Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWS secrets engine generating session tokens #23690

Merged
merged 34 commits into from
Nov 8, 2023
Merged

Conversation

robmonte
Copy link
Member

@robmonte robmonte commented Oct 17, 2023

This reintroduces the addition of a new credential type session_token to the AWS Secrets Engine, originally provided here.

MFA codes:
When writing a vault role, provide the serial number of the MFA device added to the IAM user like so:

vault write aws/roles/my-mfa-role \
credential_type="session_token" \
mfa_serial_number="arn:aws:iam::<account-id>:mfa/<device-name>"

Then when getting credentials, pass the code like so:

vault read aws/creds/my-mfa-role \
mfa_code="123456"

Closes #12734

grahamc and others added 14 commits October 11, 2023 19:31
Sometimes people will give you an AWS access key and secret and not
be interested in setting up a better approach for key exchange.

In cases like this, options are limited for distributing access to
the key material. However, AWS's STS GetSessionToken can be used
to general ephemeral credentials "underneath" that token. This
at least limits the spread of that root key, and the duration of
its users' access.

It should almost definitely not be used for other use cases, since
it does not limit behavior on an otherwise probably administrative
key.

Closes #12734
@robmonte robmonte requested review from a team as code owners October 17, 2023 01:03
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Oct 17, 2023
@robmonte robmonte added this to the 1.16.0-rc1 milestone Oct 17, 2023
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions
Copy link

CI Results:
All Go tests succeeded! ✅

@robmonte
Copy link
Member Author

Hey @grahamc

I wanted to let you know I've had the opportunity to pick this back up. I was unhappy with the poor experience you had with your prior PR and wanted to get the feature added with this opportunity. I'd love to hear if you have any comments on changes I've mad.

At the moment the main change is switching from the use of "security_token" to "session_token" to better align with modern AWS terminology. Do you foresee any problems with this?

@grahamc
Copy link
Contributor

grahamc commented Oct 17, 2023 via email

website/content/api-docs/secret/aws.mdx Outdated Show resolved Hide resolved
robmonte and others added 2 commits October 19, 2023 11:19
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
website/content/docs/secrets/aws.mdx Outdated Show resolved Hide resolved
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Copy link
Contributor

@raymonstah raymonstah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the rename of security_token to session_token a breaking change?

builtin/logical/aws/secret_access_keys.go Outdated Show resolved Hide resolved
@robmonte
Copy link
Member Author

Is the rename of security_token to session_token a breaking change?

You're right. I think since the goal of this PR is to now support session token generation, it makes sense to adjust the terminology accordingly to match AWS. I've added back security_token in with this commit 7489461 so both it and session_token can exist, while adding a deprecation notice for the security_token field. Let me know your thoughts, and then we can also run this by the wider team.

@robmonte robmonte requested a review from schavis October 31, 2023 16:41
Copy link
Contributor

@austingebauer austingebauer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

builtin/logical/aws/path_roles.go Outdated Show resolved Hide resolved
builtin/logical/aws/secret_access_keys.go Outdated Show resolved Hide resolved
builtin/logical/aws/secret_access_keys.go Show resolved Hide resolved
robmonte and others added 3 commits November 4, 2023 03:21
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
@robmonte robmonte merged commit 54bf080 into main Nov 8, 2023
107 checks passed
@robmonte robmonte deleted the aws-session-token-fork branch November 8, 2023 23:06
@@ -0,0 +1,3 @@
```release-note:feature
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@robmonte next time please use the correct new feature formatting for new features in the changelog.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To add some more clarification - this should use the "Feature Name" we'd use in the release notes, and should try to communicate to the user why they would want to learn more about this brand new feature we're introducing in Vault 1.16.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support issuing AWS Session Tokens via GetSessionToken
6 participants