Add missing option for RSA2048 signature (#22227)

Add support to use the new RSA2048 signature to validate EC2 instances. Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-10-29 17:52:32 +00:00 · 2023-08-14 16:08:43 -03:00
parent d66fdb4dfd
commit 951f1fef1b
1 changed files with 14 additions and 1 deletions
--- a/api/auth/aws/aws.go
+++ b/api/auth/aws/aws.go
@@ -56,7 +56,7 @@ const (
 // passed as a parameter to the client.Auth().Login method.
 //
 // Supported options: WithRole, WithMountPath, WithIAMAuth, WithEC2Auth,
-// WithPKCS7Signature, WithIdentitySignature, WithIAMServerIDHeader, WithNonce, WithRegion
+// WithPKCS7Signature, WithIdentitySignature, WithRSA2048Signature, WithIAMServerIDHeader, WithNonce, WithRegion
 func NewAWSAuth(opts ...LoginOption) (*AWSAuth, error) {
 	a := &AWSAuth{
 		mountPath:     defaultMountPath,
@@ -262,6 +262,19 @@ func WithPKCS7Signature() LoginOption {
 	}
 }

+// WithRSA2048Signature will explicitly tell the client to send the RSA2048
+// signature to verify EC2 auth logins. Only used by EC2 auth type.
+// If this option is not provided, will default to using the PKCS #7 signature.
+// The signature type used should match the type of the public AWS cert Vault
+// has been configured with to verify EC2 instance identity.
+// https://www.vaultproject.io/api/auth/aws#create-certificate-configuration
+func WithRSA2048Signature() LoginOption {
+	return func(a *AWSAuth) error {
+		a.signatureType = rsa2048Type
+		return nil
+	}
+}
+
 func WithIAMServerIDHeader(headerValue string) LoginOption {
 	return func(a *AWSAuth) error {
 		a.iamServerIDHeaderValue = headerValue