Update docs and path names to the new patterns

This commit is contained in:
vishalnayak
2016-05-12 07:19:29 -04:00
parent 306632cb68
commit 4aa01d390a
14 changed files with 245 additions and 235 deletions


@@ -84,15 +84,15 @@ func Backend(conf *logical.BackendConfig) (*framework.Backend, error) {
pathRoleTag(b),
pathConfigClient(b),
pathConfigCertificate(b),
pathConfigTidyRoleTags(b),
pathConfigTidyIdentities(b),
pathConfigTidyRoletagBlacklist(b),
pathConfigTidyIdentityWhitelist(b),
pathListCertificates(b),
pathListBlacklistRoleTags(b),
pathBlacklistRoleTag(b),
pathTidyRoleTags(b),
pathListWhitelistIdentities(b),
pathWhitelistIdentity(b),
pathTidyIdentities(b),
pathListRoletagBlacklist(b),
pathRoletagBlacklist(b),
pathTidyRoletagBlacklist(b),
pathListIdentityWhitelist(b),
pathIdentityWhitelist(b),
pathTidyIdentityWhitelist(b),
},
}
@@ -168,9 +168,10 @@ Authentication is backed by a preconfigured role in the backend. The role
represents the authorization of resources by containing Vault's policies.
Role can be created using 'role/<role_name>' endpoint.
If there is need to further restrict the policies set on the role, 'role_tag' option
can be enabled on the role, and a tag can be generated using 'role/<role_name>/tag'
endpoint. This tag represents the subset of capabilities set on the role. When the
'role_tag' option is enabled on the role, the login operation requires that a respective
role tag is attached to the EC2 instance that is performing the login.
If there is need to further restrict the capabilities of the role on the instance
that is using the role, 'role_tag' option can be enabled on the role, and a tag
can be generated using 'role/<role_name>/tag' endpoint. This tag represents the
subset of capabilities set on the role. When the 'role_tag' option is enabled on
the role, the login operation requires that a respective role tag is attached to
the EC2 instance which performs the login.
`


@@ -49,15 +49,15 @@ func createBackend(conf *logical.BackendConfig) (*backend, error) {
pathRoleTag(b),
pathConfigClient(b),
pathConfigCertificate(b),
pathConfigTidyRoleTags(b),
pathConfigTidyIdentities(b),
pathConfigTidyRoletagBlacklist(b),
pathConfigTidyIdentityWhitelist(b),
pathListCertificates(b),
pathListBlacklistRoleTags(b),
pathBlacklistRoleTag(b),
pathTidyRoleTags(b),
pathListWhitelistIdentities(b),
pathWhitelistIdentity(b),
pathTidyIdentities(b),
pathListRoletagBlacklist(b),
pathRoletagBlacklist(b),
pathTidyRoletagBlacklist(b),
pathListIdentityWhitelist(b),
pathIdentityWhitelist(b),
pathTidyIdentityWhitelist(b),
},
}
@@ -413,7 +413,7 @@ func TestBackend_TidyIdentities(t *testing.T) {
// test update operation
_, err = b.HandleRequest(&logical.Request{
Operation: logical.UpdateOperation,
Path: "tidy/identities",
Path: "tidy/identity-whitelist",
Storage: storage,
})
if err != nil {
@@ -438,7 +438,7 @@ func TestBackend_TidyRoleTags(t *testing.T) {
// test update operation
_, err = b.HandleRequest(&logical.Request{
Operation: logical.UpdateOperation,
Path: "tidy/roletags",
Path: "tidy/roletag-blacklist",
Storage: storage,
})
if err != nil {


@@ -9,7 +9,7 @@ import (
"github.com/hashicorp/vault/logical/framework"
)
func pathBlacklistRoleTag(b *backend) *framework.Path {
func pathRoletagBlacklist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roletag-blacklist/(?P<role_tag>.*)",
Fields: map[string]*framework.FieldSchema{
@@ -21,32 +21,32 @@ to avoid any encoding problems, it can be base64 encoded.`,
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathBlacklistRoleTagUpdate,
logical.ReadOperation: b.pathBlacklistRoleTagRead,
logical.DeleteOperation: b.pathBlacklistRoleTagDelete,
logical.UpdateOperation: b.pathRoletagBlacklistUpdate,
logical.ReadOperation: b.pathRoletagBlacklistRead,
logical.DeleteOperation: b.pathRoletagBlacklistDelete,
},
HelpSynopsis: pathBlacklistRoleTagSyn,
HelpDescription: pathBlacklistRoleTagDesc,
HelpSynopsis: pathRoletagBlacklistSyn,
HelpDescription: pathRoletagBlacklistDesc,
}
}
// Path to list all the blacklisted tags.
func pathListBlacklistRoleTags(b *backend) *framework.Path {
func pathListRoletagBlacklist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "roletag-blacklist/?",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ListOperation: b.pathBlacklistRoleTagsList,
logical.ListOperation: b.pathRoletagBlacklistsList,
},
HelpSynopsis: pathListBlacklistRoleTagsHelpSyn,
HelpDescription: pathListBlacklistRoleTagsHelpDesc,
HelpSynopsis: pathListRoletagBlacklistHelpSyn,
HelpDescription: pathListRoletagBlacklistHelpDesc,
}
}
// Lists all the blacklisted role tags.
func (b *backend) pathBlacklistRoleTagsList(
func (b *backend) pathRoletagBlacklistsList(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.blacklistMutex.RLock()
defer b.blacklistMutex.RUnlock()
@@ -96,7 +96,7 @@ func (b *backend) blacklistRoleTagEntryInternal(s logical.Storage, tag string) (
}
// Deletes an entry from the role tag blacklist for a given tag.
func (b *backend) pathBlacklistRoleTagDelete(
func (b *backend) pathRoletagBlacklistDelete(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.blacklistMutex.Lock()
defer b.blacklistMutex.Unlock()
@@ -111,7 +111,7 @@ func (b *backend) pathBlacklistRoleTagDelete(
// If the given role tag is blacklisted, returns the details of the blacklist entry.
// Returns 'nil' otherwise.
func (b *backend) pathBlacklistRoleTagRead(
func (b *backend) pathRoletagBlacklistRead(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
tag := data.Get("role_tag").(string)
@@ -132,10 +132,10 @@ func (b *backend) pathBlacklistRoleTagRead(
}, nil
}
// pathBlacklistRoleTagUpdate is used to blacklist a given role tag.
// pathRoletagBlacklistUpdate is used to blacklist a given role tag.
// Before a role tag is blacklisted, the correctness of the plaintext part
// in the role tag is verified using the associated HMAC.
func (b *backend) pathBlacklistRoleTagUpdate(
func (b *backend) pathRoletagBlacklistUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
// The role_tag value provided, optionally can be base64 encoded.
@@ -226,17 +226,17 @@ type roleTagBlacklistEntry struct {
ExpirationTime time.Time `json:"expiration_time" structs:"expiration_time" mapstructure:"expiration_time"`
}
const pathBlacklistRoleTagSyn = `
const pathRoletagBlacklistSyn = `
Blacklist a previously created role tag.
`
const pathBlacklistRoleTagDesc = `
Blacklist a role tag so that it cannot be used by any EC2 instance to perform logins
in the future. This can be used if the role tag is suspected or believed to be possessed
by an unintended party.
const pathRoletagBlacklistDesc = `
Blacklist a role tag so that it cannot be used by any EC2 instance to perform further
logins. This can be used if the role tag is suspected or believed to be possessed by
an unintended party.
By default, a cron task will periodically looks for expired entries in the blacklist
and delete them. The duration to periodically run this, is one hour by default.
By default, a cron task will periodically look for expired entries in the blacklist
and deletes them. The duration to periodically run this, is one hour by default.
However, this can be configured using the 'config/tidy/roletags' endpoint. This tidy
action can be triggered via the API as well, using the 'tidy/roletags' endpoint.
@@ -244,12 +244,12 @@ Also note that delete operation is supported on this endpoint to remove specific
entries from the blacklist.
`
const pathListBlacklistRoleTagsHelpSyn = `
List the blacklisted role tags.
const pathListRoletagBlacklistHelpSyn = `
Lists the blacklisted role tags.
`
const pathListBlacklistRoleTagsHelpDesc = `
List all the entries present in the blacklist. This will show both the valid
const pathListRoletagBlacklistHelpDesc = `
Lists all the entries present in the blacklist. This will show both the valid
entries and the expired entries in the blacklist. Use 'tidy/roletags' endpoint
to clean-up the blacklist of role tags based on expiration time.
`
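Review bot: The blacklist help text still sends operators to 'config/tidy/roletags' and 'tidy/roletags' (in `pathRoletagBlacklistDesc` and `pathListRoletagBlacklistHelpDesc`), while this same commit moves those paths to `config/tidy/roletag-blacklist` and `tidy/roletag-blacklist` (see the `roletagBlacklistConfigPath` constant and the `pathTidyRoletagBlacklist` pattern), so the built-in help now points at paths the backend no longer serves. Change the two references to `However, this can be configured using the 'config/tidy/roletag-blacklist' endpoint. This tidy action can be triggered via the API as well, using the 'tidy/roletag-blacklist' endpoint.` and `Use 'tidy/roletag-blacklist' endpoint`. As a point of style, the list callback became `pathRoletagBlacklistsList`; the stray plural reads as a typo beside `pathListRoletagBlacklist`, and `pathRoletagBlacklistList` would match the sibling names introduced here.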


@@ -310,24 +310,24 @@ type awsPublicCert struct {
}
const pathConfigCertificateSyn = `
Configure the AWS Public Key that is used to verify the PKCS#7 signature of the identidy document.
Adds the AWS Public Key that is used to verify the PKCS#7 signature of the identidy document.
`
const pathConfigCertificateDesc = `
AWS Public Key which is used to verify the PKCS#7 signature of the identity document,
varies by region. The public key can be found in AWS EC2 instance metadata documentation.
varies by region. The public key(s) can be found in AWS EC2 instance metadata documentation.
The default key that is used to verify the signature is the one that is applicable for
following regions: US East (N. Virginia), US West (Oregon), US West (N. California),
EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore),
Asia Pacific (Sydney), and South America (Sao Paulo).
If the instances belongs to region other than the above, the public key for the corresponding
regions should be registered using this endpoint. PKCS#7 is verified using a collection
of certificates containing the default certificate and all the registered certificates
added using this endpoint.
If the instances belongs to region other than the above, the public key(s) for the
corresponding regions should be registered using this endpoint. PKCS#7 is verified
using a collection of certificates containing the default certificate and all the
certificates that are registered using this endpoint.
`
const pathListCertificatesHelpSyn = `
Lists all the AWS public certificates that are registered with Vault.
Lists all the AWS public certificates that are registered with the backend.
`
const pathListCertificatesHelpDesc = `
Certificates will be listed by their respective names that were used during registration.
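Review bot: The rewritten synopsis keeps the typo `identidy`; it should read `Adds the AWS Public Key that is used to verify the PKCS#7 signature of the identity document.` More importantly, the description now states that PKCS#7 is verified against the default certificate plus every certificate registered through this endpoint, which makes the endpoint a trust-anchor store: any key added here can vouch for instance identity documents and therefore for logins. I would say that explicitly in `pathConfigCertificateDesc`, e.g. `Only public certificates published by AWS for the target regions should be registered here; any certificate added is trusted to sign identity documents.`, so an operator understands the blast radius of a mistaken or malicious registration.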


@@ -13,19 +13,19 @@ func pathConfigClient(b *backend) *framework.Path {
"access_key": &framework.FieldSchema{
Type: framework.TypeString,
Default: "",
Description: "AWS Access key with permissions to query EC2 instance metadata.",
Description: "AWS Access key with permissions to query EC2 DescribeInstances API.",
},
"secret_key": &framework.FieldSchema{
Type: framework.TypeString,
Default: "",
Description: "AWS Secret key with permissions to query EC2 instance metadata.",
Description: "AWS Secret key with permissions to query EC2 DescribeInstances API.",
},
"endpoint": &framework.FieldSchema{
Type: framework.TypeString,
Default: "",
Description: "The endpoint to be used to make API calls to AWS EC2.",
Description: "URL to override the default generated endpoint for making AWS EC2 API calls.",
},
},
@@ -193,7 +193,7 @@ Configure the client credentials that are used to query instance details from AW
`
const pathConfigClientHelpDesc = `
AWS auth backend makes API calls to retrieve EC2 instance metadata.
The aws_secret_key and aws_access_key registered with Vault should have the
permissions to make these API calls.
AWS auth backend makes DescribeInstances API call to retrieve information regarding
the instance that performs login. The aws_secret_key and aws_access_key registered with Vault should have the
permissions to make the API call.
`
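Review bot: The help description refers to `aws_secret_key` and `aws_access_key`, but the field schema at the top of this same file names the parameters `access_key` and `secret_key`, so the text should read `the instance that performs login. The secret_key and access_key registered with Vault should have the permissions to make the API call.` (also `makes a DescribeInstances API call`, and the line should be wrapped like its neighbours). Since the description now names the exact call, it is worth stating the least-privilege consequence for the operator, e.g. `The IAM policy attached to these credentials needs only the ec2:DescribeInstances action.` The `endpoint` field's new wording could likewise carry a caveat that overriding the endpoint delegates the instance-status check to whatever host answers at that URL, since the backend appears to trust the DescribeInstances response when deciding whether to issue a token.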


@@ -12,7 +12,7 @@ const (
identityWhitelistConfigPath = "config/tidy/identity-whitelist"
)
func pathConfigTidyIdentities(b *backend) *framework.Path {
func pathConfigTidyIdentityWhitelist(b *backend) *framework.Path {
return &framework.Path{
Pattern: fmt.Sprintf("%s$", identityWhitelistConfigPath),
Fields: map[string]*framework.FieldSchema{
@@ -25,25 +25,25 @@ expiration, before it is removed from the backend storage.`,
"disable_periodic_tidy": &framework.FieldSchema{
Type: framework.TypeBool,
Default: false,
Description: "If set to 'true', disables the periodic tidying of the 'whitelist/identity/<instance_id>' entries.",
Description: "If set to 'true', disables the periodic tidying of the 'identity-whitelist/<instance_id>' entries.",
},
},
ExistenceCheck: b.pathConfigTidyIdentitiesExistenceCheck,
ExistenceCheck: b.pathConfigTidyIdentityWhitelistExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.CreateOperation: b.pathConfigTidyIdentitiesCreateUpdate,
logical.UpdateOperation: b.pathConfigTidyIdentitiesCreateUpdate,
logical.ReadOperation: b.pathConfigTidyIdentitiesRead,
logical.DeleteOperation: b.pathConfigTidyIdentitiesDelete,
logical.CreateOperation: b.pathConfigTidyIdentityWhitelistCreateUpdate,
logical.UpdateOperation: b.pathConfigTidyIdentityWhitelistCreateUpdate,
logical.ReadOperation: b.pathConfigTidyIdentityWhitelistRead,
logical.DeleteOperation: b.pathConfigTidyIdentityWhitelistDelete,
},
HelpSynopsis: pathConfigTidyIdentitiesHelpSyn,
HelpDescription: pathConfigTidyIdentitiesHelpDesc,
HelpSynopsis: pathConfigTidyIdentityWhitelistHelpSyn,
HelpDescription: pathConfigTidyIdentityWhitelistHelpDesc,
}
}
func (b *backend) pathConfigTidyIdentitiesExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
func (b *backend) pathConfigTidyIdentityWhitelistExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
entry, err := b.configTidyIdentities(req.Storage)
if err != nil {
return false, err
@@ -74,7 +74,7 @@ func (b *backend) configTidyIdentitiesInternal(s logical.Storage) (*tidyWhitelis
return &result, nil
}
func (b *backend) pathConfigTidyIdentitiesCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
func (b *backend) pathConfigTidyIdentityWhitelistCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
@@ -112,7 +112,7 @@ func (b *backend) pathConfigTidyIdentitiesCreateUpdate(req *logical.Request, dat
return nil, nil
}
func (b *backend) pathConfigTidyIdentitiesRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
func (b *backend) pathConfigTidyIdentityWhitelistRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
clientConfig, err := b.configTidyIdentities(req.Storage)
if err != nil {
return nil, err
@@ -126,7 +126,7 @@ func (b *backend) pathConfigTidyIdentitiesRead(req *logical.Request, data *frame
}, nil
}
func (b *backend) pathConfigTidyIdentitiesDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
func (b *backend) pathConfigTidyIdentityWhitelistDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
@@ -138,12 +138,12 @@ type tidyWhitelistIdentityConfig struct {
DisablePeriodicTidy bool `json:"disable_periodic_tidy" structs:"disable_periodic_tidy" mapstructure:"disable_periodic_tidy"`
}
const pathConfigTidyIdentitiesHelpSyn = `
const pathConfigTidyIdentityWhitelistHelpSyn = `
Configures the periodic tidying operation of the whitelisted identity entries.
`
const pathConfigTidyIdentitiesHelpDesc = `
const pathConfigTidyIdentityWhitelistHelpDesc = `
By default, the expired entries in the whitelist will be attempted to be removed
periodically. This operation will look for expired items in the list and purge them.
periodically. This operation will look for expired items in the list and purges them.
However, there is a safety buffer duration (defaults to 72h), purges the entries
only if they have been persisting this duration, past its expiration time.
`


@@ -12,7 +12,7 @@ const (
roletagBlacklistConfigPath = "config/tidy/roletag-blacklist"
)
func pathConfigTidyRoleTags(b *backend) *framework.Path {
func pathConfigTidyRoletagBlacklist(b *backend) *framework.Path {
return &framework.Path{
Pattern: fmt.Sprintf("%s$", roletagBlacklistConfigPath),
Fields: map[string]*framework.FieldSchema{
@@ -31,21 +31,21 @@ Defaults to 4320h (180 days).`,
},
},
ExistenceCheck: b.pathConfigTidyRoleTagsExistenceCheck,
ExistenceCheck: b.pathConfigTidyRoletagBlacklistExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.CreateOperation: b.pathConfigTidyRoleTagsCreateUpdate,
logical.UpdateOperation: b.pathConfigTidyRoleTagsCreateUpdate,
logical.ReadOperation: b.pathConfigTidyRoleTagsRead,
logical.DeleteOperation: b.pathConfigTidyRoleTagsDelete,
logical.CreateOperation: b.pathConfigTidyRoletagBlacklistCreateUpdate,
logical.UpdateOperation: b.pathConfigTidyRoletagBlacklistCreateUpdate,
logical.ReadOperation: b.pathConfigTidyRoletagBlacklistRead,
logical.DeleteOperation: b.pathConfigTidyRoletagBlacklistDelete,
},
HelpSynopsis: pathConfigTidyRoleTagsHelpSyn,
HelpDescription: pathConfigTidyRoleTagsHelpDesc,
HelpSynopsis: pathConfigTidyRoletagBlacklistHelpSyn,
HelpDescription: pathConfigTidyRoletagBlacklistHelpDesc,
}
}
func (b *backend) pathConfigTidyRoleTagsExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
func (b *backend) pathConfigTidyRoletagBlacklistExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
entry, err := b.configTidyRoleTags(req.Storage)
if err != nil {
return false, err
@@ -77,7 +77,7 @@ func (b *backend) configTidyRoleTagsInternal(s logical.Storage) (*tidyBlacklistR
return &result, nil
}
func (b *backend) pathConfigTidyRoleTagsCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
func (b *backend) pathConfigTidyRoletagBlacklistCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
@@ -113,7 +113,7 @@ func (b *backend) pathConfigTidyRoleTagsCreateUpdate(req *logical.Request, data
return nil, nil
}
func (b *backend) pathConfigTidyRoleTagsRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
func (b *backend) pathConfigTidyRoletagBlacklistRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
clientConfig, err := b.configTidyRoleTags(req.Storage)
if err != nil {
return nil, err
@@ -127,7 +127,7 @@ func (b *backend) pathConfigTidyRoleTagsRead(req *logical.Request, data *framewo
}, nil
}
func (b *backend) pathConfigTidyRoleTagsDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
func (b *backend) pathConfigTidyRoletagBlacklistDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
b.configMutex.Lock()
defer b.configMutex.Unlock()
@@ -139,12 +139,12 @@ type tidyBlacklistRoleTagConfig struct {
DisablePeriodicTidy bool `json:"disable_periodic_tidy" structs:"disable_periodic_tidy" mapstructure:"disable_periodic_tidy"`
}
const pathConfigTidyRoleTagsHelpSyn = `
const pathConfigTidyRoletagBlacklistHelpSyn = `
Configures the periodic tidying operation of the blacklisted role tag entries.
`
const pathConfigTidyRoleTagsHelpDesc = `
const pathConfigTidyRoletagBlacklistHelpDesc = `
By default, the expired entries in the blacklist will be attempted to be removed
periodically. This operation will look for expired items in the list and purge them.
periodically. This operation will look for expired items in the list and purges them.
However, there is a safety buffer duration (defaults to 72h), purges the entries
only if they have been persisting this duration, past its expiration time.
`


@@ -20,9 +20,10 @@ func pathLogin(b *backend) *framework.Path {
Fields: map[string]*framework.FieldSchema{
"role_name": &framework.FieldSchema{
Type: framework.TypeString,
Description: `Name of the pre-registered role in this backend against which the login
is being attempted. If this is not supplied, the name of the AMI ID in
the instance identity document will be assumed to be the name of the role.`,
Description: `Name of the role against which the login is being attempted.
If 'role_name' is not specified, then the login endpoint looks for a role
bearing the name of the AMI ID of the EC2 instance that is trying to login.
If a matching role is not found, login fails.`,
},
"pkcs7": &framework.FieldSchema{
@@ -31,8 +32,10 @@ the instance identity document will be assumed to be the name of the role.`,
},
"nonce": &framework.FieldSchema{
Type: framework.TypeString,
Description: "The nonce created by a client of this backend. Nonce is used to avoid replay attacks. When the instances are configured to be allowed to login only once, nonce parameter is of no use and hence can be skipped.",
Type: framework.TypeString,
Description: `The nonce created by a client of this backend. When 'disallow_reauthentication'
option is enabled on either the role or the role tag, then nonce parameter is
optional. It is a required parameter otherwise.`,
},
},
@@ -550,7 +553,7 @@ Authenticates an EC2 instance with Vault.
const pathLoginDesc = `
An EC2 instance is authenticated using the PKCS#7 signature of the instance identity
document and a client created nonce. This nonce should be unique and should be used by
the instance for all future logins, unless 'allow_instance_migration' option on the
the instance for all future logins, unless 'disallow_reauthenitcation' option on the
registered role is enabled, in which case client nonce is optional.
First login attempt, creates a whitelist entry in Vault associating the instance to the nonce
@@ -558,7 +561,7 @@ provided. All future logins will succeed only if the client nonce matches the no
whitelisted entry.
By default, a cron task will periodically look for expired entries in the whitelist
and delete them. The duration to periodically run this, is one hour by default.
and deletes them. The duration to periodically run this, is one hour by default.
However, this can be configured using the 'config/tidy/identities' endpoint. This tidy
action can be triggered via the API as well, using the 'tidy/identities' endpoint.
`
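Review bot: The new line in `pathLoginDesc` misspells the option as `disallow_reauthenitcation`; the field is `disallow_reauthentication` everywhere else in this commit, and operators grep help output for option names, so it should read `the instance for all future logins, unless 'disallow_reauthentication' option on the`. The rewritten `nonce` field description also drops the only sentence that said why the nonce exists (`Nonce is used to avoid replay attacks`); I would keep that rationale, e.g. `The nonce created by a client of this backend. It is used to avoid replay attacks. When 'disallow_reauthentication' ...`, because a reader deciding whether to supply a nonce needs to know what it protects. Finally, the closing paragraph of `pathLoginDesc` still references `config/tidy/identities` and `tidy/identities`, which this commit renames to `config/tidy/identity-whitelist` and `tidy/identity-whitelist` (see the `pathTidyIdentityWhitelist` pattern and `identityWhitelistConfigPath`).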


@@ -22,8 +22,9 @@ func pathRole(b *backend) *framework.Path {
},
"bound_ami_id": &framework.FieldSchema{
Type: framework.TypeString,
Description: `If set, instances attempting login must be running the given AMI.`,
Type: framework.TypeString,
Description: `If set, defines a constraint on the EC2 instances that they should be
using the AMI ID specified by this parameter.`,
},
"role_tag": &framework.FieldSchema{
@@ -35,13 +36,13 @@ func pathRole(b *backend) *framework.Path {
"max_ttl": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Default: 0,
Description: "The maximum allowed lifetime for tokens issued due to logins using this role.",
Description: "The maximum allowed lifetime of tokens issued using this role.",
},
"policies": &framework.FieldSchema{
Type: framework.TypeString,
Default: "default",
Description: "Policies to be set on tokens logging in using this role.",
Description: "Policies to be set on tokens issued using this role.",
},
"allow_instance_migration": &framework.FieldSchema{


@@ -419,9 +419,9 @@ Create a tag on a role in order to be able to further restrict the capabilities
`
const pathRoleTagDesc = `
If there are needs to apply only a subset of role's capabilities on the instance,
create a role tag using this endpoint and attach the tag on the instance before
performing login.
If there are needs to apply only a subset of role's capabilities to any specific
instance, create a role tag using this endpoint and attach the tag on the instance
before performing login.
To be able to create a role tag, the 'role_tag' option on the role should be
enabled via the endpoint 'role/<role_name>'. Also, the policies to be associated


@@ -9,9 +9,9 @@ import (
"github.com/hashicorp/vault/logical/framework"
)
func pathTidyIdentities(b *backend) *framework.Path {
func pathTidyIdentityWhitelist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "tidy/identities$",
Pattern: "tidy/identity-whitelist$",
Fields: map[string]*framework.FieldSchema{
"safety_buffer": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
@@ -22,11 +22,11 @@ expiration, before it is removed from the backend storage.`,
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathTidyIdentitiesUpdate,
logical.UpdateOperation: b.pathTidyIdentityWhitelistUpdate,
},
HelpSynopsis: pathTidyIdentitiesSyn,
HelpDescription: pathTidyIdentitiesDesc,
HelpSynopsis: pathTidyIdentityWhitelistSyn,
HelpDescription: pathTidyIdentityWhitelistDesc,
}
}
@@ -75,19 +75,19 @@ func (b *backend) tidyWhitelistIdentity(s logical.Storage, safety_buffer int) er
return nil
}
// pathTidyIdentitiesUpdate is used to delete entries in the whitelist that are expired.
func (b *backend) pathTidyIdentitiesUpdate(
// pathTidyIdentityWhitelistUpdate is used to delete entries in the whitelist that are expired.
func (b *backend) pathTidyIdentityWhitelistUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return nil, b.tidyWhitelistIdentity(req.Storage, data.Get("safety_buffer").(int))
}
const pathTidyIdentitiesSyn = `
const pathTidyIdentityWhitelistSyn = `
Clean-up the whitelist instance identity entries.
`
const pathTidyIdentitiesDesc = `
const pathTidyIdentityWhitelistDesc = `
When an instance identity is whitelisted, the expiration time of the whitelist
entry is set based on the least 'max_ttl' value set on: the role, the role tag
entry is set based on the maximum 'max_ttl' value set on: the role, the role tag
and the backend's mount.
When this endpoint is invoked, all the entries that are expired will be deleted.


@@ -9,9 +9,9 @@ import (
"github.com/hashicorp/vault/logical/framework"
)
func pathTidyRoleTags(b *backend) *framework.Path {
func pathTidyRoletagBlacklist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "tidy/roletags$",
Pattern: "tidy/roletag-blacklist$",
Fields: map[string]*framework.FieldSchema{
"safety_buffer": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
@@ -22,11 +22,11 @@ expiration, before it is removed from the backend storage.`,
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.UpdateOperation: b.pathTidyRoleTagsUpdate,
logical.UpdateOperation: b.pathTidyRoletagBlacklistUpdate,
},
HelpSynopsis: pathTidyRoleTagsSyn,
HelpDescription: pathTidyRoleTagsDesc,
HelpSynopsis: pathTidyRoletagBlacklistSyn,
HelpDescription: pathTidyRoletagBlacklistDesc,
}
}
@@ -74,19 +74,19 @@ func (b *backend) tidyBlacklistRoleTag(s logical.Storage, safety_buffer int) err
return nil
}
// pathTidyRoleTagsUpdate is used to clean-up the entries in the role tag blacklist.
func (b *backend) pathTidyRoleTagsUpdate(
// pathTidyRoletagBlacklistUpdate is used to clean-up the entries in the role tag blacklist.
func (b *backend) pathTidyRoletagBlacklistUpdate(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
return nil, b.tidyBlacklistRoleTag(req.Storage, data.Get("safety_buffer").(int))
}
const pathTidyRoleTagsSyn = `
const pathTidyRoletagBlacklistSyn = `
Clean-up the blacklist role tag entries.
`
const pathTidyRoleTagsDesc = `
const pathTidyRoletagBlacklistDesc = `
When a role tag is blacklisted, the expiration time of the blacklist entry is
set based on the least 'max_ttl' value set on: the role, the role tag and the
set based on the maximum 'max_ttl' value set on: the role, the role tag and the
backend's mount.
When this endpoint is invoked, all the entries that are expired will be deleted.
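Review bot: The renamed help text says expired blacklist entries are deleted but not what that means for the tag afterwards: read literally, once an entry is tidied nothing blocks the tag, so a tag that was blacklisted because it leaked could become usable again after the longest `max_ttl` plus `safety_buffer` has elapsed. I cannot see the login path from this hunk, so confirm which it is; if that is the intended semantics, `pathTidyRoletagBlacklistDesc` should say so and tell operators to rotate the role or tag rather than rely on the blacklist indefinitely, and if it is not, the tidy should not be removing these entries. As a point of style, the visible signature `tidyBlacklistRoleTag(s logical.Storage, safety_buffer int)` keeps a snake_case parameter, which violates Go's MixedCaps convention; `safetyBuffer int` is the idiomatic form.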


@@ -8,27 +8,28 @@ import (
"github.com/hashicorp/vault/logical/framework"
)
func pathWhitelistIdentity(b *backend) *framework.Path {
func pathIdentityWhitelist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "identity-whitelist/" + framework.GenericNameRegex("instance_id"),
Fields: map[string]*framework.FieldSchema{
"instance_id": &framework.FieldSchema{
Type: framework.TypeString,
Description: "EC2 instance ID. A successful login operation from an EC2 instance gets cached in this whitelist, keyed off of instance ID.",
Type: framework.TypeString,
Description: `EC2 instance ID. A successful login operation from an EC2 instance
gets cached in this whitelist, keyed off of instance ID.`,
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: b.pathWhitelistIdentityRead,
logical.DeleteOperation: b.pathWhitelistIdentityDelete,
logical.ReadOperation: b.pathIdentityWhitelistRead,
logical.DeleteOperation: b.pathIdentityWhitelistDelete,
},
HelpSynopsis: pathWhitelistIdentitySyn,
HelpDescription: pathWhitelistIdentityDesc,
HelpSynopsis: pathIdentityWhitelistSyn,
HelpDescription: pathIdentityWhitelistDesc,
}
}
func pathListWhitelistIdentities(b *backend) *framework.Path {
func pathListIdentityWhitelist(b *backend) *framework.Path {
return &framework.Path{
Pattern: "identity-whitelist/?",
@@ -36,8 +37,8 @@ func pathListWhitelistIdentities(b *backend) *framework.Path {
logical.ListOperation: b.pathWhitelistIdentitiesList,
},
HelpSynopsis: pathListWhitelistIdentitiesHelpSyn,
HelpDescription: pathListWhitelistIdentitiesHelpDesc,
HelpSynopsis: pathListIdentityWhitelistHelpSyn,
HelpDescription: pathListIdentityWhitelistHelpDesc,
}
}
@@ -83,8 +84,8 @@ func setWhitelistIdentityEntry(s logical.Storage, instanceID string, identity *w
return nil
}
// pathWhitelistIdentityDelete is used to delete an entry from the identity whitelist given an instance ID.
func (b *backend) pathWhitelistIdentityDelete(
// pathIdentityWhitelistDelete is used to delete an entry from the identity whitelist given an instance ID.
func (b *backend) pathIdentityWhitelistDelete(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
instanceID := data.Get("instance_id").(string)
if instanceID == "" {
@@ -94,8 +95,8 @@ func (b *backend) pathWhitelistIdentityDelete(
return nil, req.Storage.Delete("whitelist/identity/" + instanceID)
}
// pathWhitelistIdentityRead is used to view an entry in the identity whitelist given an instance ID.
func (b *backend) pathWhitelistIdentityRead(
// pathIdentityWhitelistRead is used to view an entry in the identity whitelist given an instance ID.
func (b *backend) pathIdentityWhitelistRead(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
instanceID := data.Get("instance_id").(string)
if instanceID == "" {
@@ -126,26 +127,26 @@ type whitelistIdentity struct {
LastUpdatedTime time.Time `json:"last_updated_time" structs:"last_updated_time" mapstructure:"last_updated_time"`
}
const pathWhitelistIdentitySyn = `
const pathIdentityWhitelistSyn = `
Read or delete entries in the identity whitelist.
`
const pathWhitelistIdentityDesc = `
const pathIdentityWhitelistDesc = `
Each login from an EC2 instance creates/updates an entry in the identity whitelist.
Entries in this list can be viewed or deleted using this endpoint.
By default, a cron task will periodically looks for expired entries in the whitelist
and delete them. The duration to periodically run this is one hour by default.
By default, a cron task will periodically look for expired entries in the whitelist
and deletes them. The duration to periodically run this, is one hour by default.
However, this can be configured using the 'config/tidy/identities' endpoint. This tidy
action can be triggered via the API as well, using the 'tidy/identities' endpoint.
`
const pathListWhitelistIdentitiesHelpSyn = `
List the items present in the identity whitelist.
const pathListIdentityWhitelistHelpSyn = `
Lists the items present in the identity whitelist.
`
const pathListWhitelistIdentitiesHelpDesc = `
const pathListIdentityWhitelistHelpDesc = `
The entries in the identity whitelist is keyed off of the EC2 instance IDs.
This endpoint lists all the entries present in the identity whitelist, both
expired and un-expired entries. Use 'tidy/identities' endpoint to clean-up
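Review bot: Three help references in this file still name the old endpoints — `config/tidy/identities` and `tidy/identities` in `pathIdentityWhitelistDesc`, and `tidy/identities` in `pathListIdentityWhitelistHelpDesc` — while this commit moves them to `config/tidy/identity-whitelist` and `tidy/identity-whitelist` (see `identityWhitelistConfigPath` and the `pathTidyIdentityWhitelist` pattern), so the operator-facing help now points at paths that no longer exist. The list callback `pathWhitelistIdentitiesList` was also left with the old naming while every sibling was renamed to the `pathIdentityWhitelist*` form; renaming it keeps the file greppable by the new path name. The storage key prefix `whitelist/identity/` in `pathIdentityWhitelistDelete` is presumably kept deliberately, since changing it would orphan existing entries; a one-line comment such as `// storage key is intentionally unchanged from the pre-rename layout` would stop the next reader from "fixing" it.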


@@ -31,7 +31,7 @@ found
[here](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html).)
During login, the backend verifies the signature on the PKCS#7 document,
ensuring that the information contained within is certified accurate by AWS.
ensuring that the information contained within, is certified accurate by AWS.
Before succeeding the login attempt and returning a Vault token, the backend
verifies the current running status of the instance via the EC2 API.
@@ -44,9 +44,9 @@ The basic mechanism of operaion is per-role. Roles are registered in the
backend and associated with various optional restricitons, such as the set
of allowed policies and max TTLs on the generated tokens. Each role can
be specified with the contraints that are to be met during the login. For
example, currently the contraint that is supported is to bound against AMI
ID. The roles with this bound can only be used to login by the instances
that are running on the specified AMI.
example, currently the contraint that is supported is to bind against AMI
ID. A role which is bound to a specific AMI, can only be used for login by
those instances that are deployed on the same AMI.
In many cases, an organization will use a "seed AMI" that is specialized after
bootup by configuration management or similar processes. For this reason, an
@@ -79,11 +79,11 @@ investigation.
During the first login, the backend stores the instance ID that authenticated
in a `whitelist`. One method of operation of the backend is to disallow any
authentication attempt for an instance ID contained in the whitelist, using the
'disallow_reauthentication' option on the role. However, this has consequences
for token rotation, as it means that once a token has expired, subsequent
authentication attempts would fail. By default, reauthentication is enabled in
this backend, and can be turned off using 'disallow_reauthentication' parameter
on the registered role.
'disallow_reauthentication' option on the role, meaning that an instance is
allowed to login only once. However, this has consequences for token rotation,
as it means that once a token has expired, subsequent authentication attempts
would fail. By default, reauthentication is enabled in this backend, and can be
turned off using 'disallow_reauthentication' parameter on the registered role.
In the default method of operation, the client supplies a unique nonce during
the first authentication attempt, storing this nonce in the client's memory for
@@ -153,7 +153,7 @@ If an EC2 instance loses its client nonce (due to a reboot, a stop/start of the
client, etc.), subsequent login attempts will not succeed. If the client nonce
is lost, normally the only option is to delete the entry corresponding to the
instance ID from the identity `whitelist` in the backend. This can be done via
the `auth/aws/whitelist/identity/<instance_id>` endpoint. This allows a new
the `auth/aws/identity-whitelist/<instance_id>` endpoint. This allows a new
client nonce to be accepted by the backend during the next login request.
Under certain circumstances there is another useful setting. When the instance
@@ -196,7 +196,7 @@ hijacked by another entity.
When `disallow_reauthentication` option is enabled, the client can choose not
to supply a nonce during login, although it is not an error to do so (the nonce
is simply ignored). Note that reauthentication is enabled by default. If only
a single login is desired, `disable_reauthentication` should be set explicitly
a single login is desired, `disallow_reauthentication` should be set explicitly
on the role or on the role tag.
The `disallow_reauthentication` option is set per-role, and can also be
@@ -207,14 +207,15 @@ role tag has no effect.
### Blacklisting Role Tags
Role tags are tied to a specific role, but the backend has no control over which
instances using that role should have any particular role tag; that is purely up
Role tags are tied to a specific role, but the backend has no control over, which
instances using that role, should have any particular role tag; that is purely up
to the operator. Although role tags are only restrictive (a tag cannot escalate
privileges above what is set on its role), if a role tag is found to have been
used incorrectly, and the administrator wants to ensure that the role tag has no
further effect, the role tag can be placed on a `blacklist` via the endpoint
`auth/aws/blacklist/roletag/<role_tag>`. Note that this will not invalidate the
tokens that were already issued; this only blocks any further login requests.
`auth/aws/roletag-blacklist/<role_tag>`. Note that this will not invalidate the
tokens that were already issued; this only blocks any further login requests from
those instances that have the blacklisted tag attached to them.
### Expiration Times and Tidying of `blacklist` and `whitelist` Entries
@@ -225,7 +226,7 @@ time which is dynamically determined by three factors: `max_ttl` set on the role
least of these three dictates the maximum TTL of the issued token, and
correspondingly will be set as the expiration times of these entries.
The endpoints `aws/auth/tidy/identities` and `aws/auth/tidy/roletags` are
The endpoints `aws/auth/tidy/identity-whitelist` and `aws/auth/tidy/roletag-blacklist` are
provided to clean up the entries present in these lists. These endpoints allow
defining a safety buffer, such that an entry must not only be expired, but be
past expiration by the amount of time dictated by the safety buffer in order
@@ -236,14 +237,14 @@ of the backend. This function does the tidying of both blacklist role tags
and whitelist identities. Periodic tidying is activated by default and will
have a safety buffer of 72 hours, meaning only those entries are deleted which
were expired before 72 hours from when the tidy operation is being performed.
This can be configured via `config/tidy/roletags` and `config/tidy/identities`
This can be configured via `config/tidy/roletag-blacklist` and `config/tidy/identity-whitelist`
endpoints.
### Varying Public Certificates
The AWS public certificate which contains the public key used to verify the
PKCS#7 signature varies for groups of regions. The default public certificate
provided with the backend is applicable for many regions. Users of instances whose
provided with the backend is applicable for many regions. Instances whose PKCS#7
signatures cannot be verified by the default public certificate, can register a
different public certificate which can be found [here]
(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
@@ -355,15 +356,12 @@ The response will be in JSON. For example:
The instance identity document fetched from the PKCS#7 signature
will provide the EC2 instance ID. The credentials configured using
this endpoint will be used to query the status of the instances via
DescribeInstanceStatus API. Also, if the login is performed using
the role tag, then these credentials will also be used to fetch the
tags that are set on the EC2 instance via DescribeTags API. If the
static credentials are not provided using this endpoint, then the
credentials will be retrieved from the environment variables
`AWS_ACCESS_KEY`, `AWS_SECRET_KEY` and `AWS_REGION` respectively.
If the credentials are still not found and if the backend is configured
on an EC2 instance with metadata querying capabilities, the credentials
are fetched automatically.
DescribeInstances API. If static credentials are not provided using
this endpoint, then the credentials will be retrieved from the
environment variables `AWS_ACCESS_KEY`, `AWS_SECRET_KEY` and `AWS_REGION`
respectively. If the credentials are still not found and if the
backend is configured on an EC2 instance with metadata querying
capabilities, the credentials are fetched automatically.
</dd>
<dt>Method</dt>
@@ -378,14 +376,14 @@ The response will be in JSON. For example:
<li>
<span class="param">access_key</span>
<span class="param-flags">required</span>
AWS Access key with permissions to query EC2 instance metadata.
AWS Access key with permissions to query EC2 DescribeInstances API.
</li>
</ul>
<ul>
<li>
<span class="param">secret_key</span>
<span class="param-flags">required</span>
AWS Secret key with permissions to query EC2 instance metadata.
AWS Secret key with permissions to query EC2 DescribeInstances API.
</li>
</ul>
<ul>
@@ -582,7 +580,7 @@ The response will be in JSON. For example:
</dd>
</dl>
### /auth/aws/config/tidy/identities
### /auth/aws/config/tidy/identity-whitelist
##### POST
<dl class="api">
<dt>Description</dt>
@@ -594,7 +592,7 @@ The response will be in JSON. For example:
<dd>POST</dd>
<dt>URL</dt>
<dd>`/auth/aws/config/tidy/identities`</dd>
<dd>`/auth/aws/config/tidy/identity-whitelist`</dd>
<dt>Parameters</dt>
<dd>
@@ -610,8 +608,8 @@ The response will be in JSON. For example:
<li>
<span class="param">disable_periodic_tidy</span>
<span class="param-flags">optional</span>
If set to 'true', disables the periodic tidying of the 'whitelist/identity/<instance_id>'
entries and 'whitelist/identity/<instance_id>' entries.
If set to 'true', disables the periodic tidying of the 'identity-whitelist/<instance_id>'
entries.
</li>
</ul>
</dd>
@@ -633,7 +631,7 @@ The response will be in JSON. For example:
<dd>GET</dd>
<dt>URL</dt>
<dd>`/auth/aws/config/tidy/identities`</dd>
<dd>`/auth/aws/config/tidy/identity-whitelist`</dd>
<dt>Parameters</dt>
<dd>
@@ -671,7 +669,7 @@ The response will be in JSON. For example:
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/auth/aws/config/tidy/identities`</dd>
<dd>`/auth/aws/config/tidy/identity-whitelist`</dd>
<dt>Parameters</dt>
<dd>
@@ -685,7 +683,7 @@ The response will be in JSON. For example:
### /auth/aws/config/tidy/roletags
### /auth/aws/config/tidy/roletag-blacklist
##### POST
<dl class="api">
<dt>Description</dt>
@@ -697,7 +695,7 @@ The response will be in JSON. For example:
<dd>POST</dd>
<dt>URL</dt>
<dd>`/auth/aws/config/tidy/roletags`</dd>
<dd>`/auth/aws/config/tidy/roletag-blacklist`</dd>
<dt>Parameters</dt>
<dd>
@@ -713,7 +711,7 @@ The response will be in JSON. For example:
<li>
<span class="param">disable_periodic_tidy</span>
<span class="param-flags">optional</span>
If set to 'true', disables the periodic tidying of the 'blacklist/roletag/<role_tag>' entries and 'whitelist/identity/<instance_id>' entries.
If set to 'true', disables the periodic tidying of the 'roletag-blacklist/<role_tag>' entries.
</li>
</ul>
</dd>
@@ -735,7 +733,7 @@ The response will be in JSON. For example:
<dd>GET</dd>
<dt>URL</dt>
<dd>`/auth/aws/config/tidy/roletags`</dd>
<dd>`/auth/aws/config/tidy/roletag-blacklist`</dd>
<dt>Parameters</dt>
<dd>
@@ -773,7 +771,7 @@ The response will be in JSON. For example:
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/auth/aws/config/tidy/roletags`</dd>
<dd>`/auth/aws/config/tidy/roletag-blacklist`</dd>
<dt>Parameters</dt>
<dd>
@@ -794,9 +792,9 @@ The response will be in JSON. For example:
<dd>
Registers a role in the backend. Only those instances which are using the role registered using this endpoint,
will be able to perform the login operation. Contraints can be specified on the role, that are applied on the
instances that are attempting to login. Currently only one constraint is supported which is 'bound_ami_id',
which must be specified. Going forward, when more than one constraint is supported, the requirement will be to
specify at least one constraint, not necessarily 'bound_ami_id'.
instances attempting to login. Currently only one constraint is supported which is 'bound_ami_id', which must
be specified. Going forward, when more than one constraint is supported, the requirement will be to specify at
least one constraint, but not necessarily 'bound_ami_id'.
</dd>
<dt>Method</dt>
@@ -818,36 +816,31 @@ The response will be in JSON. For example:
<li>
<span class="param">bound_ami_id</span>
<span class="param-flags">required</span>
If set, defines a constraint that the EC2 instances that are trying to login,
should be using the AMI ID specified by this parameter.
</li>
</ul>
<ul>
<li>
<span class="param">instance_id</span>
<span class="param-flags">optional</span>
Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.
If set, defines a constraint on the EC2 instances that they should be using the AMI ID specified by this parameter.
</li>
</ul>
<ul>
<li>
<span class="param">role_tag</span>
<span class="param-flags">optional</span>
If set, enables the `roletag` login for this AMI, meaning that this AMI is shared among many EC2 instances. The value set for this field should be the `key` of the tag on the EC2 instance and the `tag_value` returned from `auth/aws/image/<ami_id>/roletag` should be the `value` of the tag on the instance. Defaults to empty string, meaning that this AMI is not shared among instances.
If set, enables the role tags for this role. The value set for this
field should be the 'key' of the tag on the EC2 instance. The 'value'
of the tag should be generated using 'role/<role_name>/tag' endpoint.
Defaults to an empty string, meaning that role tags are disabled.
</li>
</ul>
<ul>
<li>
<span class="param">max_ttl</span>
<span class="param-flags">optional</span>
The maximum allowed lease duration.
The maximum allowed lifetime of tokens issued using this role.
</li>
</ul>
<ul>
<li>
<span class="param">policies</span>
<span class="param-flags">optional</span>
Policies to be associated with the AMI.
Policies to be set on tokens issued using this role.
</li>
</ul>
<ul>
@@ -861,7 +854,7 @@ The response will be in JSON. For example:
<li>
<span class="param">disallow_reauthentication</span>
<span class="param-flags">optional</span>
If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws/whitelist/identity/<instance_id>' endpoint. Defaults to 'false'.
If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws/identity-whitelist/<instance_id>' endpoint. Defaults to 'false'.
</li>
</ul>
</dd>
@@ -964,7 +957,7 @@ The response will be in JSON. For example:
<dl class="api">
<dt>Description</dt>
<dd>
Deletes the previously registered AMI ID.
Deletes the previously registered role.
</dd>
<dt>Method</dt>
@@ -989,8 +982,8 @@ The response will be in JSON. For example:
<dl class="api">
<dt>Description</dt>
<dd>
Creates a `roletag` on the role. Role tags provide an effective way to restrict the
policies that are set on the role.
Creates a role tag on the role. Role tags provide an effective way to restrict the
capabilities that are set on the role.
</dd>
<dt>Method</dt>
@@ -1012,21 +1005,30 @@ The response will be in JSON. For example:
<li>
<span class="param">policies</span>
<span class="param-flags">optional</span>
Policies to be associated with the tag.
Policies to be associated with the tag. If set, must be a subset of
the role's policies. If set, but set to an empty value, only the
'default' policy will be given to issued tokens.
</li>
</ul>
<ul>
<li>
<span class="param">max_ttl</span>
<span class="param-flags">optional</span>
The maximum allowed lease duration.
If set, specifies the maximum allowed token lifetime.
</li>
</ul>
<ul>
<li>
<span class="param">instance_id</span>
<span class="param-flags">optional</span>
Instance ID for which this tag is intended for. If set, the created tag can only be used by the instance with the given ID.
</li>
</ul>
<ul>
<li>
<span class="param">disallow_reauthentication</span>
<span class="param-flags">optional</span>
If set, only allows a single token to be granted per instance ID. This can be cleared with the auth/aws/whitelist/identity endpoint. Defaults to 'false'.
If set, only allows a single token to be granted per instance ID. This can be cleared with the auth/aws/identity-whitelist endpoint. Defaults to 'false'.
</li>
</ul>
<ul>
@@ -1082,9 +1084,9 @@ The response will be in JSON. For example:
<span class="param">role_name</span>
<span class="param-flags">optional</span>
Name of the role against which the login is being attempted.
If `role_name` is not specified, then the login endpoint assumes that there
is a role by the name matching the AMI ID of the EC2 instance that is trying
to login. If a matching role is not found, login fails.
If `role_name` is not specified, then the login endpoint looks for a role
bearing the name of the AMI ID of the EC2 instance that is trying to login.
If a matching role is not found, login fails.
</li>
</ul>
<ul>
@@ -1099,7 +1101,7 @@ The response will be in JSON. For example:
<span class="param">nonce</span>
<span class="param-flags">required/optional, depends</span>
The `nonce` created by a client of this backend. When `disallow_reauthentication`
option is enabled on either the AMI or the role tag, then `nonce` parameter is
option is enabled on either the role or the role tag, then `nonce` parameter is
optional. It is a required parameter otherwise.
</li>
</ul>
@@ -1138,15 +1140,15 @@ The response will be in JSON. For example:
</dl>
### /auth/aws/blacklist/roletag/<role_tag>
### /auth/aws/roletag-blacklist/<role_tag>
#### POST
<dl class="api">
<dt>Description</dt>
<dd>
Places a valid roletag in a blacklist. This ensures that the `roletag`
Places a valid role tag in a blacklist. This ensures that the role tag
cannot be used by any instance to perform a login operation again.
Note that if this `roletag` was previousy used to perfom a successful
login, placing the `roletag` in the blacklist does not invalidate the
Note that if the role tag was previousy used to perfom a successful
login, placing the tag in the blacklist does not invalidate the
already issued token.
</dd>
@@ -1154,7 +1156,7 @@ The response will be in JSON. For example:
<dd>POST</dd>
<dt>URL</dt>
<dd>`/auth/aws/blacklist/roletag/<role_tag>`</dd>
<dd>`/auth/aws/roletag-blacklist/<role_tag>`</dd>
<dt>Parameters</dt>
<dd>
@@ -1162,7 +1164,8 @@ The response will be in JSON. For example:
<li>
<span class="param">role_tag</span>
<span class="param-flags">required</span>
Role tag that needs be blacklisted. The tag can be supplied as-is, or can be base64 encoded.
Role tag to be blacklisted. The tag can be supplied as-is. In order
to avoid any encoding problems, it can be base64 encoded.
</li>
</ul>
</dd>
@@ -1177,14 +1180,14 @@ The response will be in JSON. For example:
<dl class="api">
<dt>Description</dt>
<dd>
Returns the blacklist entry of a previously blacklisted `roletag`.
Returns the blacklist entry of a previously blacklisted role tag.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/auth/aws/blacklist/roletag/<role_tag>`</dd>
<dd>`/auth/aws/broletag-blacklist/<role_tag>`</dd>
<dt>Parameters</dt>
<dd>
@@ -1216,14 +1219,14 @@ The response will be in JSON. For example:
<dl class="api">
<dt>Description</dt>
<dd>
Lists all the `roletags` that are blacklisted.
Lists all the role tags that are blacklisted.
</dd>
<dt>Method</dt>
<dd>GET</dd>
<dt>URL</dt>
<dd>`/auth/aws/blacklist/roletags?list=true`</dd>
<dd>`/auth/aws/roletag-blacklist?list=true`</dd>
<dt>Parameters</dt>
<dd>
@@ -1256,14 +1259,14 @@ The response will be in JSON. For example:
<dl class="api">
<dt>Description</dt>
<dd>
Deletes a blacklisted `roletag`.
Deletes a blacklisted role tag.
</dd>
<dt>Method</dt>
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/auth/aws/blacklist/roletag/<role_tag>`</dd>
<dd>`/auth/aws/roletag-blacklist/<role_tag>`</dd>
<dt>Parameters</dt>
<dd>
@@ -1276,7 +1279,7 @@ The response will be in JSON. For example:
</dl>
### /auth/aws/tidy/roletags
### /auth/aws/tidy/roletag-blacklist
#### POST
<dl class="api">
<dt>Description</dt>
@@ -1288,7 +1291,7 @@ The response will be in JSON. For example:
<dd>POST</dd>
<dt>URL</dt>
<dd>`/auth/aws/tidy/roletags`</dd>
<dd>`/auth/aws/tidy/roletag-blacklist`</dd>
<dt>Parameters</dt>
<dd>
@@ -1307,7 +1310,7 @@ The response will be in JSON. For example:
</dl>
### /auth/aws/whitelist/identity/<instance_id>
### /auth/aws/identity-whitelist/<instance_id>
#### GET
<dl class="api">
<dt>Description</dt>
@@ -1319,7 +1322,7 @@ The response will be in JSON. For example:
<dd>GET</dd>
<dt>URL</dt>
<dd>`/auth/aws/whitelist/identity/<instance_id>`</dd>
<dd>`/auth/aws/identity-whitelist/<instance_id>`</dd>
<dt>Parameters</dt>
<dd>
@@ -1327,7 +1330,8 @@ The response will be in JSON. For example:
<li>
<span class="param">instance_id</span>
<span class="param-flags">required</span>
EC2 instance ID. A successful login operation from an EC2 instance gets cached in this whitelist, keyed off of instance ID.
EC2 instance ID. A successful login operation from an EC2 instance
gets cached in this whitelist, keyed off of instance ID.
</li>
</ul>
</dd>
@@ -1367,7 +1371,7 @@ The response will be in JSON. For example:
<dd>GET</dd>
<dt>URL</dt>
<dd>`/auth/aws/whitelist/identities?list=true`</dd>
<dd>`/auth/aws/identity-whitelist?list=true`</dd>
<dt>Parameters</dt>
<dd>
@@ -1407,7 +1411,7 @@ The response will be in JSON. For example:
<dd>DELETE</dd>
<dt>URL</dt>
<dd>`/auth/aws/whitelist/identity/<instance_id>`</dd>
<dd>`/auth/aws/identity-whitelist/<instance_id>`</dd>
<dt>Parameters</dt>
<dd>
@@ -1420,7 +1424,7 @@ The response will be in JSON. For example:
</dl>
### /auth/aws/tidy/identities
### /auth/aws/tidy/identity-whitelist
#### POST
<dl class="api">
<dt>Description</dt>
@@ -1432,7 +1436,7 @@ The response will be in JSON. For example:
<dd>POST</dd>
<dt>URL</dt>
<dd>`/auth/aws/tidy/identities`</dd>
<dd>`/auth/aws/tidy/identity-whitelist`</dd>
<dt>Parameters</dt>
<dd>