Add the ability to use root credentials for AWS IAM authentication. (#…

…3181) Partial fix for #3179
hashicorp · Aug 16, 2017 · e99a2cd · e99a2cd
1 parent bf50130
commit e99a2cd
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
@@ -1279,8 +1279,10 @@ func parseIamArn(iamArn string) (*iamEntity, error) {
 	// fullParts[5] would now be something like user/<UserName> or assumed-role/<RoleName>/<RoleSessionName>
 	parts := strings.Split(fullParts[5], "/")
 	entity.Type = parts[0]
-	entity.Path = strings.Join(parts[1:len(parts)-1], "/")
-	entity.FriendlyName = parts[len(parts)-1]
+	if len(parts) > 1 {
+		entity.Path = strings.Join(parts[1:len(parts)-1], "/")
+		entity.FriendlyName = parts[len(parts)-1]
+	}
 	// now, entity.FriendlyName should either be <UserName> or <RoleName>
 	switch entity.Type {
 	case "assumed-role":
@@ -1292,6 +1294,7 @@ func parseIamArn(iamArn string) (*iamEntity, error) {
 	case "user":
 	case "role":
 	case "instance-profile":
+	case "root":
 	default:
 		return &iamEntity{}, fmt.Errorf("unrecognized principal type: %q", entity.Type)
 	}
@@ -1513,7 +1516,11 @@ func (e *iamEntity) canonicalArn() string {
 	// make an AWS API call to look up the role by FriendlyName, which introduces more complexity to
 	// code and test, and it also breaks backwards compatibility in an area where we would really want
 	// it
-	return fmt.Sprintf("arn:%s:iam::%s:%s/%s", e.Partition, e.AccountNumber, entityType, e.FriendlyName)
+	ret := fmt.Sprintf("arn:%s:iam::%s:%s", e.Partition, e.AccountNumber, entityType)
+	if e.FriendlyName != "" {
+		ret = fmt.Sprintf("%s/%s", ret, e.FriendlyName)
+	}
+	return ret
 }
 
 const iamServerIdHeader = "X-Vault-AWS-IAM-Server-ID"

diff --git a/builtin/credential/aws/path_login_test.go b/builtin/credential/aws/path_login_test.go
@@ -88,6 +88,9 @@ func TestBackend_pathLogin_parseIamArn(t *testing.T) {
 		"",
 		iamEntity{Partition: "aws", AccountNumber: "123456789012", Type: "instance-profile", Path: "profilePath", FriendlyName: "InstanceProfileName"},
 	)
+	testParser("arn:aws:iam::123456789012:root", "arn:aws:iam::123456789012:root",
+		iamEntity{Partition: "aws", AccountNumber: "123456789012", Type: "root"},
+	)
 }
 
 func TestBackend_validateVaultHeaderValue(t *testing.T) {