Add STS path to AWS backend.

The new STS path allows for obtaining the same credentials that you would get from the AWS "creds" path, except it will also provide a security token, and will not have an annoyingly long propagation time before returning to the user.
2025-11-02 03:27:54 +00:00 · 2015-12-07 23:32:49 -05:00
parent 4fc58e8b41
commit d206599b80
7 changed files with 156 additions and 8 deletions
--- a/builtin/logical/aws/client.go
+++ b/builtin/logical/aws/client.go
@@ -7,11 +7,12 @@ import (
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/logical"
 )

-func clientIAM(s logical.Storage) (*iam.IAM, error) {
+func getRootConfig(s logical.Storage) (*aws.Config, error) {
 	entry, err := s.Get("config/root")
 	if err != nil {
 		return nil, err
@@ -28,11 +29,19 @@ func clientIAM(s logical.Storage) (*iam.IAM, error) {
 	}

 	creds := credentials.NewStaticCredentials(config.AccessKey, config.SecretKey, "")
-	awsConfig := &aws.Config{
+	return &aws.Config{
 		Credentials: creds,
 		Region:      aws.String(config.Region),
 		HTTPClient:  cleanhttp.DefaultClient(),
-	}
+	}, nil
+}

+func clientIAM(s logical.Storage) (*iam.IAM, error) {
+	awsConfig, _ := getRootConfig(s)
 	return iam.New(session.New(awsConfig)), nil
 }
+
+func clientSTS(s logical.Storage) (*sts.STS, error) {
+	awsConfig, _ := getRootConfig(s)
+	return sts.New(session.New(awsConfig)), nil
+}