diff --git a/builtin/credential/aws/backend.go b/builtin/credential/aws/backend.go index 56e34d94de..e0f56d3e8d 100644 --- a/builtin/credential/aws/backend.go +++ b/builtin/credential/aws/backend.go @@ -166,11 +166,11 @@ created nonce to authenticates the EC2 instance with Vault. Authentication is backed by a preconfigured role in the backend. The role represents the authorization of resources by containing Vault's policies. -Role can be created using 'role/' endpoint. +Role can be created using 'role/' endpoint. If there is need to further restrict the capabilities of the role on the instance that is using the role, 'role_tag' option can be enabled on the role, and a tag -can be generated using 'role//tag' endpoint. This tag represents the +can be generated using 'role//tag' endpoint. This tag represents the subset of capabilities set on the role. When the 'role_tag' option is enabled on the role, the login operation requires that a respective role tag is attached to the EC2 instance which performs the login. diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws/backend_test.go index 231360f9ef..06a27a3084 100644 --- a/builtin/credential/aws/backend_test.go +++ b/builtin/credential/aws/backend_test.go @@ -110,7 +110,7 @@ func TestBackend_CreateParseVerifyRoleTag(t *testing.T) { } rTag1 := &roleTag{ Version: "v1", - RoleName: "abcd-123", + Role: "abcd-123", Nonce: nonce, Policies: []string{"p", "q", "r"}, MaxTTL: 200000000000, // 200s @@ -134,7 +134,7 @@ func TestBackend_CreateParseVerifyRoleTag(t *testing.T) { // check the values in parsed role tag if rTag2.Version != "v1" || rTag2.Nonce != nonce || - rTag2.RoleName != "abcd-123" || + rTag2.Role != "abcd-123" || rTag2.MaxTTL != 200000000000 || // 200s !policyutil.EquivalentPolicies(rTag2.Policies, []string{"p", "q", "r"}) || len(rTag2.HMAC) == 0 { 
@@ -198,9 +198,9 @@ func TestBackend_prepareRoleTagPlaintextValue(t *testing.T) { t.Fatal(err) } rTag := &roleTag{ - Version: "v1", - Nonce: nonce, - RoleName: "abcd-123", + Version: "v1", + Nonce: nonce, + Role: "abcd-123", } rTag.Version = "" @@ -221,14 +221,14 @@ func TestBackend_prepareRoleTagPlaintextValue(t *testing.T) { } rTag.Nonce = nonce - rTag.RoleName = "" + rTag.Role = "" // try to create plaintext part of role tag - // without specifying role_name + // without specifying role val, err = prepareRoleTagPlaintextValue(rTag) if err == nil { - t.Fatalf("expected error for missing role_name") + t.Fatalf("expected error for missing role") } - rTag.RoleName = "abcd-123" + rTag.Role = "abcd-123" // create the plaintext part of the tag val, err = prepareRoleTagPlaintextValue(rTag) @@ -933,7 +933,7 @@ func TestBackend_parseAndVerifyRoleTagValue(t *testing.T) { } if rTag.Version != "v1" || !policyutil.EquivalentPolicies(rTag.Policies, []string{"p", "q", "r", "s"}) || - rTag.RoleName != "abcd-123" { + rTag.Role != "abcd-123" { t.Fatalf("bad: parsed role tag contains incorrect values. Got: %#v\n", rTag) } } @@ -1248,7 +1248,7 @@ func TestBackendAcc_LoginAndWhitelistIdentity(t *testing.T) { if err != nil { t.Fatal(err) } - if resp == nil || resp.Data == nil || resp.Data["role_name"] != roleName { + if resp == nil || resp.Data == nil || resp.Data["role"] != roleName { t.Fatalf("failed to read whitelist identity") } diff --git a/builtin/credential/aws/path_identity_whitelist.go b/builtin/credential/aws/path_identity_whitelist.go index e3aac2bd3e..ba7b861b78 100644 --- a/builtin/credential/aws/path_identity_whitelist.go +++ b/builtin/credential/aws/path_identity_whitelist.go 
@@ -118,7 +118,7 @@ func (b *backend) pathIdentityWhitelistRead( // Struct to represent each item in the identity whitelist. type whitelistIdentity struct { - RoleName string `json:"role_name" structs:"role_name" mapstructure:"role_name"` + Role string `json:"role" structs:"role" mapstructure:"role"` ClientNonce string `json:"client_nonce" structs:"client_nonce" mapstructure:"client_nonce"` CreationTime time.Time `json:"creation_time" structs:"creation_time" mapstructure:"creation_time"` DisallowReauthentication bool `json:"disallow_reauthentication" structs:"disallow_reauthentication" mapstructure:"disallow_reauthentication"` diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go index c33af90ee9..7aecff4461 100644 --- a/builtin/credential/aws/path_login.go +++ b/builtin/credential/aws/path_login.go @@ -18,10 +18,10 @@ func pathLogin(b *backend) *framework.Path { return &framework.Path{ Pattern: "login$", Fields: map[string]*framework.FieldSchema{ - "role_name": &framework.FieldSchema{ + "role": &framework.FieldSchema{ Type: framework.TypeString, Description: `Name of the role against which the login is being attempted. -If 'role_name' is not specified, then the login endpoint looks for a role +If 'role' is not specified, then the login endpoint looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login. If a matching role is not found, login fails.`, }, @@ -220,7 +220,7 @@ func (b *backend) pathLoginUpdate( return logical.ErrorResponse("failed to extract instance identity document from PKCS#7 signature"), nil } - roleName := data.Get("role_name").(string) + roleName := data.Get("role").(string) // If roleName is not supplied, a role in the name of the instance's AMI ID will be looked for. if roleName == "" { 
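Review bot: Changing the struct tags on `whitelistIdentity` from `role_name` to `role` also changes the persisted encoding of existing whitelist entries, if they are stored through these tags (the storage code is outside this hunk); an entry written before this change would decode with an empty `Role`, and `pathLoginRenew` (the `@@ -487` hunk in path_login.go) would then call `b.awsRole(req.Storage, "")` for that identity. Either read the old `role_name` key into `Role` when decoding, or have the renew path refuse such an entry, e.g. `if storedIdentity.Role == "" { return nil, fmt.Errorf("stored identity has no role") }`. The same consideration applies to the `roleTag` struct tags in path_role_tag.go if those are ever persisted; the tag's own `r=` wire format is unchanged. A comment on the field, `// Role was previously persisted under the key "role_name"; see migration notes.`, would help the next reader. The struct's remaining fields continue past the hunk.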
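Review bot: Dropping `role_name` from the login field schema without an alias means a client that still sends `role_name` is not rejected: `data.Get("role")` in the `@@ -220` hunk returns "" and the code right after it falls back to the role named after the instance's AMI ID, so the request is authenticated against a role the caller did not ask for instead of failing. Consider keeping a `"role_name"` entry in `Fields` whose Description marks it deprecated and adding `if roleName == "" { roleName = data.Get("role_name").(string) }` after the `role` lookup, or explicitly erroring when the old key is supplied. The response data key in the `@@ -369` hunk changes the same way and breaks clients that read `role_name`; returning both keys for a deprecation period would avoid that. pathLoginUpdate begins and ends outside these hunks.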
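Review bot: `roleName := data.Get("role").(string)` is not lowercased, whereas the role endpoints normalize the name with `strings.ToLower` (`@@ -101`, `@@ -162`, `@@ -188` in path_role.go and `@@ -72` in path_role_tag.go), so a tag is generated with the lowercased name while `handleRoleTagLogin` (`@@ -432`) compares it against the raw login value and a mixed-case `role` fails with "role on the tag is not matching". `pathRoleDelete` (`@@ -135` in path_role.go) has the same gap, so a role created as `Dev-Role` is stored as `dev-role` but deleted by its raw name, unless `awsRole` normalizes internally, which is not visible here. Normalizing at both call sites, `roleName := strings.ToLower(data.Get("role").(string))`, makes every path agree (assuming path_login.go already imports `strings`). While there, `fmt.Errorf("role on the tag does not match the role supplied")` reads better than the current wording.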
@@ -332,10 +332,10 @@ func (b *backend) pathLoginUpdate( // Save the login attempt in the identity whitelist. currentTime := time.Now().UTC() if storedIdentity == nil { - // RoleName, ClientNonce and CreationTime of the identity entry, + // Role, ClientNonce and CreationTime of the identity entry, // once set, should never change. storedIdentity = &whitelistIdentity{ - RoleName: roleName, + Role: roleName, ClientNonce: clientNonce, CreationTime: currentTime, } @@ -369,7 +369,7 @@ func (b *backend) pathLoginUpdate( "instance_id": identityDoc.InstanceID, "region": identityDoc.Region, "role_tag_max_ttl": rTagMaxTTL.String(), - "role_name": roleName, + "role": roleName, "ami_id": identityDoc.AmiID, }, LeaseOptions: logical.LeaseOptions{ @@ -432,8 +432,8 @@ func (b *backend) handleRoleTagLogin(s logical.Storage, identityDoc *identityDoc // Check if the role name with which this login is being made is same // as the role name embedded in the tag. - if rTag.RoleName != roleName { - return nil, fmt.Errorf("role_name on the tag is not matching the role_name supplied") + if rTag.Role != roleName { + return nil, fmt.Errorf("role on the tag is not matching the role supplied") } // If instance_id was set on the role tag, check if the same instance is attempting to login. @@ -487,7 +487,7 @@ func (b *backend) pathLoginRenew( } // Ensure that role entry is not deleted. - roleEntry, err := b.awsRole(req.Storage, storedIdentity.RoleName) + roleEntry, err := b.awsRole(req.Storage, storedIdentity.Role) if err != nil { return nil, err } diff --git a/builtin/credential/aws/path_role.go b/builtin/credential/aws/path_role.go index 5a2390a59e..adb8698763 100644 --- a/builtin/credential/aws/path_role.go +++ b/builtin/credential/aws/path_role.go 
@@ -14,9 +14,9 @@ import ( func pathRole(b *backend) *framework.Path { return &framework.Path{ - Pattern: "role/" + framework.GenericNameRegex("role_name"), + Pattern: "role/" + framework.GenericNameRegex("role"), Fields: map[string]*framework.FieldSchema{ - "role_name": &framework.FieldSchema{ + "role": &framework.FieldSchema{ Type: framework.TypeString, Description: "Name of the role.", }, @@ -30,7 +30,7 @@ using the AMI ID specified by this parameter.`, "role_tag": &framework.FieldSchema{ Type: framework.TypeString, Default: "", - Description: "If set, enables the role tags for this role. The value set for this field should be the 'key' of the tag on the EC2 instance. The 'value' of the tag should be generated using 'role//tag' endpoint. Defaults to an empty string, meaning that role tags are disabled.", + Description: "If set, enables the role tags for this role. The value set for this field should be the 'key' of the tag on the EC2 instance. The 'value' of the tag should be generated using 'role//tag' endpoint. Defaults to an empty string, meaning that role tags are disabled.", }, "max_ttl": &framework.FieldSchema{ @@ -101,7 +101,7 @@ func pathListRoles(b *backend) *framework.Path { // Establishes dichotomy of request operation between CreateOperation and UpdateOperation. // Returning 'true' forces an UpdateOperation, CreateOperation otherwise. func (b *backend) pathRoleExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) { - entry, err := b.awsRole(req.Storage, strings.ToLower(data.Get("role_name").(string))) + entry, err := b.awsRole(req.Storage, strings.ToLower(data.Get("role").(string))) if err != nil { return false, err } 
@@ -135,9 +135,9 @@ func (b *backend) awsRoleInternal(s logical.Storage, role string) (*awsRoleEntry // pathRoleDelete is used to delete the information registered for a given AMI ID. func (b *backend) pathRoleDelete( req *logical.Request, data *framework.FieldData) (*logical.Response, error) { - roleName := data.Get("role_name").(string) + roleName := data.Get("role").(string) if roleName == "" { - return logical.ErrorResponse("missing role_name"), nil + return logical.ErrorResponse("missing role"), nil } b.roleMutex.Lock() @@ -162,7 +162,7 @@ func (b *backend) pathRoleList( // pathRoleRead is used to view the information registered for a given AMI ID. func (b *backend) pathRoleRead( req *logical.Request, data *framework.FieldData) (*logical.Response, error) { - roleEntry, err := b.awsRole(req.Storage, strings.ToLower(data.Get("role_name").(string))) + roleEntry, err := b.awsRole(req.Storage, strings.ToLower(data.Get("role").(string))) if err != nil { return nil, err } @@ -188,9 +188,9 @@ func (b *backend) pathRoleRead( func (b *backend) pathRoleCreateUpdate( req *logical.Request, data *framework.FieldData) (*logical.Response, error) { - roleName := strings.ToLower(data.Get("role_name").(string)) + roleName := strings.ToLower(data.Get("role").(string)) if roleName == "" { - return logical.ErrorResponse("missing role_name"), nil + return logical.ErrorResponse("missing role"), nil } b.roleMutex.Lock() @@ -316,7 +316,7 @@ that are associated to the role though this endpoint. When the instances require only a subset of policies on the role, then 'role_tag' option on the role can be enabled to create a role tag via the -endpoint 'role//tag'. This tag then needs to be applied on the +endpoint 'role//tag'. This tag then needs to be applied on the instance before it attempts a login. The policies on the tag should be a subset of policies that are associated to the role. In order to enable login using tags, 'role_tag' option should be set while creating a role. 
diff --git a/builtin/credential/aws/path_role_tag.go b/builtin/credential/aws/path_role_tag.go index 121dbbf6c1..4929bc07b8 100644 --- a/builtin/credential/aws/path_role_tag.go +++ b/builtin/credential/aws/path_role_tag.go @@ -21,9 +21,9 @@ const roleTagVersion = "v1" func pathRoleTag(b *backend) *framework.Path { return &framework.Path{ - Pattern: "role/" + framework.GenericNameRegex("role_name") + "/tag$", + Pattern: "role/" + framework.GenericNameRegex("role") + "/tag$", Fields: map[string]*framework.FieldSchema{ - "role_name": &framework.FieldSchema{ + "role": &framework.FieldSchema{ Type: framework.TypeString, Description: "Name of the role.", }, @@ -72,9 +72,9 @@ If set, the created tag can only be used by the instance with the given ID.`, func (b *backend) pathRoleTagUpdate( req *logical.Request, data *framework.FieldData) (*logical.Response, error) { - roleName := strings.ToLower(data.Get("role_name").(string)) + roleName := strings.ToLower(data.Get("role").(string)) if roleName == "" { - return logical.ErrorResponse("missing role_name"), nil + return logical.ErrorResponse("missing role"), nil } // Fetch the role entry @@ -149,7 +149,7 @@ func (b *backend) pathRoleTagUpdate( // Create a role tag out of all the information provided. rTagValue, err := createRoleTagValue(&roleTag{ Version: roleTagVersion, - RoleName: roleName, + Role: roleName, Nonce: nonce, Policies: policies, MaxTTL: maxTTL, 
@@ -257,13 +257,13 @@ func prepareRoleTagPlaintextValue(rTag *roleTag) (string, error) { if rTag.Nonce == "" { return "", fmt.Errorf("missing nonce") } - if rTag.RoleName == "" { - return "", fmt.Errorf("missing role_name") + if rTag.Role == "" { + return "", fmt.Errorf("missing role") } - // Attach Version, Nonce, RoleName, DisallowReauthentication and AllowInstanceMigration + // Attach Version, Nonce, Role, DisallowReauthentication and AllowInstanceMigration // fields to the role tag. - value := fmt.Sprintf("%s:%s:r=%s:d=%s:m=%s", rTag.Version, rTag.Nonce, rTag.RoleName, strconv.FormatBool(rTag.DisallowReauthentication), strconv.FormatBool(rTag.AllowInstanceMigration)) + value := fmt.Sprintf("%s:%s:r=%s:d=%s:m=%s", rTag.Version, rTag.Nonce, rTag.Role, strconv.FormatBool(rTag.DisallowReauthentication), strconv.FormatBool(rTag.AllowInstanceMigration)) // Attach the policies only if they are specified. if len(rTag.Policies) != 0 { @@ -319,7 +319,7 @@ func (b *backend) parseAndVerifyRoleTagValue(s logical.Storage, tag string) (*ro case strings.Contains(tagItem, "i="): rTag.InstanceID = strings.TrimPrefix(tagItem, "i=") case strings.Contains(tagItem, "r="): - rTag.RoleName = strings.TrimPrefix(tagItem, "r=") + rTag.Role = strings.TrimPrefix(tagItem, "r=") case strings.Contains(tagItem, "p="): rTag.Policies = strings.Split(strings.TrimPrefix(tagItem, "p="), ",") case strings.Contains(tagItem, "d="): @@ -342,16 +342,16 @@ func (b *backend) parseAndVerifyRoleTagValue(s logical.Storage, tag string) (*ro } } - if rTag.RoleName == "" { + if rTag.Role == "" { return nil, fmt.Errorf("missing role name") } - roleEntry, err := b.awsRole(s, rTag.RoleName) + roleEntry, err := b.awsRole(s, rTag.Role) if err != nil { return nil, err } if roleEntry == nil { - return nil, fmt.Errorf("entry not found for %s", rTag.RoleName) + return nil, fmt.Errorf("entry not found for %s", rTag.Role) } // Create a HMAC of the plaintext value of role tag and compare it with the given value. 
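Review bot: The `case strings.Contains(tagItem, "r=")` arm, like its siblings, matches the key anywhere in the item rather than at its start, so an item whose value contains `r=` (possible only if the splitting code above this hunk lets a nonce or policy name carry `=`) would be misread as the role before the HMAC comparison is reached. `strings.HasPrefix(tagItem, "r=")` is the precise test and pairs naturally with the `TrimPrefix` on the next line; the same applies to the other `Contains` arms. The HMAC check later in the function should still reject a tag the backend did not issue, so as far as the visible code shows this is about parsing precision rather than a bypass. parseAndVerifyRoleTagValue starts and ends outside the hunk.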
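Review bot: The error text here stays `missing role name` while `prepareRoleTagPlaintextValue` (the `@@ -257` hunk) now says `missing role` for the same condition; `return nil, fmt.Errorf("missing role")` keeps the two consistent after the rename so tests and log searches match. The `entry not found for %s` message echoes a role name taken from a tag that has not yet passed the HMAC comparison noted just below it; `fmt.Errorf("entry not found for %q", rTag.Role)` quotes the value so empty or unusual names are unambiguous in logs.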
@@ -394,7 +394,7 @@ type roleTag struct { Nonce string `json:"nonce" structs:"nonce" mapstructure:"nonce"` Policies []string `json:"policies" structs:"policies" mapstructure:"policies"` MaxTTL time.Duration `json:"max_ttl" structs:"max_ttl" mapstructure:"max_ttl"` - RoleName string `json:"role_name" structs:"role_name" mapstructure:"role_name"` + Role string `json:"role" structs:"role" mapstructure:"role"` HMAC string `json:"hmac" structs:"hmac" mapstructure:"hmac"` DisallowReauthentication bool `json:"disallow_reauthentication" structs:"disallow_reauthentication" mapstructure:"disallow_reauthentication"` AllowInstanceMigration bool `json:"allow_instance_migration" structs:"allow_instance_migration" mapstructure:"allow_instance_migration"` @@ -407,7 +407,7 @@ func (rTag1 *roleTag) Equal(rTag2 *roleTag) bool { rTag1.Nonce == rTag2.Nonce && policyutil.EquivalentPolicies(rTag1.Policies, rTag2.Policies) && rTag1.MaxTTL == rTag2.MaxTTL && - rTag1.RoleName == rTag2.RoleName && + rTag1.Role == rTag2.Role && rTag1.HMAC == rTag2.HMAC && rTag1.InstanceID == rTag2.InstanceID && rTag1.DisallowReauthentication == rTag2.DisallowReauthentication && @@ -424,7 +424,7 @@ instance, create a role tag using this endpoint and attach the tag on the instan before performing login. To be able to create a role tag, the 'role_tag' option on the role should be -enabled via the endpoint 'role/'. Also, the policies to be associated +enabled via the endpoint 'role/'. Also, the policies to be associated with the tag should be a subset of the policies associated with the registered role. This endpoint will return both the 'key' and the 'value' of the tag to be set diff --git a/builtin/credential/aws/path_roletag_blacklist.go b/builtin/credential/aws/path_roletag_blacklist.go index 83d2f7ede6..ff7362449d 100644 --- a/builtin/credential/aws/path_roletag_blacklist.go +++ b/builtin/credential/aws/path_roletag_blacklist.go 
@@ -166,7 +166,7 @@ func (b *backend) pathRoletagBlacklistUpdate( } // Get the entry for the role mentioned in the role tag. - roleEntry, err := b.awsRole(req.Storage, rTag.RoleName) + roleEntry, err := b.awsRole(req.Storage, rTag.Role) if err != nil { return nil, err } diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws.html.md index 14d1d3b308..37452036b6 100644 --- a/website/source/docs/auth/aws.html.md +++ b/website/source/docs/auth/aws.html.md @@ -128,7 +128,7 @@ instance. The tag holds information that represents a *subset* of privileges tha are set on the role and are used to further restrict the set of the role's privileges for that particular instance. -A `role_tag` can be created using `auth/aws/role//tag` endpoint +A `role_tag` can be created using `auth/aws/role//tag` endpoint and is immutable. The information present in the tag is SHA256 hashed and HMAC protected. The per-role key to HMAC is only maintained in the backend. This prevents an adversarial operator from modifying the tag when setting it on the EC2 instance 
@@ -286,7 +286,7 @@ $ vault write auth/aws/role/dev-role bound_ami_id=ami-fce3c696 policies=prod,dev #### Perform the login operation ``` -$ vault write auth/aws/login role_name=dev-role pkcs7=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 nonce=vault-client-nonce +$ vault write auth/aws/login role=dev-role pkcs7=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggGmewogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVsbCwKICAicHJpdmF0ZUlwIiA6ICIxNzIuMzEuNjMuNjAiLAogICJhdmFpbGFiaWxpdHlab25lIiA6ICJ1cy1lYXN0LTFjIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3RhbmNlSWQiIDogImktZGUwZjEzNDQiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVsbCwKICAiaW5zdGFuY2VUeXBlIiA6ICJ0Mi5taWNybyIsCiAgImFjY291bnRJZCIgOiAiMjQxNjU2NjE1ODU5IiwKICAiaW1hZ2VJZCIgOiAiYW1pLWZjZTNjNjk2IiwKICAicGVuZGluZ1RpbWUiIDogIjIwMTYtMDQtMDVUMTY6MjY6NTVaIiwKICAiYXJjaGl0ZWN0dXJlIiA6ICJ4ODZfNjQiLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJyYW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTEiCn0AAAAAAAAxggEXMIIBEwIBATBpMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQwIJAJa6SNnlXhpnMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA0MDUxNjI3MDBaMCMGCSqGSIb3DQEJBDEWBBRtiynzMTNfTw1TV/d8NvfgVw+XfTAJBgcqhkjOOAQDBC4wLAIUVfpVcNYoOKzN1c+h1Vsm/c5U0tQCFAK/K72idWrONIqMOVJ8Uen0wYg4AAAAAAAA nonce=vault-client-nonce ``` 
@@ -313,7 +313,7 @@ curl -X POST -H "x-vault-token:123" "http://127.0.0.1:8200/v1/auth/aws/role/dev- #### Perform the login operation ``` -curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role_name":"dev-role","pkcs7":"MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggGmewogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVsbCwKICAicHJpdmF0ZUlwIiA6ICIxNzIuMzEuNjMuNjAiLAogICJhdmFpbGFiaWxpdHlab25lIiA6ICJ1cy1lYXN0LTFjIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3RhbmNlSWQiIDogImktZGUwZjEzNDQiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVsbCwKICAiaW5zdGFuY2VUeXBlIiA6ICJ0Mi5taWNybyIsCiAgImFjY291bnRJZCIgOiAiMjQxNjU2NjE1ODU5IiwKICAiaW1hZ2VJZCIgOiAiYW1pLWZjZTNjNjk2IiwKICAicGVuZGluZ1RpbWUiIDogIjIwMTYtMDQtMDVUMTY6MjY6NTVaIiwKICAiYXJjaGl0ZWN0dXJlIiA6ICJ4ODZfNjQiLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJyYW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTEiCn0AAAAAAAAxggEXMIIBEwIBATBpMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQwIJAJa6SNnlXhpnMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA0MDUxNjI3MDBaMCMGCSqGSIb3DQEJBDEWBBRtiynzMTNfTw1TV/d8NvfgVw+XfTAJBgcqhkjOOAQDBC4wLAIUVfpVcNYoOKzN1c+h1Vsm/c5U0tQCFAK/K72idWrONIqMOVJ8Uen0wYg4AAAAAAAA","nonce":"vault-client-nonce"}' +curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev-role","pkcs7":"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","nonce":"vault-client-nonce"}' ``` @@ -328,7 +328,7 @@ The response will be in JSON. For example: "role_tag_max_ttl": "0", "instance_id": "i-de0f1344" "ami_id": "ami-fce3c696" - "role_name": "dev-prod" + "role": "dev-prod" }, "policies": [ "default", @@ -785,7 +785,7 @@ The response will be in JSON. For example: -### /auth/aws/role/ +### /auth/aws/role/ #### POST
Description
@@ -801,13 +801,13 @@ The response will be in JSON. For example:
POST
URL
-
`/auth/aws/role/`
+
`/auth/aws/role/`
Parameters
  • - role_name + role required Name of the role.
  • @@ -825,7 +825,7 @@ The response will be in JSON. For example: optional If set, enables the role tags for this role. The value set for this field should be the 'key' of the tag on the EC2 instance. The 'value' - of the tag should be generated using 'role//tag' endpoint. + of the tag should be generated using 'role//tag' endpoint. Defaults to an empty string, meaning that role tags are disabled.
@@ -876,7 +876,7 @@ The response will be in JSON. For example:
GET
URL
-
`/auth/aws/role/`
+
`/auth/aws/role/`
Parameters
@@ -964,7 +964,7 @@ The response will be in JSON. For example:
DELETE
URL
-
`/auth/aws/role/`
+
`/auth/aws/role/`
Parameters
@@ -977,7 +977,7 @@ The response will be in JSON. For example:
-### /auth/aws/role//tag +### /auth/aws/role//tag #### POST
Description
@@ -990,13 +990,13 @@ The response will be in JSON. For example:
POST
URL
-
`/auth/aws/role//tag`
+
`/auth/aws/role//tag`
Parameters
  • - role_name + role required Name of the role.
  • @@ -1081,10 +1081,10 @@ The response will be in JSON. For example:
    • - role_name + role optional Name of the role against which the login is being attempted. - If `role_name` is not specified, then the login endpoint looks for a role + If `role` is not specified, then the login endpoint looks for a role bearing the name of the AMI ID of the EC2 instance that is trying to login. If a matching role is not found, login fails.
    • @@ -1119,7 +1119,7 @@ The response will be in JSON. For example: "role_tag_max_ttl": "0", "instance_id": "i-de0f1344" "ami_id": "ami-fce36983" - "role_name": "dev-role" + "role": "dev-role" }, "policies": [ "default", @@ -1348,7 +1348,7 @@ The response will be in JSON. For example: "expiration_time": "2016-05-05 10:09:16.67077232 +0000 UTC", "creation_time": "2016-04-14 14:09:16.67077232 +0000 UTC", "client_nonce": "vault-client-nonce", - "role_name": "dev-role" + "role": "dev-role" }, "lease_duration": 0, "renewable": false,