be TypeHeader (#5320)
Update AWS Auth backend to use TypeHeader for iam request headers

- Remove parseIamRequestHeaders function and test, no longer needed with new TypeHeader
- Update AWS auth login docs
2018-09-12 16:16:16 -05:00
Jeff Escalante 2a21e85580 html syntax corrections (#5009) 2018-08-07 10:34:35 -07:00
Becca Petrin d9ac83569b
clarify aws role tag doc (#4797) 2018-06-19 15:59:57 -07:00
Jeff Mitchell 43d9ae5c0a
Update index.html.md
Fixes #4763
2018-06-14 10:19:38 -04:00
Jeff Mitchell 30dc66221c Flip documented resolve_aws_unique_id value
Fixes #4583
2018-05-18 12:05:52 -04:00
Sohex efd0023d89 Update index.html.md (#4372)
Remove duplicate of max_ttl description from end of period description under create role parameters.
2018-04-17 11:05:50 -04:00
Seth Vargo 0b827774ae Drop vault.rocks (#4186) 2018-03-23 11:41:51 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Joel Thompson 3e2006eb13 Allow non-prefix-matched IAM role and instance profile ARNs in AWS auth backend (#4071)
* Update aws auth docs with new semantics

Moving away from implicitly globbed bound_iam_role_arn and
bound_iam_instance_profile_arn variables to make them explicit

* Refactor tests to reduce duplication

auth/aws EC2 login tests had the same flow duplicated a few times, so
refactoring to reduce duplication

* Add tests for aws auth explicit wildcard constraints

* Remove implicit prefix matching from AWS auth backend

In the aws auth backend, bound_iam_role_arn and
bound_iam_instance_profile_arn were ALWAYS prefix matched, and there was
no way to opt out of this implicit prefix matching. This now makes the
implicit prefix matching an explicit opt-in feature by requiring users
to specify a * at the end of an ARN if they want the prefix matching.
2018-03-17 21:24:49 -04:00
Joel Thompson 39dc981301 auth/aws: Allow binding by EC2 instance IDs (#3816)
* auth/aws: Allow binding by EC2 instance IDs

This allows specifying a list of EC2 instance IDs that are allowed to
bind to the role. To keep style formatting with the other bindings, this
is still called bound_ec2_instance_id rather than bound_ec2_instance_ids
as I intend to convert the other bindings to accept lists as well (where
it makes sense) and keeping them with singular names would be the
easiest for backwards compatibility.

Partially fixes #3797
2018-03-15 09:19:28 -07:00
Joel Thompson e4949d644b auth/aws: Allow lists in binds (#3907)
* auth/aws: Allow lists in binds

In the aws auth method, allow a number of binds to take in lists
instead of a single string value. The intended semantic is that, for
each bind type set, clients must match at least one of each of the bind
types set in order to authenticate.
2018-03-02 11:09:14 -05:00
Jeff Mitchell 6f6b4521fa Update website for AWS client max_retries 2018-02-16 11:13:55 -05:00
Joel Thompson c61ac21e6c auth/aws: Improve role tag docs as suggested on mailing list (#3915)
Fixes the ambiguity called out in
https://groups.google.com/forum/#!msg/vault-tool/X3s7YY0An_w/yH0KFQxlBgAJ
2018-02-12 17:39:17 -05:00
Jeff Mitchell d1803098ae Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 14:02:31 -05:00
Joel Thompson 2c8cd19e14 auth/aws: Make disallow_reauthentication and allow_instance_migration mutually exclusive (#3291) 2017-11-06 17:12:07 -05:00
Seth Vargo 83b1eb900a
More naming cleanup 2017-10-24 09:35:03 -04:00
Seth Vargo c5665920f6
Standardize on "auth method"
This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method
2017-10-24 09:32:15 -04:00
Alex Dadgar f56e191020 Fix spelling errors (#3390) 2017-09-28 07:54:40 -04:00
Vishal Nayak abcf4b3bb2 docs: Added certificate deletion operation API (#3385) 2017-09-26 20:28:52 -04:00
Chris Hoffman cfa74e6a95 remove token header from login samples (#3320) 2017-09-11 18:14:05 -04:00
Joel Thompson caf90f58d8 auth/aws: Allow wildcard in bound_iam_principal_id (#3213) 2017-08-30 17:51:48 -04:00
Chris Hoffman 27598ce960 Add GET variant on LIST endpoints (#3232) 2017-08-23 17:59:22 -04:00
Chris Hoffman 191d48f848 API Docs updates (#3101) 2017-08-08 12:28:17 -04:00