Don't read AWS env vars (#5974)

* Don't read AWS env vars

Let AWS SDK env cred chain provider do it for us

Fixes #5965

CHANGELOG.md

@@ -5,6 +5,12 @@ CHANGES:
  * secret/aws: Role now returns `credential_type` instead of `credential_types`
    to match role input. If a legacy role that can supply more than one
    credential type, they will be concatenated with a `,`.
+ * physical/dynamodb, autoseal/aws: Instead of Vault performing environment
+   variable handling, and overriding static (config file) values if found, we
+   use the default AWS SDK env handling behavior, which also looks for
+   deprecated values. If you were previously providing both config values and
+   environment values, please ensure the config values are unset if you want to
+   use environment values.
 
 ## 1.0.1 (December 14th, 2018)
 

physical/dynamodb/dynamodb.go

@@ -15,7 +15,7 @@ import (
 
 	log "github.com/hashicorp/go-hclog"
 
-	"github.com/armon/go-metrics"
+	metrics "github.com/armon/go-metrics"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
@@ -23,7 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
 	"github.com/hashicorp/errwrap"
 	cleanhttp "github.com/hashicorp/go-cleanhttp"
-	"github.com/hashicorp/go-uuid"
+	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/helper/awsutil"
 	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/physical"
@@ -155,19 +155,6 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
 		writeCapacity = DefaultDynamoDBWriteCapacity
 	}
 
-	accessKey := os.Getenv("AWS_ACCESS_KEY_ID")
-	if accessKey == "" {
-		accessKey = conf["access_key"]
-	}
-	secretKey := os.Getenv("AWS_SECRET_ACCESS_KEY")
-	if secretKey == "" {
-		secretKey = conf["secret_key"]
-	}
-	sessionToken := os.Getenv("AWS_SESSION_TOKEN")
-	if sessionToken == "" {
-		sessionToken = conf["session_token"]
-	}
-
 	endpoint := os.Getenv("AWS_DYNAMODB_ENDPOINT")
 	if endpoint == "" {
 		endpoint = conf["endpoint"]
@@ -197,9 +184,9 @@ func NewDynamoDBBackend(conf map[string]string, logger log.Logger) (physical.Bac
 	}
 
 	credsConfig := &awsutil.CredentialsConfig{
-		AccessKey:    accessKey,
+		AccessKey:    conf["access_key"],
-		SecretKey:    secretKey,
+		SecretKey:    conf["secret_key"],
-		SessionToken: sessionToken,
+		SessionToken: conf["session_token"],
 	}
 	creds, err := credsConfig.GenerateCredentialChain()
 	if err != nil {

vault/seal/awskms/awskms.go

@@ -38,11 +38,12 @@ const (
 // AWSKMSSeal represents credentials and Key information for the KMS Key used to
 // encryption and decryption
 type AWSKMSSeal struct {
-	accessKey string
+	accessKey    string
-	secretKey string
+	secretKey    string
-	region    string
+	sessionToken string
-	keyID     string
+	region       string
-	endpoint  string
+	keyID        string
+	endpoint     string
 
 	currentKeyID *atomic.Value
 
@@ -99,20 +100,10 @@ func (k *AWSKMSSeal) SetConfig(config map[string]string) (map[string]string, err
 		k.region = "us-east-1"
 	}
 
-	// Check and set AWS access key and secret key
+	// Check and set AWS access key, secret key, and session token
-	k.accessKey = os.Getenv("AWS_ACCESS_KEY_ID")
+	k.accessKey = config["access_key"]
-	if k.accessKey == "" {
+	k.secretKey = config["secret_key"]
-		if accessKey, ok := config["access_key"]; ok {
+	k.sessionToken = config["session_token"]
-			k.accessKey = accessKey
-		}
-	}
-
-	k.secretKey = os.Getenv("AWS_SECRET_ACCESS_KEY")
-	if k.secretKey == "" {
-		if secretKey, ok := config["secret_key"]; ok {
-			k.secretKey = secretKey
-		}
-	}
 
 	k.endpoint = os.Getenv("AWS_KMS_ENDPOINT")
 	if k.endpoint == "" {
@@ -281,6 +272,7 @@ func (k *AWSKMSSeal) getAWSKMSClient() (*kms.KMS, error) {
 
 	credsConfig.AccessKey = k.accessKey
 	credsConfig.SecretKey = k.secretKey
+	credsConfig.SessionToken = k.sessionToken
 	credsConfig.Region = k.region
 
 	credsConfig.HTTPClient = cleanhttp.DefaultClient()