5844 AWS Root Credential Rotation (#9921)

* strip redundant field type declarations * root credential rotation for aws creds plugin * Change location of mocks awsutil and update methods that no longer exist * Update website/pages/docs/auth/aws.mdx Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com> * Update sdk version to get the awsutil mock file * Re-vendor modules to pass CI * Use write lock for the entirety of AWS root cred rotation * Update docs for AWS root cred rotation for clarity Co-authored-by: Becca Petrin <beccapetrin@gmail.com> Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2025-11-02 03:27:54 +00:00 · 2020-09-15 15:26:56 -07:00
parent 9cd3e4539f
commit 4ff444fc5f
15 changed files with 419 additions and 10 deletions
--- a/builtin/credential/aws/path_config_rotate_root_test.go
+++ b/builtin/credential/aws/path_config_rotate_root_test.go
@@ -0,0 +1,79 @@
+package awsauth
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/aws/aws-sdk-go/service/iam/iamiface"
+	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/vault/sdk/helper/awsutil"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+func TestPathConfigRotateRoot(t *testing.T) {
+	getIAMClient = func(sess *session.Session) iamiface.IAMAPI {
+		return &awsutil.MockIAM{
+			CreateAccessKeyOutput: &iam.CreateAccessKeyOutput{
+				AccessKey: &iam.AccessKey{
+					AccessKeyId:     aws.String("fizz2"),
+					SecretAccessKey: aws.String("buzz2"),
+				},
+			},
+			DeleteAccessKeyOutput: &iam.DeleteAccessKeyOutput{},
+			GetUserOutput: &iam.GetUserOutput{
+				User: &iam.User{
+					UserName: aws.String("ellen"),
+				},
+			},
+		}
+	}
+
+	ctx := context.Background()
+	storage := &logical.InmemStorage{}
+	b, err := Factory(ctx, &logical.BackendConfig{
+		StorageView: storage,
+		Logger:      hclog.Default(),
+		System: &logical.StaticSystemView{
+			DefaultLeaseTTLVal: time.Hour,
+			MaxLeaseTTLVal:     time.Hour,
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	clientConf := &clientConfig{
+		AccessKey: "fizz1",
+		SecretKey: "buzz1",
+	}
+	entry, err := logical.StorageEntryJSON("config/client", clientConf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := storage.Put(ctx, entry); err != nil {
+		t.Fatal(err)
+	}
+
+	req := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "config/rotate-root",
+		Storage:   storage,
+	}
+	resp, err := b.HandleRequest(ctx, req)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("bad: resp: %#v\nerr:%v", resp, err)
+	}
+	if resp == nil {
+		t.Fatal("expected nil response to represent a 204")
+	}
+	if resp.Data == nil {
+		t.Fatal("expected resp.Data")
+	}
+	if resp.Data["access_key"].(string) != "fizz2" {
+		t.Fatalf("expected new access key buzz2 but received %s", resp.Data["access_key"])
+	}
+}