Add logging during awskms auto-unseal (#9794)

Adds debug and warn logging around AWS credential chain generation,
specifically to help users debug auto-unseal problems on AWS, by
logging which role is being used in the case of a web identity token.

Adds a deferred call to flush the log output as well, to ensure logs
are output in the event of an initialization failure.
Theron Voran
2020-09-28 14:06:49 -07:00
committed by GitHub
parent 1c0b92369f
commit 10c0adad72
28 changed files with 348 additions and 80 deletions


@@ -43,6 +43,13 @@ type CredentialsConfig struct {
Logger hclog.Logger
}
// Make sure the logger isn't nil before logging
func (c *CredentialsConfig) log(level hclog.Level, msg string, args ...interface{}) {
if c.Logger != nil {
c.Logger.Log(level, msg, args...)
}
}
func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials, error) {
var providers []credentials.Provider
@@ -55,6 +62,8 @@ func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials,
SecretAccessKey: c.SecretKey,
SessionToken: c.SessionToken,
}})
c.log(hclog.Debug, "added static credential provider", "AccessKey", c.AccessKey)
case c.AccessKey == "" && c.SecretKey == "":
// Attempt to get credentials from the IAM instance role below
@@ -69,12 +78,21 @@ func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials,
if roleARN != "" && tokenPath != "" {
// this session is only created to create the WebIdentityRoleProvider, as the env variables are already there
// this automatically assumes the role, but the provider needs to be added to the chain
c.log(hclog.Debug, "adding web identity provider", "roleARN", roleARN)
sess, err := session.NewSession()
if err != nil {
return nil, errors.Wrap(err, "error creating a new session to create a WebIdentityRoleProvider")
}
webIdentityProvider := stscreds.NewWebIdentityRoleProvider(sts.New(sess), roleARN, sessionName, tokenPath)
// Check if the webIdentityProvider can successfully retrieve
// credentials (via sts:AssumeRole), and warn if there's a problem.
if _, err := webIdentityProvider.Retrieve(); err != nil {
c.log(hclog.Warn, "error assuming role", "roleARN", roleARN, "tokenPath", tokenPath, "sessionName", sessionName, "err", err)
}
//Add the web identity role credential provider
providers = append(providers, stscreds.NewWebIdentityRoleProvider(sts.New(sess), roleARN, sessionName, tokenPath))
providers = append(providers, webIdentityProvider)
}
// Add the environment credential provider
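Review bot: The eager `webIdentityProvider.Retrieve()` at `if _, err := webIdentityProvider.Retrieve(); err != nil {` makes a live sts:AssumeRoleWithWebIdentity round-trip during chain construction solely to emit a warning, and its result is discarded, so the chain will perform the same call again on first use; this doubles STS traffic and adds a blocking network dependency to initialization that the existing lazy chain did not have. Since the call is diagnostic only, consider guarding it with `if c.Logger != nil && c.Logger.IsWarn() {` so deployments without a logger skip the extra request, or at least add a comment stating that the duplicate assume-role call is intentional. It is also worth confirming that the `err` logged at Warn cannot carry the token read from tokenPath; a file-read failure from the SDK should surface only the path, but that is inferred rather than visible in the hunk. The body of GenerateCredentialChain continues outside this hunk.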