Allow non-prefix-matched IAM role and instance profile ARNs in AWS auth backend #4071

Merged
merged 7 commits into from
Mar 18, 2018


joelthompson
Contributor

In the aws auth backend, bound_iam_role_arn and
bound_iam_instance_profile_arn were ALWAYS prefix matched, and there was
no way to opt out of this implicit prefix matching. This now makes the
implicit prefix matching an explicit opt-in feature by requiring users
to specify a * at the end of an ARN if they want the prefix matching.

Fixes #3261
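
The difference between the two matching modes described above, as an added example that is not part of the pull request and is not Vault's code. The function names, account ID and role names are constructed for illustration, and the matching rule is modelled only from the description (exact match unless the bound ARN ends in `*`). `changedOnUpgrade` lists principals the implicit prefix match admitted that the explicit rule rejects, which is the set to review when upgrading.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample data: the account ID and role names are placeholders.
var sampleBounds = []string{
	"arn:aws:iam::123456789012:role/app",     // intended as one exact role
	"arn:aws:iam::123456789012:role/batch-*", // explicit opt-in to prefix matching
}
var sampleActuals = []string{
	"arn:aws:iam::123456789012:role/app",
	"arn:aws:iam::123456789012:role/app-admin",
	"arn:aws:iam::123456789012:role/batch-nightly",
}

// implicitPrefixMatch models the old behaviour: every bound ARN is a prefix.
func implicitPrefixMatch(bound, actual string) bool {
	return strings.HasPrefix(actual, bound)
}

// explicitMatch models the new behaviour: exact match unless bound ends in "*".
func explicitMatch(bound, actual string) bool {
	if strings.HasSuffix(bound, "*") {
		return strings.HasPrefix(actual, strings.TrimSuffix(bound, "*"))
	}
	return bound == actual
}

// changedOnUpgrade lists "bound -> actual" pairs that the old matching
// admitted but the new matching rejects.
func changedOnUpgrade(bounds, actuals []string) []string {
	var out []string
	for _, b := range bounds {
		for _, a := range actuals {
			if implicitPrefixMatch(b, a) && !explicitMatch(b, a) {
				out = append(out, b+" -> "+a)
			}
		}
	}
	return out
}

func main() {
	for _, pair := range changedOnUpgrade(sampleBounds, sampleActuals) {
		fmt.Println("no longer admitted:", pair)
	}
}
```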

Moving away from implicitly globbed bound_iam_role_arn and
bound_iam_instance_profile_arn variables to make them explicit

auth/aws EC2 login tests had the same flow duplicated a few times, so
refactoring to reduce duplication
@vishalnayak vishalnayak self-assigned this Mar 5, 2018
@jefferai jefferai added this to the 0.9.6 milestone Mar 14, 2018
jefferai previously approved these changes Mar 14, 2018
@jefferai
Member

@joelthompson this looks good but now conflicts due to the previous merge -- can you fix the conflict? I took a look but want to be very careful I don't end up with the wrong value in the end.

@joelthompson
Contributor Author

@jefferai -- done!

@jefferai
Member

Thanks Joel!

@jefferai jefferai merged commit 29551c0 into hashicorp:master Mar 18, 2018
@joelthompson joelthompson deleted the auth_aws_no_prefix_matching branch March 18, 2018 01:33
Successfully merging this pull request may close these issues.

Permit non-prefix matching for bound_iam_role_arn