auth/aws: Allow binding by EC2 instance IDs #3816
Conversation
This allows specifying a list of EC2 instance IDs that are allowed to bind to the role. To keep style formatting with the other bindings, this is still called bound_ec2_instance_id rather than bound_ec2_instance_ids as I intend to convert the other bindings to accept lists as well (where it makes sense) and keeping them with singular names would be the easiest for backwards compatibility. Partially fixes hashicorp#3797
|
I realize that some of the decisions I made when writing this probably seem a bit questionable at first blush, so I wanted to explain them. First, I think that eventually we'll want to convert most if not all binds to being Since I wasn't sure what to do with my first question, and because I wanted to get something out there to solve the request in #3797, I figured I'd try to just address that one request. So my second decision point was, do I only support a single EC2 instance ID, or do I support multiple from the beginning? I decided on multiple because that's the direction I want to go eventually, and I don't want to half-deliver a feature to @rorybrowne that he needs to hack around. Third, do I call it Anyway, would love feedback on any of these points, happy to adjust as y'all see fit! |
|
Also, it looks like Travis is failing for reasons not related to this PR, and running the aws auth backend acceptance tests worked for me when running locally. |
In the aws auth method, allow a number of binds to take in lists instead of a single string value. The intended semantic is that, for each bind type set, clients must match at least one of each of the bind types set in order to authenticate.
|
Hi Joel, Decision 1: We've been slowly making this exact breaking change across the API for the sake of better consistency. So if converting to TypeCommaStringSlice, which I encourage, then yeah -- pay the one-time upgrade cost, and have the returned value come from the new role entry, and have it be returned as an array. For people that want to configure things programmatically, it's way better to have it support array in -> array out. One thing to note about the upgrades: they need to be protected. See https://github.com/hashicorp/vault/blob/master/builtin/logical/pki/path_roles.go#L319 Decision 2: Sounds good Decision 3: I agree that plural sounds right but given that the whole backend uses singular, I guess just keep it singular. If we decide to fix this up across all of the parameters we can change this one as well, but in the meantime it keeps things consistent within the same role. |
Acceptance tests were failing due to hashicorp#4014 so, as a workaround for now, passing in the identity document and the RSA signature rather than the PKCS7 document.
This reverts commit c342691. The underlying issue causing the need for the workaround has been fixed, and additional testing changes have been added in hashicorp#4031 so this is no longer necessary.
Looks like these changes were dropped from prior commit
|
Sorry the commit history is such a mess, but this should be ready for review! :) I tried (and hope I succeeded!) to keep the singular and plural names consistent with #3907 now that that's merged. |
builtin/credential/aws/path_role.go
Outdated
| @@ -647,6 +658,13 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request | |||
| numBinds++ | |||
| } | |||
|
|
|||
| if len(roleEntry.BoundEc2InstanceIDs) > 0 { | |||
| if !allowEc2Binds { | |||
| return logical.ErrorResponse(fmt.Sprintf("specified bound_ec2_instance_id but not allowing ec2 auth_type or inferring %s", ec2EntityType)), nil | |||
There was a problem hiding this comment.
This language is slightly awkward in that you don't "allow" ec2 auth type.
There was a problem hiding this comment.
Yeah, it's a little awkward, but that's exactly what all the other error messages say. I've updated everywhere to use specifying instead of allowing, I think that's more accurate.
| @@ -384,6 +384,11 @@ func (b *backend) verifyInstanceMeetsRoleRequirements(ctx context.Context, | |||
| return nil, fmt.Errorf("nil identityDoc") | |||
| } | |||
|
|
|||
| // Verify that the instance ID matches one of the ones set by the role | |||
| if len(roleEntry.BoundEc2InstanceIDs) > 0 && !strutil.StrListContains(roleEntry.BoundEc2InstanceIDs, *instance.InstanceId) { | |||
There was a problem hiding this comment.
Any reason you explicitly dereference the pointer here and in the next line?
There was a problem hiding this comment.
I dereference it here so I don't get a compiler error:
$ make test TEST=./builtin/credential/aws/
go generate
# github.com/hashicorp/vault/builtin/credential/aws
/.../go/src/github.com/hashicorp/vault/builtin/credential/aws/path_login.go:388:111: cannot use instance.InstanceId (type *string) as type string in argument to strutil.StrListContains
FAIL github.com/hashicorp/vault/builtin/credential/aws [build failed]
Makefile:34: recipe for target 'test' failed
make: *** [test] Error 2I dereference it in the next line so that it shows up as expected in the error message.
There was a problem hiding this comment.
Oh, forgot about how it's all pointers in AWS land. Sounds good!
|
Two minor comments, LGTM otherwise! |
"allowing" is a bit of an awkward word, changing it to specifying to be more accurate.
|
Thanks! |
This allows specifying a list of EC2 instance IDs that are allowed to
bind to the role. To keep style formatting with the other bindings, this
is still called bound_ec2_instance_id rather than bound_ec2_instance_ids.
Partially fixes #3797