AWS secrets engine generating session tokens #23690
Conversation
Sometimes people will give you an AWS access key and secret and not be interested in setting up a better approach for key exchange. In cases like this, options are limited for distributing access to the key material. However, AWS's STS GetSessionToken can be used to generate ephemeral credentials "underneath" that token. This at least limits the spread of that root key, and the duration of its users' access. It should almost definitely not be used for other use cases, since it does not limit behavior on an otherwise probably administrative key. Closes #12734
…ts to pass locally.
Hey @grahamc I wanted to let you know I've had the opportunity to pick this back up. I was unhappy with the poor experience you had with your prior PR and wanted to get the feature added with this opportunity. I'd love to hear if you have any comments on changes I've made. At the moment the main change is switching from the use of `"security_token"` to `"session_token"` to better align with modern AWS terminology. Do you foresee any problems with this?
Sounds good!
…On Mon, Oct 16, 2023, at 10:43 PM, Robert wrote:
Hey @grahamc <https://github.com/grahamc>
I wanted to let you know I've had the opportunity to pick this back up. I was unhappy with the poor experience you had with your prior PR and wanted to get the feature added with this opportunity. I'd love to hear if you have any comments on changes I've made.
At the moment the main change is switching from the use of `"security_token"` to `"session_token"` to better align with modern AWS terminology. Do you foresee any problems with this?
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Is the rename of `security_token` to `session_token` a breaking change?
You're right. I think since the goal of this PR is to now support session token generation, it makes sense to adjust the terminology accordingly to match AWS. I've added back |
LGTM!
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
@@ -0,0 +1,3 @@ | |||
```release-note:feature |
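Review bot: only the `release-note:feature` opener of the three-line changelog fragment this hunk adds is visible here, so the entry body cannot be checked; that body should carry the feature name as it will appear in the release notes and one line telling users what the feature lets them do (generate STS session tokens from the AWS secrets engine), rather than a bare description of the code change.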
@robmonte next time please use the correct new feature formatting for new features in the changelog.
To add some more clarification - this should use the "Feature Name" we'd use in the release notes, and should try to communicate to the user why they would want to learn more about this brand new feature we're introducing in Vault 1.16.
This reintroduces the addition of a new credential type `session_token` to the AWS Secrets Engine, originally provided here.

MFA codes:
When writing a vault role, provide the serial number of the MFA device added to the IAM user like so:
Then when getting credentials, pass the code like so:
Closes #12734
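The flow the description sketches (a long-lived IAM user key held by the engine, STS GetSessionToken minting short-lived credentials beneath it, an MFA serial on the role and a one-time code supplied when credentials are read), as an added Python model that is not Vault's own code. The field names `credential_type`, `default_sts_ttl`, `mfa_serial_number` and `mfa_code` are assumptions modelled on the engine's naming, and the TTL limits are the ones the AWS STS documentation gives for GetSessionToken.

```python
# Added model of the session_token credential type, not Vault's own code: the
# engine holds a long-lived IAM user key and calls STS GetSessionToken to mint
# short-lived credentials beneath it. Field names below are assumptions.
from datetime import datetime, timedelta, timezone

# DurationSeconds limits from the STS GetSessionToken documentation:
# 15 minutes to 36 hours for an IAM user, at most 1 hour for account root keys.
MIN_TTL, MAX_TTL, ROOT_MAX_TTL = 900, 129_600, 3_600

def build_get_session_token_request(config, role, mfa_code=None, is_root=False):
    """Check a role against GetSessionToken's constraints and return the STS
    request parameters; raise ValueError on a misconfiguration."""
    key_id = config["access_key"]
    # Only long-lived keys (AKIA...) may call GetSessionToken; temporary keys
    # (ASIA...) minted by STS cannot mint further session tokens.
    if not key_id.startswith("AKIA"):
        raise ValueError("session_token roles need a long-lived IAM user key")
    if role.get("credential_type") != "session_token":
        raise ValueError("role is not a session_token role")
    ttl = int(role.get("default_sts_ttl", ROOT_MAX_TTL))
    ceiling = ROOT_MAX_TTL if is_root else MAX_TTL
    if not MIN_TTL <= ttl <= ceiling:
        raise ValueError(f"ttl {ttl} outside GetSessionToken range {MIN_TTL}-{ceiling}")
    params = {"DurationSeconds": ttl}
    serial = role.get("mfa_serial_number")
    if serial and not mfa_code:
        raise ValueError("role requires MFA; pass mfa_code when reading creds")
    if mfa_code and not serial:
        raise ValueError("mfa_code given but the role has no mfa_serial_number")
    if serial:
        params["SerialNumber"] = serial  # device registered on the IAM user
        params["TokenCode"] = mfa_code   # one-time code supplied by the caller
    return params

def lease_from_response(resp, now):
    """Turn the Credentials block of a GetSessionToken response into the
    short-lived secret handed to the caller; the lease ends at STS's Expiration."""
    c = resp["Credentials"]
    return {"access_key": c["AccessKeyId"], "secret_key": c["SecretAccessKey"],
            "session_token": c["SessionToken"],
            "ttl_seconds": int((c["Expiration"] - now).total_seconds())}

# Constructed sample response in the shape STS returns (all values are fake).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLE0000000000", "SecretAccessKey": "fake-secret",
    "SessionToken": "fake-session-token",
    "Expiration": SAMPLE_NOW + timedelta(hours=2)}}
```

The session credentials carry every permission of the underlying key, so the model only bounds their lifetime and spread, which is the limitation the description calls out.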