scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

auth/aws: Fix outdated help texts (#5253)

Browse Source
This commit is contained in:
Joel Thompson
2018-09-04 13:55:02 -04:00
committed by Jeff Mitchell
parent 177cdb65c7
commit f39268f950
2 changed files with 16 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
builtin/credential/aws/backend.go
View File

@@ -286,13 +286,22 @@ func getAnyRegionForAwsPartition(partitionId string) *endpoints.Region {
} }
const backendHelp = ` const backendHelp = `
aws-ec2 auth method takes in PKCS#7 signature of an AWS EC2 instance and a client The aws auth method uses either AWS IAM credentials or AWS-signed EC2 metadata
created nonce to authenticates the EC2 instance with Vault. to authenticate clients, which are IAM principals or EC2 instances.
Authentication is backed by a preconfigured role in the backend. The role Authentication is backed by a preconfigured role in the backend. The role
represents the authorization of resources by containing Vault's policies. represents the authorization of resources by containing Vault's policies.
Role can be created using 'role/<role>' endpoint. Role can be created using 'role/<role>' endpoint.
Authentication of IAM principals, either IAM users or roles, is done using a
specifically signed AWS API request using clients' AWS IAM credentials. IAM
principals can then be assigned to roles within Vault. This is known as the
"iam" auth method.
Authentication of EC2 instances is done using either a signed PKCS#7 document
or a detached RSA signature of an AWS EC2 instance's identity document along
with a client-created nonce. This is known as the "ec2" auth method.
If there is need to further restrict the capabilities of the role on the instance If there is need to further restrict the capabilities of the role on the instance
that is using the role, 'role_tag' option can be enabled on the role, and a tag that is using the role, 'role_tag' option can be enabled on the role, and a tag
can be generated using 'role/<role>/tag' endpoint. This tag represents the can be generated using 'role/<role>/tag' endpoint. This tag represents the

10
builtin/credential/aws/path_role.go
View File

@@ -891,12 +891,12 @@ Create a role and associate policies to it.
const pathRoleDesc = ` const pathRoleDesc = `
A precondition for login is that a role should be created in the backend. A precondition for login is that a role should be created in the backend.
The login endpoint takes in the role name against which the instance The login endpoint takes in the role name against which the client
should be validated. After authenticating the instance, the authorization should be validated. After authenticating the client, the authorization
for the instance to access Vault's resources is determined by the policies to access Vault's resources is determined by the policies that are
that are associated to the role though this endpoint. associated to the role though this endpoint.
When the instances require only a subset of policies on the role, then When an EC2 instance requires only a subset of policies on the role, then
'role_tag' option on the role can be enabled to create a role tag via the 'role_tag' option on the role can be enabled to create a role tag via the
endpoint 'role/<role>/tag'. This tag then needs to be applied on the endpoint 'role/<role>/tag'. This tag then needs to be applied on the
instance before it attempts a login. The policies on the tag should be a instance before it attempts a login. The policies on the tag should be a