scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-02 11:38:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow auto-detection of AWS region when using the vault CLI (#14051)

Browse Source
This commit is contained in:
Jim Kalafut
2022-02-14 12:01:27 -08:00
committed by GitHub
parent 23301d7343
commit 4d1475baa5
3 changed files with 27 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
builtin/credential/aws/cli.go
View File

@@ -44,8 +44,14 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, erro
} }
region := m["region"] region := m["region"]
if region == "" { switch region {
case "":
// The CLI has always defaulted to "us-east-1" if a region is not provided.
region = awsutil.DefaultRegion region = awsutil.DefaultRegion
case "auto":
// Beginning in 1.10 we also accept the "auto" value, which uses the region detection logic in
// awsutil.GetRegion() to determine the region. That behavior is triggered when region = "".
region = ""
} }
loginData, err := awsutil.GenerateLoginData(creds, headerValue, region, hlogger) loginData, err := awsutil.GenerateLoginData(creds, headerValue, region, hlogger)
@@ -73,8 +79,8 @@ func (h *CLIHandler) Help() string {
Usage: vault login -method=aws [CONFIG K=V...] Usage: vault login -method=aws [CONFIG K=V...]
The AWS auth method allows users to authenticate with AWS IAM The AWS auth method allows users to authenticate with AWS IAM
credentials. The AWS IAM credentials may be specified in a number of ways, credentials. The AWS IAM credentials, and optionally the AWS region, may be
listed in order of precedence below: specified in a number of ways, listed in order of precedence below:
1. Explicitly via the command line (not recommended) 1. Explicitly via the command line (not recommended)
@@ -112,6 +118,11 @@ Configuration:
here as well. If specified here, it takes precedence over the value for here as well. If specified here, it takes precedence over the value for
-path. The default value is "aws". -path. The default value is "aws".
region=<string>
Explicit AWS region to reach out to for authentication request signing. A value
of "auto" enables auto-detection of region based on the precedence described above.
Defaults to "us-east-1" if not specified.
role=<string> role=<string>
Name of the role to request a token against Name of the role to request a token against

3
changelog/14051.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:improvement
auth/aws: Enable region detection in the CLI by specifying the region as `auto`
```

5
website/content/docs/auth/aws.mdx
View File

@@ -658,8 +658,9 @@ The region used defaults to `us-east-1`, but you can specify a custom region lik
$ vault login -method=aws region=us-west-2 role=dev-role-iam $ vault login -method=aws region=us-west-2 role=dev-role-iam
``` ```
When using a custom region, be sure the designated region corresponds to that of the If the region is specified as `auto`, the Vault CLI will determine the region based
STS endpoint you're using. on standard AWS credentials precedence as described earlier. Whichever method is used,
be sure the designated region corresponds to that of the STS endpoint you're using.
An example of how to generate the required request values for the `login` method An example of how to generate the required request values for the `login` method
can be found found in the [vault cli can be found found in the [vault cli