open-vault/builtin/credential/aws
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is used as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
backend.go auth/aws: Make identity alias configurable (#5247) 2018-09-26 08:27:12 -07:00
backend_test.go auth/aws: Make identity alias configurable (#5247) 2018-09-26 08:27:12 -07:00
cli.go Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
client.go Errwrap everywhere (#4252) 2018-04-05 11:49:21 -04:00
path_config_certificate.go Errwrap everywhere (#4252) 2018-04-05 11:49:21 -04:00
path_config_client.go Fixed writing config attribute 'max_retries' for existing client configs for aws auth method. (#4980) 2018-07-24 10:09:44 -04:00
path_config_client_test.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
path_config_identity.go auth/aws: Make identity alias configurable (#5247) 2018-09-26 08:27:12 -07:00
path_config_identity_test.go auth/aws: Make identity alias configurable (#5247) 2018-09-26 08:27:12 -07:00
path_config_sts.go Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
path_config_tidy_identity_whitelist.go Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
path_config_tidy_roletag_blacklist.go Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
path_identity_whitelist.go Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
path_login.go auth/aws: Make identity alias configurable (#5247) 2018-09-26 08:27:12 -07:00
path_login_test.go Update AWS auth backend iam_request_headers to be TypeHeader (#5320) 2018-09-12 16:16:16 -05:00
path_role.go auth/aws: Fix outdated help texts (#5253) 2018-09-04 10:55:02 -07:00
path_role_tag.go Errwrap everywhere (#4252) 2018-04-05 11:49:21 -04:00
path_role_test.go undo make fmt (#5265) 2018-09-04 09:29:18 -07:00
path_roletag_blacklist.go Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
path_tidy_identity_whitelist.go Fix approle tidy on performance standbys (#5338) 2018-09-17 09:53:23 -07:00
path_tidy_roletag_blacklist.go Fix approle tidy on performance standbys (#5338) 2018-09-17 09:53:23 -07:00